
Re: MIT to Windows 2k interoperability problems

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Jun 22 16:17:37 2005

Message-ID: <42B9C611.3000402@anl.gov>
Date: Wed, 22 Jun 2005 16:12:01 -0400
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: amiliv@gmail.com
In-Reply-To: <1119387044.766800.58520@g14g2000cwa.googlegroups.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

Google for: cross-realm windows kerberos

Then read:
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

amiliv@gmail.com wrote:

> Hi,
> 
> I've got a small problem with Kerberos, and couldn't seem to be able to
> find a solution by simply Googling around...
> 
> I changed my Kerberos domain name.  Basically, I just wiped out the old
> KDC and reinstalled from scratch (it was testing only, so no real
> users on it anyhow).  There was a one-way trust between the old domain and
> another Kerberos domain (part of a Windows 2000 Active Directory).
> 
> Before the change, I had saslauthd running on the Unix side, and it was
> able to authenticate users against Active Directory (using Kerberos).
> After the change, I did exactly the same steps, but things simply don't
> work anymore.  The interesting thing is that I also added a slave server, and
> if saslauthd is going through the slave, it can successfully
> authenticate users on the Windows Kerberos domain.  My guess is that
> there's some stale information about the old domain and associated accounts
> on the Windows side (created with ktpass.exe) that needs to be wiped out
> too.
> 
> All I could find on the web is how to initially make things work.
> In short, set up an account for the Unix host in Active Directory, associate the
> host Kerberos principal with that account and create a key using
> ktpass.exe, and import the key into /etc/krb5.keytab on the Unix side.  But no
> info on how to undo it (the part on the Windows side; removing the key from
> krb5.keytab is trivial), so that I can recreate the host principal for my
> master KDC in a clean way.  As I said, I guess my problems are due to
> stale information for the host principal on the Windows side.
> 
> I hope somebody could give me a hint or two to get me going in the right
> direction.
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
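An added example, not from the original thread or from MIT Kerberos itself: a small Python parser for the MIT keytab file format (version 0x0502) that inventories a keytab such as /etc/krb5.keytab by principal, realm, kvno and enctype, so entries left over from the old realm can be found and removed before the host principal is re-created and re-keyed with ktpass.exe. The sample keytab, realm names, kvnos and key bytes are constructed for the example; build_keytab exists only to produce that sample.

```python
import struct

def _cs(b):  # counted octet string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Build a minimal format-0x0502 keytab from (principal, kvno, enctype, key) tuples (sample input only)."""
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cs(realm.encode())
        body += b"".join(_cs(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type=KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _cs(key)   # keyblock
        body += struct.pack(">I", kvno)                 # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [{principal, realm, kvno, enctype}] for every live entry in a 0x0502 keytab."""
    assert data[:2] == b"\x05\x02", "only keytab format 0x0502 is handled here"
    def cs(p):
        n, = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n], p + 2 + n
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:                 # negative size marks a deleted slot, zero is padding; skip it
            pos -= size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos)
        realm, p = cs(pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = cs(p)
            comps.append(c.decode())
        vno8 = data[p + 8]            # after name_type (4 bytes) and timestamp (4 bytes)
        enctype, = struct.unpack_from(">H", data, p + 9)
        _key, p = cs(p + 11)          # the key itself is not needed for the inventory
        vno32 = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "realm": realm.decode(), "kvno": vno32 or vno8, "enctype": enctype})
        pos = end
    return entries

def stale_entries(entries, current_realm):
    """Entries whose realm is not the one the KDC now serves: remove these before re-keying the host."""
    return [e for e in entries if e["realm"] != current_realm]
```

On a real host, read a copy of the keytab with `parse_keytab(open("/etc/krb5.keytab", "rb").read())` and compare the result with `klist -ekt /etc/krb5.keytab`; the kvno listed for the host principal must match what the Windows side has for that account, or tickets issued there will not decrypt.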
