"Miguel Sanders" wrote in message
news:1162725045.392694.47100@i42g2000cwa.googlegro ups.com...
> Hi
> I have been through many documents for several times but I just can't
> seem to find the problem.
> Here is the idea.
> Users are defined in Active Directory (domain/realm WINDOWS.COM)
> Host and service principals are defined in MIT Kerberos (realm
> UNIX.COM).
> Now I want the Windows users to be able to login to the Unix machines(
> and thus the UNIX.COM realm).
> Since users and host/service principals are in separated realms, cross
> realm authentication should be set up, right?
> So the point is that users XYZ (Windows Domain User) should be able to
> logon to the Unix Machines.
> 1) Does the Windows user XYZ need to be defined in MIT Kerberos? I
> presume that this is the case (although set with a random password).

You don't need the user in the MIT kdc. You either need a mapping like
auth_to_local = RULE:[1:$1@$0](.*@.WINDOWS.COM$)s/@.*//
auth_to_local = DEFAULT
as part of the realms UNIX.COM section or use a .k5login file.

> 2) Is something wrong with the given krb5.conf ?
> [libdefaults]
> default_realm = UNIX.COM
> default_keytab_name = FILE:/etc/krb5/krb5.keytab
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>
> [realms]
> UNIX.COM= {
> kdc = server1.unix.com:88
> admin_server = server1.unix.com:749
> default_domain = unix.com
> }
>
> WINDOWS.COM= {
> kdc = server1.windows.com:88
> admin_server = server1.windows.com:749
> default_domain = unix.com
> }
>
> [domain_realm]
> .windows.com = WINDOWS.COM
> windows.com = WINDOWS.COM
> .unix.com = UNIX.COM
> unix.com = UNIX.COM
>
> [capaths]
> WINDOWS.COM = {
> UNIX.COM = .
> }
>
> UNIX.COM = {
> WINDOWS.COM = .
> }
>
> 3) In kdc.conf I edited the following
> master_key_type = des-cbc-md5
> supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal

You should use rc4-hmac. des is week and shouldn't be used.

>
> 4) In MIT Kerberos I defined krbtgt/WINDOWS.COM@UNIX.COM and
> krbtgt/UNIX.COM@WINDOWS.COM principals with password ABC
>
> 5) In Active Directory I defined the MIT realm and MIT kerberos master
> with ksetup
>>ksetup
> default realm = windows.com (NT Domain)
> UNIX.COM:
> kdc = server1.unix.com
> Realm Flags = 0x0 none
> Mapping XYZ@UNIX.COM to XYZ

The mapping is only needed when you login from Unix to Windows.

>
> 6) In Active Directory I defined the realm trust (one way, incoming)
> with the password ABC
> 7) In Active Directory Users and Computers I created the name mapping
> for user XYZ to XYZ@UNIX.COM (since the mapping set up by ksetup wasn't
> visible here, did this just to be sure)

I don't think you need this.

>
> Now why can't user XYZ@UNIX.COM login successfully with his Windows
> password?
> I am quite desperate on this one. What am I missing?
> Any help would be greatly appreciated.
>

You have to tell the Windows clients where to find the service principals
for the unix.com domain. This will be done with
trust WINDOWS.COM/ domain:UNIX.COM /addtln:unix.com
on Active Directory.

> Kind regards
>
> Miguel
>

Regards
Markus

1) You should use rc4-hmac. des is week and shouldn't be used.

Can that be used in combination with Active Directory? Which stanza's/
configuration items should be used in kdc.conf and krb5.conf?

2) Now why can't user XYZ@UNIX.COM login successfully with his Windows
password?

I meant on the Unix box, not on the Windows box, so sorry on that.


