Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD

N K nkaluskar at gmail.com
Tue Aug 3 19:10:05 EDT 2010


Yes, I did use the ksetup command on the Windows machine to add the MIT
KDC.

On Tue, Aug 3, 2010 at 4:08 PM, Wilper, Ross A <rwilper at stanford.edu> wrote:

> For #3…
>
> Windows Kerberos libraries do not look at krb5.ini/krb5.conf to find
> external KDCs; they look in the registry:
>
> HKLM/SYSTEM/CurrentControlSet/Control/LSA/Kerberos/Domains/<RealmName>
>     REG_MULTI_SZ KdcNames
>
> (This registry key is populated by the Windows ksetup command)
>
> For #5…
>
> Yes, if needed.
>
> -Ross
>
> *From:* N K [mailto:nkaluskar at gmail.com]
> *Sent:* Tuesday, August 03, 2010 4:04 PM
> *To:* Wilper, Ross A
> *Cc:* kerberos at MIT.EDU
> *Subject:* Re: Establishing and verifying a trust between Unix MIT KDC and
> Windows Server 2003 AD
>
> Hi Ross,
>
> Thank you very much for your prompt response. A number of things that I
> have tried so far:
>
> 1) Incorrect passphrase for one of the three trust accounts
>
>     >> Will look at this
>
> 2) Enctype mismatch (by default, a new trust will only support RC4-HMAC)
>
>     >> Specified the encryption type in the kdc.conf file and used the
> "cpw" command to change the password of principals and re-generate the keys
> using the specified encryption
>
> 3) Client machine cannot resolve the MIT KDCs
>
>     >> Have included the MIT KDC info in the client machine's krb5.ini
> file and updated DNS information with the Unix Kerberos realm. However,
> the netdom tool returns something like:
>
>         netdom trust <domain> /Domain:<realm> /verify /kerberos /verbose
>
>             Establishing a session with \\<domaincontroller>
>             Reading LSA domain policy information
>             Unable to contact the domain <realm>
>             Deleting the session with \\<domaincontroller>
>             The command failed to complete successfully.
>
> 4) Duplicate mappings on user accounts in the same AD domain
>     (do an ldap search on altSecurityIdentities)
>
>     >> Will take a look at this
>
> 5) You may need to set TLN mappings (referrals) on one side or the other
>
>     >> Using the netdom ... /addtln command?
>
> 6) If you have multiple domains, is the realm trust set transitive?
>
>     >> Yes, the trust is transitive.
>
> Regards,
>
> Nivedita
>
>
> On Tue, Aug 3, 2010 at 3:37 PM, Wilper, Ross A <rwilper at stanford.edu> wrote:
>
> Unfortunately, there are a lot of reasons that this could fail.
>
> 1) Incorrect passphrase for one of the three trust accounts
> 2) Enctype mismatch (by default, a new trust will only support RC4-HMAC)
> 3) Client machine cannot resolve the MIT KDCs
> 4) Duplicate mappings on user accounts in the same AD domain
>        (do an ldap search on altSecurityIdentities)
> 5) You may need to set TLN mappings (referrals) on one side or the other
> 6) If you have multiple domains, is the realm trust set transitive?
>
> Probably more. The only times I've had failures were case #1 and #3.
>
> Also note that MIT credentials will always fail to log on to RDP when NLA is
> in use.
>
> -Ross
>
> -----Original Message-----
> From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On Behalf Of N K
> Sent: Tuesday, August 03, 2010 3:19 PM
> To: kerberos at MIT.EDU
> Subject: Establishing and verifying a trust between Unix MIT KDC and
> Windows Server 2003 AD
>
> Hi all,
>
> I followed the steps for a cross-realm setup between the MIT KDC and AD
> according to O'Reilly's Definitive Guide book:
>
> - specifying KDCs using ksetup on the participating Windows machines
> - creating principals krbtgt/domain at realm and krbtgt/realm at domain in the MIT KDC
> - creating a 2-way trust in the AD
> - mapping an AD user to a user in the MIT KDC
>
> However, when I try to log on to the Kerberos realm from a Windows machine
> using the credentials of the MIT KDC user, I get an error that the system
> could not log me on because the username or domain is incorrect.
>
> Has anyone come across a similar problem before?
>
> Thanks much in advance,
>
> Nivedita.
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
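A client-side check for the registry location Ross describes and for item #3 (the Windows client not reaching the MIT KDCs), added here as an example and not code from the thread. It assumes the standard Domains key under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos and that it is run in PowerShell on the Windows client that ksetup was used on; realm and KDC names are whatever ksetup stored there.

```powershell
# Added example, not from the thread: list the external Kerberos realms that
# ksetup wrote to the registry and check that each KDC host resolves in DNS
# and answers on TCP port 88. Windows does not read krb5.ini for this, so an
# empty or unresolvable KdcNames value is one explanation for netdom's
# "Unable to contact the domain <realm>" result.
# Assumption: the registry path quoted in the reply above.

$KerberosDomainsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains'

function Get-ExternalKerberosRealm {
    # One subkey per realm registered with "ksetup /addkdc <REALM> <kdchost>".
    if (-not (Test-Path $KerberosDomainsKey)) {
        Write-Warning 'No external realms registered; run ksetup /addkdc first.'
        return
    }
    Get-ChildItem -Path $KerberosDomainsKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Realm    = $_.PSChildName
            # REG_MULTI_SZ; filter out $null so an unset value gives an empty array
            KdcNames = @($props.KdcNames | Where-Object { $_ })
        }
    }
}

function Test-KdcReachable {
    param([string]$KdcHost, [int]$Port = 88)
    $result = [ordered]@{ Kdc = $KdcHost; Resolves = $false; Tcp88 = $false; Detail = '' }
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($KdcHost)
        $result.Resolves = $true
        $result.Detail = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ', '
        # KDCs listen on port 88; a TCP connect is a cheap reachability check.
        $client = New-Object System.Net.Sockets.TcpClient
        $client.Connect($KdcHost, $Port)
        $result.Tcp88 = $client.Connected
        $client.Close()
    } catch {
        $result.Detail = $_.Exception.Message
    }
    [pscustomobject]$result
}

foreach ($realm in Get-ExternalKerberosRealm) {
    Write-Host "Realm $($realm.Realm)"
    if ($realm.KdcNames.Count -eq 0) {
        Write-Warning '  KdcNames is empty; this client has no KDC for the realm.'
        continue
    }
    $realm.KdcNames | ForEach-Object { Test-KdcReachable -KdcHost $_ } | Format-Table -AutoSize
}
```

A realm whose KDC resolves and accepts the port 88 connection rules out item #3, leaving the trust-account password (#1) and the mapping checks (#4) as the next things to look at.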
