Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD
Wilper, Ross A
rwilper at stanford.edu
Tue Aug 3 19:08:46 EDT 2010
For #3...
Windows Kerberos libraries do not look at krb5.ini/krb5.conf to find external KDCs, they look in the registry
HKLM/SYSTEM/CurrentControlSet/Control/LSA/Kerberos/Domains/<RealmName>
REG_MULTI_SZ KdcNames
(This registry key is populated by the Windows ksetup command)
For #5...
Yes, if needed.
-Ross
From: N K [mailto:nkaluskar at gmail.com]
Sent: Tuesday, August 03, 2010 4:04 PM
To: Wilper, Ross A
Cc: kerberos at MIT.EDU
Subject: Re: Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD
Hi Ross,
Thank you very much for your prompt response. A number of things that I have tried so far:
1) Incorrect passphrase for one of the three trust accounts
>> Will look at this
2) Enctype mismatch (by default, a new trust will only support RC4-HMAC)
>> specified the encryption type in the kdc.conf file and used the "cpw" command to change the password of principals and re-generate the keys using the specified encryption
3) Client machine cannot resolve the MIT KDCs
>> Have included the mit kdc info in the client machine's krb5.ini file and updated DNS information with the unix kerberos realm. However, the netdom tool returns something like:
netdom trust <domain> /Domain:<realm> /verify /kerberos /verbose
Establishing a session with \\<domaincontroller>
Reading LSA domain policy information
Unable to contact the domain <realm>
Deleting the session with \\<domaincontroller>
The command failed to complete successfully.
4) Duplicate mappings on user accounts in the same AD domain
(do an ldap search on altSecurityIdentities)
>> Will take a look at this
5) You may need to set TLN mappings (referrals) on one side or the other
>> Using the netdom ... /addtln command ?
6) If you have multiple domains, is the realm trust set transitive?
>> Yes, the trust is transitive.
Regards,
Nivedita
On Tue, Aug 3, 2010 at 3:37 PM, Wilper, Ross A <rwilper at stanford.edu<mailto:rwilper at stanford.edu>> wrote:
Unfortunately, there are a lot of reasons that this could fail.
1) Incorrect passphrase for one of the three trust accounts
2) Enctype mismatch (by default, a new trust will only support RC4-HMAC)
3) Client machine cannot resolve the MIT KDCs
4) Duplicate mappings on user accounts in the same AD domain
(do an ldap search on altSecurityIdentities)
5) You may need to set TLN mappings (referrals) on one side or the other
6) If you have multiple domains, is the realm trust set transitive?
Probably more. The only times I've had failures were case #1 and #3
Also note that MIT credentials will always fail to logon to RDP when NLA is in use.
-Ross
-----Original Message-----
From: kerberos-bounces at MIT.EDU<mailto:kerberos-bounces at MIT.EDU> [mailto:kerberos-bounces at MIT.EDU<mailto:kerberos-bounces at MIT.EDU>] On Behalf Of N K
Sent: Tuesday, August 03, 2010 3:19 PM
To: kerberos at MIT.EDU<mailto:kerberos at MIT.EDU>
Subject: Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD
Hi all,
I followed the steps for a cross-realm setup between the MIT KDC and AD
according to O'reilly's Definitive Guide book:
- specifying KDC's using ksetup on the participating Windows machines
- creating principals krbtgt/domain at realm and krbtgt/realm at domain in the MIT
KDC
- creating a 2 way trust in the AD
- mapping an AD user to a user in the MIT KDC
However, when I try to logon to the Kerberos realm from a Windows machine
using the credentials of the MIT KDC user, I get an error that the system
could not log me on because the username or domain is incorrect.
Has anyone come across a similar problem before?
Thanks much in advance,
Nivedita.
________________________________________________
Kerberos mailing list Kerberos at mit.edu<mailto:Kerberos at mit.edu>
https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list