[24133] in Kerberos
Re: MIT to Windows 2k interoperability problems
daemon@ATHENA.MIT.EDU (Jeffrey C Albro)
Wed Jun 22 17:15:20 2005
Date: Wed, 22 Jun 2005 17:13:50 -0400 (EDT)
From: Jeffrey C Albro <jalbro@bu.edu>
To: "Douglas E. Engert" <deengert@anl.gov>
In-Reply-To: <42B9C611.3000402@anl.gov>
Message-ID: <Pine.LNX.4.58.0506221709070.4212@signals10.bu.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: amiliv@gmail.com
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
That is a very good document, but needs to be read REALLY carefully...
I'll add some hints:
To check that you cleaned things up correctly, you can use adsiedit.msc on
the windows side to make sure you don't have duplicate
serviceprincipalnames.
ktpass requires a new, made-up password (most MS documentation doesn't
make this clear).
Also, the ktpass documents suggest you can create a serviceprincipalname
WITHOUT mapping to a user (no -mapuser). I have no idea what that
means.
-Jeff
-----------------------------------------------------------
Jeffrey Albro | Systems Administrator | Boston University
- Department of Electrical and Computer Engineering -
jalbro@bu.edu | Photonics, Room 305 | 617-358-2785
-----------------------------------------------------------
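The adsiedit.msc check above can be done in bulk. The following PowerShell script is an added example, not part of the thread: it queries every account carrying a servicePrincipalName over ADSI and lists any SPN registered on more than one account (the typical leftover of an old ktpass mapping). It assumes it runs as a domain user on a domain-joined Windows host and discovers the naming context from RootDSE.

```powershell
# Added example (not from the thread): find servicePrincipalName values that
# appear on more than one Active Directory account. A duplicate SPN (the old
# ktpass-created account and the new one both claiming host/unixbox...) lets
# the KDC pick either account's key, so the Unix keytab may never match.
# Assumptions: run as a domain user on a domain-joined host; the default
# naming context is read from RootDSE instead of being hard-coded.

$root = [ADSI]"LDAP://RootDSE"
$searchBase = [ADSI]("LDAP://" + $root.defaultNamingContext)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchBase)
$searcher.Filter = "(servicePrincipalName=*)"   # any account with at least one SPN
$searcher.PageSize = 1000                       # page through large domains
$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "servicePrincipalName"))

# SPN (lower-cased; AD matches SPNs case-insensitively) -> DNs that carry it
$spnOwners = @{}
foreach ($result in $searcher.FindAll()) {
    $dn = $result.Properties["distinguishedname"][0]
    foreach ($spn in $result.Properties["serviceprincipalname"]) {
        $key = $spn.ToLower()
        if (-not $spnOwners.ContainsKey($key)) { $spnOwners[$key] = @() }
        $spnOwners[$key] += $dn
    }
}

# Report only the SPNs owned by two or more accounts
$duplicates = $spnOwners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if (-not $duplicates) {
    Write-Output "No duplicate servicePrincipalNames found."
} else {
    foreach ($entry in $duplicates) {
        Write-Output ("DUPLICATE: " + $entry.Key)
        $entry.Value | ForEach-Object { Write-Output ("    " + $_) }
    }
}
```

Each reported SPN should be left on exactly one account before re-running ktpass for the new realm's host principal.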
On Wed, 22 Jun 2005, Douglas E. Engert wrote:
> Google for: cross-realm windows kerberos
>
> Then read:
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
>
> amiliv@gmail.com wrote:
>
> > Hi,
> >
> > I've got a small problem with Kerberos, and couldn't seem to be able to
> > find a solution by simply Googling around...
> >
> > I changed my Kerberos domain name. Basically, I just wiped out old
> > KDC, and reinstalled from scratch (it was testing only, so no real
> > users on it anyhow). There was one-way trust between old domain and
> > another Kerberos domain (part of Windows 2000 Active Directory).
> >
> > Before the change, I had saslauthd running on Unix side, and it was
> > able to authenticate users against Active Directory (using Kerberos).
> > After the change, I did exactly the same steps, but things simply don't
> > work anymore. Interesting thing is that I also added slave server, and
> > if saslauthd is going through the slave, it can successfully
> > authenticate users on Windows Kerberos domain. My guess is that
> > there's some stale information about old domain and associated accounts
> > on Windows side (created with ktpass.exe) that needs to be wiped out
> > too.
> >
> > All I could find on the web is how to initially make things work.
> > In short, set up an account for the Unix host in Active Directory, associate
> > the host Kerberos principal with that account and create a key using
> > ktpass.exe, then import the key into /etc/krb5.keytab on the Unix side. But no
> > info on how to undo it (the part on the Windows side, removing key from
> > krb5.keytab is trivial), so that I can recreate host principal for my
> > master KDC in clean way. As I said, I guess my problems are due to
> > stale information for the host principal on the Windows side.
> >
> > I hope somebody could give me a hint or two to get me going in the right
> > direction.
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
> >
>
> --
>
> Douglas E. Engert <DEEngert@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444