Cross realm between AD and MIT

jm130794 jm130794 at gmail.com
Sat Aug 27 01:55:22 EDT 2011


I found a solution (is it a good solution?):

- I add my client (W7) into my AD.MYREALM (Microsoft Domain)
- on the client, I do: ksetup /AddKdc MYREALM

As you see, I don't give the address of the MIT KDC. I can open a session
with a MIT KDC user.

If I do: ksetup /AddKdc MYREALM kdc1.myrealm, that does not work.

What do you think about it?

Jean-Michel

2011/8/26 jm130794 <jm130794 at gmail.com>

> Hello Ross,
>
> With my first client, I added my computer in the Microsoft Domain. After
> that, I could log in with my MIT account. I never changed anything in the
> registry.
>
> Thanks,
>
> JM
>
>
>
> 2011/8/26 Wilper, Ross A <rwilper at stanford.edu>
>
>> One thing that you did not make clear is whether you defined the MIT Kerberos
>> realm in the registry of the Windows 7 machine.
>> (ksetup /AddKDC <realm> <kdc> or just go to
>> HKLM\System\CurrentControlSet\LSA\Kerberos\Domains and make a key named the
>> same as the realm and add a REG_MULTI_SZ value "KdcNames")
>>
>> -Ross
>>
>> -----Original Message-----
>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
>> Behalf Of jm130794
>> Sent: Friday, August 26, 2011 7:41 AM
>> To: Robert Wehn
>> Cc: kerberos at mit.edu
>> Subject: Re: Cross realm between AD and MIT
>>
>> Hello,
>>
>>
>> I tried with another client and I have the same problem!
>>
>> I can't open a session with user1 (MIT principal).
>>
>> JM
>>
>>
>> 2011/8/24 Robert Wehn <robert.wehn at rz.uni-augsburg.de>
>>
>> > Hi JM
>> >
>> > Might be a DNS error.
>> > The client (user) has to guess the realm of the service and often uses
>> > DNS (for example TXT records) or some registry entry (HostToRealm) to
>> > determine the KRB REALM for the service (in this case the local login).
>> >
>> > Try to capture with Wireshark which DNS requests a Win XP machine makes when
>> > you try to log in using cross-realm trust.
>> > Do the same on the Windows 7 machine.
>> >
>> > When testing cross-realm trust several months ago I had the impression
>> > MS changed something there, but I didn't really finish this.
>> > Actually it doesn't read out TXT records, which worked fine for WinXP.
>> >
>> > If you find out something, please tell me.
>> >
>> > Robert.
>> >
>> > On 24.08.2011 14:06, jm130794 wrote:
>> > > I used Wireshark to find why my connection fails. It seems that AD
>> > > returns the error KDC_ERR_WRONG_REALM. It's weird that I can connect
>> > > to the server and not on the client!
>> > >
>> > > Regards,
>> > >
>> > >
>> > > JM
>> > >
>> > > 2011/8/24 jm130794 <jm130794 at gmail.com>
>> > >
>> > >> Hello
>> > >>
>> > >> I installed a cross realm between my MIT and an AD. I can open a
>> > >> session on my AD server with a principal defined in my MIT Kerberos
>> > >> (e.g. user1).
>> > >>
>> > >> I added a Windows Seven to my Microsoft Domain. I can open a session
>> > >> on this station with the Domain Administrator without problem.
>> > >>
>> > >> When I try to open a session with user1 (MIT principal), that doesn't
>> > >> work...
>> > >>
>> > >> Any idea ?
>> > >>
>> > >> Thanks,
>> > >>
>> > >> JM
>> > >>
>> > >>
>> > > ________________________________________________
>> > > Kerberos mailing list           Kerberos at mit.edu
>> > > https://mailman.mit.edu/mailman/listinfo/kerberos
>> >
>> > --
>> >
>> > Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
>> > Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
>> > 86135 Augsburg .................................. Fax. (0821) 598-2028
>> >
>>
>
>
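The thread above turns on two mechanisms by which a Windows client locates the KDCs of a non-AD realm: the registry entry written by `ksetup /AddKdc <realm> [<kdc>]` (Ross's message) and DNS records (Robert's message). The following audit script is an added example, not code from the thread or from Microsoft; it assumes the realm name MYREALM, that the DNS zone is the lowercase realm name, that the full key path is HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains, and a Windows version that ships the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later, so not the Windows 7 client in the thread).

```powershell
# Added example (not from the thread): report how this client will find the
# KDCs of a non-AD realm, via the ksetup/registry mapping and via DNS.
param([string]$Realm = "MYREALM")   # realm name taken from the thread

# Assumed full path of the key Ross refers to; the realm is a subkey and
# KdcNames a REG_MULTI_SZ value (empty when ksetup /AddKdc was given no KDC).
$domainsKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains"
$realmKey   = Join-Path $domainsKey $Realm

if (-not (Test-Path $realmKey)) {
    Write-Output "Realm $Realm is not defined under $domainsKey."
    Write-Output "  'ksetup /AddKdc $Realm' (run as Administrator) creates it."
} else {
    # REG_MULTI_SZ comes back as string[]; drop empty entries.
    $kdcs = @((Get-ItemProperty -Path $realmKey).KdcNames | Where-Object { $_ })
    if ($kdcs.Count -eq 0) {
        Write-Output "Realm $Realm is defined with no explicit KDC: the client must locate one via DNS."
    } else {
        Write-Output "Realm $Realm lists explicit KDCs: $($kdcs -join ', ')"
        # A listed name that does not resolve, or does not answer on 88/tcp, is the
        # first thing to rule out when logon works without a KDC name but not with one.
        foreach ($kdc in $kdcs) {
            $reachable = Test-NetConnection -ComputerName $kdc -Port 88 `
                             -InformationLevel Quiet -WarningAction SilentlyContinue
            Write-Output ("  {0}: 88/tcp reachable = {1}" -f $kdc, $reachable)
        }
    }
}

# DNS side: SRV records for the KDC itself, TXT record for host-to-realm mapping.
$zone = $Realm.ToLower()   # assumption: DNS zone name = lowercase realm name
foreach ($q in @(@{ Name = "_kerberos._tcp.$zone"; Type = "SRV" },
                 @{ Name = "_kerberos.$zone";      Type = "TXT" })) {
    try {
        $answers = Resolve-DnsName -Name $q.Name -Type $q.Type -ErrorAction Stop |
                   Where-Object { $_.Type -eq $q.Type }
        foreach ($a in $answers) {
            $value = if ($q.Type -eq "SRV") { "$($a.NameTarget):$($a.Port)" }
                     else                    { $a.Strings -join ' ' }
            Write-Output ("{0} {1} -> {2}" -f $q.Type, $q.Name, $value)
        }
    } catch {
        Write-Output ("{0} {1} -> no record ({2})" -f $q.Type, $q.Name, $_.Exception.Message)
    }
}
```

`ksetup /dumpstate` prints the same realm and KDC configuration from the command line; running it alongside this script on a client that logs in and one that does not is a quick way to compare the two.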