Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD

Wilper, Ross A rwilper at stanford.edu
Tue Aug 3 19:08:46 EDT 2010


For #3...

Windows Kerberos libraries do not look at krb5.ini/krb5.conf to find external KDCs, they look in the registry
HKLM/SYSTEM/CurrentControlSet/Control/LSA/Kerberos/Domains/<RealmName>
                REG_MULTI_SZ KdcNames

(This registry key is populated by the Windows ksetup command)

For #5...
Yes, if needed.

-Ross

From: N K [mailto:nkaluskar at gmail.com]
Sent: Tuesday, August 03, 2010 4:04 PM
To: Wilper, Ross A
Cc: kerberos at MIT.EDU
Subject: Re: Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD

Hi Ross,

Thank you very much for your prompt response. A number of things that I have tried so far:

1) Incorrect passphrase for one of the three trust accounts
       >> Will look at this
2) Enctype mismatch (by default, a new trust will only support RC4-HMAC)
      >> specified the encryption type in the kdc.conf file and used the "cpw" command to change the password of principals and re-generate the keys using the specified encryption

3) Client machine cannot resolve the MIT KDCs
       >> Have included the mit kdc info in the client machine's krb5.ini file and updated DNS information with the unix kerberos realm. However, the netdom tool returns something like:
                   netdom trust <domain> /Domain:<realm> /verify /kerberos /verbose

                      Establishing a session with \\<domaincontroller>

                      Reading LSA domain policy information

                      Unable to contact the domain <realm>

                      Deleting the session with \\<domaincontroller>

                       The command failed to complete successfully.

4) Duplicate mappings on user accounts in the same AD domain
       (do an ldap search on altSecurityIdentities)
     >> Will take a look at this

5) You may need to set TLN mappings (referrals) on one side or the other
    >> Using the netdom ... /addtln command ?

6) If you have multiple domains, is the realm trust set transitive?
    >> Yes, the trust is transitive.

Regards,
Nivedita

On Tue, Aug 3, 2010 at 3:37 PM, Wilper, Ross A <rwilper at stanford.edu<mailto:rwilper at stanford.edu>> wrote:
Unfortunately, there are a lot of reasons that this could fail.

1) Incorrect passphrase for one of the three trust accounts
2) Enctype mismatch (by default, a new trust will only support RC4-HMAC)
3) Client machine cannot resolve the MIT KDCs
4) Duplicate mappings on user accounts in the same AD domain
       (do an ldap search on altSecurityIdentities)
5) You may need to set TLN mappings (referrals) on one side or the other
6) If you have multiple domains, is the realm trust set transitive?

Probably more. The only times I've had failures were case #1 and #3

Also note that MIT credentials will always fail to logon to RDP when NLA is in use.

-Ross

-----Original Message-----
From: kerberos-bounces at MIT.EDU<mailto:kerberos-bounces at MIT.EDU> [mailto:kerberos-bounces at MIT.EDU<mailto:kerberos-bounces at MIT.EDU>] On Behalf Of N K
Sent: Tuesday, August 03, 2010 3:19 PM
To: kerberos at MIT.EDU<mailto:kerberos at MIT.EDU>
Subject: Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD

Hi all,

I followed the steps for a cross-realm setup between the MIT KDC and AD
according to O'reilly's Definitive Guide book:

- specifying KDC's using ksetup on the participating Windows machines

- creating principals krbtgt/domain at realm and krbtgt/realm at domain in the MIT
KDC

- creating a 2 way trust in the AD

- mapping an AD user to a user in the MIT KDC

However, when I try to logon to the Kerberos realm from a Windows machine
using the credentials of the MIT KDC user, I get an error that the system
could not log me on because the username or domain is incorrect.

Has anyone come across a similar problem before?

Thanks much in advance,

Nivedita.
________________________________________________
Kerberos mailing list           Kerberos at mit.edu<mailto:Kerberos at mit.edu>
https://mailman.mit.edu/mailman/listinfo/kerberos




More information about the Kerberos mailing list