Windows7 and Kerberos trust relationship

Claudio Prono claudio.prono at atpss.net
Thu May 26 06:24:10 EDT 2011


Hi,

I am playing with Windows 7 and Kerberos authentication with MIT
Kerberos 1.8.3.

My test is the following: authenticate a Windows 7 machine with Kerberos.

So, I have installed a test Windows 7, and a test OpenSuSE 11.4 with
Kerberos. I configured Kerberos and installed Kerberos for Windows 3.2.2
on the Windows 7. I tested it with Network Identity Manager, and the
client gets the ticket perfectly, can change password, etc.

Then, I have followed the following guide to add a Windows 7 to an
external KDC:
https://wiki.ncsa.illinois.edu/display/ITS/Windows+7+Kerberos+Login+using+External+Kerberos+KDC

So, my Kerberos database now has the following keys:

K/M@MEDIASERVICE-TEST.PRI
admin@MEDIASERVICE-TEST.PRI
afs@MEDIASERVICE-TEST.PRI
cprono@MEDIASERVICE-TEST.PRI
host/vmtest-pc.mediaservice-test.pri@MEDIASERVICE-TEST.PRI
kadmin/admin@MEDIASERVICE-TEST.PRI
kadmin/afs-test@MEDIASERVICE-TEST.PRI
kadmin/changepw@MEDIASERVICE-TEST.PRI
kadmin/history@MEDIASERVICE-TEST.PRI
krbtgt/MEDIASERVICE-TEST.PRI@MEDIASERVICE-TEST.PRI

Then, I try to log in with the Windows client, but it says to me "The
trust relationship with the domain has failed", or something similar
(sorry, it is a translation from Italian).

In the Kerberos log I see this:

May 26 12:24:39 afs-test krb5kdc[1498](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.87.249: ISSUE: authtime 1306405479, etypes {rep=18 tkt=18 ses=18}, cprono@MEDIASERVICE-TEST.PRI for krbtgt/MEDIASERVICE-TEST.PRI@MEDIASERVICE-TEST.PRI
May 26 12:24:39 afs-test krb5kdc[1498](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.87.249: ISSUE: authtime 1306405479, etypes {rep=18 tkt=18 ses=18}, cprono@MEDIASERVICE-TEST.PRI for host/vmtest-pc.mediaservice-test.pri@MEDIASERVICE-TEST.PRI
May 26 12:24:39 afs-test krb5kdc[1498](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.87.249: ISSUE: authtime 1306405479, etypes {rep=18 tkt=18 ses=18}, host/vmtest-pc.mediaservice-test.pri@MEDIASERVICE-TEST.PRI for krbtgt/MEDIASERVICE-TEST.PRI@MEDIASERVICE-TEST.PRI

Seems all right, but the client doesn't log in... I have also tried to
sniff the network traffic when the authentication is done, and this is
the result:

12:26:21.869814 IP 192.168.87.249.49298 > 192.168.87.253.88:  v5
12:26:21.870887 IP 192.168.87.253.88 > 192.168.87.249.49298:  v5
12:26:21.888886 IP 192.168.87.249.49299 > 192.168.87.253.88:
12:26:21.892069 IP 192.168.87.253.88 > 192.168.87.249.49299:
12:26:21.896066 IP 192.168.87.249.49300 > 192.168.87.253.88:  v5
12:26:21.897171 IP 192.168.87.253.88 > 192.168.87.249.49300:  v5

All the requests are to Kerberos, nothing more... So what is wrong?

Any help is well accepted naturally.

Cordially,

Claudio Prono.






-- 
--------------------------------------------------------------------------------
Claudio Prono                         OPST
System Developer               
                                      Gsm: +39-349-54.33.258
@PSS Srl                              Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
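
Added example, not part of the original post: a small parser for the krb5kdc "ISSUE" entries quoted in the message, which decodes the etype numbers and shows which principal asked for which ticket. The function names are hypothetical, and the sample is constructed from the three log entries in the post, unwrapped to one entry per line with "@" in the principal names.

```python
import re

# Etype numbers seen in the log, from the IANA Kerberos etype registry;
# -135 is a Microsoft-private value sent by Windows clients.
ETYPES = {
    18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp", 3: "des-cbc-md5",
    -135: "rc4-hmac-old-exp (Microsoft)",
}
WEAK = {3, 24, -135}  # single DES and export-grade RC4

# Matches only entries where a ticket was issued (status ISSUE).
LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[-\d ]+)\}\) (?P<ip>\S+): ISSUE: "
    r"authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\}, (?P<client>\S+) for (?P<server>\S+)")

# Constructed sample: the three entries from the post, one per line.
P = "May 26 12:24:39 afs-test krb5kdc[1498](info): "
R = "MEDIASERVICE-TEST.PRI"
T = "192.168.87.249: ISSUE: authtime 1306405479, etypes {rep=18 tkt=18 ses=18}, "
H = f"host/vmtest-pc.mediaservice-test.pri@{R}"
SAMPLE = "\n".join([
    f"{P}AS_REQ (6 etypes {{18 17 23 24 -135 3}}) {T}cprono@{R} for krbtgt/{R}@{R}",
    f"{P}TGS_REQ (5 etypes {{18 17 23 24 -135}}) {T}cprono@{R} for {H}",
    f"{P}AS_REQ (6 etypes {{18 17 23 24 -135 3}}) {T}{H} for krbtgt/{R}@{R}",
])

def parse(log):
    """Return one dict per issued ticket found in the log text."""
    events = []
    for m in LINE.finditer(log):
        e = m.groupdict()
        e["offered"] = [int(x) for x in e["offered"].split()]
        for key in ("rep", "tkt", "ses"):
            e[key] = int(e[key])
        e["weak_offered"] = sorted(WEAK.intersection(e["offered"]))
        events.append(e)
    return events

def summarize(events):
    """One readable line per event, with etype numbers replaced by names."""
    return [f"{e['req']} {e['client']} -> {e['server']} "
            f"session={ETYPES.get(e['ses'], e['ses'])} "
            f"weak offered={[ETYPES.get(t, t) for t in e['weak_offered']]}"
            for e in events]

if __name__ == "__main__":
    print("\n".join(summarize(parse(SAMPLE))))
```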






