cross-realm trust MIT and Windows 2008 - Authentication issues

Douglas E. Engert deengert at anl.gov
Thu Aug 2 14:27:57 EDT 2012



On 8/2/2012 12:08 PM, C.Racky at t-online.de wrote:
> Greetings,
>
> I have the following setup:
>
> - A MIT Kerberos realm MITREALM containing user principals (user@MITREALM)
> - A Windows 2008 Active Directory ADS.NET which is configured on DC adsdc01.
> - A Windows 2008 domain member admember within the ADS.NET domain.
> - There is a cross-realm trust between ADS.NET and MIT realm MITREALM.
> - The local Windows account has got a Kerberos mapping.
>
> Login using principal user@MITREALM works on all systems of the ADS.NET
> domain successfully. But access from adsdc01 to admember, or from admember
> to a network drive of adsdc01 (below), does not work.
>
> Unexpectedly I see the following log entries on the MIT Kerberos server:
>
> Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
> Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
> Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
> Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
> Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for cifs/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
> Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (1 etypes {18}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
> Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
> Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
> Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (1 etypes {18}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
> Jul 23 17:39:29 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for ldap/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
>
> ==> It seems as if the Windows system looks for the service principal on
> the MIT system instead of the Windows DC.


Sounds like referrals, this might work:

  http://web.mit.edu/kerberos/krb5-current/doc/krb_admins/realm_config.html
  "Mapping hostnames onto Kerberos realms" second method.

>
> Do you understand this?
> Is there any general limitation of Windows related to cross-realm
> trusts and services like cifs, ldap?
> Can you please help me? Maybe it is just a misconfiguration, but I
> have spent several days on this issue now without any progress.
>
> Best regards
> Chris
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
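Reading the quoted KDC log programmatically, as an added example that is not code from this thread, from MIT Kerberos, or from either poster: the script parses the krb5kdc lines, records that the MIT KDC did issue cross-realm TGTs for ADS.NET but answered UNKNOWN_SERVER for the cifs/ and ldap/ principals on adsdc01.ads.net, and drafts the [domain_realm] entries which, placed in the MIT KDC's own krb5.conf, let a KDC that supports host-based referrals (krb5 1.7 and later) answer such a request with a referral to ADS.NET rather than UNKNOWN_SERVER. The sample input is the log from the original message rejoined onto single lines; pairing the DNS domain ads.net with the realm ADS.NET because the names match is a heuristic of this example, not a Kerberos rule, and any domain it cannot pair is reported for a human to assign.

```python
"""Diagnose the pattern in the quoted krb5kdc log: cross-realm TGTs for
ADS.NET are issued, but host-based service requests for adsdc01.ads.net
hit UNKNOWN_SERVER because the MIT KDC has no realm mapping for the host's
DNS domain.  Added example for this thread; not MIT Kerberos code and not
code from either poster."""
import re
from collections import defaultdict

# One krb5kdc AS_REQ/TGS_REQ line, in its ISSUE or error variant.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) "
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): authtime (?P<authtime>\d+), "
    r"(?:etypes \{[^}]*\}, )?(?P<client>\S+) for (?P<server>[^\s,]+)"
    r"(?:, (?P<detail>.*))?$"
)

# The KDC log quoted in the original message, rejoined onto single lines.
SAMPLE_LOG = """\
Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for cifs/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (1 etypes {18}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (1 etypes {18}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:29 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for ldap/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
"""


def parse_kdc_log(lines):
    """Return one dict per recognised AS_REQ/TGS_REQ line; other lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def split_principal(princ):
    """'cifs/adsdc01.ads.net@MITREALM' -> ('cifs', 'adsdc01.ads.net', 'MITREALM')."""
    name, realm = princ.rsplit("@", 1)
    svc, _, inst = name.partition("/")
    return svc, inst, realm


def trusted_realms(records):
    """Realms for which this KDC issued a cross-realm TGT (krbtgt/OTHER@LOCAL)."""
    realms = set()
    for r in records:
        if r["req"] == "TGS_REQ" and r["status"] == "ISSUE":
            svc, inst, realm = split_principal(r["server"])
            if svc == "krbtgt" and inst and inst != realm:
                realms.add(inst)
    return realms


def unmapped_hosts(records):
    """Host-based service principals rejected with UNKNOWN_SERVER, keyed by the
    DNS domain of the host: the domains the KDC has no realm mapping for."""
    by_domain = defaultdict(set)
    for r in records:
        if r["req"] == "TGS_REQ" and r["status"] == "UNKNOWN_SERVER":
            svc, inst, _realm = split_principal(r["server"])
            if svc == "krbtgt" or "." not in inst:
                continue  # not a host-based principal with a DNS domain
            domain = inst.split(".", 1)[1].lower()
            by_domain[domain].add(f"{svc}/{inst}")
    return dict(by_domain)


def map_domains(records):
    """Pair each unmapped DNS domain with a trusted realm whose name equals the
    domain case-insensitively (ads.net -> ADS.NET).  That pairing is an
    assumption of this example, not a Kerberos rule; domains with no such
    realm are returned separately for a human to assign."""
    realms = {r.lower(): r for r in trusted_realms(records)}
    mapping, unresolved = {}, []
    for domain in sorted(unmapped_hosts(records)):
        if domain in realms:
            mapping[domain] = realms[domain]
        else:
            unresolved.append(domain)
    return mapping, unresolved


def render_domain_realm(mapping):
    """Render a [domain_realm] fragment for the MIT KDC's krb5.conf.  With it in
    place, a KDC that supports host-based referrals (krb5 1.7+) answers a request
    for cifs/adsdc01.ads.net with a referral to ADS.NET instead of UNKNOWN_SERVER."""
    lines = ["[domain_realm]"]
    for domain, realm in sorted(mapping.items()):
        lines.append(f"    .{domain} = {realm}")  # every host under the domain
        lines.append(f"    {domain} = {realm}")   # the bare domain name itself
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_kdc_log(SAMPLE_LOG.splitlines())
    print(f"parsed {len(recs)} KDC records; cross-realm TGTs issued for: "
          f"{sorted(trusted_realms(recs))}")
    for domain, hosts in unmapped_hosts(recs).items():
        print(f"no realm mapping for .{domain}: {', '.join(sorted(hosts))}")
    mapping, unresolved = map_domains(recs)
    print(render_domain_realm(mapping))
    if unresolved:
        print("domains needing a manual realm assignment:", ", ".join(unresolved))
```

The KDC-side [domain_realm] entries only change how the MIT KDC answers requests for host-based principals it does not hold; they do not alter the cross-realm trust itself, and a client-side [domain_realm] mapping (the first method on the page Douglas links) remains the alternative when the client, not the KDC, is to pick the realm.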



