MIT to Windows 2k interoperability problems - Kerberos



Thread: MIT to Windows 2k interoperability problems

  1. MIT to Windows 2k interoperability problems

    Hi,

    I've got a small problem with Kerberos, and couldn't seem to be able to
    find a solution by simply Googling around...

    I changed my Kerberos domain name. Basically, I just wiped out the old
    KDC, and reinstalled from scratch (it was testing only, so no real
    users on it anyhow). There was a one-way trust between the old domain and
    another Kerberos domain (part of Windows 2000 Active Directory).

    Before the change, I had saslauthd running on the Unix side, and it was
    able to authenticate users against Active Directory (using Kerberos).
    After the change, I did exactly the same steps, but things simply don't
    work anymore. The interesting thing is that I also added a slave server, and
    if saslauthd is going through the slave, it can successfully
    authenticate users on the Windows Kerberos domain. My guess is that
    there's some stale information about the old domain and associated accounts
    on the Windows side (created with ktpass.exe) that needs to be wiped out
    too.

    All I could find on the web is how to initially make things work.
    In short, set up an account for the Unix host in Active Directory, associate
    the host Kerberos principal with that account and create a key using
    ktpass.exe, and import the key into /etc/krb5.keytab on the Unix side. But no
    info on how to undo it (the part on the Windows side; removing the key from
    krb5.keytab is trivial), so that I can recreate the host principal for my
    master KDC in a clean way. As I said, I guess my problems are due to
    stale information for the host principal on the Windows side.

    I hope somebody could give me a hint or two to get me going in the right
    direction.


  2. Re: MIT to Windows 2k interoperability problems

    Google for: cross-realm windows kerberos

    Then read:
    http://www.microsoft.com/windows2000.../kerbsteps.asp

    amiliv@gmail.com wrote:


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  3. Re: MIT to Windows 2k interoperability problems


    That is a very good document, but needs to be read REALLY carefully...

    I'll add some hints:

    To check that you cleaned things up correctly, you can use adsiedit.msc on
    the Windows side to make sure you don't have duplicate
    serviceprincipalnames.

    ktpass requires a new, made-up password (most MS documentation doesn't
    make this clear).

    Also, ktpass documents suggest you can create a serviceprincipalname
    WITHOUT mapping to a user (no -mapuser); I have no idea what that
    means.

    -Jeff


    -----------------------------------------------------------
    Jeffrey Albro | Systems Administrator | Boston University
    - Department of Electrical and Computer Engineering -
    jalbro@bu.edu | Photonics, Room 305 | 617-358-2785
    -----------------------------------------------------------



    On Wed, 22 Jun 2005, Douglas E. Engert wrote:


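As an added example (not code from this thread or from any of the posters), a small POSIX shell script that automates the two sanity checks the replies point at after a realm rename: whether /etc/krb5.keytab still holds entries for the old realm, and whether Active Directory carries the same servicePrincipalName on more than one account (the duplicate-SPN condition Jeff suggests checking with adsiedit.msc). The keytab input is in the shape `klist -k` prints, and the AD input is in the LDIF shape an `ldapsearch` for servicePrincipalName returns; both are constructed sample inputs embedded in the script, and the realm names, host names and account DNs are made up.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the two things the replies
# point at after a realm rename: stale-realm entries in the Unix keytab and
# duplicate servicePrincipalName values on the AD side. All sample data below
# is constructed; realms, hosts and DNs are made up.

# Constructed sample in the shape "klist -k /etc/krb5.keytab" prints.
# The OLD.EXAMPLE.COM entries are what a realm rename leaves behind.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/unixbox.example.com@OLD.EXAMPLE.COM
   3 host/unixbox.example.com@OLD.EXAMPLE.COM
   5 host/unixbox.example.com@NEW.EXAMPLE.COM
   2 imap/unixbox.example.com@OLD.EXAMPLE.COM'

# Constructed sample in the LDIF shape an ldapsearch for servicePrincipalName
# returns. Two accounts carry host/unixbox.example.com: the stale mapping
# left from the old setup and the new one created with ktpass.
SAMPLE_LDIF='dn: CN=unixbox-host,OU=Unix,DC=example,DC=com
servicePrincipalName: host/unixbox.example.com

dn: CN=unixbox-old,OU=Unix,DC=example,DC=com
servicePrincipalName: HOST/unixbox.example.com
servicePrincipalName: imap/unixbox.example.com'

# stale_keytab_entries REALM: read a klist -k listing on stdin and print each
# distinct principal whose realm is not REALM. Empty output means clean.
stale_keytab_entries() {
    awk -v realm="$1" '
        # entry lines start with a numeric KVNO; the header lines do not
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            princ = $2
            if (split(princ, p, "@") == 2 && p[2] != realm && !seen[princ]++)
                print princ
        }'
}

# duplicate_spns: read LDIF on stdin and print "spn count dn1 dn2 ..." for each
# servicePrincipalName that appears on more than one account. AD matches SPNs
# case-insensitively, so values are lowercased before comparing.
duplicate_spns() {
    awk '
        /^dn: / { dn = $0; sub(/^dn: /, "", dn) }
        /^servicePrincipalName: / {
            spn = $0; sub(/^servicePrincipalName: /, "", spn); spn = tolower(spn)
            count[spn]++
            owners[spn] = (owners[spn] == "" ? "" : owners[spn] " ") dn
        }
        END {
            for (spn in count)
                if (count[spn] > 1) print spn, count[spn], owners[spn]
        }' | sort
}

# Run both checks against the constructed samples. On a real host the inputs
# would be "klist -k /etc/krb5.keytab" and an ldapsearch against the domain.
main() {
    echo "== keytab entries outside NEW.EXAMPLE.COM =="
    printf '%s\n' "$SAMPLE_KLIST" | stale_keytab_entries NEW.EXAMPLE.COM
    echo "== servicePrincipalName values on more than one account =="
    printf '%s\n' "$SAMPLE_LDIF" | duplicate_spns
}

main
```

Any principal listed by the first check belongs to a realm the KDC no longer serves, and each SPN listed by the second is one that two AD accounts claim, which is exactly the kind of leftover mapping that makes the Windows KDC hand out tickets for the wrong key. Both checks read only listings, so they are safe to run before deciding what to remove.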