Hi,

I successfully tested this issue. You have to process the following steps:

on MS w2k DC (W2K.TEST.REALM):
1. set trust to your MIT KDC
2. set mapping for users which are being authenticated to your MIT KDC

on MIT KDC (TEST.REALM) do:
1. recompile with a referral patch from CITI (http://www.citi.umich.edu/u/kwc/krb5stuff/referral.html)
2. in database create [EMAIL PROTECTED] (with the same password as typed in MS 'trust' dialog on W2k DC)

on client side:
1. get 'ksetup' tool (it resides on MS resourcekit CD, I think)
2. with ksetup do:
   ksetup /setdomain TEST.REALM
   ksetup /addkdc TEST.REALM kdc.test.realm
3. look into registry and search for
   HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Domains\TEST.REALM
   - add 'RealmFlags = 8' key
     key type is REG_DWORD

Now, it could be possible to authenticate to MIT and use services in your W2k domain. (You could see your MIT realm in 'domain list' in logon dialog.)

I hope I didn't forget anything. :-))

Zdenek Hatas

"Rafael Righi" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
>
> Hello all,
>
> I have a kdc ( kerberos 1.2.2 ) on a linux machine and another
> machine with Windows 2000. I read "Step-by-step Guide to Kerberos 5
> Interoperability" from the Microsoft site and executed the steps of the
> "Setting Trust with a Kerberos Realm" section.
> The problem is: when I enter a principal at the win 2k logon, it doesn't
> work ( an error message appears ). I set the trusts, the mapping between
> win2k user and kerberos user, set the kdc machine and other things.
> In kdc.log this text appears:
>
> Jan 11 15:09:05 machinekdc krb5kdc[5106](info): AS_REQ 20.xx.xx.11(88): ISSUE: authtime 1010768945, user@REALM for krbtgt/REALM@REALM
>
> Jan 11 15:09:05 machinekdc krb5kdc[5106](info): TGS_REQ 20.xx.xx.11(88): ISSUE: authtime 1010768945, user@REALM for krbtgt/WIN2K@REALM
>
> The "user" is authenticated successfully against the krbtgt/REALM@REALM
> but the "user" is not authenticated with Windows 2000 (krbtgt/WIN2K@REALM ).
>
> If anyone knows anything about this case, please send email to
> me. Thank you.
>
> PS: An interesting event is that a Heimdal implementation of Kerberos
> works well with the same kdc.conf and krb5.conf configuration. But I want
> to use the MIT implementation instead.
>
> Rafael Righi
>
> Brazil
>
> ____________________________________________________________________
>
> Rafael da Rosa Righi      E-mail : [EMAIL PROTECTED]
>                                    [EMAIL PROTECTED]
> Intern, Network Support Section - Centro de Processamento de Dados
> Computer Science program - Universidade Federal de Santa Maria
>
> Brazil
> ____________________________________________________________________

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
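
Added example, not part of the original messages and not code from MIT Kerberos: a small Python parser for krb5kdc log lines in the format quoted above, reporting the KDC's status for each cross-realm TGT request (a TGS_REQ for krbtgt/OTHER-REALM@ISSUING-REALM). The sample lines are constructed (documentation addresses; the third line and its OTHER realm are invented for illustration), and the function names are this example's own.

```python
import re
from collections import defaultdict

# krb5kdc request line as quoted in the thread. The optional groups also accept
# the "(N etypes {...})" and "etypes {...}," fields that newer MIT releases log.
LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) (?:\([^)]*\) )?"
    r"(?P<addr>\S+?)(?:\(\d+\))?: (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, )?(?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)")

def ticket_kind(server):
    """Classify the requested ticket by its service principal name."""
    name, sep, realm = server.rpartition("@")
    if not sep:                       # principal logged without a realm
        name, realm = server, ""
    parts = name.split("/")
    if len(parts) != 2 or parts[0] != "krbtgt":
        return "service"
    return "local-tgt" if parts[1] == realm else "cross-realm-tgt"

def parse(lines):
    """Return one dict per recognised AS_REQ/TGS_REQ line."""
    events = []
    for line in lines:
        m = LINE.search(line)
        if m:
            events.append({**m.groupdict(), "kind": ticket_kind(m["server"])})
    return events

def cross_realm_outcomes(events):
    """Map (client, target realm) to the KDC statuses of its cross-realm TGT requests."""
    out = defaultdict(list)
    for e in events:
        if e["req"] == "TGS_REQ" and e["kind"] == "cross-realm-tgt":
            target = e["server"].rpartition("@")[0].split("/")[1]
            out[(e["client"], target)].append(e["status"])
    return dict(out)

# Constructed sample input modelled on the log format in the thread.
SAMPLE = [
    "Jan 11 15:09:05 machinekdc krb5kdc[5106](info): AS_REQ 192.0.2.11(88): ISSUE: authtime 1010768945, user@REALM for krbtgt/REALM@REALM",
    "Jan 11 15:09:05 machinekdc krb5kdc[5106](info): TGS_REQ 192.0.2.11(88): ISSUE: authtime 1010768945, user@REALM for krbtgt/WIN2K@REALM",
    "Jan 11 15:12:40 machinekdc krb5kdc[5106](info): TGS_REQ 192.0.2.12(88): UNKNOWN_SERVER: authtime 1010769160, other@REALM for krbtgt/OTHER@REALM, Server not found in Kerberos database",
]

if __name__ == "__main__":
    for (client, realm), statuses in cross_realm_outcomes(parse(SAMPLE)).items():
        print(f"{client} -> {realm}: {', '.join(statuses)}")
```

An ISSUE status on a cross-realm line means the MIT KDC issued that ticket; any other status is a refusal logged by the KDC itself.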
