Windows LSA under a non-Windows domain

Santiago Rivas sanribu at gmail.com
Mon Oct 26 17:58:37 EDT 2009


> That note was from 6 years ago. There is a ksetup for XP SP2
> Google for:  site:microsoft.com ksetup download
>
>> On the client side, I'm working with Windows XP Pro SP3 and the support
tools were installed from CD/Support/Tools/Suptools.exe ... Do you think I
should still install "ksetup for XP SP2"? <<


> The LSA would be empty unless you logged into XP using  AD or Samba
> using Kerberos.  (The Microsoft kinit or runas should also update the LSA.)


> Are you using NTLM by chance?
>

>> I don't think so, at least consciously. But how do I know it? <<

>
> If you are using Samba, you might be better off asking your questions
> on how to set up a Samba client to use Kerberos on that list.
>
>
>> Now that you mention it, I've checked KDC log and I see that an error is
generated when user logs on client WinXP machine. Hum... so I'm mistaking on
Samba configuration (and I guess that's why Max told me to google for "Samba
as Windows Domain Controller").

Thanks, Douglas, for pointing it out. <<


>
>
>> Thank you very much indeed!
>>
>>
>> 2009/10/26 Douglas E. Engert <deengert at anl.gov>
>>
>>
>>> Santiago Rivas wrote:
>>>
>>>> Sorry Max,
>>>>
>>>> I'm afraid there must be a mistake, cause all the Samba configuration
>>>> work is already done. I'm asking for information about LSA...
>>>
>>> To see what is in the LSA, use the Microsoft kerbtray and/or klist
>>> commands, or the Network Identity Manager.
>>>
>>> runas with /user will run a command under a different user and will
>>> set the LSA. Also look at the /netonly option too.
>>>
>>> Also see the Microsoft ksetup command, useful with non-AD Kerberos
>>> realms.
>>>
>>>> Thanks!
>>>>
>>>> 2009/10/26 Max (Weijun) Wang <Weijun.Wang at sun.com>
>>>>
>>>>> http://www.ibm.com/developerworks/aix/library/au-unixothers/
>>>>>
>>>>> Also, Googling "Samba as Windows Domain Controller" shows a lot of
>>>>> results.
>>>>>
>>>>> --Max
>>>>>
>>>>>
>>>>> On Oct 26, 2009, at 7:01 PM, Santiago Rivas wrote:
>>>>>
>>>>>> Hi everyone,
>>>>>>
>>>>>> I'm setting up Kerberos to work on Windows XP machines managed by a
>>>>>> Samba as PDC.
>>>>>>
>>>>>> Thanks to your support, I know how to configure the credentials file
>>>>>> cache on Windows platform. Next step is learn how to use Local Security
>>>>>> Authority (LSA) in order to obtain TGT automatically from user logon.
>>>>>>
>>>>>> I've read several documents on the web (
>>>>>> http://java.sun.com/javase/6/docs/technotes/guides/security/kerberos/jgss-windows.html
>>>>>> ) and I get an idea, but still have some questions to ask:
>>>>>>
>>>>>> - Is it required to be under an Active Directory Windows Domain for
>>>>>> LSA to gather the credentials? I ask it because most of the articles that
>>>>>> I've read about LSA assume to be on that scenario, nevertheless I'm using
>>>>>> openldap and Samba (as I mentioned before).
>>>>>>
>>>>>> - If it's possible to use LSA under a non-Windows domain, is there any
>>>>>> extra configuration needed? (besides the *allowtgtsessionkey* registry
>>>>>> change)
>>>>>>
>>>>>> Thanks in advance!
>>>>>> _______________________________________________
>>>>>> krbdev mailing list             krbdev at mit.edu
>>>>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>>>>>
>>>>>>
>>>> --
>>>
>>>  Douglas E. Engert  <DEEngert at anl.gov>
>>>  Argonne National Laboratory
>>>  9700 South Cass Avenue
>>>  Argonne, Illinois  60439
>>>  (630) 252-5444
>>>
>>>
>>
> --
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>

