[32127] in Kerberos


MIT Kerberos and Windows 2008 R2 Trust relationship misunderstanding

daemon@ATHENA.MIT.EDU (Frederic SOULIER)
Mon Mar 8 08:22:10 2010

Message-ID: <4B94F9F7.8020100@univ-tlse1.fr>
Date: Mon, 08 Mar 2010 14:21:59 +0100
From: Frederic SOULIER <frederic.soulier@univ-tlse1.fr>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi,

We have the following architecture:
  - 1 MIT Kerberos storing all of our users (17 000 users) on CentOS 5.4
  - 1 Active Directory based on Windows 2008 R2 storing all of our users 
without password

We have made a trust relationship between MIT Kerberos and AD 2008 R2.
The goal is to permit an MIT Kerberos user to log in to the AD domain from 
Windows XP and Windows 7 machines.
All seems to work fine since we have understood the encryption 
problem (RC4, AES, etc.).
A user can connect to the AD domain authenticating against the MIT Kerberos.
But we notice these logs on the Kerberos MIT instance:

Mar  8 13:49:19 kerberos krb5kdc[14886]: TGS_REQ (5 etypes {18 17 23 24 
-135}) 192.93.172.201: UNKNOWN_SERVER: authtime 1268052553,  
fsoulier@KRB.UT1.ORG for cifs/ad1-test.ut1.org@KRB.UT1.ORG, Server not 
found in Kerberos database

The Windows 7 machine requests a ticket for the cifs/ad-test.ut1.org 
service on the MIT Kerberos.
This service doesn't exist in MIT Kerberos. It was only created in the 
AD domain.

I'm a beginner in Kerberos and AD, but I'm thinking that using a trust 
relationship between MIT and AD could avoid this request, because the 
Windows 7 client, integrated in the AD domain, should query the AD 
directly and not the MIT Kerberos after the first authentication.

Perhaps I'm making a mistake, but I find poor/no documentation about it...

If anyone can provide help or advice.....

Regards

-- 
Frederic Soulier

DSI / Service Système
Université Toulouse 1 Capitole
2 rue du doyen Gabriel Marty
31 042 Toulouse Cedex 9 
Tel: +33 5 61 63 39 98 Fax: +33 5 61 63 37 98 


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
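
An added example, not part of the original message: a small parser for the krb5kdc TGS_REQ log format quoted above that tallies UNKNOWN_SERVER requests per service principal and client address, so an administrator can see which service principals clients request that the KDC does not hold. The first sample line is the one from the message (unwrapped); the other two, with their EXAMPLE.ORG names and 192.0.2.10 address, are constructed.

```python
import re
from collections import Counter

# Enctype numbers offered by the client; RFC 3961 reserves negative values for local use.
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac", 24: "rc4-hmac-exp"}

TGS_RE = re.compile(
    r"krb5kdc\[\d+\]: TGS_REQ \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): authtime \d+,\s+"
    r"(?:etypes \{[^}]*\},\s+)?"          # reply etypes, present only on ISSUE lines
    r"(?P<client>\S+) for (?P<service>[^,\s]+)")

def etype_name(n):
    """Name a requested enctype number; negative numbers are vendor/local use."""
    if n < 0:
        return f"local-use({n})"
    return ETYPE_NAMES.get(n, f"etype-{n}")

def parse_tgs(line):
    """Return a dict for a krb5kdc TGS_REQ line, or None if it is not one."""
    m = TGS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [etype_name(int(e)) for e in rec["etypes"].split()]
    rec["service_realm"] = rec["service"].rpartition("@")[2]
    rec["client_realm"] = rec["client"].rpartition("@")[2]
    return rec

def unknown_servers(lines):
    """Count UNKNOWN_SERVER requests per (service principal, client address)."""
    hits = Counter()
    for rec in filter(None, map(parse_tgs, lines)):
        if rec["status"] == "UNKNOWN_SERVER":
            hits[(rec["service"], rec["addr"])] += 1
    return hits

# First line is the one quoted in the message (unwrapped); the others are constructed.
SAMPLE = [
    "Mar  8 13:49:19 kerberos krb5kdc[14886]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.93.172.201: UNKNOWN_SERVER: authtime 1268052553,  fsoulier@KRB.UT1.ORG for cifs/ad1-test.ut1.org@KRB.UT1.ORG, Server not found in Kerberos database",
    "Mar  8 13:49:20 kdc krb5kdc[1]: TGS_REQ (1 etypes {18}) 192.0.2.10: ISSUE: authtime 1268052600, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.ORG for host/app.example.org@EXAMPLE.ORG",
    "Mar  8 13:49:21 kdc krb5kdc[1]: AS_REQ (1 etypes {18}) 192.0.2.10: ISSUE: authtime 1268052601, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG",
]

if __name__ == "__main__":
    for (service, addr), n in unknown_servers(SAMPLE).items():
        print(f"{n}x UNKNOWN_SERVER {service} from {addr}")
```

In the parsed record for the quoted line, `service_realm` equals `client_realm`, which is the detail the message is asking about: the request for the AD-hosted service is addressed to the MIT realm.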

