Windows Crossrealm trust with MIT Kerberos

C.Racky@t-online.de
Tue Mar 26 15:58:09 EDT 2013


Hello mailing list,

My situation / setup is as follows:

 1. MIT Kerberos Server holding MITREALM
 2. "usera" defined in MITREALM with password "password"
 3. Windows Domain MSWINAD domain controller "windc" with cross-realm trust to the MITREALM
 4. Domain member server "memberhost" in MSWINAD domain
 5. Account "usera" defined in MSWINAD domain. The account has a mapping configured to map MSWINAD local user "usera" to usera@MITREALM [1]
 6. "usera" has password "random" in domain MSWINAD (because each Windows user needs a password)

My issue is now:
If I try, as MIT authenticated (mapped) user "usera" on system "windc", to access a published CIFS share on server "memberhost", this works great via UNC, e.g. \\memberhost\publishedFolder [2].
But if I use the IP address in the UNC instead, it does not work, e.g. \\192.168.1.12\publishedFOlder [3].

One simple request leads to a lockout of the account.

Checking the traffic with network monitor shows that during one trial
the NTLM login was executed exactly 27 times
with the domain user and the password used by the current session
which is wrong for the domain account. 

Is this a known issue?
Are there any solutions to handle such situations?

How do you cover the account lockout issue?

Best regards,

Chris

Links:
------
[1] mailto:usera@MITREALM
[2] file://\\memberhost\publishedFolder
[3] file://\\192.168.1.12\publishedFOlder
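The two checks below are an added example and not part of the original post or of any Microsoft or MIT Kerberos tooling. The first classifies a UNC path by whether its server part is a hostname or an IP literal: Kerberos needs a service ticket for cifs/<hostname>, and an IP literal names no such SPN, so a Windows SMB client of the era in the post silently falls back to NTLM, which is the behaviour seen with \\192.168.1.12\publishedFOlder. The second counts failed NTLM logons per account in a trace and reports which accounts have reached a lockout threshold, so the retry storm (27 NTLM logons in one attempt) can be spotted before the domain controller locks the account. The trace line format, the sample lines and the threshold value are all constructed for this example; the real lockout threshold is a domain policy setting the post does not state, so it is passed in as a parameter.

```python
import ipaddress
import re
from collections import Counter

# --- 1. Will an SMB client use Kerberos or NTLM for this UNC path? ---------

UNC_RE = re.compile(r"^\\\\([^\\]+)\\(.*)$")


def unc_host(unc: str) -> str:
    """Return the server part of a UNC path such as \\\\server\\share."""
    m = UNC_RE.match(unc)
    if not m:
        raise ValueError(f"not a UNC path: {unc!r}")
    return m.group(1)


def is_ip_literal(host: str) -> bool:
    """True when the host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def expected_auth(unc: str) -> str:
    """Kerberos needs a ticket for cifs/<hostname>; an IP literal names no
    such SPN, so the SMB client falls back to NTLM (as observed in the post
    with an IP address in the UNC). Assumption: client of the post's era."""
    return "NTLM" if is_ip_literal(unc_host(unc)) else "Kerberos"


# --- 2. Spot the NTLM retry storm before the lockout threshold is hit ------

# Constructed sample trace for this example; the line format is invented
# here and is not the output of Network Monitor or any other real tool.
SAMPLE_TRACE = """\
2013-03-26 15:58:01 auth=NTLM src=192.168.1.50 dst=192.168.1.12 user=MSWINAD\\usera result=STATUS_LOGON_FAILURE
2013-03-26 15:58:01 auth=NTLM src=192.168.1.50 dst=192.168.1.12 user=MSWINAD\\usera result=STATUS_LOGON_FAILURE
2013-03-26 15:58:02 auth=NTLM src=192.168.1.50 dst=192.168.1.12 user=MSWINAD\\usera result=STATUS_LOGON_FAILURE
2013-03-26 15:58:02 auth=NTLM src=192.168.1.50 dst=192.168.1.12 user=MSWINAD\\usera result=STATUS_LOGON_FAILURE
2013-03-26 15:58:03 auth=NTLM src=192.168.1.51 dst=192.168.1.12 user=MSWINAD\\userb result=STATUS_LOGON_FAILURE
2013-03-26 15:58:04 auth=Kerberos src=192.168.1.52 dst=192.168.1.12 user=MITREALM\\usera result=STATUS_SUCCESS
"""

LINE_RE = re.compile(
    r"auth=(?P<auth>\S+) src=(?P<src>\S+) dst=\S+ user=(?P<user>\S+) result=(?P<result>\S+)"
)


def ntlm_failures(trace: str) -> Counter:
    """Count failed NTLM logons per account. Successful logons and Kerberos
    logons are ignored, since they do not count towards a lockout."""
    counts: Counter = Counter()
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if m and m["auth"] == "NTLM" and m["result"] != "STATUS_SUCCESS":
            counts[m["user"]] += 1
    return counts


def lockout_candidates(trace: str, threshold: int) -> list:
    """Accounts whose failed NTLM logons reached `threshold`. The domain's
    real lockout threshold is a policy value the post does not give, so it
    is a parameter here rather than a hard-coded assumption."""
    return sorted(u for u, n in ntlm_failures(trace).items() if n >= threshold)


if __name__ == "__main__":
    for path in (r"\\memberhost\publishedFolder", r"\\192.168.1.12\publishedFOlder"):
        print(f"{path}: {expected_auth(path)}")
    print("accounts at risk of lockout:", lockout_candidates(SAMPLE_TRACE, 3))
```

Run stand-alone, the script reports Kerberos for the hostname form and NTLM for the IP form, and lists MSWINAD\usera as at risk with a threshold of 3. In practice the same counting logic can be pointed at the domain controller's failed-logon audit events, and the UNC check can be applied to published links or logon scripts so that users are only ever handed hostname-based paths. Later Windows versions can be configured to attempt Kerberos against an IP-address SPN, which is why the classification is labelled as applying to clients of the post's era.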
