Windows LSA under a non-Windows domain

Douglas E. Engert deengert at anl.gov
Mon Oct 26 17:08:38 EDT 2009



Santiago Rivas wrote:
> After installing both "Windows 2000/XP support tools" and "Windows
> 2000/XP Resource Kit" I run kerbtray but no credentials are found (list is
> empty).
> 
> Searching the web, I've found the link
> http://mailman.mit.edu/pipermail/krbdev/2003-December/002106.html where you
> give the steps to set MSLSA cache for a non-Microsoft KDC. But when I run
> ksetup.exe I get the errors described in the attached file
> (ksetup_error.txt)
> Could you please help me?

That note was from 6 years ago. There is a ksetup for XP SP2.
Google for:  site:microsoft.com ksetup download

The LSA would be empty unless you logged into XP using  AD or Samba
using Kerberos.  (The Microsoft kinit or runas should also update the LSA.)

Are you using NTLM by chance?

If you are using Samba, you might be better off asking your questions
on how to set up a Samba client to use Kerberos on that list.


> 
> Thank you very much indeed!
> 
> 
> 2009/10/26 Douglas E. Engert <deengert at anl.gov>
> 
>>
>> Santiago Rivas wrote:
>>
>>> Sorry Max,
>>>
>>> I'm afraid there must be a mistake, cause all the Samba configuration work
>>> is already done. I'm asking for information about LSA...
>>>
>> To see what is in the LSA, use the Microsoft kerbtray and/or klist
>> commands, or the Network Identity Manager.
>>
>> runas with /user will run a command under a different user and will
>> set the LSA. Also look at the /netonly option too.
>>
>> Also see the Microsoft ksetup command, useful with non-AD Kerberos realms.
>>
>>
>>
>>
>>> Thanks!
>>>
>>> 2009/10/26 Max (Weijun) Wang <Weijun.Wang at sun.com>
>>>
>>>> http://www.ibm.com/developerworks/aix/library/au-unixothers/
>>>> Also, Googling "Samba as Windows Domain Controller" shows a lot of
>>>> results.
>>>>
>>>> --Max
>>>>
>>>>
>>>> On Oct 26, 2009, at 7:01 PM, Santiago Rivas wrote:
>>>>
>>>>> Hi everyone,
>>>>>
>>>>> I'm setting up Kerberos to work on Windows XP machines managed by a
>>>>> Samba as PDC.
>>>>>
>>>>> Thanks to your support, I know how to configure the credentials file
>>>>> cache on Windows platform. Next step is to learn how to use Local Security
>>>>> Authority (LSA) in order to obtain TGT automatically from user logon.
>>>>>
>>>>> I've read several documents on the web (
>>>>> http://java.sun.com/javase/6/docs/technotes/guides/security/kerberos/jgss-windows.html
>>>>> ) and I get an idea, but still have some questions to ask:
>>>>>
>>>>> - Is it required to be under an Active Directory Windows Domain for LSA
>>>>> to gather the credentials? I ask it because most of the articles that I've
>>>>> read about LSA assume to be on that scenario, nevertheless I'm using openldap
>>>>> and Samba (as I mentioned before).
>>>>>
>>>>> - If it's possible to use LSA under a non-Windows domain, is there any
>>>>> extra configuration needed? (besides the *allowtgtsessionkey* registry change)
>>>>>
>>>>> Thanks in advance!
>>>>> _______________________________________________
>>>>> krbdev mailing list             krbdev at mit.edu
>>>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>>>>
>>>>>
>>>
>>>
>>>
>> --
>>
>>  Douglas E. Engert  <DEEngert at anl.gov>
>>  Argonne National Laboratory
>>  9700 South Cass Avenue
>>  Argonne, Illinois  60439
>>  (630) 252-5444
>>
>>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


