Windows Login against Linux KDC

Douglas E. Engert deengert at anl.gov
Fri May 4 10:11:39 EDT 2012



On 5/4/2012 4:14 AM, Robert Wehn wrote:
> Hi Tiago,
>
> start here:
> http://technet.microsoft.com/en-us/library/bb742433.aspx#EDAA
> Section "Using an MIT KDC with a Standalone Windows 2000 Workstation"
>
> Since Vista/Server 2008 Windows supports the following Encryption Types:
> AES256-CTS-HMAC-SHA1-96  (new since Vista/2008)
> AES128-CTS-HMAC-SHA1-96  (new since Vista/2008)
> RC4-HMAC                 (best available for Win XP / Server 2003)
> DES-CBC-CRC              (insecure)
> DES-CBC-MD5              (insecure)
>
> So to use it with Windows you need AES256, AES 128 and RC4-HMAC (if you
> want to be able to use older OS versions)
>
> Every User has to be created locally on every Windows machine and mapped
> to its kerberos account, but you can script that.
>
> The tool you need is "ksetup.exe" and the "net user" command for the
> Windows command line.
>
> Robert.
>
>
> On 03.05.2012 16:52, Tiago Elvas wrote:
>> Hi all,
>>
>> I am struggling to configure my Windows machine running a Windows Server
>> 2008.
>>
>> 1- I have established a domain with a KDC running on a Redhat 5.7 machine.
>> I have correctly configured other Linux machine to retrieve tickets on
>> login ('su' and 'ssh' through PAM)
>> 2- In the Windows machine, I am able to manually retrieve tickets with the
>> "Network Identity Manager".
>>
>> Now what I wanted to do is to restrict the login in the Windows machine to
>> those users who are able to authenticate against the Linux KDC (apart from
>> an Administrator account). So if user "tiago" is not defined in the KDC he
>> cannot login to this (Windows) machine.

In addition to what Robert said above, you said this machine is a Windows 2008
Server. Was it configured to be in a domain? If so, you will also need to follow
the section:
   "Setting Trust With a Kerberos Realm"

Note: DES is turned off by default in 2008.

>>
>> Can anybody give some tips on how to do this?
>>
>> Many thanks in advance.
>>
>> Best regards,
>> Tiago
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
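The ksetup.exe / "net user" procedure Robert describes, written out as a script. This is an added example, not part of the thread or the TechNet article; the realm EXAMPLE.ORG, the KDC host kdc.example.org, the host principal password placeholder and the user list are assumptions, and /setenctypeattr is assumed to be available (Windows 7 / Server 2008 R2 and later).

```powershell
# Added example (not from the thread). Assumed values: realm EXAMPLE.ORG,
# KDC host kdc.example.org, and the user list below. Run in an elevated
# PowerShell on a standalone (non-domain) workstation; reboot afterwards.
$Realm = 'EXAMPLE.ORG'
$Kdc   = 'kdc.example.org'
$Users = @('tiago', 'alice')   # principals that already exist in the MIT KDC

# Point the workstation at the MIT realm instead of an AD domain.
ksetup /setdomain $Realm
ksetup /addkdc $Realm $Kdc
ksetup /addkpasswd $Realm $Kdc

# The host principal host/<workstation fqdn>@EXAMPLE.ORG must first be created
# in the KDC (kadmin: addprinc host/ws1.example.org) with this same password.
ksetup /setcomputerpassword 'HOST-PRINCIPAL-PASSWORD-PLACEHOLDER'

# Negotiate only AES with this realm: DES is off by default on 2008 and
# RC4-HMAC is only worth enabling if XP/2003 clients must use the realm.
ksetup /setenctypeattr $Realm AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96

foreach ($u in $Users) {
    # Create the local account if it is missing. Its local password is never
    # used for Kerberos logon, so give it a long random value and never expire it.
    net user $u *> $null
    if ($LASTEXITCODE -ne 0) {
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $pw = [Convert]::ToBase64String($bytes)
        net user $u $pw /add /passwordchg:no /expires:never
    }
    # Map the Kerberos principal to the local account. Because mapping is
    # explicit (no /mapuser * *), a principal that is not mapped cannot log on,
    # which is the restriction Tiago asked for.
    ksetup /mapuser "$u@$Realm" $u
}

# Print the realm, KDC and user mappings so the result can be verified.
ksetup
```

Only the local Administrator account (which is not mapped) and the listed principals can then log on; removing a mapping with `ksetup /delmapuser` revokes a user without touching the KDC.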

