I do not think that you can use netdom /verify with an external Kerberos trust, unfortunately.
If the registry value checks out on all the Domain controllers and the client, then it's probably elsewhere. You could also try the "RealmFlags" value http://technet.microsoft.com/en-us/library/cc736698(WS.10).aspx depending on your external realm's settings. -Ross From: N K [mailto:[email protected]] Sent: Tuesday, August 03, 2010 4:10 PM To: Wilper, Ross A Cc: [email protected] Subject: Re: Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD Ye,s I did use the ksetup command on the Windows machine to add the MIT KDC.. On Tue, Aug 3, 2010 at 4:08 PM, Wilper, Ross A <[email protected]<mailto:[email protected]>> wrote: For #3... Windows Kerberos libraries do not look at krb5.ini/krb5.conf to find external KDCs, they look in the registry HKLM/SYSTEM/CurrentControlSet/Control/LSA/Kerberos/Domains/<RealmName> REG_MULTI_SZ KdcNames (This registry key is populated by the Windows ksetup command) For #5... Yes, if needed. -Ross From: N K [mailto:[email protected]<mailto:[email protected]>] Sent: Tuesday, August 03, 2010 4:04 PM To: Wilper, Ross A Cc: [email protected]<mailto:[email protected]> Subject: Re: Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD Hi Ross, Thank you very much for your prompt response. A number of things that I have tried so far: 1) Incorrect passphrase for one of the three trust accounts >> Will look at this 2) Enctype mismatch (by default, a new trust will only support RC4-HMAC) >> specified the encryption type in the kdc.conf file and used the "cpw" command to change the password of principals and re-generate the keys using the specified encryption 3) Client machine cannot resolve the MIT KDCs >> Have included the mit kdc info in the client machine's krb5.ini file and updated DNS information with the unix kerberos realm. However, the netdom tool returns something like: netdom trust <domain> /Domain:<realm> /verify /kerberos /verbose Establishing a session with \\<domaincontroller> Reading LSA domain policy information Unable to contact the domain <realm> Deleting the session with \\<domaincontroller> The command failed to complete successfully. 4) Duplicate mappings on user accounts in the same AD domain (do an ldap search on altSecurityIdentities) >> Will take a look at this 5) You may need to set TLN mappings (referrals) on one side or the other >> Using the netdom ... /addtln command ? 6) If you have multiple domains, is the realm trust set transitive? >> Yes, the trust is transitive. Regards, Nivedita On Tue, Aug 3, 2010 at 3:37 PM, Wilper, Ross A <[email protected]<mailto:[email protected]>> wrote: Unfortunately, there are a lot of reasons that this could fail. 1) Incorrect passphrase for one of the three trust accounts 2) Enctype mismatch (by default, a new trust will only support RC4-HMAC) 3) Client machine cannot resolve the MIT KDCs 4) Duplicate mappings on user accounts in the same AD domain (do an ldap search on altSecurityIdentities) 5) You may need to set TLN mappings (referrals) on one side or the other 6) If you have multiple domains, is the realm trust set transitive? Probably more. The only times I've had failures were case #1 and #3 Also note that MIT credentials will always fail to logon to RDP when NLA is in use. -Ross -----Original Message----- From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of N K Sent: Tuesday, August 03, 2010 3:19 PM To: [email protected]<mailto:[email protected]> Subject: Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD Hi all, I followed the steps for a cross-realm setup between the MIT KDC and AD according to O'reilly's Definitive Guide book: - specifying KDC's using ksetup on the participating Windows machines - creating principals krbtgt/dom...@realm and krbtgt/re...@domain in the MIT KDC - creating a 2 way trust in the AD - mapping an AD user to a user in the MIT KDC However, when I try to logon to the Kerberos realm from a Windows machine using the credentials of the MIT KDC user, I get an error that the system could not log me on because the username or domain is incorrect. Has anyone come across a similar problem before? Thanks much in advance, Nivedita. ________________________________________________ Kerberos mailing list [email protected]<mailto:[email protected]> https://mailman.mit.edu/mailman/listinfo/kerberos ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
