Greetings,

I have the following setup:

- An MIT Kerberos realm MITREALM containing user principals (user@MITREALM)
- A Windows 2008 Active Directory domain ADS.NET, configured on DC adsdc01
- A Windows 2008 domain member admember within the ADS.NET domain
- There is a cross-realm trust between ADS.NET and the MIT realm MITREALM
- The local Windows account has a Kerberos name mapping

Login using the principal user@MITREALM works successfully on all systems of
the ADS.NET domain.
But access from adsdc01 to admember, or from admember to a network drive
on adsdc01 (see below), does not work.

Unexpectedly, I see the following log entries on the MIT Kerberos server:
Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for cifs/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (1 etypes {18}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (1 etypes {18}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:29 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for ldap/adsdc01.ads.net@MITREALM, Server not found in Kerberos database

==> It seems as if the Windows system looks for the service principal
on the MIT system instead of on the Windows DC.

Do you understand this?
Is there any general limitation of Windows related to cross-realm
trusts and services like cifs and ldap?
Can you please help me? Maybe it is just a misconfiguration, but I
have now spent several days on this issue without any progress.

        Best regards
Chris

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
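The log quoted in the post shows the client obtaining the cross-realm TGT krbtgt/ADS.NET@MITREALM and then, instead of presenting it to an ADS.NET KDC, asking the MIT KDC for cifs/adsdc01.ads.net@MITREALM and ldap/adsdc01.ads.net@MITREALM, which the MIT KDC correctly rejects with UNKNOWN_SERVER. The following Python is an added example, not part of the original post and not MIT Kerberos project code. It parses krb5kdc log lines of the shape shown above and flags TGS requests whose service principal names a host that, by a longest-suffix host-to-realm table modelled on krb5.conf's [domain_realm] section, belongs to a different realm than the one requested. The sample lines are four of the post's entries re-joined onto single lines; the DOMAIN_REALM table, including the invented ".mit.example" suffix for MITREALM (the post does not give the MIT realm's DNS domain), is an assumption.

```python
"""Flag MIT krb5kdc TGS requests that ask for a service principal in the
wrong realm (the client should have followed its cross-realm TGT instead).
Added example; not code from the original post or from MIT Kerberos."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Sample input: four of the post's log entries, joined onto single lines.
SAMPLE_LOG = """\
Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for cifs/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
Jul 23 17:39:29 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for ldap/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
"""

# Assumed host-suffix -> realm table, in the spirit of krb5.conf [domain_realm].
# ".mit.example" is invented; the post does not state the MIT realm's DNS domain.
DOMAIN_REALM = {
    ".ads.net": "ADS.NET",
    ".mit.example": "MITREALM",
}

# Matches the AS_REQ / TGS_REQ lines krb5kdc writes; the "etypes {...}, "
# group after authtime is only present on ISSUE lines, the trailing
# ", reason" only on failures.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"authtime \d+, (?:etypes \{[^}]*\}, )?(?P<client>\S+) for (?P<server>\S+?)"
    r"(?:,\s*(?P<reason>.*))?$"
)


@dataclass
class KdcRequest:
    ts: str
    kind: str
    ip: str
    status: str
    client: str
    server: str          # requested service principal, e.g. cifs/host@REALM
    reason: Optional[str]

    @property
    def server_realm(self) -> str:
        return self.server.rsplit("@", 1)[1]

    @property
    def server_host(self) -> Optional[str]:
        """Instance part of a two-component service principal, else None."""
        name = self.server.rsplit("@", 1)[0]
        service, _, inst = name.partition("/")
        # krbtgt/OTHER.REALM is a cross-realm TGT, not a host-based service.
        return inst if inst and service != "krbtgt" else None


def parse_log(text: str) -> list[KdcRequest]:
    """Parse every AS_REQ/TGS_REQ line; unrelated lines are skipped."""
    out: list[KdcRequest] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(KdcRequest(m["ts"], m["kind"], m["ip"], m["status"],
                                  m["client"], m["server"], m["reason"]))
    return out


def expected_realm(host: str, domain_realm: dict[str, str]) -> Optional[str]:
    """Longest matching suffix wins, as with krb5.conf [domain_realm]."""
    host = host.lower()
    best: Optional[tuple[str, str]] = None
    for suffix, realm in domain_realm.items():
        if host.endswith(suffix.lower()) and (best is None or len(suffix) > len(best[0])):
            best = (suffix, realm)
    return best[1] if best else None


def find_misrouted(requests: list[KdcRequest],
                   domain_realm: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, requested principal, realm the host belongs to)
    for each TGS request that names a host-based service in a realm other
    than the one its DNS suffix maps to."""
    hits = []
    for r in requests:
        host = r.server_host
        if r.kind != "TGS_REQ" or host is None:
            continue
        want = expected_realm(host, domain_realm)
        if want and want != r.server_realm:
            hits.append((r.ts, r.server, want))
    return hits


if __name__ == "__main__":
    for ts, principal, realm in find_misrouted(parse_log(SAMPLE_LOG), DOMAIN_REALM):
        print(f"{ts}: {principal} requested here, but host belongs to realm {realm}")
```

Run over the sample, the two UNKNOWN_SERVER entries are reported as requests for ADS.NET hosts sent to the MITREALM KDC, while the krbtgt/ADS.NET@MITREALM referral ticket is correctly left alone. Pointing the same function at a live krb5kdc.log gives a quick way to see whether a client's realm mapping for the trusted domain is missing or wrong.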