Markus Moeller wrote:
> "Miguel Sanders" wrote in message
> news:1162725045.392694.47100@i42g2000cwa.googlegro ups.com...
> > Hi
> > I have been through many documents for several times but I just can't
> > seem to find the problem.
> > Here is the idea.
> > Users are defined in Active Directory (domain/realm WINDOWS.COM)
> > Host and service principals are defined in MIT Kerberos (realm
> > UNIX.COM).
> > Now I want the Windows users to be able to login to the Unix machines(
> > and thus the UNIX.COM realm).
> > Since users and host/service principals are in separated realms, cross
> > realm authentication should be set up, right?
> > So the point is that users XYZ (Windows Domain User) should be able to
> > logon to the Unix Machines.
> > 1) Does the Windows user XYZ need to be defined in MIT Kerberos? I
> > presume that this is the case (although set with a random password).
>
> You don't need the user in the MIT kdc. You either need a mapping like
> auth_to_local = RULE:[1:$1@$0](.*@.WINDOWS.COM$)s/@.*//
> auth_to_local = DEFAULT
> as part of the realms UNIX.COM section or use a .k5login file.
>
> > 2) Is something wrong with the given krb5.conf ?
> > [libdefaults]
> > default_realm = UNIX.COM
> > default_keytab_name = FILE:/etc/krb5/krb5.keytab
> > default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> >
> > [realms]
> > UNIX.COM= {
> > kdc = server1.unix.com:88
> > admin_server = server1.unix.com:749
> > default_domain = unix.com
> > }
> >
> > WINDOWS.COM= {
> > kdc = server1.windows.com:88
> > admin_server = server1.windows.com:749
> > default_domain = unix.com
> > }
> >
> > [domain_realm]
> > .windows.com = WINDOWS.COM
> > windows.com = WINDOWS.COM
> > .unix.com = UNIX.COM
> > unix.com = UNIX.COM
> >
> > [capaths]
> > WINDOWS.COM = {
> > UNIX.COM = .
> > }
> >
> > UNIX.COM = {
> > WINDOWS.COM = .
> > }
> >
> > 3) In kdc.conf I edited the following
> > master_key_type = des-cbc-md5
> > supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal
>
>
>
> >
> > 4) In MIT Kerberos I defined krbtgt/WINDOWS.COM@UNIX.COM and
> > krbtgt/UNIX.COM@WINDOWS.COM principals with password ABC
> >
> > 5) In Active Directory I defined the MIT realm and MIT kerberos master
> > with ksetup
> >>ksetup
> > default realm = windows.com (NT Domain)
> > UNIX.COM:
> > kdc = server1.unix.com
> > Realm Flags = 0x0 none
> > Mapping XYZ@UNIX.COM to XYZ
>
> The mapping is only needed when you login from Unix to Windows.
>
> >
> > 6) In Active Directory I defined the realm trust (one way, incoming)
> > with the password ABC
> > 7) In Active Directory Users and Computers I created the name mapping
> > for user XYZ to XYZ@UNIX.COM (since the mapping set up by ksetup wasn't
> > visible here, did this just to be sure)
>
> I don't think you need this.
>
> >
> > Now why can't user XYZ@UNIX.COM login successfully with his Windows
> > password?
> > I am quite desperate on this one. What am I missing?
> > Any help would be greatly appreciated.
> >
>
> You have to tell the Windows clients where to find the service principals
> for the unix.com domain. This will be done with
> trust WINDOWS.COM/ domain:UNIX.COM /addtln:unix.com
> on Active Directory.
>
> > Kind regards
> >
> > Miguel
> >
>
> Regards
> Markus

"Miguel Sanders" wrote in message
news:1162737224.386797.216750@e3g2000cwe.googlegro ups.com...
> 1) You should use rc4-hmac. des is week and shouldn't be used.
>
> Can that be used in combination with Active Directory? Which stanza's/
> configuration items should be used in kdc.conf and krb5.conf?


My kdc.conf looks like:

[kdcdefaults]
kdc_ports = 750,88
[realms]
UNIX.COM = {
database_name = /var/lib/kerberos/krb5kdc/principal
admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
key_stash_file = /var/lib/kerberos/krb5kdc/.k5.UNIX.COM
kdc_ports = 750,88
supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal
des-cbc-crc:normal des-cbc-md5:normal
kdc_supported_enctypes = rc4-hmac:normal
des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log


>
> 2) Now why can't user XYZ@UNIX.COM login successfully with his Windows
> password?
>
> I meant on the Unix box, not on the Windows box, so sorry on that.
>

I think here is some misunderstanding. I think you want that your Windows
user xyz can login to your Unix machine. Now you have to differentiate two
cases.

