Cross-realm between Windows Server 2008 R2

jm130794 jm130794 at gmail.com
Thu Jun 16 12:50:50 EDT 2011


Hello,

I can open a session with my MIT user on Seven but, when I try to create a
file in his home directory Z:, I get an access error. I can see this message
on my MIT Kerberos:

Jun 15 22:20:15 srv1 krb5kdc[1350](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.2.5: UNKNOWN_SERVER: authtime 0,  user1@TEST.FR for cifs/dc1.ad.test.fr@TEST.FR, Server not found in Kerberos database

Must I add a principal for my DC to the MIT database?

Thanks

2011/6/15 jm130794 <jm130794 at gmail.com>

> Hi all,
>
> Yesterday, I forgot to Reply All :(
>
> As I said to Simo :
>
> I realized my mistake. I tried to login as a normal user. It is prohibited
> by default on Windows Server 2008.
>
> For testing, I mapped on user1 at TEST.FR administrator at AD.TEST.FR. It works.
>
> Now, I'll try to add a Windows Seven workstation to my domain...
>
> Thanks
>
>
> 2011/6/15 Douglas E. Engert <deengert at anl.gov>
>
>
>>
>> On 6/14/2011 4:11 AM, jm130794 wrote:
>> > Hello,
>> >
>> > I have a little question: is it possible to create a cross-realm between
>> > AD (Windows Server 2008 R2) and MIT Kerberos?
>> >
>> > I tried but...
>>
>> Are you able to go the other way, with a Windows user accessing a server
>> in the Kerberos realm?
>>
>> You did not say how you set up cross realm.
>>
>> >
>> > When I try to connect to the Windows Server with my MIT Kerberos user, I get
>> > these errors in krb5kdc.log:
>> >
>> > Jun 14 09:22:29 srv1 krb5kdc[979](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.2.2: NEEDED_PREAUTH: user1@TEST.FR for krbtgt/TEST.FR@TEST.FR, Additional pre-authentication required
>> > Jun 14 09:22:29 srv1 krb5kdc[979](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.2.2: ISSUE: authtime 1308036149, etypes {rep=18 tkt=18 ses=18}, user1@TEST.FR for krbtgt/TEST.FR@TEST.FR
>> > Jun 14 09:22:29 srv1 krb5kdc[979](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.2.2: ISSUE: authtime 1308036149, etypes {rep=18 tkt=18 ses=18}, user1@TEST.FR for krbtgt/AD.TEST.FR@TEST.FR
>>
>> This last one looks correct, but it is using an AES-256 key. If your W2008 R2
>> is still running at 2003 level, the AD may be expecting arcfour keys.
>>
>> A Wireshark trace of the KRB5 packets would show a lot more info,
>> such as what did the client do with this cross realm TGT?
>> Did it try to use it to get a service ticket from AD?
>> And what did AD do with it?
>>
>> For windows services, AD will want to add a PAC to the ticket,
>> with UUID and GUID info for the user. So the KRB5 users will need
>> accounts in AD to use AD services.
>>
>>
>> >
>> > Any ideas ?
>> > ________________________________________________
>> > Kerberos mailing list           Kerberos at mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>> >
>> >
>>
>> --
>>
>>  Douglas E. Engert  <DEEngert at anl.gov>
>>  Argonne National Laboratory
>>  9700 South Cass Avenue
>>  Argonne, Illinois  60439
>>  (630) 252-5444
>>
>
>



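As an added illustration (not part of the thread), the Python below parses MIT krb5kdc request lines like the one quoted at the top and flags UNKNOWN_SERVER replies where the service host's DNS domain points at a different realm than the one the client asked: in the quoted line the client asked the TEST.FR KDC for cifs/dc1.ad.test.fr@TEST.FR, i.e. it never mapped dc1.ad.test.fr to AD.TEST.FR (a client-side [domain_realm] or DNS matter, not a missing MIT principal). The domain-to-realm inference is a labelled heuristic, since realm names need not equal DNS domains; the sample lines are the page's own with the archive's " at " restored to "@", plus one constructed line.

```python
import re
from typing import Dict, List, Optional, Tuple

# MIT krb5kdc request line: "... krb5kdc[pid](info): REQ (etypes) ip: STATUS: ... client for server[, msg]"
KDC_LINE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): .*?"
    r"(?P<client>\S+@\S+) for (?P<server>\S+@\S+?)(?:,|$)"
)

def parse_kdc_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one KDC request line, or None for lines that are not requests."""
    m = KDC_LINE.search(line)
    return m.groupdict() if m else None

def realm_mismatch(server_principal: str) -> Optional[str]:
    """Heuristic (an assumption, not a Kerberos rule): for svc/host@REALM return
    the realm the host's DNS domain suggests when it differs from REALM."""
    name, _, realm = server_principal.rpartition("@")
    if "/" not in name:
        return None
    domain = name.split("/", 1)[1].partition(".")[2]   # dc1.ad.test.fr -> ad.test.fr
    if not domain or domain.upper() == realm.upper():
        return None
    return domain.upper()

def diagnose(lines: List[str]) -> List[Tuple[str, str, str]]:
    """UNKNOWN_SERVER replies for a host that looks like another realm's: the client
    never mapped it ([domain_realm] or DNS) and asked the wrong KDC."""
    findings = []
    for line in lines:
        r = parse_kdc_line(line)
        if r is None or r["status"] != "UNKNOWN_SERVER":
            continue
        suggested = realm_mismatch(r["server"])
        if suggested:
            findings.append((r["client"], r["server"], suggested))
    return findings

# The thread's own line with the archive's " at " restored to "@", plus one constructed
# UNKNOWN_SERVER for a host in the KDC's own realm, which must not be flagged.
SAMPLE_LOG = [
    "Jun 15 22:20:15 srv1 krb5kdc[1350](info): TGS_REQ (5 etypes {18 17 23 24 -135}) "
    "192.168.2.5: UNKNOWN_SERVER: authtime 0,  user1@TEST.FR for "
    "cifs/dc1.ad.test.fr@TEST.FR, Server not found in Kerberos database",
    "Jun 15 22:21:02 srv1 krb5kdc[1350](info): TGS_REQ (5 etypes {18 17 23 24 -135}) "
    "192.168.2.5: UNKNOWN_SERVER: authtime 0,  user1@TEST.FR for "
    "host/typo.test.fr@TEST.FR, Server not found in Kerberos database",
]
```

Running `diagnose(SAMPLE_LOG)` reports only the cifs/dc1.ad.test.fr request, pointing at AD.TEST.FR; the typo'd host in the KDC's own realm is a genuine unknown service and is left alone.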