Enabling a Unix OS in dual boot config with a Windows OS to maintain a valid keytab in Active Directory without invalidating the Windows OS's domain trust relationship

John Hefferman john.hefferman at cern.ch
Sat Jan 8 06:51:22 EST 2011 

Dear List,

This information is aimed at sites for which all of the following apply:
 - Sites that are using Active Directory as a Kerberos KDC
 - Sites that have dual-boot configured machines running both a Linux and Windows based OS with the same hostname
 - Sites that want to have a working Kerberos keytab on the Linux OS, but without invalidating the trust relationship between the Windows OS and Active Directory.

This problem may be old news or may not apply, but it can be solved with a few steps:

Problem/Background: If a keytab is constructed for the Linux OS (using msktutil, ktpass etc), the password of the corresponding computer account is reset in Active Directory in order for client and domain controller(s) to have matching keys. This invalidates the Windows OS's password, which no longer matches the one stored in Active Directory. This results in the following error when attempting to logon to the domain from the Windows OS:

'The trust relationship between this workstation and the primary domain failed'

A Solution: Configure the Windows OS to use a password which matches that used by the Linux OS (I used the NetJoinDomain function to do this). There is an increased security risk, in that the Windows OS can no longer periodically update the key, but developing a custom key renewal system which does not invalidate either OS's key might be an option.

Steps:
 1. Login as the local Administrator on the Windows OS
 2. Disable the Windows OS's ability to reset the machine password (the instructions apply to Windows7 too): http://support.microsoft.com/kb/154501
 3. Reset the computer account's password and create the key (ktpass and msktutil have been tested but msktutil must be changed to return the random password generated)
 4. Logon as local Administrator on the Windows OS and use the NetJoinDomain (http://msdn.microsoft.com/en-us/library/aa370433%28v=vs.85%29.aspx) function and the password used in the previous step to restore the trust relationship. See function usage below:

NetJoinDomain(null, <domain>, null, null, <machine_password>, (NETSETUP_JOIN_DOMAIN | NETSETUP_JOIN_UNSECURE | NETSETUP_MACHINE_PWD_PASSED | NETSETUP_DOMAIN_JOIN_IF_JOINED))

If this is interesting but you need any further information, feel free to get in contact.

Regards,

John

More information about the Kerberos mailing list