[24079] in Kerberos
remote printing/drive mapping to windows ad with mit kerberos
daemon@ATHENA.MIT.EDU (David Botsch)
Tue Jun 14 17:12:11 2005
Date: Tue, 14 Jun 2005 17:11:30 -0400
From: David Botsch <dwb7@ccmr.cornell.edu>
To: kerberos@mit.edu
Message-ID: <20050614211130.GC23996@ccmr.cornell.edu>

Hi. We have successfully set up cross realm login to our Windows active domain
where a user logs in as user@MIT.KERBEROS.REALM ... this works fine if the user
is logging onto the console of a Windows machine in the domain.

However, if a user has his own machine, not in the Windows active directory
domain, things do not work. So, the scenario is this:

a user needs to map a Windows printer share or a drive share, authenticating as
user@MIT.KERBEROS.REALM -- any thoughts on how to make this work?

From what we can tell, the Windows client (we have been testing with XP SP2)
requests the krbtgt@MIT.KERB.REALM@MIT.KERB.REALM, and then either:

1. does a second AS request for this same tgt or
2. does a TGS request for cifs/windows-2003-server-fqdn@MIT.KERB.REALM

In the case of 1, after the two successful AS requests, nothing else happens.

In the case of 2, this fails, of course, because the principal does not exist
in the MIT Kerberos db. Ok, so adding this principal to the MIT Kerberos db is
easy enough. But, there seems to be no documentation on how to then add this
same principal to Windows with the same kvno/password.

But, as I said, sometimes 1 happens, and sometimes 2 happens.

I was expecting this to work the same, of course, as machines in the domain.
That is, obtain krbtgt/MITREALM@MITREALM, use this to do a TGS req for
krbtgt/WIN.AD.REALM@MITREALM, and then present this.

Any thoughts here?

Thanks!

--
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7@ccmr.cornell.edu
********************************
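
One way to tell the behaviours described in the message apart from the MIT KDC side, added here as an example and not part of the original post: a Python classifier over krb5kdc-style log lines that labels each client address as case 1, case 2, or the expected cross-realm TGT request. The sample log (timestamps trimmed), realm and host names, addresses and the names `classify` and `is_cross_realm_tgt` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of MIT krb5kdc log lines. Realms, hosts,
# users and addresses are placeholders, not values from the original post.
SAMPLE_LOG = """\
krb5kdc[411](info): AS_REQ (2 etypes {23 3}) 192.0.2.10: ISSUE: authtime 1118783401, etypes {rep=23 tkt=16 ses=23}, alice@MIT.EXAMPLE for krbtgt/MIT.EXAMPLE@MIT.EXAMPLE
krb5kdc[411](info): AS_REQ (2 etypes {23 3}) 192.0.2.10: ISSUE: authtime 1118783402, etypes {rep=23 tkt=16 ses=23}, alice@MIT.EXAMPLE for krbtgt/MIT.EXAMPLE@MIT.EXAMPLE
krb5kdc[411](info): AS_REQ (2 etypes {23 3}) 192.0.2.11: ISSUE: authtime 1118783500, etypes {rep=23 tkt=16 ses=23}, bob@MIT.EXAMPLE for krbtgt/MIT.EXAMPLE@MIT.EXAMPLE
krb5kdc[411](info): TGS_REQ (1 etypes {23}) 192.0.2.11: UNKNOWN_SERVER: authtime 0,  bob@MIT.EXAMPLE for cifs/fs1.ad.example@MIT.EXAMPLE, Server not found in Kerberos database
krb5kdc[411](info): AS_REQ (2 etypes {23 3}) 192.0.2.12: ISSUE: authtime 1118783600, etypes {rep=23 tkt=16 ses=23}, carol@MIT.EXAMPLE for krbtgt/MIT.EXAMPLE@MIT.EXAMPLE
krb5kdc[411](info): TGS_REQ (1 etypes {23}) 192.0.2.12: ISSUE: authtime 1118783600, etypes {rep=23 tkt=16 ses=23}, carol@MIT.EXAMPLE for krbtgt/AD.EXAMPLE@MIT.EXAMPLE
"""

# request type, client address, status, client principal, server principal
LINE = re.compile(
    r"(AS_REQ|TGS_REQ) \(.*?\) (\S+): (\w+): .*?(\S+@\S+) for (\S+)")


def is_cross_realm_tgt(server):
    """True for krbtgt/OTHER@REALM, i.e. a TGT for a realm other than the issuer."""
    name, _, realm = server.partition("@")
    return name.startswith("krbtgt/") and name[len("krbtgt/"):] != realm


def classify(log_text):
    """Map each client address to the request pattern seen at the MIT KDC."""
    seen = defaultdict(list)
    for m in LINE.finditer(log_text):
        kind, addr, status, _client, server = m.groups()
        seen[addr].append((kind, status, server.rstrip(",")))
    result = {}
    for addr, reqs in seen.items():
        tgs = [(status, srv) for kind, status, srv in reqs if kind == "TGS_REQ"]
        as_count = sum(1 for kind, _, _ in reqs if kind == "AS_REQ")
        if any(is_cross_realm_tgt(srv) for _, srv in tgs):
            result[addr] = "expected: cross-realm TGT requested"
        elif any(status == "UNKNOWN_SERVER" for status, _ in tgs):
            result[addr] = "case 2: service ticket requested in MIT realm"
        elif as_count >= 2 and not tgs:
            result[addr] = "case 1: repeated AS request, no TGS request"
        else:
            result[addr] = "other"
    return result


if __name__ == "__main__":
    for addr, label in sorted(classify(SAMPLE_LOG).items()):
        print(addr, "->", label)
```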