[32550] in Kerberos
RE: Establishing and verifying a trust between Unix MIT KDC and
daemon@ATHENA.MIT.EDU (Wilper, Ross A)
Tue Aug  3 22:44:38 2010
From: "Wilper, Ross A" <rwilper@stanford.edu>
To: N K <nkaluskar@gmail.com>
Date: Tue, 3 Aug 2010 16:18:09 -0700
Message-ID: <C6BF43271ABC924B9A7057FAD2B4953F06C453E17F@ITS-ExchMB02.stanford.edu>
In-Reply-To: <AANLkTi=A7cdRVWDcoKM0FvoC2w5c2yQoGuiwnS-ueJGA@mail.gmail.com>
Content-Language: en-US
MIME-Version: 1.0
Cc: "kerberos@MIT.EDU" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
I do not think that you can use netdom /verify with an external Kerberos trust, unfortunately.
If the registry value checks out on all the Domain controllers and the client, then it's probably elsewhere.
You could also try the "RealmFlags" value http://technet.microsoft.com/en-us/library/cc736698(WS.10).aspx depending on your external realm's settings.
-Ross
From: N K [mailto:nkaluskar@gmail.com]
Sent: Tuesday, August 03, 2010 4:10 PM
To: Wilper, Ross A
Cc: kerberos@MIT.EDU
Subject: Re: Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD
Yes, I did use the ksetup command on the Windows machine to add the MIT KDC.
On Tue, Aug 3, 2010 at 4:08 PM, Wilper, Ross A <rwilper@stanford.edu> wrote:
For #3...
Windows Kerberos libraries do not look at krb5.ini/krb5.conf to find external KDCs, they look in the registry
HKLM/SYSTEM/CurrentControlSet/Control/LSA/Kerberos/Domains/<RealmName>
                REG_MULTI_SZ KdcNames
(This registry key is populated by the Windows ksetup command)
For #5...
Yes, if needed.
-Ross
From: N K [mailto:nkaluskar@gmail.com]
Sent: Tuesday, August 03, 2010 4:04 PM
To: Wilper, Ross A
Cc: kerberos@MIT.EDU
Subject: Re: Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD
Hi Ross,
Thank you very much for your prompt response. A number of things that I have tried so far:
1) Incorrect passphrase for one of the three trust accounts
       >> Will look at this
2) Enctype mismatch (by default, a new trust will only support RC4-HMAC)
      >> specified the encryption type in the kdc.conf file and used the "cpw" command to change the password of principals and re-generate the keys using the specified encryption
3) Client machine cannot resolve the MIT KDCs
       >> Have included the MIT KDC info in the client machine's krb5.ini file and updated DNS information with the Unix Kerberos realm. However, the netdom tool returns something like:
                   netdom trust <domain> /Domain:<realm> /verify /kerberos /verbose
                      Establishing a session with \\<domaincontroller>
                      Reading LSA domain policy information
                      Unable to contact the domain <realm>
                      Deleting the session with \\<domaincontroller>
                       The command failed to complete successfully.
4) Duplicate mappings on user accounts in the same AD domain
       (do an ldap search on altSecurityIdentities)
     >> Will take a look at this
5) You may need to set TLN mappings (referrals) on one side or the other
    >> Using the netdom ... /addtln command?
6) If you have multiple domains, is the realm trust set transitive?
    >> Yes, the trust is transitive.
Regards,
Nivedita
On Tue, Aug 3, 2010 at 3:37 PM, Wilper, Ross A <rwilper@stanford.edu> wrote:
Unfortunately, there are a lot of reasons that this could fail.
1) Incorrect passphrase for one of the three trust accounts
2) Enctype mismatch (by default, a new trust will only support RC4-HMAC)
3) Client machine cannot resolve the MIT KDCs
4) Duplicate mappings on user accounts in the same AD domain
       (do an ldap search on altSecurityIdentities)
5) You may need to set TLN mappings (referrals) on one side or the other
6) If you have multiple domains, is the realm trust set transitive?
Probably more. The only times I've had failures were cases #1 and #3.
Also note that MIT credentials will always fail to log on to RDP when NLA is in use.
-Ross
-----Original Message-----
From: kerberos-bounces@MIT.EDU [mailto:kerberos-bounces@MIT.EDU] On Behalf Of N K
Sent: Tuesday, August 03, 2010 3:19 PM
To: kerberos@MIT.EDU
Subject: Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD
Hi all,
I followed the steps for a cross-realm setup between the MIT KDC and AD
according to O'Reilly's Definitive Guide book:
- specifying KDCs using ksetup on the participating Windows machines
- creating principals krbtgt/domain@realm and krbtgt/realm@domain in the MIT KDC
- creating a two-way trust in the AD
- mapping an AD user to a user in the MIT KDC
However, when I try to log on to the Kerberos realm from a Windows machine
using the credentials of the MIT KDC user, I get an error that the system
could not log me on because the username or domain is incorrect.
Has anyone come across a similar problem before?
Thanks much in advance,
Nivedita.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
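The thread above makes two checkable points: a Windows client finds external KDCs through the registry key that ksetup populates (not through krb5.ini), and case #3 of Ross's checklist is the client failing to resolve the MIT KDCs. The following PowerShell script is an added example for this page, not code from the thread, from MIT or from Microsoft. It reads the KdcNames and RealmFlags values for one external realm and then tests whether each configured KDC resolves in DNS and accepts a TCP connection on port 88. The realm name EXAMPLE.REALM is a placeholder; the RealmFlags value is printed raw so it can be compared against the TechNet page Ross links to.

```powershell
# Added example: inspect how a Windows client has an external MIT realm configured.
# Reads the registry key that ksetup populates (named in Ross's reply) and tests
# whether each configured KDC resolves in DNS and answers on TCP port 88.
param(
    [string]$Realm = 'EXAMPLE.REALM'   # placeholder, not a value from the thread
)

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"

if (-not (Test-Path $keyPath)) {
    Write-Output "No registry entry for realm '$Realm' at $keyPath."
    Write-Output "The client does not know this realm; ksetup /addkdc $Realm <kdc-host> creates the entry."
    return
}

$props = Get-ItemProperty -Path $keyPath

# KdcNames is REG_MULTI_SZ, so PowerShell returns it as a string array.
# Drop empty entries so an unset value does not look like one KDC.
$kdcs = @($props.KdcNames | Where-Object { $_ })
Write-Output "Realm $Realm has $($kdcs.Count) KDC name(s) configured."

# RealmFlags is a REG_DWORD; print it raw rather than decoding the bits, so it
# can be read against the ksetup /setrealmflags documentation linked in the thread.
if ($null -ne $props.RealmFlags) {
    Write-Output ("RealmFlags = 0x{0:X}" -f [int]$props.RealmFlags)
} else {
    Write-Output "RealmFlags is not set for this realm."
}

foreach ($kdc in $kdcs) {
    # Case #3 in the checklist: the client must be able to resolve the KDC name.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($kdc)
        $resolved = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ', '
        Write-Output "KDC $kdc resolves to $resolved"
    } catch {
        Write-Output "KDC $kdc does NOT resolve in DNS: $($_.Exception.Message)"
        continue
    }

    # Reachability on the Kerberos port. A completed TCP connect shows the network
    # path is open; it does not prove the host serves this realm.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($kdc, 88, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected) {
            Write-Output "KDC $kdc accepts TCP connections on port 88"
        } else {
            Write-Output "KDC $kdc did not answer on TCP port 88 within 3 seconds"
        }
    } catch {
        Write-Output "Connection to $kdc port 88 failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}
```

Run it on the Windows client (and on each domain controller, since Ross suggests the value must check out on all of them) as `.\Check-KerberosRealm.ps1 -Realm YOUR.REALM`; a missing key, an empty KdcNames list, or a name that does not resolve is the kind of client-side problem the thread attributes to case #3, while a reachable KDC that still fails the logon points back at the other items on the list (trust account passphrase, enctype, mappings).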