Tom Medhurst wrote:
> Hi There,
> I apologise in advance for the following rant, but I believe there are
> issues that need addressing...
>
> I am completely unable to get Windows clients authenticating against
> Kerberos 5 server. I truly appreciate the assistance that Douglas has given
> me with that case, but we have been unsuccessful in getting it to work.
>
> In fact there are forum posts all over the web, full of people who are
> unable to get Windows clients authenticating against krb5, all that I have
> encountered have been left unanswered.

Well, I did not think Microsoft was this unix unfriendly, so I did some
more searching and last night brought up an MIT 1.7 KDC on u1 (ubuntu)
and ran ksetup on dougpc (XP SP3 Pro).

The /etc/hosts and c:\windows\system32\drivers\etc\hosts files were
modified to add u1.myhome.org.

User [email protected] and host/[email protected] were added to the realm,
and ksetup /setComputerPassword was used with the same password as used
with the kadmin.local:

    addprinc -e "arcfour-hmac:normal" host/[email protected]

ksetup shows this:

    default realm = MYHOME.ORG (external)
    MYHOME.ORG:
            kdc = u1.myhome.org
            Realm Flags = 0x0 none
    Mapping [email protected] to testuser.

The hidden piece of information is in:
http://technet.microsoft.com/en-us/library/cc736890(WS.10).aspx
which says if the mapping is to user guest, it will work.

If user guest could work, why not try adding user testuser to the local
group "guests".

Login from the console worked!

The Microsoft "klist tickets" and "klist tgt" did not show any tickets
in the LSA, but did allow login. The profile appears to be set for the
testuser and I could create a file in the testuser's My Documents.

From another account,

    runas /user:[email protected] cmd.exe

(with and without /netonly) also work and show tickets.

Not tried:

  Vista or W7. Maybe the LSA does save the tickets.

  PuTTY that use SSPI with the tickets in the LSA.

  Mapping * *
  I suspect it will work with any user who is in the local guests group.

  Checking ACLs to see if being in group guests does not open up
  additional security risks.

(I also changed the subject of the original message as others on those
forums might find this message.)

>
> Many thanks for your time,
> Kind Regards
> Tom Medhurst
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--

 Douglas E. Engert <[email protected]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois 60439
 (630) 252-5444
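
The Windows-side steps described in the message above, collected as an added PowerShell example that is not part of the original post. The /setrealm and /addkdc calls are inferred from the ksetup output the post shows; the KDC address and the user principal are placeholders because the archive obscures the real values.

```powershell
# Added example, not from the original post. Run from an elevated prompt on
# the workstation. Values marked PLACEHOLDER are not taken from the post.
$Realm         = 'MYHOME.ORG'                    # realm shown in the ksetup output
$Kdc           = 'u1.myhome.org'                 # KDC host named in the post
$KdcAddress    = '192.0.2.10'                    # PLACEHOLDER (documentation address)
$UserPrincipal = 'PLACEHOLDER-USER@MYHOME.ORG'   # PLACEHOLDER: obscured in the archive
$LocalAccount  = 'testuser'                      # local account named in the post

# KDC side (done on u1, not here), as given in the post:
#   kadmin.local: addprinc -e "arcfour-hmac:normal" host/<host principal>
# The password chosen there must match the one entered in step 3.

# 1. Make the KDC resolvable by name (the post edits the hosts file).
$hosts = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
Add-Content -Path $hosts -Value "$KdcAddress`t$Kdc"

# 2. Point the workstation at the external realm and its KDC.
#    (Inferred from "default realm = MYHOME.ORG (external)" and "kdc = ...".)
& ksetup /setrealm $Realm
& ksetup /addkdc $Realm $Kdc

# 3. Set the machine password to the host principal's password.
$pw = Read-Host 'Password used for the host principal on the KDC'
& ksetup /setcomputerpassword $pw

# 4. Map the Kerberos principal to the local account.
& ksetup /mapuser $UserPrincipal $LocalAccount

# 5. The step the post found necessary: put the mapped account in Guests.
& net localgroup Guests $LocalAccount /add

# 6. Review the result: realm, KDC and mapping as ksetup reports them,
#    then the current Guests membership, so the extra group membership
#    is visible when checking ACLs afterwards.
& ksetup
& net localgroup Guests
```

Restart the workstation after running it; the realm change made by ksetup takes effect only after a reboot.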
