Google for: cross-realm windows kerberos

Then read: http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

[EMAIL PROTECTED] wrote:
Hi,

I've got a small problem with Kerberos, and couldn't seem to be able to find a solution by simply Googling around...

I changed my Kerberos domain name. Basically, I just wiped out the old KDC and reinstalled from scratch (it was testing only, so no real users on it anyhow). There was a one-way trust between the old domain and another Kerberos domain (part of Windows 2000 Active Directory). Before the change, I had saslauthd running on the Unix side, and it was able to authenticate users against Active Directory (using Kerberos). After the change, I did exactly the same steps, but things simply don't work anymore. The interesting thing is that I also added a slave server, and if saslauthd is going through the slave, it can successfully authenticate users on the Windows Kerberos domain.

My guess is that there's some stale information about the old domain and associated accounts on the Windows side (created with ktpass.exe) that needs to be wiped out too.

All I could find on the web is how to initially make things work. In short: set up an account for the Unix host in Active Directory, associate the host Kerberos principal with that account and create a key using ktpass.exe, then import the key into /etc/krb5.keytab on the Unix side. But no info on how to undo it (the part on the Windows side; removing the key from krb5.keytab is trivial), so that I can recreate the host principal for my master KDC in a clean way. As I said, I guess my problems are due to stale information for the host principal on the Windows side.

I hope somebody could give me a hint or two to get me going in the right direction.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

-- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444