1) Use Kerberos credentials to login
If you use your Windows credentials (XYZ@WINDOWS.COM) the Unix server
will try to match the credentials XYZ@WINDOWS.COM with a unix user xyz and
the default domain defined in krb5.conf (in your case UNIX.COM), which is
XYZ@UNIX.COM and fails. This can only be avoided by using a mapping either
in krb5.conf via auth_to_local or a .k5login file in the user xyz's home
directory.

2) Use a password.

This usually doesn't work. The reason is that most applications don't allow
to use XYZ@WINDOWS.COM as a username and if you use xyz the default domain
UNIX.COM will be used again.


>
> Markus Moeller wrote:
>> "Miguel Sanders" wrote in message
>> news:1162725045.392694.47100@i42g2000cwa.googlegro ups.com...
>> > Hi
>> > I have been through many documents for several times but I just can't
>> > seem to find the problem.
>> > Here is the idea.
>> > Users are defined in Active Directory (domain/realm WINDOWS.COM)
>> > Host and service principals are defined in MIT Kerberos (realm
>> > UNIX.COM).
>> > Now I want the Windows users to be able to login to the Unix machines(
>> > and thus the UNIX.COM realm).
>> > Since users and host/service principals are in separated realms, cross
>> > realm authentication should be set up, right?
>> > So the point is that users XYZ (Windows Domain User) should be able to
>> > logon to the Unix Machines.
>> > 1) Does the Windows user XYZ need to be defined in MIT Kerberos? I
>> > presume that this is the case (although set with a random password).
>>
>> You don't need the user in the MIT kdc. You either need a mapping like
>> auth_to_local = RULE:[1:$1@$0](.*@.WINDOWS.COM$)s/@.*//
>> auth_to_local = DEFAULT
>> as part of the realms UNIX.COM section or use a .k5login file.
>>
>> > 2) Is something wrong with the given krb5.conf ?
>> > [libdefaults]
>> > default_realm = UNIX.COM
>> > default_keytab_name = FILE:/etc/krb5/krb5.keytab
>> > default_tkt_enctypes = des-cbc-md5 des-cbc-crc
>> > default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>> >
>> > [realms]
>> > UNIX.COM= {
>> > kdc = server1.unix.com:88
>> > admin_server = server1.unix.com:749
>> > default_domain = unix.com
>> > }
>> >
>> > WINDOWS.COM= {
>> > kdc = server1.windows.com:88
>> > admin_server = server1.windows.com:749
>> > default_domain = unix.com
>> > }
>> >
>> > [domain_realm]
>> > .windows.com = WINDOWS.COM
>> > windows.com = WINDOWS.COM
>> > .unix.com = UNIX.COM
>> > unix.com = UNIX.COM
>> >
>> > [capaths]
>> > WINDOWS.COM = {
>> > UNIX.COM = .
>> > }
>> >
>> > UNIX.COM = {
>> > WINDOWS.COM = .
>> > }
>> >
>> > 3) In kdc.conf I edited the following
>> > master_key_type = des-cbc-md5
>> > supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal
>>
>>
>>
>> >
>> > 4) In MIT Kerberos I defined krbtgt/WINDOWS.COM@UNIX.COM and
>> > krbtgt/UNIX.COM@WINDOWS.COM principals with password ABC
>> >
>> > 5) In Active Directory I defined the MIT realm and MIT kerberos master
>> > with ksetup
>> >>ksetup
>> > default realm = windows.com (NT Domain)
>> > UNIX.COM:
>> > kdc = server1.unix.com
>> > Realm Flags = 0x0 none
>> > Mapping XYZ@UNIX.COM to XYZ
>>
>> The mapping is only needed when you login from Unix to Windows.
>>
>> >
>> > 6) In Active Directory I defined the realm trust (one way, incoming)
>> > with the password ABC
>> > 7) In Active Directory Users and Computers I created the name mapping
>> > for user XYZ to XYZ@UNIX.COM (since the mapping set up by ksetup wasn't
>> > visible here, did this just to be sure)
>>
>> I don't think you need this.
>>
>> >
>> > Now why can't user XYZ@UNIX.COM login successfully with his Windows
>> > password?
>> > I am quite desperate on this one. What am I missing?
>> > Any help would be greatly appreciated.
>> >
>>
>> You have to tell the Windows clients where to find the service principals
>> for the unix.com domain. This will be done with
>> trust WINDOWS.COM/ domain:UNIX.COM /addtln:unix.com
>> on Active Directory.
>>
>> > Kind regards
>> >
>> > Miguel
>> >
>>
>> Regards
>> Markus
>

Regards
Markus

Thanks a lot Markus

Could you paste your krb5.conf aswell?

