Windows7 and Kerberos trust relationship
Claudio Prono
claudio.prono at atpss.net
Thu May 26 06:24:10 EDT 2011
Hi,
I am playing with Windows 7 and Kerberos authentication with MIT
Kerberos 1.8.3.
My test is the following: authenticate a Windows 7 with Kerberos.
So, I have installed a test Windows 7, and a test OpenSuSE 11.4 with
Kerberos. Configured Kerberos and installed Kerberos for Windows 3.2.2
on the Windows 7. Tested it with Network Identity Manager, and the
client gets the ticket perfectly, can change password, etc.
Then I followed this guide to add a Windows 7 to an
external KDC:
- https://wiki.ncsa.illinois.edu/display/ITS/Windows+7+Kerberos+Login+using+External+Kerberos+KDC
So, my Kerberos database now has the following keys:
K/M@MEDIASERVICE-TEST.PRI
admin@MEDIASERVICE-TEST.PRI
afs@MEDIASERVICE-TEST.PRI
cprono@MEDIASERVICE-TEST.PRI
host/vmtest-pc.mediaservice-test.pri@MEDIASERVICE-TEST.PRI
kadmin/admin@MEDIASERVICE-TEST.PRI
kadmin/afs-test@MEDIASERVICE-TEST.PRI
kadmin/changepw@MEDIASERVICE-TEST.PRI
kadmin/history@MEDIASERVICE-TEST.PRI
krbtgt/MEDIASERVICE-TEST.PRI@MEDIASERVICE-TEST.PRI
Then I try to log in with the Windows client, but it tells me "The
trust relationship with the domain has failed", or something similar
(sorry, it is a translation from Italian).
In the Kerberos log I see this:
May 26 12:24:39 afs-test krb5kdc[1498](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.87.249: ISSUE: authtime 1306405479, etypes {rep=18 tkt=18 ses=18}, cprono@MEDIASERVICE-TEST.PRI for krbtgt/MEDIASERVICE-TEST.PRI@MEDIASERVICE-TEST.PRI
May 26 12:24:39 afs-test krb5kdc[1498](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.87.249: ISSUE: authtime 1306405479, etypes {rep=18 tkt=18 ses=18}, cprono@MEDIASERVICE-TEST.PRI for host/vmtest-pc.mediaservice-test.pri@MEDIASERVICE-TEST.PRI
May 26 12:24:39 afs-test krb5kdc[1498](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.87.249: ISSUE: authtime 1306405479, etypes {rep=18 tkt=18 ses=18}, host/vmtest-pc.mediaservice-test.pri@MEDIASERVICE-TEST.PRI for krbtgt/MEDIASERVICE-TEST.PRI@MEDIASERVICE-TEST.PRI
It seems all right, but the client doesn't log in... I have also tried to
sniff the network traffic while the authentication is done, and this is
the result:
12:26:21.869814 IP 192.168.87.249.49298 > 192.168.87.253.88: v5
12:26:21.870887 IP 192.168.87.253.88 > 192.168.87.249.49298: v5
12:26:21.888886 IP 192.168.87.249.49299 > 192.168.87.253.88:
12:26:21.892069 IP 192.168.87.253.88 > 192.168.87.249.49299:
12:26:21.896066 IP 192.168.87.249.49300 > 192.168.87.253.88: v5
12:26:21.897171 IP 192.168.87.253.88 > 192.168.87.249.49300: v5
All the requests are to Kerberos, nothing more... So what is wrong?
Any help is welcome, naturally.
Cordially,
Claudio Prono.
--
--------------------------------------------------------------------------------
Claudio Prono OPST
System Developer
Gsm: +39-349-54.33.258
@PSS Srl Tel: +39-011-32.72.100
Via San Bernardino, 17 Fax: +39-011-32.46.497
10141 Torino - ITALY http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
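
Added example (not part of the original message, and not code from MIT Kerberos): a small parser for the krb5kdc ISSUE entries quoted above. It lists which client obtained a ticket for which service and which deprecated etypes the client offered. The function names and the DEPRECATED set are choices made for this example.

```python
import re

# Etype numbers from the post's log, named per the IANA Kerberos registry.
ETYPES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
          23: "rc4-hmac", 24: "rc4-hmac-exp", 3: "des-cbc-md5"}
# Deprecated by RFC 6649 (DES, rc4-hmac-exp) and RFC 8429 (rc4-hmac).
DEPRECATED = {3, 23, 24}

ISSUE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[-\d ]+)\}\) \S+: ISSUE: "
    r"authtime \d+, etypes \{rep=-?\d+ tkt=-?\d+ ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)")

# Sample input: the post's three KDC entries, mail-wrapped, "@" written " at ".
SAMPLE = """\
May 26 12:24:39 afs-test krb5kdc[1498](info): AS_REQ (6 etypes {18 17 23
24 -135 3}) 192.168.87.249: ISSUE: authtime 1306405479, etypes {rep=18
tkt=18 ses=18}, cprono at MEDIASERVICE-TEST.PRI for
krbtgt/MEDIASERVICE-TEST.PRI at MEDIASERVICE-TEST.PRI
May 26 12:24:39 afs-test krb5kdc[1498](info): TGS_REQ (5 etypes {18 17
23 24 -135}) 192.168.87.249: ISSUE: authtime 1306405479, etypes {rep=18
tkt=18 ses=18}, cprono at MEDIASERVICE-TEST.PRI for
host/vmtest-pc.mediaservice-test.pri at MEDIASERVICE-TEST.PRI
May 26 12:24:39 afs-test krb5kdc[1498](info): AS_REQ (6 etypes {18 17 23
24 -135 3}) 192.168.87.249: ISSUE: authtime 1306405479, etypes {rep=18
tkt=18 ses=18},
host/vmtest-pc.mediaservice-test.pri at MEDIASERVICE-TEST.PRI for
krbtgt/MEDIASERVICE-TEST.PRI at MEDIASERVICE-TEST.PRI
"""

def etype_name(n):
    # Negative etype numbers are private-use values, so report them by number.
    return ETYPES.get(n, f"private-use({n})" if n < 0 else f"etype-{n}")

def parse_issued(log):
    # Undo mail wrapping and the archive's "@" obfuscation, then match entries.
    text = " ".join(log.split()).replace(" at ", "@")
    events = []
    for m in ISSUE.finditer(text):
        dep = [etype_name(int(x)) for x in m["offered"].split() if int(x) in DEPRECATED]
        events.append({"req": m["req"], "client": m["client"],
                       "service": m["service"],
                       "session": etype_name(int(m["ses"])), "deprecated_offered": dep})
    return events

if __name__ == "__main__":
    for e in parse_issued(SAMPLE):
        print(e["req"], e["client"], "->", e["service"], e["deprecated_offered"])
```

Only entries with status ISSUE are matched; other KDC statuses use a different line layout and are skipped.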