Yes, I did use the ksetup command on the Windows machine to add the MIT KDC.
On Tue, Aug 3, 2010 at 4:08 PM, Wilper, Ross A <[email protected]> wrote:

> For #3…
>
> Windows Kerberos libraries do not look at krb5.ini/krb5.conf to find external KDCs, they look in the registry
>
> HKLM/SYSTEM/CurrentControlSet/Control/LSA/Kerberos/Domains/<RealmName>
>
> REG_MULTI_SZ KdcNames
>
> (This registry key is populated by the Windows ksetup command)
>
> For #5…
>
> Yes, if needed.
>
> -Ross
>
> *From:* N K [mailto:[email protected]]
> *Sent:* Tuesday, August 03, 2010 4:04 PM
> *To:* Wilper, Ross A
> *Cc:* [email protected]
> *Subject:* Re: Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD
>
> Hi Ross,
>
> Thank you very much for your prompt response. A number of things that I have tried so far:
>
> 1) Incorrect passphrase for one of the three trust accounts
> >> Will look at this
>
> 2) Enctype mismatch (by default, a new trust will only support RC4-HMAC)
> >> Specified the encryption type in the kdc.conf file and used the "cpw" command to change the password of principals and re-generate the keys using the specified encryption
>
> 3) Client machine cannot resolve the MIT KDCs
> >> Have included the MIT KDC info in the client machine's krb5.ini file and updated DNS information with the Unix Kerberos realm. However, the netdom tool returns something like:
>
> netdom trust <domain> /Domain:<realm> /verify /kerberos /verbose
> Establishing a session with \\<domaincontroller>
> Reading LSA domain policy information
> Unable to contact the domain <realm>
> Deleting the session with \\<domaincontroller>
> The command failed to complete successfully.
>
> 4) Duplicate mappings on user accounts in the same AD domain (do an ldap search on altSecurityIdentities)
> >> Will take a look at this
>
> 5) You may need to set TLN mappings (referrals) on one side or the other
> >> Using the netdom ... /addtln command?
>
> 6) If you have multiple domains, is the realm trust set transitive?
> >> Yes, the trust is transitive.
>
> Regards,
> Nivedita
>
> On Tue, Aug 3, 2010 at 3:37 PM, Wilper, Ross A <[email protected]> wrote:
>
> Unfortunately, there are a lot of reasons that this could fail.
>
> 1) Incorrect passphrase for one of the three trust accounts
> 2) Enctype mismatch (by default, a new trust will only support RC4-HMAC)
> 3) Client machine cannot resolve the MIT KDCs
> 4) Duplicate mappings on user accounts in the same AD domain (do an ldap search on altSecurityIdentities)
> 5) You may need to set TLN mappings (referrals) on one side or the other
> 6) If you have multiple domains, is the realm trust set transitive?
>
> Probably more. The only times I've had failures were case #1 and #3.
>
> Also note that MIT credentials will always fail to log on to RDP when NLA is in use.
>
> -Ross
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of N K
> Sent: Tuesday, August 03, 2010 3:19 PM
> To: [email protected]
> Subject: Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD
>
> Hi all,
>
> I followed the steps for a cross-realm setup between the MIT KDC and AD according to O'Reilly's Definitive Guide book:
>
> - specifying KDCs using ksetup on the participating Windows machines
> - creating principals krbtgt/dom...@realm and krbtgt/re...@domain in the MIT KDC
> - creating a 2-way trust in the AD
> - mapping an AD user to a user in the MIT KDC
>
> However, when I try to log on to the Kerberos realm from a Windows machine using the credentials of the MIT KDC user, I get an error that the system could not log me on because the username or domain is incorrect.
>
> Has anyone come across a similar problem before?
>
> Thanks much in advance,
>
> Nivedita.
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
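Two of the failure causes in Ross's list (#3, the client cannot resolve the MIT KDCs, and #4, duplicate altSecurityIdentities mappings) can be checked from the Windows client before touching the trust again. The script below is an added example, not code from the thread or from any of its participants. It assumes a domain-joined client with PowerShell 2.0 or later, that `$Realm` is the MIT realm name exactly as given to `ksetup /addkdc`, and that `$ADDomain` (defaulting to the client's own `USERDNSDOMAIN`) is the AD domain whose user objects should be searched; the registry path is the one Ross names in the thread.

```powershell
# Added diagnostic for the two client-side causes in the thread (not from the thread itself).
# Assumptions: domain-joined Windows client, PowerShell 2.0+, caller supplies the MIT realm name.
param(
    [Parameter(Mandatory = $true)][string]$Realm,   # MIT realm, e.g. EXAMPLE.ORG (placeholder)
    [string]$ADDomain = $env:USERDNSDOMAIN           # AD domain to scan for duplicate mappings
)

# --- Cause #3: what did ksetup actually record, and do those KDCs resolve/answer? ---
# Windows ignores krb5.ini for external realms; it reads KdcNames from this key.
$key = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"
if (-not (Test-Path $key)) {
    Write-Warning "No Kerberos\Domains entry for realm '$Realm'; ksetup /addkdc has not been run on this client."
    return
}
$kdcNames = (Get-ItemProperty -Path $key -Name KdcNames).KdcNames
if (-not $kdcNames) {
    Write-Warning "Realm '$Realm' is registered but KdcNames is empty."
    return
}
foreach ($kdc in $kdcNames) {
    try {
        # Dns.GetHostAddresses works on every supported Windows version (no Resolve-DnsName needed).
        $addrs = [System.Net.Dns]::GetHostAddresses($kdc) | ForEach-Object { $_.IPAddressToString }
        Write-Host ("{0} resolves to {1}" -f $kdc, ($addrs -join ', '))
    } catch {
        Write-Warning "KDC '$kdc' does not resolve in DNS; the netdom 'Unable to contact the domain' error follows from this."
        continue
    }
    # Kerberos is served on port 88; a TCP connect is enough to prove the KDC is reachable.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($kdc, 88)
        Write-Host "$kdc accepts connections on TCP/88"
    } catch {
        Write-Warning "KDC '$kdc' resolves but does not answer on TCP/88 (firewall or wrong host?)"
    } finally {
        $client.Close()
    }
}

# --- Cause #4: is any altSecurityIdentities value assigned to more than one account? ---
# Two AD users claiming the same MIT principal make the name-to-account lookup ambiguous.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ADDomain")
$searcher.Filter = "(&(objectClass=user)(altSecurityIdentities=*))"
$searcher.PageSize = 1000                       # paged search so large domains are fully enumerated
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('altSecurityIdentities')

$accountsByMapping = @{}
foreach ($result in $searcher.FindAll()) {
    $sam = [string]$result.Properties['samaccountname'][0]
    foreach ($mapping in $result.Properties['altsecurityidentities']) {
        $mapping = [string]$mapping
        if (-not $accountsByMapping.ContainsKey($mapping)) { $accountsByMapping[$mapping] = @() }
        $accountsByMapping[$mapping] += $sam
    }
}
$duplicates = 0
foreach ($entry in $accountsByMapping.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) {
        $duplicates++
        Write-Warning ("Mapping '{0}' is set on multiple accounts: {1}" -f $entry.Key, ($entry.Value -join ', '))
    }
}
if ($duplicates -eq 0) {
    Write-Host ("No duplicate altSecurityIdentities mappings among {0} mapped accounts." -f $accountsByMapping.Count)
}
```

Run it as `.\Check-MitTrust.ps1 -Realm EXAMPLE.ORG` (script name and realm are placeholders) from an account that can read the domain's user objects. The registry read needs no elevation, so the KDC check can be repeated on any client that fails the logon, which is useful for separating a per-client ksetup omission from a problem with the trust itself.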
