Windows Crossrealm trust with MIT Kerberos
C.Racky at t-online.de
Tue Mar 26 15:58:09 EDT 2013
My situation / setup is as follows:
1. MIT Kerberos server holding MITREALM
2. "usera" defined in MITREALM with password "password"
3. Windows domain MSWINAD, domain controller "windc" with a cross-realm trust to MITREALM
4. Domain member server "memberhost" in the MSWINAD domain
5. Account "usera" defined in the MSWINAD domain. The account has a mapping configured to map the MSWINAD local user "usera" to usera at MITREALM
6. "usera" has password "random" in domain MSWINAD (because each Windows user needs a password)
My issue is now:
If I try as MIT-authenticated (mapped) user "usera" on system "windc" to access a published CIFS share on server "memberhost", this works great via UNC, e.g.
But if I use the IP address in the UNC instead, it does not work, e.g.
One simple request leads to a lockout of the account.
Checking the traffic with Network Monitor shows that during one trial the NTLM login was executed exactly 27 times with the domain user and the password used by the current session, which is wrong for the domain account.
Is this a known issue?
Are there any solutions to handle such situations?
How do you cover the account lockout issue?
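An added check, not part of the original post and not code from MIT Kerberos or Windows, that a practitioner would want before reproducing the scenario above. It takes a UNC path, reports whether the server component is an IP literal (a Windows SMB client builds no cifs/<host> SPN from an IP literal, so it negotiates NTLM, which is the fallback the post observes) and, when it is, proposes the name-based path via reverse DNS together with the SPN that Kerberos would need. A second function asks the local klist.exe for that service ticket, so Kerberos reachability can be confirmed without an NTLM logon against the share counting toward the lockout threshold. The host names and address in the usage lines are placeholders, not the poster's machines.

```powershell
# Added example (not part of the original post). Classifies the server
# component of a UNC path: IP literal (NTLM fallback) vs. host name (Kerberos).
function Test-UncKerberosTarget {
    param(
        [Parameter(Mandatory)]
        [string]$UncPath
    )

    # \\server\share -> server  (the -split pattern is a regex for one backslash)
    $server = ($UncPath.TrimStart('\') -split '\\')[0]

    $ip = $null
    $isIpLiteral = [System.Net.IPAddress]::TryParse($server, [ref]$ip)

    $result = [ordered]@{
        UncPath      = $UncPath
        Server       = $server
        IsIpLiteral  = $isIpLiteral
        KerberosSpn  = $null
        SuggestedUnc = $null
        Note         = $null
    }

    if ($isIpLiteral) {
        # No name, no SPN: the client cannot request a cifs/ ticket and will
        # negotiate NTLM with the current session's credentials instead.
        $result.Note = 'IP literal: client builds no Kerberos SPN and falls back to NTLM.'
        try {
            # Reverse DNS to propose the name-based path that lets Kerberos work.
            $hostName = [System.Net.Dns]::GetHostEntry($ip).HostName
            $result.SuggestedUnc = $UncPath -replace [regex]::Escape($server), $hostName
            $result.KerberosSpn  = "cifs/$hostName"
        } catch {
            $result.Note += ' No reverse DNS entry; use the server host name in the UNC path.'
        }
    } else {
        $result.KerberosSpn = "cifs/$server"
        $result.Note = 'Host name: client can request a Kerberos service ticket for this SPN.'
    }

    [pscustomobject]$result
}

# Requests the service ticket through the built-in klist.exe ("klist get <SPN>"),
# which exercises Kerberos only, so a failure here does not produce the NTLM
# attempts that the post shows locking the domain account.
function Request-CifsTicket {
    param([Parameter(Mandatory)][string]$Spn)
    $output = & klist.exe get $Spn 2>&1
    [pscustomobject]@{
        Spn       = $Spn
        Succeeded = ($LASTEXITCODE -eq 0)
        Output    = ($output -join [Environment]::NewLine)
    }
}

# Usage (placeholder names and address, assumed for the example):
# Test-UncKerberosTarget '\\memberhost.mswinad.example\share'
# Test-UncKerberosTarget '\\192.0.2.10\share'
# Request-CifsTicket 'cifs/memberhost.mswinad.example'
```

Run the first function against every UNC path a script or user is about to open: a path whose `IsIpLiteral` is true is the one that will produce the NTLM attempts described above, and `SuggestedUnc` gives the name-based form that can be served by a Kerberos ticket instead.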