Windows LSA under a non-Windows domain

Santiago Rivas sanribu at gmail.com
Mon Oct 26 15:53:49 EDT 2009


After installing both "Windows 2000/XP support tools" and "Windows 2000/XP
Resource Kit" I run kerbtray but no credentials are found (list is empty).

Searching the web, I've found the link
http://mailman.mit.edu/pipermail/krbdev/2003-December/002106.html where you
give the steps to set MSLSA cache for a non-Microsoft KDC. But when I run
ksetup.exe I get the errors described in the attached file
(ksetup_error.txt).
Could you please help me?

Thank you very much indeed!


2009/10/26 Douglas E. Engert <deengert at anl.gov>

>
>
> Santiago Rivas wrote:
>
>> Sorry Max,
>>
>> I'm afraid there must be a mistake, because all the Samba configuration work
>> is already done. I'm asking for information about LSA...
>>
>
> To see what is in the LSA, use the Microsoft kerbtray and/or klist
> commands,
> or the Network Identity Manager.
>
> runas with /user will run a command under a different user and will
> set the LSA. Also look at the /netonly option too.
>
> Also see the Microsoft ksetup command, useful with non-AD Kerberos realms.
>
>
>
>
>> Thanks!
>>
>> 2009/10/26 Max (Weijun) Wang <Weijun.Wang at sun.com>
>>
>>> http://www.ibm.com/developerworks/aix/library/au-unixothers/
>>>
>>> Also, Googling "Samba as Windows Domain Controller" shows a lot of
>>> results.
>>>
>>> --Max
>>>
>>>
>>> On Oct 26, 2009, at 7:01 PM, Santiago Rivas wrote:
>>>
>>>> Hi everyone,
>>>
>>>> I'm setting up Kerberos to work on Windows XP machines managed by a Samba
>>>> as PDC.
>>>>
>>>> Thanks to your support, I know how to configure the credentials file cache
>>>> on Windows platform. Next step is learn how to use Local Security Authority
>>>> (LSA) in order to obtain TGT automatically from user logon.
>>>>
>>>> I've read several documents on the web
>>>> (http://java.sun.com/javase/6/docs/technotes/guides/security/kerberos/jgss-windows.html)
>>>> and I get an idea, but still have some questions to ask:
>>>>
>>>> - Is it required to be under an Active Directory Windows Domain for LSA to
>>>> gather the credentials? I ask it because most of the articles that I've read
>>>> about LSA assume to be on that scenario, nevertheless I'm using openldap and
>>>> Samba (as I mentioned before).
>>>>
>>>> - If it's possible to use LSA under a non-Windows domain, is there any extra
>>>> configuration needed? (besides the *allowtgtsessionkey* registry change)
>>>>
>>>> Thanks in advance!
>>>> _______________________________________________
>>>> krbdev mailing list             krbdev at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>>>
>>>>
> --
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
-------------- next part: attachment ksetup_error.txt --------------
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\santi>ksetup
Machine is not configured to log on to an external KDC.  Probably a workgroup member
Failed to create Kerberos key: 5 (0x5)

C:\Documents and Settings\santi>ksetup /addkdc ZIGIA.ORG
Failed to create Kerberos key: 5 (0x5)
Failed to open Kerberos Key: 0x5
NOTE: /AddKdc requires a reboot to take effect on pre-SP1 Win2000 computers

C:\Documents and Settings\santi>ksetup /addkdc ZIGIA.ORG krb.zigia.org
Failed to create Kerberos key: 5 (0x5)
Failed to open Kerberos Key: 0x5
Failed /AddKdc : 0xc0000001

C:\Documents and Settings\santi>ksetup /setrealm ZIGIA.ORG
Setting Dns Domain
Failed to set dns domain info: 0xc0000022
Failed /SetRealm : 0xc0000022

