Hello all,
 
I managed to solve the following problem:
"The system can not log you on due to the following
error: No mapping between account names and security
IDs was done. Please try again or consult your system
administrator."
 
It's simply because I hadn't added the user to the list of users for the computer (",)
I can now authenticate using the Kerberos realm.
 
Thanks to all who have replied to my mail,
- lara -
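
As an added example (not code from this thread or from Heimdal/Microsoft), the Python script below encodes the checklist the thread arrives at. It parses a principal listing in the shape of `kadmin -l list '*'` output and reports which inter-realm krbtgt, host/ and user principals the KDC is still missing; it then checks the Windows side: the Domains\<REALM> registry values Arden lists, the ksetup /mapuser table, and whether the mapped local account actually exists, which is what the "No mapping between account names and security IDs" error came down to. The listing, registry values, mapping table and the client name w2kclient.my_kerberos_realm.com are constructed placeholders, and the expectation that both krbtgt principals live on the Heimdal KDC follows the steps posted in the thread (and the kerbsteps article), not anything verified against a live KDC.

```python
"""Preflight check for a Windows 2000 client logging on against a
Heimdal/MIT realm.  Added example; it encodes the thread's checklist:

  * the KDC must hold the inter-realm krbtgt principals in both
    directions, a host/ principal for every Windows client, and the
    user principal;
  * the Windows client must have the Domains\\<REALM> registry values,
    a ksetup /mapuser mapping, and a local account the mapping points
    at (otherwise "No mapping between account names and security IDs
    was done").
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Principal:
    primary: str             # "krbtgt", "host", or a user name
    instance: Optional[str]  # realm name, client FQDN, or None
    realm: str

    def __str__(self) -> str:
        name = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return f"{name}@{self.realm}"


def parse_principal(text: str) -> Principal:
    """Split 'primary[/instance]@REALM'.  Comparison stays case-sensitive,
    as it is in the KDC database, so host names must match exactly."""
    name, at, realm = text.strip().rpartition("@")
    if not at or not name or not realm:
        raise ValueError(f"not a principal name: {text!r}")
    primary, _, instance = name.partition("/")
    return Principal(primary, instance or None, realm)


def load_listing(listing: str) -> Set[Principal]:
    """Parse one-principal-per-line output such as `kadmin -l list '*'`."""
    return {parse_principal(line) for line in listing.splitlines() if line.strip()}


def missing_on_kdc(principals: Set[Principal], unix_realm: str, windows_realm: str,
                   clients: Iterable[str], users: Iterable[str]) -> List[Principal]:
    """Principals the KDC still needs, in the order the thread adds them."""
    required = [
        Principal("krbtgt", windows_realm, unix_realm),  # cross-realm TGT towards AD
        Principal("krbtgt", unix_realm, windows_realm),  # the other direction (kerbsteps)
    ]
    # One host/ principal per client; without it the KDC logs KDC_ERR_S_PRINCIPAL_UNKNOWN.
    required += [Principal("host", c, unix_realm) for c in clients]
    required += [Principal(u, None, unix_realm) for u in users]
    return [p for p in required if p not in principals]


def problems_on_client(domains: Dict[str, dict], mappings: Dict[str, str],
                       local_accounts: Set[str], user_principal: str) -> List[str]:
    """Windows-side checks: HKLM\\...\\Lsa\\Kerberos\\Domains\\<REALM> values
    (shape as posted by Arden), the ksetup /mapuser table, local accounts."""
    problems: List[str] = []
    realm = parse_principal(user_principal).realm
    cfg = domains.get(realm)
    if cfg is None:
        problems.append(f"no Domains\\{realm} entry (run ksetup /addkdc {realm} <kdc>)")
    else:
        if not cfg.get("KdcNames"):
            problems.append(f"KdcNames is empty for {realm}")
        if "RealmFlags" not in cfg:
            problems.append(f"RealmFlags is not set for {realm}")
    local = mappings.get(user_principal)
    if local is None:
        problems.append(f"no ksetup /mapuser entry for {user_principal}")
    elif local not in local_accounts:
        problems.append(f'mapped account {local!r} does not exist on this machine: '
                        f'expect "No mapping between account names and security IDs was done"')
    return problems


# Constructed sample in the shape of `kadmin -l list '*'` output; the second
# krbtgt and the Windows client's host/ principal are deliberately absent.
SAMPLE_KDC_LISTING = """
krbtgt/MY_KERBEROS_REALM.COM@MY_KERBEROS_REALM.COM
krbtgt/W2K_DOMAIN_REALM@MY_KERBEROS_REALM.COM
host/kerberos.my_kerberos_realm.com@MY_KERBEROS_REALM.COM
lara@MY_KERBEROS_REALM.COM
"""

# Constructed Windows-side state: registry values and the /mapuser table.
SAMPLE_DOMAINS = {"MY_KERBEROS_REALM.COM": {
    "KdcNames": ["kerberos.my_kerberos_realm.com"],
    "KpasswdNames": ["kerberos.my_kerberos_realm.com"],
    "RealmFlags": 8}}
SAMPLE_MAPPINGS = {"lara@MY_KERBEROS_REALM.COM": "lara"}

if __name__ == "__main__":
    kdc = load_listing(SAMPLE_KDC_LISTING)
    for p in missing_on_kdc(kdc, "MY_KERBEROS_REALM.COM", "W2K_DOMAIN_REALM",
                            ["w2kclient.my_kerberos_realm.com"], ["lara"]):
        print("KDC missing:", p)
    for accounts in ({"Administrator"}, {"Administrator", "lara"}):
        print(sorted(accounts), problems_on_client(SAMPLE_DOMAINS, SAMPLE_MAPPINGS,
                                                   accounts, "lara@MY_KERBEROS_REALM.COM"))
```

Run it as-is to see the two missing KDC principals and the account-mapping complaint for a machine without a local "lara"; feed `load_listing` real `kadmin -l list '*'` output and `missing_on_kdc` the client FQDNs from your ksetup /setmachpassword hosts to use it for real.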
 



Lara Adianto <[EMAIL PROTECTED]> wrote:
Thanks to Brent and Arden, who have given me some
insights. I'm not fully successful yet, but I can see
progress...

Apparently, my biggest problem was the DNS server
setup. I managed to overcome the problem (phiughh)

Now, the problem is when a client wants to log in with
the domain set to the Kerberos realm (I use Heimdal):
username: lara
password: password
domain: MY_KERBEROS_REALM.COM (Kerberos Realm)
the following Windows login message pops up:
The system cannot log you on due to the following
error: No mapping between account names and security
IDs was done. Please try again or consult your system
administrator.

With reference to the following resources:
-http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

-http://www.pdc.kth.se/heimdal/heimdal.html (there's
one section about how to configure Windows 2000 to use
a Heimdal KDC)
I have done the following steps:
On W2K Server:
1. Create a domain W2K_DOMAIN_REALM in my W2K server
2. Add Inter-realm keys for W2K_DOMAIN_REALM (Domain
Tree Management Tool --> W2K_DOMAIN_REALM --> Trusts
tab --> add MY_KERBEROS_REALM.COM on both directions)
3. Create a user lara, and create account mappings to
[EMAIL PROTECTED]
4. Use ksetup to add the KDC:
C:> ksetup /addkdc MY_KERBEROS_REALM.COM kerberos.my_kerberos_realm.com
5. Use Netdom.exe to make it transitive (I'm not sure
whether this is actually needed)

On KDC (Linux machine):
1. Create a host principal in the Kerberos realm
shell% kadmin -l -r MY_KERBEROS_REALM.COM
kadmin> ank -p password host/myhost.my_kerberos_realm.com
(I'm not sure what the purpose of creating this host
principal is, because the client seems to search for server
host/[EMAIL PROTECTED] for the
authentication)
2. Add inter-realm keys:
kadmin> add krbtgt/[EMAIL PROTECTED]
kadmin> add krbtgt/[EMAIL PROTECTED]
3. Add [EMAIL PROTECTED]
4. kinit [EMAIL PROTECTED]
5. Add host/CLIENT_MACHINE_NAME (if not, the client
authentication fails, with the following error being
logged: KDC_ERR_S_PRINCIPAL_UNKNOWN, for server
host/CLIENT_MACHINE_NAME)

On W2K client machine:
1. Use ksetup:
C:> ksetup /setdomain MY_KERBEROS_REALM.COM
C:> ksetup /addkdc MY_KERBEROS_REALM.COM kerberos.my_kerberos_realm.com
C:> ksetup /setmachpassword password
C:> ksetup /mapuser [EMAIL PROTECTED] lara

And I have rebooted the client machine every time I
make changes....What else could I be missing?

Did I do the right things?
I would really appreciate it if someone could give a brief
explanation of how the authentication of a W2K client using
an MIT/Heimdal Kerberos KDC works.

It seems to me that it's the client that contacts the
Kerberos realm for authentication and not the W2K
server...Is this the right way to go?
But if that's the way, then when will the account
mapping for the Kerberos realm created in AD be used in
this authentication process? What's the purpose of
having the trust relationship between W2K and the
Kerberos realm?
Why does my client contact
host/[EMAIL PROTECTED] for
authentication?

Hope somebody can help me,
Lara

--- Arden Pineda <[EMAIL PROTECTED]>wrote:
> Do you have the RealmFlags value set for the Kerberos
> domain on Windows machines (DCs & member machines)? I
> believe the ksetup utility does not have the option to
> set the realmflags setting, but I could be wrong. You
> need this setting, aside from the KpasswdNames and
> KdcNames, especially for non-MIT Kerberos. In our
> environment, we have it set to 8. For more details,
> consult the regentry.chm file included in the Windows
> 2000 Resource Kit.
>
> I have included the list of Kerberos registry entries
> that you need below.
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\EXAMPLE.COM]
>
> Key: RealmFlags
> Type: DWORD
> Value: 8
>
> Key: KPasswdNames
> Type: MULTI_SZ
> Value: yourkpasswdserver.example.com
>
> Key: KdcNames
> Type: MULTI_SZ
> Value: yourkdc.example.com
> yourkdc2.example.com
>
>
> We used a custom adm to deploy these settings to all
> our machines. I hope this helps.
>
> Regards,
> Arden
>
> _____
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Jackson Shaw
> Sent: Tuesday, March 23, 2004 8:42 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Can Microsoft Active
> Directory be configured to
> authenticate to an external ldap server ??
>
> http://www.vintela.com/products/vas/
>
> does the job for you.
>
> _____
>
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Brent Westmoreland
> Sent: Tuesday, March 23, 2004 9:01 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Can Microsoft Active
> Directory be configured to
> authenticate to an external ldap server ??
>
> Hmmm,
>
> sorry, no experience with Heimdal...
>
> did you follow the steps in the following article?
> They are designed for an MIT realm, but if you consult
> your Heimdal documentation you should be able to find
> equivalent commands.
>
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
>
> looks like you configured AD to trust the Kerberos
> realm, but not the Kerberos realm to trust AD. You will
> need to configure what are called cross-realm principals
> for this.
>
> example command for an MIT realm.
>
> % kadmin -q "ank -pw password krbtgt/[EMAIL PROTECTED]"
>
> % kadmin -q "ank -pw password krbtgt/[EMAIL PROTECTED]"
>
> Also, if your clients are going to authenticate directly
> to your Kerberos realm then you may have to create a host
> principal (Kerberos equivalent to a computer account) in
> your Kerberos realm for each client that you are directly
> authenticating.
>
> Brent Westmoreland
>
> On Mar 23, 2004, at 5:11 AM, Lara Adianto wrote:
>
> Thank you Robbie, but I still can't get it to work :-(
>
> When a win2k client tries to log in using my Linux
> Kerberos realm, it fails with the error message:
>
> The system could not log you on. Make sure that the
> username and password are correct. Letters in the
> password must be typed in the correct case...bla bla bla
>
> So...I'm wondering if I have missed some steps.
>
> Let's say that I use the following values:
>
> Windows realm: EXAMPLE.COM
> Linux realm: EXAMPLE1.COM
> username: lara
>
> These are the steps that I followed:
>
> 1. Create an External trust for EXAMPLE.COM
> - On Active Directory Domains and Trusts, for domain
> EXAMPLE.COM, I added EXAMPLE1.COM to 'Domains trusted
> by this domain'
>
> 2. Create Account Mapping
> - On Active Directory Users and Computers, for user
> lara, I created the name mapping to the Kerberos realm:
> [EMAIL PROTECTED]
>
> 3. Configure client to log in using the Linux Kerberos
> realm
> - On client machine: ksetup /addkdc EXAMPLE1.COM
> kerberos.example1.com
>
> That's it..
>
> Am I missing something here? Like resolving DNS? any
>
=== message truncated ===


=====
------------------------------------------------------------------------------------
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
- Guy de Maupassant -
------------------------------------------------------------------------------------

__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html
List info : http://www.activedir.org/mail_list..htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