Kind regards

Miguel
Markus Moeller wrote:
> "Miguel Sanders" wrote in message
> news:1162737224.386797.216750@e3g2000cwe.googlegro ups.com...
> > 1) You should use rc4-hmac. des is week and shouldn't be used.
> >
> > Can that be used in combination with Active Directory? Which stanza's/
> > configuration items should be used in kdc.conf and krb5.conf?
>
>
> My kdc.conf looks like:
>
> [kdcdefaults]
> kdc_ports = 750,88
> [realms]
> UNIX.COM = {
> database_name = /var/lib/kerberos/krb5kdc/principal
> admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
> acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
> key_stash_file = /var/lib/kerberos/krb5kdc/.k5.UNIX.COM
> kdc_ports = 750,88
> supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal
> des-cbc-crc:normal des-cbc-md5:normal
> kdc_supported_enctypes = rc4-hmac:normal
> des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> }
> [logging]
> kdc = FILE:/var/log/kdc.log
> admin_server = FILE:/var/log/kadmin.log
>
>
> >
> > 2) Now why can't user XYZ@UNIX.COM login successfully with his Windows
> > password?
> >
> > I meant on the Unix box, not on the Windows box, so sorry on that.
> >
>
> I think here is some misunderstanding. I think you want that your Windows
> user xyz can login to your Unix machine. Now you have to differentiate two
> cases.
>
> 1) Use Kerberos credentials to login
> If you use your Windows credentials (XYZ@WINDOWS.COM) the Unix server
> will try to match the credentials XYZ@WINDOWS.COM with a unix user xyz and
> the default domain defined in krb5.conf (in your case UNIX.COM), which is
> XYZ@UNIX.COM and fails. This can only be avoided by using a mapping either
> in krb5.conf via auth_to_local or a .k5login file in the user xyz's home
> directory.
>
> 2) Use a password.
>
> This usually doesn't work. The reason is that most applications don't allow
> to use XYZ@WINDOWS.COM as a username and if you use xyz the default domain
> UNIX.COM will be used again.
>
>
> >
> > Markus Moeller wrote:
> >> "Miguel Sanders" wrote in message
> >> news:1162725045.392694.47100@i42g2000cwa.googlegro ups.com...
> >> > Hi
> >> > I have been through many documents for several times but I just can't
> >> > seem to find the problem.
> >> > Here is the idea.
> >> > Users are defined in Active Directory (domain/realm WINDOWS.COM)
> >> > Host and service principals are defined in MIT Kerberos (realm
> >> > UNIX.COM).
> >> > Now I want the Windows users to be able to login to the Unix machines(
> >> > and thus the UNIX.COM realm).
> >> > Since users and host/service principals are in separated realms, cross
> >> > realm authentication should be set up, right?
> >> > So the point is that users XYZ (Windows Domain User) should be able to
> >> > logon to the Unix Machines.
> >> > 1) Does the Windows user XYZ need to be defined in MIT Kerberos? I
