Cross Realm MIT <-> Active Directory - Kerberos


Thread: Cross Realm MIT <-> Active Directory

  1. Cross Realm MIT <-> Active Directory

    Hi
    I have been through many documents several times but I just can't
    seem to find the problem.
    Here is the idea.
    Users are defined in Active Directory (domain/realm WINDOWS.COM)
    Host and service principals are defined in MIT Kerberos (realm
    UNIX.COM).
    Now I want the Windows users to be able to login to the Unix machines
    (and thus the UNIX.COM realm).
    Since users and host/service principals are in separate realms, cross
    realm authentication should be set up, right?
    So the point is that user XYZ (Windows Domain User) should be able to
    logon to the Unix Machines.
    1) Does the Windows user XYZ need to be defined in MIT Kerberos? I
    presume that this is the case (although set with a random password).
    2) Is something wrong with the given krb5.conf ?
    [libdefaults]
    default_realm = UNIX.COM
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc

    [realms]
    UNIX.COM= {
    kdc = server1.unix.com:88
    admin_server = server1.unix.com:749
    default_domain = unix.com
    }

    WINDOWS.COM= {
    kdc = server1.windows.com:88
    admin_server = server1.windows.com:749
    default_domain = unix.com
    }

    [domain_realm]
    .windows.com = WINDOWS.COM
    windows.com = WINDOWS.COM
    .unix.com = UNIX.COM
    unix.com = UNIX.COM

    [capaths]
    WINDOWS.COM = {
    UNIX.COM = .
    }

    UNIX.COM = {
    WINDOWS.COM = .
    }

    3) In kdc.conf I edited the following
    master_key_type = des-cbc-md5
    supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal

    4) In MIT Kerberos I defined krbtgt/WINDOWS.COM@UNIX.COM and
    krbtgt/UNIX.COM@WINDOWS.COM principals with password ABC

    5) In Active Directory I defined the MIT realm and MIT kerberos master
    with ksetup
    >ksetup

    default realm = windows.com (NT Domain)
    UNIX.COM:
    kdc = server1.unix.com
    Realm Flags = 0x0 none
    Mapping XYZ@UNIX.COM to XYZ

    6) In Active Directory I defined the realm trust (one way, incoming)
    with the password ABC
    7) In Active Directory Users and Computers I created the name mapping
    for user XYZ to XYZ@UNIX.COM (since the mapping set up by ksetup wasn't
    visible here, did this just to be sure)

    Now why can't user XYZ@UNIX.COM login successfully with his Windows
    password?
    I am quite desperate on this one. What am I missing?
    Any help would be greatly appreciated.

    Kind regards

    Miguel


  2. Re: Cross Realm MIT <-> Active Directory


    "Miguel Sanders" wrote in message
    news:1162725045.392694.47100@i42g2000cwa.googlegroups.com...
    > Hi
    > I have been through many documents for several times but I just can't
    > seem to find the problem.
    > Here is the idea.
    > Users are defined in Active Directory (domain/realm WINDOWS.COM)
    > Host and service principals are defined in MIT Kerberos (realm
    > UNIX.COM).
    > Now I want the Windows users to be able to login to the Unix machines(
    > and thus the UNIX.COM realm).
    > Since users and host/service principals are in separated realms, cross
    > realm authentication should be set up, right?
    > So the point is that users XYZ (Windows Domain User) should be able to
    > logon to the Unix Machines.
    > 1) Does the Windows user XYZ need to be defined in MIT Kerberos? I
    > presume that this is the case (although set with a random password).


    You don't need the user in the MIT kdc. You either need a mapping like
    auth_to_local = RULE:[1:$1@$0](.*@.WINDOWS.COM$)s/@.*//
    auth_to_local = DEFAULT
    as part of the realms UNIX.COM section or use a .k5login file.

    > 2) Is something wrong with the given krb5.conf ?
    > [libdefaults]
    > default_realm = UNIX.COM
    > default_keytab_name = FILE:/etc/krb5/krb5.keytab
    > default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    > default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    >
    > [realms]
    > UNIX.COM= {
    > kdc = server1.unix.com:88
    > admin_server = server1.unix.com:749
    > default_domain = unix.com
    > }
    >
    > WINDOWS.COM= {
    > kdc = server1.windows.com:88
    > admin_server = server1.windows.com:749
    > default_domain = unix.com
    > }
    >
    > [domain_realm]
    > .windows.com = WINDOWS.COM
    > windows.com = WINDOWS.COM
    > .unix.com = UNIX.COM
    > unix.com = UNIX.COM
    >
    > [capaths]
    > WINDOWS.COM = {
    > UNIX.COM = .
    > }
    >
    > UNIX.COM = {
    > WINDOWS.COM = .
    > }
    >
    > 3) In kdc.conf I edited the following
    > master_key_type = des-cbc-md5
    > supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal


    You should use rc4-hmac. des is weak and shouldn't be used.

    >
    > 4) In MIT Kerberos I defined krbtgt/WINDOWS.COM@UNIX.COM and
    > krbtgt/UNIX.COM@WINDOWS.COM principals with password ABC
    >
    > 5) In Active Directory I defined the MIT realm and MIT kerberos master
    > with ksetup
    >>ksetup

    > default realm = windows.com (NT Domain)
    > UNIX.COM:
    > kdc = server1.unix.com
    > Realm Flags = 0x0 none
    > Mapping XYZ@UNIX.COM to XYZ


    The mapping is only needed when you login from Unix to Windows.

    >
    > 6) In Active Directory I defined the realm trust (one way, incoming)
    > with the password ABC
    > 7) In Active Directory Users and Computers I created the name mapping
    > for user XYZ to XYZ@UNIX.COM (since the mapping set up by ksetup wasn't
    > visible here, did this just to be sure)


    I don't think you need this.

    >
    > Now why can't user XYZ@UNIX.COM login successfully with his Windows
    > password?
    > I am quite desperate on this one. What am I missing?
    > Any help would be greatly appreciated.
    >


    You have to tell the Windows clients where to find the service principals
    for the unix.com domain. This will be done with
    trust WINDOWS.COM/ domain:UNIX.COM /addtln:unix.com
    on Active Directory.

    > Kind regards
    >
    > Miguel
    >


    Regards
    Markus



  3. Re: Cross Realm MIT <-> Active Directory

    1) You should use rc4-hmac. des is weak and shouldn't be used.

    Can that be used in combination with Active Directory? Which stanzas/
    configuration items should be used in kdc.conf and krb5.conf?

    2) Now why can't user XYZ@UNIX.COM login successfully with his Windows
    password?

    I meant on the Unix box, not on the Windows box, so sorry on that.





  4. Re: Cross Realm MIT <-> Active Directory

    "Miguel Sanders" wrote in message
    news:1162737224.386797.216750@e3g2000cwe.googlegroups.com...
    > 1) You should use rc4-hmac. des is weak and shouldn't be used.
    >
    > Can that be used in combination with Active Directory? Which stanzas/
    > configuration items should be used in kdc.conf and krb5.conf?



    My kdc.conf looks like:

    [kdcdefaults]
    kdc_ports = 750,88
    [realms]
    UNIX.COM = {
    database_name = /var/lib/kerberos/krb5kdc/principal
    admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
    acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
    key_stash_file = /var/lib/kerberos/krb5kdc/.k5.UNIX.COM
    kdc_ports = 750,88
    supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
    kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    }
    [logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log


    >
    > 2) Now why can't user XYZ@UNIX.COM login successfully with his Windows
    > password?
    >
    > I meant on the Unix box, not on the Windows box, so sorry on that.
    >


    I think there is some misunderstanding here. I think you want your Windows
    user xyz to be able to login to your Unix machine. Now you have to
    differentiate two cases.

    1) Use Kerberos credentials to login
    If you use your Windows credentials (XYZ@WINDOWS.COM) the Unix server
    will try to match the credentials XYZ@WINDOWS.COM with a unix user xyz and
    the default domain defined in krb5.conf (in your case UNIX.COM), which is
    XYZ@UNIX.COM, and fails. This can only be avoided by using a mapping either
    in krb5.conf via auth_to_local or a .k5login file in the user xyz's home
    directory.

    2) Use a password.

    This usually doesn't work. The reason is that most applications don't allow
    using XYZ@WINDOWS.COM as a username, and if you use xyz the default domain
    UNIX.COM will be used again.




    Regards
    Markus
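A worked simulation of the auth_to_local lookup Markus describes, added here and not code from the thread or from MIT krb5: it parses the RULE:[n:format](regexp)s/pattern/replacement/ syntax, evaluates the two entries from his krb5.conf (posted later in this thread) in order with UNIX.COM as the default realm, and shows which principals map to a local name and which are refused. The regexp and substitution handling is a simplified re-implementation (assumption: no escaped delimiters inside the rule).

```python
import re

# Local (default) realm, as set by default_realm in the thread's krb5.conf.
DEFAULT_REALM = "UNIX.COM"

# The two auth_to_local entries from Markus's krb5.conf, in the order MIT krb5
# evaluates them: the first entry that yields a name wins.
AUTH_TO_LOCAL = [
    "RULE:[1:$1@$0](.*@WINDOWS.COM$)s/@.*//",
    "DEFAULT",
]


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm). Assumption: no escaped '/' or '@'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def parse_rule(rule):
    """Parse 'RULE:[n:format](regexp)s/pattern/replacement/[g]' into
    (n, format, regexp, substitution); substitution may be ''."""
    body = rule[len("RULE:"):]
    if not body.startswith("[") or "]" not in body:
        raise ValueError(f"bad selector in rule: {rule!r}")
    close = body.index("]")
    n_str, _, fmt = body[1:close].partition(":")
    rest = body[close + 1:]
    if not rest.startswith("("):
        raise ValueError(f"missing regexp in rule: {rule!r}")
    depth, end = 0, -1
    for i, ch in enumerate(rest):  # find the ')' that closes the regexp
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                end = i
                break
    if end < 0:
        raise ValueError(f"unbalanced regexp in rule: {rule!r}")
    return int(n_str), fmt, rest[1:end], rest[end + 1:]


def apply_rule(rule, components, realm):
    """Evaluate one entry; return the local name, or None if it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the local realm.
        if realm == DEFAULT_REALM and len(components) == 1:
            return components[0]
        return None
    n, fmt, regexp, subst = parse_rule(rule)
    if len(components) != n:  # [n:...] selects principals with exactly n components
        return None
    text = fmt.replace("$0", realm)  # $0 is the realm, $1..$n the components
    for i, comp in enumerate(components, start=1):
        text = text.replace(f"${i}", comp)
    if re.search(regexp, text) is None:
        return None
    if subst:  # s/pattern/replacement/flags; assumption: delimiter not escaped
        _, pattern, replacement, flags = subst.split(subst[1])
        text = re.sub(pattern, replacement, text, count=0 if "g" in flags else 1)
    return text


def auth_to_local(principal, rules=AUTH_TO_LOCAL):
    """Return the local user name for a principal, or None when no entry applies.
    None is what makes the Unix side refuse the login: an unmapped principal
    never silently becomes a local account."""
    components, realm = parse_principal(principal)
    for rule in rules:
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None


# Constructed sample principals covering the cases discussed in the thread.
SAMPLE_PRINCIPALS = [
    "XYZ@WINDOWS.COM",       # AD user: RULE strips the realm -> XYZ
    "XYZ@UNIX.COM",          # local realm: DEFAULT -> XYZ
    "XYZ@OTHER.COM",         # untrusted realm: nothing applies -> refused
    "host/pc1@WINDOWS.COM",  # two components: [1:...] skips it -> refused
    "admin/XYZ@UNIX.COM",    # two components, local realm: DEFAULT skips it -> refused
]


def mapping_table(principals=SAMPLE_PRINCIPALS, rules=AUTH_TO_LOCAL):
    """Return {principal: local name or None} for the given rules."""
    return {p: auth_to_local(p, rules) for p in principals}


if __name__ == "__main__":
    for princ, local in mapping_table().items():
        print(f"{princ:24} -> {local if local is not None else '(refused)'}")
```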



  5. Re: Cross Realm MIT <-> Active Directory

    Thanks a lot Markus

    Could you paste your krb5.conf as well?

    Kind regards

    Miguel



  6. Re: Cross Realm MIT <-> Active Directory

    My krb5.conf file

    [libdefaults]
    default_realm = UNIX.COM
    dns_lookup_kdc = no
    dns_lookup_realm = no
    default_keytab_name = /etc/krb5.keytab
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    noaddresses = no
    [realms]
    UNIX.COM = {
    kdc = opensuse.unix.com
    admin_server = opensuse.unix.com
    auth_to_local = RULE:[1:$1@$0](.*@WINDOWS.COM$)s/@.*//
    auth_to_local = DEFAULT
    }
    WINDOWS.COM = {
    kdc = w2k3.windows.com
    admin_server = w2k3.windows.com
    }
    [domain_realm]
    .unix.com = UNIX.COM
    unix.com = UNIX.COM
    .windows.com = WINDOWS.COM
    windows.com = WINDOWS.COM

    [logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

    Regards
    Markus






  7. Re: Cross Realm MIT <-> Active Directory

    Thanks Markus

    One final question: which version of Windows 2003 are you using and
    which steps did you perform to set up the realm trust? Is it as I
    described? Just asking to be sure.
    Markus Moeller wrote:
    > My krb5.conf file
    >
    > [libdefaults]
    > default_realm = UNIX.COM
    > dns_lookup_kdc = no
    > dns_lookup_realm = no
    > default_keytab_name = /etc/krb5.keytab
    > default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc
    > des-cbc-md5
    > default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc
    > des-cbc-md5
    > permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    > noaddresses = no
    > [realms]
    > UNIX.COM = {
    > kdc = opensuse.unix.com
    > admin_server = opensuse.unix.com
    > auth_to_local = RULE:[1:$1@$0](.*@WINDOWS.COM$)s/@.*//
    > auth_to_local = DEFAULT
    > }
    > WINDOWS.COM = {
    > kdc = w2k3.windows.com
    > admin_server = w2k3.windows.com
    > }
    > [domain_realm]
    > .unix.com = UNIX.COM
    > unix.com = UNIX.COM
    > .windows.com = WINDOWS.COM
    > windows.com = WINDOWS.COM
    >
    > [logging]
    > kdc = FILE:/var/log/krb5kdc.log
    > admin_server = FILE:/var/log/kadmin.log
    > default = FILE:/var/log/krb5lib.log
    >
    > Regards
    > Markus
    >
    >
    > "Miguel Sanders" wrote in message
    > news:1162744296.180067.98070@m73g2000cwd.googlegroups.com...
    > > Thanks a lot Markus
    > >
    > > Could you paste your krb5.conf as well?
    > >
    > > Kind regards
    > >
    > > Miguel
    > > Markus Moeller wrote:
    > >> "Miguel Sanders" wrote in message
    > >> news:1162737224.386797.216750@e3g2000cwe.googlegroups.com...
    > >> > 1) You should use rc4-hmac. DES is weak and shouldn't be used.
    > >> >
    > >> > Can that be used in combination with Active Directory? Which stanzas/
    > >> > configuration items should be used in kdc.conf and krb5.conf?
    > >>
    > >>
    > >> My kdc.conf looks like:
    > >>
    > >> [kdcdefaults]
    > >> kdc_ports = 750,88
    > >> [realms]
    > >> UNIX.COM = {
    > >> database_name = /var/lib/kerberos/krb5kdc/principal
    > >> admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
    > >> acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
    > >> key_stash_file = /var/lib/kerberos/krb5kdc/.k5.UNIX.COM
    > >> kdc_ports = 750,88
    > >> supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
    > >> kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
    > >> max_life = 10h 0m 0s
    > >> max_renewable_life = 7d 0h 0m 0s
    > >> }
    > >> [logging]
    > >> kdc = FILE:/var/log/kdc.log
    > >> admin_server = FILE:/var/log/kadmin.log
    > >>
    > >>
    > >> >
    > >> > 2) Now why can't user XYZ@UNIX.COM login successfully with his Windows
    > >> > password?
    > >> >
    > >> > I meant on the Unix box, not on the Windows box, so sorry on that.
    > >> >
    > >>
    > >> I think here is some misunderstanding. I think you want that your Windows
    > >> user xyz can login to your Unix machine. Now you have to differentiate
    > >> two
    > >> cases.
    > >>
    > >> 1) Use Kerberos credentials to login
    > >> If you use your Windows credentials (XYZ@WINDOWS.COM) the Unix
    > >> server
    > >> will try to match the credentials XYZ@WINDOWS.COM with a unix user xyz
    > >> and
    > >> the default domain defined in krb5.conf (in your case UNIX.COM), which is
    > >> XYZ@UNIX.COM and fails. This can only be avoided by using a mapping
    > >> either
    > >> in krb5.conf via auth_to_local or a .k5login file in the user xyz's home
    > >> directory.
    > >>
    > >> 2) Use a password.
    > >>
    > >> This usually doesn't work. The reason is that most applications don't
    > >> allow you to use XYZ@WINDOWS.COM as a username, and if you use xyz the
    > >> default domain UNIX.COM will be used again.
    > >>
    > >>
    > >> >
    > >> > Markus Moeller wrote:
    > >> >> "Miguel Sanders" wrote in message
    > >> >> news:1162725045.392694.47100@i42g2000cwa.googlegroups.com...
    > >> >> > Hi
    > >> >> > I have been through many documents several times but I just
    > >> >> > can't
    > >> >> > seem to find the problem.
    > >> >> > Here is the idea.
    > >> >> > Users are defined in Active Directory (domain/realm WINDOWS.COM)
    > >> >> > Host and service principals are defined in MIT Kerberos (realm
    > >> >> > UNIX.COM).
    > >> >> > Now I want the Windows users to be able to login to the Unix
    > >> >> > machines(
    > >> >> > and thus the UNIX.COM realm).
    > >> >> > Since users and host/service principals are in separate realms,
    > >> >> > cross
    > >> >> > realm authentication should be set up, right?
    > >> >> > So the point is that users XYZ (Windows Domain User) should be able
    > >> >> > to
    > >> >> > logon to the Unix Machines.
    > >> >> > 1) Does the Windows user XYZ need to be defined in MIT Kerberos? I
    > >> >> > presume that this is the case (although set with a random password).
    > >> >>
    > >> >> You don't need the user in the MIT kdc. You either need a mapping like
    > >> >> auth_to_local =
    > >> >> RULE:[1:$1@$0](.*@.WINDOWS.COM$)s/@.*//
    > >> >> auth_to_local = DEFAULT
    > >> >> as part of the realms UNIX.COM section or use a .k5login file.
    > >> >>
    > >> >> > 2) Is something wrong with the given krb5.conf ?
    > >> >> > [libdefaults]
    > >> >> > default_realm = UNIX.COM
    > >> >> > default_keytab_name = FILE:/etc/krb5/krb5.keytab
    > >> >> > default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    > >> >> > default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    > >> >> >
    > >> >> > [realms]
    > >> >> > UNIX.COM= {
    > >> >> > kdc = server1.unix.com:88
    > >> >> > admin_server = server1.unix.com:749
    > >> >> > default_domain = unix.com
    > >> >> > }
    > >> >> >
    > >> >> > WINDOWS.COM= {
    > >> >> > kdc = server1.windows.com:88
    > >> >> > admin_server = server1.windows.com:749
    > >> >> > default_domain = unix.com
    > >> >> > }
    > >> >> >
    > >> >> > [domain_realm]
    > >> >> > .windows.com = WINDOWS.COM
    > >> >> > windows.com = WINDOWS.COM
    > >> >> > .unix.com = UNIX.COM
    > >> >> > unix.com = UNIX.COM
    > >> >> >
    > >> >> > [capaths]
    > >> >> > WINDOWS.COM = {
    > >> >> > UNIX.COM = .
    > >> >> > }
    > >> >> >
    > >> >> > UNIX.COM = {
    > >> >> > WINDOWS.COM = .
    > >> >> > }
    > >> >> >
    > >> >> > 3) In kdc.conf I edited the following
    > >> >> > master_key_type = des-cbc-md5
    > >> >> > supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal
    > >> >>
    > >> >>
    > >> >>
    > >> >> >
    > >> >> > 4) In MIT Kerberos I defined krbtgt/WINDOWS.COM@UNIX.COM and
    > >> >> > krbtgt/UNIX.COM@WINDOWS.COM principals with password ABC
    > >> >> >
    > >> >> > 5) In Active Directory I defined the MIT realm and MIT kerberos
    > >> >> > master
    > >> >> > with ksetup
    > >> >> >>ksetup
    > >> >> > default realm = windows.com (NT Domain)
    > >> >> > UNIX.COM:
    > >> >> > kdc = server1.unix.com
    > >> >> > Realm Flags = 0x0 none
    > >> >> > Mapping XYZ@UNIX.COM to XYZ
    > >> >>
    > >> >> The mapping is only needed when you login from Unix to Windows.
    > >> >>
    > >> >> >
    > >> >> > 6) In Active Directory I defined the realm trust (one way, incoming)
    > >> >> > with the password ABC
    > >> >> > 7) In Active Directory Users and Computers I created the name
    > >> >> > mapping
    > >> >> > for user XYZ to XYZ@UNIX.COM (since the mapping set up by ksetup
    > >> >> > wasn't
    > >> >> > visible here, did this just to be sure)
    > >> >>
    > >> >> I don't think you need this.
    > >> >>
    > >> >> >
    > >> >> > Now why can't user XYZ@UNIX.COM login successfully with his Windows
    > >> >> > password?
    > >> >> > I am quite desperate on this one. What am I missing?
    > >> >> > Any help would be greatly appreciated.
    > >> >> >
    > >> >>
    > >> >> You have to tell the Windows clients where to find the service
    > >> >> principals
    > >> >> for the unix.com domain. This will be done with
    > >> >> trust WINDOWS.COM /domain:UNIX.COM /addtln:unix.com
    > >> >> on Active Directory.
    > >> >>
    > >> >> > Kind regards
    > >> >> >
    > >> >> > Miguel
    > >> >> >
    > >> >>
    > >> >> Regards
    > >> >> Markus
    > >> >
    > >>
    > >> Regards
    > >> Markus
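The auth_to_local rules quoted in this post decide which local account a WINDOWS.COM principal lands in, and that mapping is the authorization boundary of the whole cross-realm setup. The block below is an added example, not code from the thread or from MIT krb5: it re-implements the RULE:[n:string](regex)s/pattern/replacement/g and DEFAULT forms of auth_to_local in Python and runs both rules posted in the thread (the first one with the stray `.` before WINDOWS.COM, and the one from the later krb5.conf) over a constructed list of principals. It assumes, as this editor reads MIT's an_to_ln.c, that the regex has to match the whole selection string, that rules are tried in order with the first match winning, and that the local name is used as-is.

```python
"""Evaluate MIT krb5 auth_to_local rules for the UNIX.COM realm of the thread.

Added example, not code from the thread or from MIT krb5.  Assumptions
(labelled as such): the regex must match the entire selection string, rules
are tried in order and the first match wins, and the resulting local name is
used as-is.  Realm and principal names are taken from the thread; the list
of sample principals is constructed.
"""
import re

DEFAULT_REALM = "UNIX.COM"

# Exactly as first posted in the thread: the '.' before WINDOWS.COM has to
# match one character, so xyz@WINDOWS.COM never matches and falls through.
RULES_AS_FIRST_POSTED = ["RULE:[1:$1@$0](.*@.WINDOWS.COM$)s/@.*//", "DEFAULT"]
# The rule from the krb5.conf posted later in the thread.
RULES_FROM_KRB5_CONF = ["RULE:[1:$1@$0](.*@WINDOWS.COM$)s/@.*//", "DEFAULT"]

RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]"                            # [n:string]
    r"\((.*)\)"                                           # (regex); greedy, so a ')' in s/// is unsupported
    r"(?:s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?))?"    # optional s/pattern/replacement/g
)


def split_principal(principal):
    """'host/box.unix.com@UNIX.COM' -> (['host', 'box.unix.com'], 'UNIX.COM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm or not name:
        raise ValueError("malformed principal: %r" % principal)
    return name.split("/"), realm


def parse_rule(rule):
    """Split a RULE: line into (n, format, regex, pattern, replacement, global)."""
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError("unparseable auth_to_local rule: %r" % rule)
    ncomp, fmt, regex, pat, rep, flag = m.groups()
    return int(ncomp), fmt, regex, pat, rep, flag == "g"


def apply_rule(principal, rule):
    """Local name the rule yields for principal, or None if the rule does not match."""
    comps, realm = split_principal(principal)
    ncomp, fmt, regex, pat, rep, glob = parse_rule(rule)
    if len(comps) != ncomp:            # [1:...] only considers one-component principals
        return None
    parts = [realm] + comps            # $0 is the realm, $1.. are the components
    try:
        selection = re.sub(r"\$(\d+)", lambda m: parts[int(m.group(1))], fmt)
    except IndexError:
        return None
    if not re.fullmatch(regex, selection):   # assumption: whole-string match, as in MIT
        return None
    if pat is None:                    # no s/// part: the selection string is the answer
        return selection
    return re.sub(pat, rep, selection, count=0 if glob else 1)


def apply_default(principal):
    """DEFAULT: one-component principals in the default realm map to themselves."""
    comps, realm = split_principal(principal)
    return comps[0] if realm == DEFAULT_REALM and len(comps) == 1 else None


def auth_to_local(principal, rules):
    """First matching rule wins; None means the login is refused."""
    for rule in rules:
        local = apply_default(principal) if rule == "DEFAULT" else apply_rule(principal, rule)
        if local is not None:
            return local
    return None


SAMPLE_PRINCIPALS = [                  # constructed for this example
    "xyz@WINDOWS.COM",                 # the AD user from the thread
    "xyz@UNIX.COM",                    # the same name, but in the MIT realm
    "host/box.unix.com@UNIX.COM",      # two components: no rule here maps it
    "root@WINDOWS.COM",                # an AD account named like a local admin
    "xyz@WINDOWS.COM.EVIL",            # a realm that merely starts with WINDOWS.COM
]

if __name__ == "__main__":
    for label, rules in (("as first posted", RULES_AS_FIRST_POSTED),
                         ("from krb5.conf", RULES_FROM_KRB5_CONF)):
        print("--", label)
        for p in SAMPLE_PRINCIPALS:
            print("%-30s -> %s" % (p, auth_to_local(p, rules)))
```

Two things the table makes visible. With the rule as first posted, xyz@WINDOWS.COM matches nothing and falls through to DEFAULT, which only accepts UNIX.COM principals, so the login is refused exactly as Miguel reports. With the later rule, every one-component WINDOWS.COM principal maps to the same-named local account, root included, so the realm trust hands any AD account whose name collides with a local UNIX account that account; the regex cannot exclude names (POSIX ERE has no negative lookahead), so the restriction has to come from a .k5login file, as Markus suggests, or from sshd/PAM access lists.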
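The two krb5.conf files in this thread differ mainly in enctypes, and the advice to move from single DES to rc4-hmac was right for Windows 2003 but is itself dated: MIT krb5 removed single DES in 1.18 and deprecates RC4 and triple-DES, and Active Directory has spoken AES since Windows Server 2008. As an added example (not code from the thread or from MIT krb5), the linter below parses the subset of krb5.conf/kdc.conf syntax the thread's files use and flags weak enctypes, the default_domain = unix.com that the first krb5.conf carries in its WINDOWS.COM stanza, and realms with no [domain_realm] entry. The sample files are reconstructed from the thread and trimmed; the AES one is the editor's corrected version, not anything posted.

```python
"""Lint krb5.conf/kdc.conf text for the problems this thread runs into.

Added example, not code from the thread or from MIT krb5.  The parser covers
only the syntax the thread's files use (sections, key = value, one level of
{ } realm stanzas; a repeated key keeps its last value).  Sample files are
reconstructed from the thread and trimmed; the AES one is the editor's own.
Enctype classes follow MIT krb5, which removed single DES in 1.18 and
deprecates RC4 and triple-DES.
"""
import re

REMOVED = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
DEPRECATED = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des3-cbc-sha1"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes",
                "supported_enctypes", "kdc_supported_enctypes")


def parse_krb5_conf(text):
    """Return {section: {key: value | {subkey: value}}} for the subset above."""
    conf, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, stanza = conf.setdefault(header.group(1), {}), None
            continue
        if line == "}":
            stanza = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stanza = section.setdefault(key, {})
        else:
            (section if stanza is None else stanza)[key] = value
    return conf


def check(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    realms = {n: s for n, s in conf.get("realms", {}).items() if isinstance(s, dict)}
    places = [("libdefaults", conf.get("libdefaults", {}))]
    places += [("realms/" + n, s) for n, s in realms.items()]
    for where, stanza in places:
        for key in ENCTYPE_KEYS:
            for enc in stanza.get(key, "").split():
                enc = enc.split(":", 1)[0]      # kdc.conf writes 'des-cbc-crc:normal'
                if enc in REMOVED:
                    findings.append("%s: %s has %s (single DES, removed in MIT krb5 1.18)"
                                    % (where, key, enc))
                elif enc in DEPRECATED:
                    findings.append("%s: %s has %s (deprecated, prefer AES)" % (where, key, enc))
    mapped = set(conf.get("domain_realm", {}).values())
    for name, stanza in realms.items():
        domain = stanza.get("default_domain")
        if domain and domain.upper() != name:
            findings.append("realms/%s: default_domain = %s belongs to another realm" % (name, domain))
        if name not in mapped:
            findings.append("realms/%s: no [domain_realm] entry maps a DNS domain to it" % name)
    return findings


# Reconstructed from the first krb5.conf in the thread, trimmed.
FIRST_KRB5_CONF = """\
[libdefaults]
default_realm = UNIX.COM
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
UNIX.COM = {
default_domain = unix.com
}
WINDOWS.COM = {
default_domain = unix.com
}
[domain_realm]
.windows.com = WINDOWS.COM
.unix.com = UNIX.COM
"""

# Reconstructed from the krb5.conf posted later in the thread, trimmed.
LATER_KRB5_CONF = """\
[libdefaults]
default_realm = UNIX.COM
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
UNIX.COM = {
kdc = opensuse.unix.com
}
WINDOWS.COM = {
kdc = w2k3.windows.com
}
[domain_realm]
.unix.com = UNIX.COM
.windows.com = WINDOWS.COM
"""

# Editor's version for a current MIT KDC and AD: AES only, nothing else changed.
AES_KRB5_CONF = LATER_KRB5_CONF.replace(
    "default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5\n"
    "default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5",
    "permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96")

if __name__ == "__main__":
    for label, text in (("first", FIRST_KRB5_CONF), ("later", LATER_KRB5_CONF), ("aes", AES_KRB5_CONF)):
        print("--", label, check(parse_krb5_conf(text)) or "clean")
```

Run against the first file it reports the four single-DES entries and the copied default_domain; against the later file it reports DES and RC4/3DES entries but nothing structural, which matches the thread's outcome that the later file works and differs mainly in enctypes; the AES version is clean. The same check() runs over a kdc.conf, since its [realms] stanzas use supported_enctypes with the ':normal' salt suffix the code strips.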



