Thanks a lot Markus Could you paste your krb5.conf aswell?
Kind regards Miguel Markus Moeller wrote: > "Miguel Sanders" <[EMAIL PROTECTED]> wrote in message > news:[EMAIL PROTECTED] > > 1) You should use rc4-hmac. des is week and shouldn't be used. > > > > Can that be used in combination with Active Directory? Which stanza's/ > > configuration items should be used in kdc.conf and krb5.conf? > > > My kdc.conf looks like: > > [kdcdefaults] > kdc_ports = 750,88 > [realms] > UNIX.COM = { > database_name = /var/lib/kerberos/krb5kdc/principal > admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab > acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl > key_stash_file = /var/lib/kerberos/krb5kdc/.k5.UNIX.COM > kdc_ports = 750,88 > supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal > des-cbc-crc:normal des-cbc-md5:normal > kdc_supported_enctypes = rc4-hmac:normal > des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal > max_life = 10h 0m 0s > max_renewable_life = 7d 0h 0m 0s > } > [logging] > kdc = FILE:/var/log/kdc.log > admin_server = FILE:/var/log/kadmin.log > > > > > > 2) Now why can't user [EMAIL PROTECTED] login successfully with his Windows > > password? > > > > I meant on the Unix box, not on the Windows box, so sorry on that. > > > > I think here is some misunderstanding. I think you want that your Windows > user xyz can login to your Unix machine. Now you have to differentiate two > cases. > > 1) Use Kerberos credentials to login > If you use your Windows credentials ([EMAIL PROTECTED]) the Unix server > will try to match the credentials [EMAIL PROTECTED] with a unix user xyz and > the default domain defined in krb5.conf (in your case UNIX.COM), which is > [EMAIL PROTECTED] and fails. This can only be avoided by using a mapping > either > in krb5.conf via auth_to_local or a .k5login file in the user xyz's home > directory. > > 2) Use a password. > > This usually doesn't work. The reason is that most applications don't allow > to use [EMAIL PROTECTED] as a username and if you use xyz the default domain > UNIX.COM will be used again. > > > > > > Markus Moeller wrote: > >> "Miguel Sanders" <[EMAIL PROTECTED]> wrote in message > >> news:[EMAIL PROTECTED] > >> > Hi > >> > I have been through many documents for several times but I just can't > >> > seem to find the problem. > >> > Here is the idea. > >> > Users are defined in Active Directory (domain/realm WINDOWS.COM) > >> > Host and service principals are defined in MIT Kerberos (realm > >> > UNIX.COM). > >> > Now I want the Windows users to be able to login to the Unix machines( > >> > and thus the UNIX.COM realm). > >> > Since users and host/service principals are in separated realms, cross > >> > realm authentication should be set up, right? > >> > So the point is that users XYZ (Windows Domain User) should be able to > >> > logon to the Unix Machines. > >> > 1) Does the Windows user XYZ need to be defined in MIT Kerberos? I > >> > presume that this is the case (although set with a random password). > >> > >> You don't need the user in the MIT kdc. You either need a mapping like > >> auth_to_local = RULE:[1:[EMAIL PROTECTED]([EMAIL > >> PROTECTED])s/@.*// > >> auth_to_local = DEFAULT > >> as part of the realms UNIX.COM section or use a .k5login file. > >> > >> > 2) Is something wrong with the given krb5.conf ? > >> > [libdefaults] > >> > default_realm = UNIX.COM > >> > default_keytab_name = FILE:/etc/krb5/krb5.keytab > >> > default_tkt_enctypes = des-cbc-md5 des-cbc-crc > >> > default_tgs_enctypes = des-cbc-md5 des-cbc-crc > >> > > >> > [realms] > >> > UNIX.COM= { > >> > kdc = server1.unix.com:88 > >> > admin_server = server1.unix.com:749 > >> > default_domain = unix.com > >> > } > >> > > >> > WINDOWS.COM= { > >> > kdc = server1.windows.com:88 > >> > admin_server = server1.windows.com:749 > >> > default_domain = unix.com > >> > } > >> > > >> > [domain_realm] > >> > .windows.com = WINDOWS.COM > >> > windows.com = WINDOWS.COM > >> > .unix.com = UNIX.COM > >> > unix.com = UNIX.COM > >> > > >> > [capaths] > >> > WINDOWS.COM = { > >> > UNIX.COM = . > >> > } > >> > > >> > UNIX.COM = { > >> > WINDOWS.COM = . > >> > } > >> > > >> > 3) In kdc.conf I edited the following > >> > master_key_type = des-cbc-md5 > >> > supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal > >> > >> > >> > >> > > >> > 4) In MIT Kerberos I defined krbtgt/[EMAIL PROTECTED] and > >> > krbtgt/[EMAIL PROTECTED] principals with password ABC > >> > > >> > 5) In Active Directory I defined the MIT realm and MIT kerberos master > >> > with ksetup > >> >>ksetup > >> > default realm = windows.com (NT Domain) > >> > UNIX.COM: > >> > kdc = server1.unix.com > >> > Realm Flags = 0x0 none > >> > Mapping [EMAIL PROTECTED] to XYZ > >> > >> The mapping is only needed when you login from Unix to Windows. > >> > >> > > >> > 6) In Active Directory I defined the realm trust (one way, incoming) > >> > with the password ABC > >> > 7) In Active Directory Users and Computers I created the name mapping > >> > for user XYZ to [EMAIL PROTECTED] (since the mapping set up by ksetup > >> > wasn't > >> > visible here, did this just to be sure) > >> > >> I don't think you need this. > >> > >> > > >> > Now why can't user [EMAIL PROTECTED] login successfully with his Windows > >> > password? > >> > I am quite desperate on this one. What am I missing? > >> > Any help would be greatly appreciated. > >> > > >> > >> You have to tell the Windows clients where to find the service principals > >> for the unix.com domain. This will be done with > >> trust WINDOWS.COM/ domain:UNIX.COM /addtln:unix.com > >> on Active Directory. > >> > >> > Kind regards > >> > > >> > Miguel > >> > > >> > >> Regards > >> Markus > > > > Regards > Markus ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