> >> > presume that this is the case (although set with a random password).
> >>
> >> You don't need the user in the MIT kdc. You either need a mapping like
> >> auth_to_local = RULE:[1:$1@$0](.*@.WINDOWS.COM$)s/@.*//
> >> auth_to_local = DEFAULT
> >> as part of the realms UNIX.COM section or use a .k5login file.
> >>
> >> > 2) Is something wrong with the given krb5.conf ?
> >> > [libdefaults]
> >> > default_realm = UNIX.COM
> >> > default_keytab_name = FILE:/etc/krb5/krb5.keytab
> >> > default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> >> > default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> >> >
> >> > [realms]
> >> > UNIX.COM= {
> >> > kdc = server1.unix.com:88
> >> > admin_server = server1.unix.com:749
> >> > default_domain = unix.com
> >> > }
> >> >
> >> > WINDOWS.COM= {
> >> > kdc = server1.windows.com:88
> >> > admin_server = server1.windows.com:749
> >> > default_domain = unix.com
> >> > }
> >> >
> >> > [domain_realm]
> >> > .windows.com = WINDOWS.COM
> >> > windows.com = WINDOWS.COM
> >> > .unix.com = UNIX.COM
> >> > unix.com = UNIX.COM
> >> >
> >> > [capaths]
> >> > WINDOWS.COM = {
> >> > UNIX.COM = .
> >> > }
> >> >
> >> > UNIX.COM = {
> >> > WINDOWS.COM = .
> >> > }
> >> >
> >> > 3) In kdc.conf I edited the following
> >> > master_key_type = des-cbc-md5
> >> > supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal
> >>
> >>
> >>
> >> >
> >> > 4) In MIT Kerberos I defined krbtgt/WINDOWS.COM@UNIX.COM and
> >> > krbtgt/UNIX.COM@WINDOWS.COM principals with password ABC
> >> >
> >> > 5) In Active Directory I defined the MIT realm and MIT kerberos master
> >> > with ksetup
> >> >>ksetup
> >> > default realm = windows.com (NT Domain)
> >> > UNIX.COM:
> >> > kdc = server1.unix.com
> >> > Realm Flags = 0x0 none
> >> > Mapping XYZ@UNIX.COM to XYZ
> >>
> >> The mapping is only needed when you login from Unix to Windows.
> >>
> >> >
> >> > 6) In Active Directory I defined the realm trust (one way, incoming)
> >> > with the password ABC
> >> > 7) In Active Directory Users and Computers I created the name mapping
> >> > for user XYZ to XYZ@UNIX.COM (since the mapping set up by ksetup wasn't
> >> > visible here, did this just to be sure)
> >>
> >> I don't think you need this.
> >>
> >> >
> >> > Now why can't user XYZ@UNIX.COM login successfully with his Windows
> >> > password?
> >> > I am quite desperate on this one. What am I missing?
> >> > Any help would be greatly appreciated.
> >> >
> >>
> >> You have to tell the Windows clients where to find the service principals
> >> for the unix.com domain. This will be done with
> >> trust WINDOWS.COM/ domain:UNIX.COM /addtln:unix.com
> >> on Active Directory.
> >>
> >> > Kind regards
> >> >
> >> > Miguel
> >> >
> >>
> >> Regards
> >> Markus
> >
>
> Regards
> Markus

