Greetings, I have the following setup:

- A MIT Kerberos realm MITREALM containing user principals (user@MITREALM)
- A Windows 2008 Active Directory ADS.NET, which is configured on DC adsdc01.
- A Windows 2008 domain member admember within the ADS.NET domain.
- There is a cross-realm trust between ADS.NET and the MIT realm MITREALM.
- The local Windows account has a Kerberos mapping.

Login using principal user@MITREALM works on all systems of the ADS.NET domain successfully. But access from adsdc01 to admember, or from admember to a network drive of adsdc01 (below), does not work. Unexpectedly I see the following log entries on the MIT Kerberos server:

Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for cifs/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (1 etypes {18}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (1 etypes {18}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:29 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for ldap/adsdc01.ads.net@MITREALM, Server not found in Kerberos database

==> It seems as if the Windows system looks for the service principal on the MIT system instead of the Windows DC. Do you understand this? Is there any general limitation of Windows related to cross-realm trusts and services like cifs, ldap?

Can you please help me? Maybe it is just a misconfiguration, but I have now spent several days on this issue without any progress.

Best regards
Chris

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
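Added example, not part of Chris's post or of the Kerberos list: a small Python script that parses the krb5kdc lines quoted above and flags the pattern they show, namely a TGS_REQ for a service whose host belongs to the foreign realm (adsdc01.ads.net in ADS.NET) but which names the local realm (@MITREALM), sent by a client that the same log shows had already been issued the cross-realm TGT krbtgt/ADS.NET@MITREALM. The host-suffix-to-realm map DOMAIN_REALM is an assumption made for the example (it mirrors what a krb5.conf [domain_realm] entry would say, built from the domain and DC named in the post); the sample log is the quoted KDC output with the mailer's link markers removed.

```python
"""Parse MIT krb5kdc log lines and flag service-ticket requests that name a
host from another realm but were sent to this KDC under the local realm."""
import re
from collections import defaultdict

# Constructed sample: the krb5kdc lines quoted in the post, one per line.
SAMPLE_LOG = """\
Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for cifs/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (1 etypes {18}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (1 etypes {18}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:29 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for ldap/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
"""

# One krb5kdc AS_REQ/TGS_REQ line; the "etypes {...}, " group is only present on ISSUE lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<client_ip>\S+): "
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>\d+), "
    r"(?:etypes \{(?P<issued_etypes>[^}]*)\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<reason>.*))?$"
)

# Assumption for this example: hosts under .ads.net belong to the AD realm ADS.NET
# (the post names that domain and its DC adsdc01); anything else is local to MITREALM.
# This plays the role of a krb5.conf [domain_realm] section.
DOMAIN_REALM = {".ads.net": "ADS.NET"}
LOCAL_REALM = "MITREALM"


def parse_kdc_line(line):
    """Return a dict for one krb5kdc request line, or None if the line is something else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["authtime"] = int(rec["authtime"])
    name, _, realm = rec["server"].rpartition("@")
    rec["server_name"], rec["server_realm"] = name, realm
    rec["server_host"] = name.partition("/")[2]  # '' for a principal without an instance
    return rec


def parse_kdc_log(text):
    """Parse every request line in the log text; non-matching lines are skipped."""
    return [r for r in (parse_kdc_line(l) for l in text.splitlines()) if r]


def expected_realm(host, domain_realm=DOMAIN_REALM, default=LOCAL_REALM):
    """Longest-suffix match of host against the domain_realm map, as libkrb5 resolves [domain_realm]."""
    host = host.lower()
    best = None
    for suffix, realm in domain_realm.items():
        if host == suffix.lstrip(".") or host.endswith(suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, realm)
    return best[1] if best else default


def find_misrouted_service_requests(records):
    """Flag TGS_REQs for a non-krbtgt service whose host maps to a different realm than
    the one in the requested principal, and record whether that client had already been
    issued a cross-realm TGT for the host's realm earlier in the log."""
    cross_realm_tgts = defaultdict(set)  # (client_ip, client principal) -> {foreign realm}
    findings = []
    for r in records:
        key = (r["client_ip"], r["client"])
        name = r["server_name"]
        if name.startswith("krbtgt/"):
            if r["status"] == "ISSUE" and name != f"krbtgt/{LOCAL_REALM}":
                cross_realm_tgts[key].add(name.split("/", 1)[1])
            continue
        if r["req"] != "TGS_REQ" or not r["server_host"]:
            continue
        want = expected_realm(r["server_host"])
        if want != r["server_realm"]:
            findings.append({
                "ts": r["ts"],
                "client": r["client"],
                "client_ip": r["client_ip"],
                "requested": r["server"],
                "expected_realm": want,
                "status": r["status"],
                "had_cross_realm_tgt": want in cross_realm_tgts[key],
            })
    return findings


def main():
    for f in find_misrouted_service_requests(parse_kdc_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['client_ip']} asked {LOCAL_REALM} for {f['requested']}: "
              f"host belongs to {f['expected_realm']}, KDC answered {f['status']}, "
              f"cross-realm TGT for {f['expected_realm']} already issued: {f['had_cross_realm_tgt']}")


if __name__ == "__main__":
    main()
```

Run against the quoted log it reports both UNKNOWN_SERVER lines (cifs/ and ldap/adsdc01.ads.net@MITREALM) and, for each, that the client at 100.21.20.165 had already received krbtgt/ADS.NET@MITREALM. That distinction is the useful one when reading such a log: the trust path itself is producing cross-realm TGTs, and what the MIT KDC then sees is a service request carrying the wrong realm in the principal name, which is why it answers "Server not found in Kerberos database" rather than anything about the trust.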