[32136] in Kerberos
Re: MIT Kerberos and Windows 2008 R2 Trust relationship
daemon@ATHENA.MIT.EDU (Guillaume Rousse)
Tue Mar 9 17:52:01 2010
Message-ID: <4B96D109.9000907@inria.fr>
Date: Tue, 09 Mar 2010 23:51:53 +0100
From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
To: kerberos@mit.edu
In-Reply-To: <4B94F9F7.8020100@univ-tlse1.fr>
On 08/03/2010 14:21, Frederic SOULIER wrote:
> I'm a beginner in Kerberos and AD but I'm thinking using a trust
> relationship between MIT and AD could avoid this request because
> the Windows 7 client, integrated in the AD domain, should request directly the
> AD and not the MIT Kerberos after the first authentication.
>
> Perhaps I'm making a mistake but I find poor/any documentation about it...
>
> If anyone can provide help or advice.....

If the machine asks the MIT KDC for a ticket for a given service, it probably
believes the service belongs to the Kerberos realm managed by this
server, instead of the Kerberos realm from AD. As Windows mainly uses DNS
records for its Kerberos configuration, I'd rather check your DNS setup.

Also, it might have asked the AD KDC, and this last one replies with a
reference. You should check in the AD logs (the Kerberos logging level can be
modified), or use a network sniffer to be sure.

Last thing to check: if you use a test user from AD to log on to the same
Windows 7 host, does it still try to acquire its CIFS ticket from the
MIT KDC?

--
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Île-de-France
Parc Orsay Université, 4 rue J. Monod
91893 Orsay Cedex France
Tel: 01 69 35 69 62