My krb5.conf file

[libdefaults]
default_realm = UNIX.COM
dns_lookup_kdc = no
dns_lookup_realm = no
default_keytab_name = /etc/krb5.keytab
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc
des-cbc-md5
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc
des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
noaddresses = no
[realms]
UNIX.COM = {
kdc = opensuse.unix.com
admin_server = opensuse.unix.com
auth_to_local = RULE:[1:$1@$0](.*@WINDOWS.COM$)s/@.*//
auth_to_local = DEFAULT
}
WINDOWS.COM = {
kdc = w2k3.windows.com
admin_server = w2k3.windows.com
}
[domain_realm]
.unix.com = UNIX.COM
unix.com = UNIX.COM
.windows.com = WINDOWS.COM
windows.com = WINDOWS.COM

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

Regards
Markus


"Miguel Sanders" wrote in message
news:1162744296.180067.98070@m73g2000cwd.googlegro ups.com...
> Thanks a lot Markus
>
> Could you paste your krb5.conf aswell?
>
> Kind regards
>
> Miguel
> Markus Moeller wrote:
>> "Miguel Sanders" wrote in message
>> news:1162737224.386797.216750@e3g2000cwe.googlegro ups.com...
>> > 1) You should use rc4-hmac. des is week and shouldn't be used.
>> >
>> > Can that be used in combination with Active Directory? Which stanza's/
>> > configuration items should be used in kdc.conf and krb5.conf?
>>
>>
>> My kdc.conf looks like:
>>
>> [kdcdefaults]
>> kdc_ports = 750,88
>> [realms]
>> UNIX.COM = {
>> database_name = /var/lib/kerberos/krb5kdc/principal
>> admin_keytab =
>> FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
>> acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
>> key_stash_file = /var/lib/kerberos/krb5kdc/.k5.UNIX.COM
>> kdc_ports = 750,88
>> supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal
>> des-cbc-crc:normal des-cbc-md5:normal
>> kdc_supported_enctypes = rc4-hmac:normal
>> des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
>> max_life = 10h 0m 0s
>> max_renewable_life = 7d 0h 0m 0s
>> }
>> [logging]
>> kdc = FILE:/var/log/kdc.log
>> admin_server = FILE:/var/log/kadmin.log
>>
>>
>> >
>> > 2) Now why can't user XYZ@UNIX.COM login successfully with his Windows
>> > password?
>> >
>> > I meant on the Unix box, not on the Windows box, so sorry on that.
>> >
>>
>> I think here is some misunderstanding. I think you want that your Windows
>> user xyz can login to your Unix machine. Now you have to differentiate
>> two
>> cases.
>>
>> 1) Use Kerberos credentials to login
>> If you use your Windows credentials (XYZ@WINDOWS.COM) the Unix
>> server
>> will try to match the credentials XYZ@WINDOWS.COM with a unix user xyz
>> and
>> the default domain defined in krb5.conf (in your case UNIX.COM), which is
>> XYZ@UNIX.COM and fails. This can only be avoided by using a mapping
>> either
>> in krb5.conf via auth_to_local or a .k5login file in the user xyz's home
>> directory.
>>
>> 2) Use a password.
>>
>> This usually doesn't work. The reason is that most applications don't
>> allow
>> to use XYZ@WINDOWS.COM as a username and if you use xyz the default
>> domain
>> UNIX.COM will be used again.
>>
>>
>> >
>> > Markus Moeller wrote:
>> >> "Miguel Sanders" wrote in message
>> >> news:1162725045.392694.47100@i42g2000cwa.googlegro ups.com...
>> >> > Hi
>> >> > I have been through many documents for several times but I just
>> >> > can't
>> >> > seem to find the problem.
>> >> > Here is the idea.
>> >> > Users are defined in Active Directory (domain/realm WINDOWS.COM)
