RE: Windows Xp authentication to MIT KDC - Kerberos


Thread: RE: Windows Xp authentication to MIT KDC

  1. RE: Windows Xp authentication to MIT KDC


    Following up on two replies:

    Chaskiel M Grundman cg2v at andrew.cmu.edu said:

    > Did you set a machine account password? is it correct? does the name of the
    > relevant host principal exactly match .stanford.edu? It is
    > possible that configuring the 'primary dns suffix' (hit the 'more' button
    > in the dialog that allows you to join a domain) will allow you to use a
    > more arbitrary principal name. I have never tried, and the documentation
    > does not say anything about it.



    Yes, I set a machine account password. Since I was cutting and pasting from
    what I put into the KDC for my system, I assume it is correct, particularly
    since the KDC logs show my system binding and getting a tgt. The relevant
    host principal exactly matches the DNS name of my host, which is what it
    uses when contacting the KDC. The primary DNS suffix is "stanford.edu",
    and the NetBIOS computer name is:

    SW-90-717-287-3

    which is what it should be.



    Richard E. Silverman res at qoxp.net said:

    > All your realm names are lower case. Is that really correct? It's very
    > unusual.


    Yes, our realm is lower case (from a unix host):

    tribes:~> klist
    Ticket cache: FILE:/tmp/krb5cc_54046_WTO254
    Default principal: quanah@stanford.edu

    and yes, we know it is odd.


    > This means that on some level, the client still thinks this realm is a
    > Windows domain, as opposed to an external realm. It's trying to find a
    > domain controller.


    Oh, I see. I was getting the error about SRV records when I was trying to
    tell the system to join a domain (rather than using the workgroup
    "STANFORD.EDU"). So doing that is not what I want, so the SRV errors were
    correct and not the problem. Sigh....



    So... Is there any debugging on the windows side of things I can turn up to
    get an idea of why the logins are failing when I specify to use
    "stanford.edu" at login time?


    --Quanah


    --
    Quanah Gibson-Mount
    Principal Software Developer
    ITS/Shared Application Services
    Stanford University
    GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Windows Xp authentication to MIT KDC

    Quanah Gibson-Mount wrote:

    > So... Is there any debugging on the windows side of things I can turn up to
    > get an idea of why the logins are failing when I specify to use
    > "stanford.edu" at login time?


    Windows is case insensitive and I would not be surprised that it
    assumes that all realm names should be upper-cased.

    Jeffrey Altman

  3. Re: Windows Xp authentication to MIT KDC

    Jeffrey Altman writes:
    > Quanah Gibson-Mount wrote:


    >> So... Is there any debugging on the windows side of things I can turn
    >> up to get an idea of why the logins are failing when I specify to use
    >> "stanford.edu" at login time?


    > Windows is case insensitive and I would not be surprised that it
    > assumes that all realm names should be upper-cased.


    We do know that logging in to stanford.edu as a realm *does* work if the
    system has joined our Windows domain and has a few additional patches
    applied.

    Quanah, there are a set of patches that we have to apply to enable
    stanford.edu logins to systems that have joined the domain; I'm wondering
    if you need those patches to do what you're trying to do as well. You can
    get the list from Tony. I don't think they're part of Microsoft's
    standard patch set, but I don't remember exactly what they fix.

    --
    Russ Allbery (rra@stanford.edu)
