BarBaar wrote:
Hi all,

I took a little step backward today. First I tried to access a Debian
telnet service with a WinXP client, and a Windows 2003 server KDC.
This was no problem (the client is a member of the 2003 domain).

The next step was to authenticate on a MIT KDC with the WinXP client.
The WinXP client needs to authenticate on the KDC. This first failed
for the same reason as I described in the first post here (the KDC
does receive the request (AS and TGS) but the WinXP authentication
did fail).

Then I started to read again in O'Reilly's book, and saw that there is
more involved in getting a WinXP client to talk to a MIT KDC.

I needed to use ksetup:
ksetup /setdomain TEST2.NL
ksetup /addkdc TEST2.NL kdc.test2.nl
ksetup /addkpasswd TEST2.NL
ksetup /setmachpassword winxp.test2.nl <password>

But I thought you said this XP box was a member of the domain. I believe you have now made it a member of the Kerberos realm, by the setdomain and setpassword.

The point being that the last step of login is to get a host ticket
for the local machine. This is now obtained from TEST2.NL.


After that I was able to use Kerberos on the WinXP box (and thus use MIT Kerberos).


This may have worked for login but may not be what you want, as the machine is not part of the domain. Remote access to the machine like SMS may not work anymore.



I never took those steps before. Do I need to execute any of these
commands on the 2003 server to make cross-realm auth possible? I am a
little confused about this at the moment.


You may need the addkdc and addpassword so that if the MS code needs to contact the MIT KDC it can find it. But it should also be able to find it using the DNS SRV records if you have them set up.


Thanks,

Bart
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos




--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444