>> >> > Host and service principals are defined in MIT Kerberos (realm
>> >> > UNIX.COM).
>> >> > Now I want the Windows users to be able to login to the Unix
>> >> > machines(
>> >> > and thus the UNIX.COM realm).
>> >> > Since users and host/service principals are in separated realms,
>> >> > cross
>> >> > realm authentication should be set up, right?
>> >> > So the point is that users XYZ (Windows Domain User) should be able
>> >> > to
>> >> > logon to the Unix Machines.
>> >> > 1) Does the Windows user XYZ need to be defined in MIT Kerberos? I
>> >> > presume that this is the case (although set with a random password).
>> >>
>> >> You don't need the user in the MIT kdc. You either need a mapping like
>> >> auth_to_local =
>> >> RULE:[1:$1@$0](.*@.WINDOWS.COM$)s/@.*//
>> >> auth_to_local = DEFAULT
>> >> as part of the realms UNIX.COM section or use a .k5login file.
>> >>
>> >> > 2) Is something wrong with the given krb5.conf ?
>> >> > [libdefaults]
>> >> > default_realm = UNIX.COM
>> >> > default_keytab_name = FILE:/etc/krb5/krb5.keytab
>> >> > default_tkt_enctypes = des-cbc-md5 des-cbc-crc
>> >> > default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>> >> >
>> >> > [realms]
>> >> > UNIX.COM= {
>> >> > kdc = server1.unix.com:88
>> >> > admin_server = server1.unix.com:749
>> >> > default_domain = unix.com
>> >> > }
>> >> >
>> >> > WINDOWS.COM= {
>> >> > kdc = server1.windows.com:88
>> >> > admin_server = server1.windows.com:749
>> >> > default_domain = unix.com
>> >> > }
>> >> >
>> >> > [domain_realm]
>> >> > .windows.com = WINDOWS.COM
>> >> > windows.com = WINDOWS.COM
>> >> > .unix.com = UNIX.COM
>> >> > unix.com = UNIX.COM
>> >> >
>> >> > [capaths]
>> >> > WINDOWS.COM = {
>> >> > UNIX.COM = .
>> >> > }
>> >> >
>> >> > UNIX.COM = {
>> >> > WINDOWS.COM = .
>> >> > }
>> >> >
>> >> > 3) In kdc.conf I edited the following
>> >> > master_key_type = des-cbc-md5
>> >> > supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal
>> >>
>> >>
>> >>
>> >> >
>> >> > 4) In MIT Kerberos I defined krbtgt/WINDOWS.COM@UNIX.COM and
>> >> > krbtgt/UNIX.COM@WINDOWS.COM principals with password ABC
>> >> >
>> >> > 5) In Active Directory I defined the MIT realm and MIT kerberos
>> >> > master
>> >> > with ksetup
>> >> >>ksetup
>> >> > default realm = windows.com (NT Domain)
>> >> > UNIX.COM:
>> >> > kdc = server1.unix.com
>> >> > Realm Flags = 0x0 none
>> >> > Mapping XYZ@UNIX.COM to XYZ
>> >>
>> >> The mapping is only needed when you login from Unix to Windows.
>> >>
>> >> >
>> >> > 6) In Active Directory I defined the realm trust (one way, incoming)
>> >> > with the password ABC
>> >> > 7) In Active Directory Users and Computers I created the name
>> >> > mapping
>> >> > for user XYZ to XYZ@UNIX.COM (since the mapping set up by ksetup
>> >> > wasn't
>> >> > visible here, did this just to be sure)
>> >>
>> >> I don't think you need this.
>> >>
>> >> >
>> >> > Now why can't user XYZ@UNIX.COM login successfully with his Windows
>> >> > password?
>> >> > I am quite desperate on this one. What am I missing?
>> >> > Any help would be greatly appreciated.
>> >> >
>> >>
>> >> You have to tell the Windows clients where to find the service
>> >> principals
>> >> for the unix.com domain. This will be done with
>> >> trust WINDOWS.COM/ domain:UNIX.COM /addtln:unix.com
>> >> on Active Directory.
>> >>
>> >> > Kind regards
>> >> >
>> >> > Miguel
>> >> >
>> >>
>> >> Regards
>> >> Markus
>> >
>>
>> Regards
>> Markus
>

