MIT Kerberos and Windows 2008 R2 Trust relationship misunderstanding
Frederic SOULIER
frederic.soulier at univ-tlse1.fr
Mon Mar 8 08:21:59 EST 2010
Hi,
We have the following architecture :
- 1 MIT Kerberos KDC on CentOS 5.4 storing all of our users (17,000 users)
- 1 Active Directory based on Windows 2008 R2 storing all of our users
without passwords
We have set up a trust relationship between MIT Kerberos and AD 2008 R2.
The goal is to allow an MIT Kerberos user to log in to the AD domain from
Windows XP and Windows 7 machines.
All seems to work fine since we understood the encryption issue
(RC4, AES, etc.).
A user can log on to the AD domain by authenticating against MIT Kerberos.
But we notice these logs on the MIT Kerberos instance:
Mar 8 13:49:19 kerberos krb5kdc[14886]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.93.172.201: UNKNOWN_SERVER: authtime 1268052553, fsoulier@KRB.UT1.ORG for cifs/ad1-test.ut1.org@KRB.UT1.ORG, Server not found in Kerberos database
The Windows 7 machine requests a ticket for the cifs/ad-test.ut1.org
service from the MIT Kerberos KDC.
This service doesn't exist in MIT Kerberos; it was only created in the
AD domain.
I'm a beginner in Kerberos and AD, but I'm thinking that using a trust
relationship between MIT and AD should avoid this request, because the
Windows 7 client, joined to the AD domain, should request directly from
AD and not from MIT Kerberos after the first authentication.
Perhaps I'm making a mistake, but I find poor or no documentation about it...
If anyone can provide help or advice.....
Regards
--
Frederic Soulier
DSI / Service Système
Université Toulouse 1 Capitole
2 rue du doyen Gabriel Marty
31 042 Toulouse Cedex 9
Tel: +33 5 61 63 39 98 Fax: +33 5 61 63 37 98
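Added example (not part of Frederic's message, and not MIT krb5 code): a small triage script for krb5kdc log lines of the kind quoted above. It parses the TGS_REQ line, decodes the enctypes the Windows client offered (the negative numbers are Microsoft's pre-standard RC4 variants, which is the "RC4/AES" issue mentioned in the mail), and flags UNKNOWN_SERVER failures whose service host falls under a domain mapped to another realm, i.e. requests the KDC would be expected to resolve by a cross-realm referral rather than a lookup in its own database. The domain-to-realm map is an assumption for the example: the post never names the AD realm, so "AD.UT1.ORG" is a placeholder. The sample log lines are constructed; the first reproduces the quoted line with the archive's " at " munging turned back into "@", the other two are invented to show the other outcomes.

```python
"""Triage helper for MIT krb5kdc log lines (added example, not from the post)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Standard Kerberos enctype numbers (RFC 3961/3962, RFC 4757). The negative
# values are Microsoft's pre-standard RC4 variants that Windows still offers.
ENCTYPE_NAMES = {
    18: "aes256-cts-hmac-sha1-96",
    17: "aes128-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
    16: "des3-cbc-sha1",
    3: "des-cbc-md5",
    1: "des-cbc-crc",
    -128: "rc4-hmac-md5 (MS pre-standard)",
    -133: "rc4-hmac-old (MS pre-standard)",
    -135: "rc4-hmac-old-exp (MS pre-standard)",
}

# Hypothetical [domain_realm]-style mapping: hosts under ut1.org belong to the
# AD realm. "AD.UT1.ORG" is an assumed name; KRB.UT1.ORG comes from the log.
DOMAIN_REALM = {".ut1.org": "AD.UT1.ORG"}

# Matches both failure lines ("UNKNOWN_SERVER: ... , <msg>") and success lines
# ("ISSUE: authtime N, etypes {rep=.. tkt=.. ses=..}, client for server").
LINE_RE = re.compile(
    r"(?P<month>\w{3})\s+(?P<day>\d+)\s+(?P<time>[\d:]+)\s+(?P<host>\S+)\s+"
    r"krb5kdc\[(?P<pid>\d+)\]:\s+(?P<req>AS_REQ|TGS_REQ)\s+"
    r"\((?P<netypes>\d+)\s+etypes\s+\{(?P<etypes>[^}]*)\}\)\s+"
    r"(?P<ip>[\d.]+):\s+(?P<status>[A-Z_]+):\s+authtime\s+(?P<authtime>\d+),\s+"
    r"(?:etypes\s+\{[^}]*\},\s+)?"
    r"(?P<client>\S+?)\s+for\s+(?P<server>[^,\s]+)(?:,\s+(?P<msg>.*))?$"
)

# Constructed sample log. Line 1 is the quoted line with "@" restored.
SAMPLE_LOG = [
    "Mar 8 13:49:19 kerberos krb5kdc[14886]: TGS_REQ (5 etypes {18 17 23 24 -135}) "
    "192.93.172.201: UNKNOWN_SERVER: authtime 1268052553, fsoulier@KRB.UT1.ORG "
    "for cifs/ad1-test.ut1.org@KRB.UT1.ORG, Server not found in Kerberos database",
    "Mar 8 13:49:20 kerberos krb5kdc[14886]: TGS_REQ (5 etypes {18 17 23 24 -135}) "
    "192.93.172.201: ISSUE: authtime 1268052553, etypes {rep=23 tkt=23 ses=23}, "
    "fsoulier@KRB.UT1.ORG for krbtgt/AD.UT1.ORG@KRB.UT1.ORG",
    "Mar 8 13:50:01 kerberos krb5kdc[14886]: TGS_REQ (5 etypes {18 17 23 24 -135}) "
    "192.93.172.201: UNKNOWN_SERVER: authtime 1268052553, fsoulier@KRB.UT1.ORG "
    "for host/printer.example.net@KRB.UT1.ORG, Server not found in Kerberos database",
]


@dataclass
class KdcRequest:
    kind: str
    etypes: List[int]
    client_ip: str
    status: str
    client: str
    server: str
    message: Optional[str]

    @property
    def etype_names(self) -> List[str]:
        return [ENCTYPE_NAMES.get(e, f"unknown({e})") for e in self.etypes]

    @property
    def offers_aes(self) -> bool:
        return any(e in (17, 18) for e in self.etypes)


def parse_kdc_line(line: str) -> Optional[KdcRequest]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return KdcRequest(m["req"], [int(x) for x in m["etypes"].split()], m["ip"],
                      m["status"], m["client"], m["server"], m["msg"])


def realm_for_host(host: str, domain_realm=DOMAIN_REALM) -> Optional[str]:
    """Resolve a host like krb5's [domain_realm]: exact host, then parent suffixes."""
    h = host.lower()
    if h in domain_realm:
        return domain_realm[h]
    parts = h.split(".")
    for i in range(1, len(parts)):
        suffix = "." + ".".join(parts[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def classify(req: KdcRequest, local_realm: str = "KRB.UT1.ORG") -> str:
    """Verdict for one request; 'cross-realm-candidate' means the service host
    maps to a foreign realm, so the local KDC had no reason to hold its key."""
    if req.status != "UNKNOWN_SERVER":
        return "ok" if req.status == "ISSUE" else f"error:{req.status}"
    name, _, realm = req.server.rpartition("@")
    if "/" not in name:
        return "unknown-server"  # not a host-based service, nothing to map
    target = realm_for_host(name.split("/", 1)[1])
    if target and target != realm and realm == local_realm:
        return f"cross-realm-candidate:{target}"
    return "unknown-server"


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = parse_kdc_line(line)
        print(f"{r.client_ip} {r.server:40} {classify(r):32} "
              f"aes={r.offers_aes} etypes={r.etype_names}")
```

The mapping lookup walks from the full host name to progressively shorter parent-domain suffixes, which is how krb5 resolves [domain_realm] entries; feeding the script a real krb5kdc.log and grepping the "cross-realm-candidate" lines shows at a glance which services clients are asking the MIT KDC for that actually live on the AD side.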