Lara Adianto wrote:
> I have set that up before. Using name mapping in AD and registering
> [EMAIL PROTECTED] as the kerberos name for lara. I also set up the
> cross-realm trust between windows AD and MIT KDC.
>
> It worked before!

If it worked before, and you set up your domain controller again, and it
does not work now, it sounds like the cross realm keys don't match.

There are really two principals and keys, one for each direction:

  krbtgt/<realm1>@<realm2> and krbtgt/<realm2>@<realm1>

The KDCs of each realm have to have the key. The user's realm, <realm1>,
uses the key just like any other key, to issue a ticket for the service,
i.e. krbtgt/<realm2>@<realm1>. The other KDC uses its copy like a server
would use a key in a keytab, but it looks in its database instead (which
is what it does for its own krbtgt).

So you need to make sure you have the keys, kvnos and enctypes in sync
between the two realms. I suspect that you need to add the keys again to
the Kerberos realm. You may have to delete the krbtgt/<realm1>@<realm2>
and krbtgt/<realm2>@<realm1> principals and then add them again.

> See below for the tickets cached in the windows client, using klist.exe.
> In this scenario user lara logged in to MIT REALM ADIANTO.COM using a
> win2000 machine (testw2k8.adianto.com) then accesses resource in
> test_w2kserver which is a member of windows domain LARASARI.COM (as
> opposed to ADIANTO.COM which is a workgroup). This is possible with cross
> realm setup (hence lara is not asked for password anymore to access
> test_w2kserver).

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
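The "keys, kvnos and enctypes in sync" check described in the reply above, as an added example that is not part of this thread and not anyone's production tooling: a small Python script that parses MIT kadmin `getprinc` output for each cross-realm krbtgt principal as seen by both KDCs and reports where the issuing KDC's copy and the verifying KDC's copy disagree. It checks both directions (krbtgt/<realm2>@<realm1> issued by realm1 and verified by realm2, and the reverse). The function names, the realm pairing and the sample `getprinc` text are all constructed for this example; it assumes both copies can be shown in MIT's getprinc format, so against a Windows DC (which has no getprinc) you would fill in the kvno and enctype recorded when the trust was created.

```python
import re
from typing import NamedTuple


class KeyInfo(NamedTuple):
    principal: str
    kvno: int
    enctypes: frozenset


def parse_getprinc(text):
    """Extract principal name, kvno and enctypes from MIT kadmin 'getprinc' output."""
    principal = None
    kvnos, enctypes = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            principal = line.split(":", 1)[1].strip()
        m = re.match(r"Key: vno (\d+), (.+)", line)
        if m:
            kvnos.add(int(m.group(1)))
            # keep only the enctype name; older krb5 appends ", no salt" etc.
            enctypes.add(m.group(2).split(",")[0].strip())
    if principal is None or not kvnos:
        raise ValueError("no Principal:/Key: lines found in getprinc output")
    if len(kvnos) != 1:
        raise ValueError(f"mixed kvnos for {principal}: {sorted(kvnos)}")
    return KeyInfo(principal, kvnos.pop(), frozenset(enctypes))


def check_cross_realm_pair(issuer_out, verifier_out):
    """Compare the two copies of one krbtgt/<realm2>@<realm1> principal.

    issuer_out   - getprinc output from realm1's KDC (issues the cross-realm TGT)
    verifier_out - getprinc output from realm2's KDC (checks it like a keytab key)
    Returns a list of problems; an empty list means the copies are in sync.
    """
    a, b = parse_getprinc(issuer_out), parse_getprinc(verifier_out)
    problems = []
    if a.principal != b.principal:
        problems.append(f"principal name differs: {a.principal} vs {b.principal}")
    if a.kvno != b.kvno:
        problems.append(f"{a.principal}: kvno {a.kvno} on issuing KDC "
                        f"vs kvno {b.kvno} on verifying KDC")
    if not (a.enctypes & b.enctypes):
        problems.append(f"{a.principal}: no shared enctype "
                        f"({sorted(a.enctypes)} vs {sorted(b.enctypes)})")
    return problems


def check_trust(realm1, realm2, outputs):
    """outputs[realm][principal] is getprinc output taken from that realm's KDC.

    Walks both directions of the trust; a principal absent from either
    database is reported rather than silently skipped.
    """
    problems = []
    for issuer, verifier in ((realm1, realm2), (realm2, realm1)):
        princ = f"krbtgt/{verifier}@{issuer}"
        try:
            problems += check_cross_realm_pair(outputs[issuer][princ],
                                               outputs[verifier][princ])
        except KeyError:
            problems.append(f"{princ}: missing from one KDC database")
    return problems


def sample_getprinc(principal, kvno, enctype):
    # Constructed text in the shape of MIT kadmin's getprinc output (abridged);
    # not captured from any real KDC.
    return (f"Principal: {principal}\n"
            "Expiration date: [never]\n"
            "Maximum ticket life: 1 day 00:00:00\n"
            "Number of keys: 1\n"
            f"Key: vno {kvno}, {enctype}\n"
            "MKey: vno 1\n")


A, B = "ADIANTO.COM", "LARASARI.COM"
AB, BA = f"krbtgt/{B}@{A}", f"krbtgt/{A}@{B}"

# Constructed: both KDCs hold both principals at the same kvno and enctype.
SYNCED = {
    A: {AB: sample_getprinc(AB, 2, "aes256-cts-hmac-sha1-96"),
        BA: sample_getprinc(BA, 2, "aes256-cts-hmac-sha1-96")},
    B: {AB: sample_getprinc(AB, 2, "aes256-cts-hmac-sha1-96"),
        BA: sample_getprinc(BA, 2, "aes256-cts-hmac-sha1-96")},
}

# Constructed: realm B was rebuilt and kept a stale copy of one principal
# (old kvno, old enctype) and lost the other entirely.
STALE = {
    A: dict(SYNCED[A]),
    B: {AB: sample_getprinc(AB, 1, "des-cbc-crc")},
}

if __name__ == "__main__":
    for label, outputs in (("synced", SYNCED), ("stale", STALE)):
        print(label, check_trust(A, B, outputs) or "ok")
```

Run it and the synced pair reports nothing, while the stale pair reports a kvno mismatch and no shared enctype for krbtgt/LARASARI.COM@ADIANTO.COM plus the missing reverse principal, which is exactly the state the reply suggests deleting and re-adding both principals to clear.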