Thanks Markus

One final question: which version of Windows 2003 are you using and
which steps did you perform to set up the realm trust. Is it as I
described? Just asking to be sure
Markus Moeller wrote:
> My krb5.conf file
>
> [libdefaults]
> default_realm = UNIX.COM
> dns_lookup_kdc = no
> dns_lookup_realm = no
> default_keytab_name = /etc/krb5.keytab
> default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc
> des-cbc-md5
> default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc
> des-cbc-md5
> permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> noaddresses = no
> [realms]
> UNIX.COM = {
> kdc = opensuse.unix.com
> admin_server = opensuse.unix.com
> auth_to_local = RULE:[1:$1@$0](.*@WINDOWS.COM$)s/@.*//
> auth_to_local = DEFAULT
> }
> WINDOWS.COM = {
> kdc = w2k3.windows.com
> admin_server = w2k3.windows.com
> }
> [domain_realm]
> .unix.com = UNIX.COM
> unix.com = UNIX.COM
> .windows.com = WINDOWS.COM
> windows.com = WINDOWS.COM
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> Regards
> Markus
>
>
> "Miguel Sanders" wrote in message
> news:1162744296.180067.98070@m73g2000cwd.googlegro ups.com...
> > Thanks a lot Markus
> >
> > Could you paste your krb5.conf aswell?
> >
> > Kind regards
> >
> > Miguel
> > Markus Moeller wrote:
> >> "Miguel Sanders" wrote in message
> >> news:1162737224.386797.216750@e3g2000cwe.googlegro ups.com...
> >> > 1) You should use rc4-hmac. des is week and shouldn't be used.
> >> >
> >> > Can that be used in combination with Active Directory? Which stanza's/
> >> > configuration items should be used in kdc.conf and krb5.conf?
> >>
> >>
> >> My kdc.conf looks like:
> >>
> >> [kdcdefaults]
> >> kdc_ports = 750,88
> >> [realms]
> >> UNIX.COM = {
> >> database_name = /var/lib/kerberos/krb5kdc/principal
> >> admin_keytab =
> >> FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
> >> acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
> >> key_stash_file = /var/lib/kerberos/krb5kdc/.k5.UNIX.COM
> >> kdc_ports = 750,88
> >> supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal
> >> des-cbc-crc:normal des-cbc-md5:normal
> >> kdc_supported_enctypes = rc4-hmac:normal
> >> des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
> >> max_life = 10h 0m 0s
> >> max_renewable_life = 7d 0h 0m 0s
> >> }
> >> [logging]
> >> kdc = FILE:/var/log/kdc.log
> >> admin_server = FILE:/var/log/kadmin.log
> >>
> >>
> >> >
> >> > 2) Now why can't user XYZ@UNIX.COM login successfully with his Windows
> >> > password?
> >> >
> >> > I meant on the Unix box, not on the Windows box, so sorry on that.
> >> >
> >>
> >> I think here is some misunderstanding. I think you want that your Windows
> >> user xyz can login to your Unix machine. Now you have to differentiate
> >> two
> >> cases.
> >>
> >> 1) Use Kerberos credentials to login
> >> If you use your Windows credentials (XYZ@WINDOWS.COM) the Unix
> >> server
> >> will try to match the credentials XYZ@WINDOWS.COM with a unix user xyz
> >> and
> >> the default domain defined in krb5.conf (in your case UNIX.COM), which is
> >> XYZ@UNIX.COM and fails. This can only be avoided by using a mapping
> >> either
> >> in krb5.conf via auth_to_local or a .k5login file in the user xyz's home
> >> directory.
> >>
> >> 2) Use a password.
> >>
> >> This usually doesn't work. The reason is that most applications don't
> >> allow
> >> to use XYZ@WINDOWS.COM as a username and if you use xyz the default
> >> domain
> >> UNIX.COM will be used again.
> >>
> >>
> >> >
> >> > Markus Moeller wrote:
> >> >> "Miguel Sanders" wrote in message
> >> >> news:1162725045.392694.47100@i42g2000cwa.googlegro ups.com...
> >> >> > Hi
> >> >> > I have been through many documents for several times but I just
> >> >> > can't
> >> >> > seem to find the problem.
> >> >> > Here is the idea.
> >> >> > Users are defined in Active Directory (domain/realm WINDOWS.COM)
> >> >> > Host and service principals are defined in MIT Kerberos (realm
> >> >> > UNIX.COM).
> >> >> > Now I want the Windows users to be able to login to the Unix
> >> >> > machines(
> >> >> > and thus the UNIX.COM realm).
> >> >> > Since users and host/service principals are in separated realms,
> >> >> > cross
> >> >> > realm authentication should be set up, right?
> >> >> > So the point is that users XYZ (Windows Domain User) should be able
> >> >> > to
> >> >> > logon to the Unix Machines.
> >> >> > 1) Does the Windows user XYZ need to be defined in MIT Kerberos? I
> >> >> > presume that this is the case (although set with a random password).
> >> >>
> >> >> You don't need the user in the MIT kdc. You either need a mapping like
> >> >> auth_to_local =
> >> >> RULE:[1:$1@$0](.*@.WINDOWS.COM$)s/@.*//
> >> >> auth_to_local = DEFAULT
> >> >> as part of the realms UNIX.COM section or use a .k5login file.
> >> >>
> >> >> > 2) Is something wrong with the given krb5.conf ?
> >> >> > [libdefaults]
> >> >> > default_realm = UNIX.COM
> >> >> > default_keytab_name = FILE:/etc/krb5/krb5.keytab
> >> >> > default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> >> >> > default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> >> >> >
> >> >> > [realms]
> >> >> > UNIX.COM= {
> >> >> > kdc = server1.unix.com:88
> >> >> > admin_server = server1.unix.com:749
> >> >> > default_domain = unix.com
> >> >> > }
> >> >> >
> >> >> > WINDOWS.COM= {
> >> >> > kdc = server1.windows.com:88
> >> >> > admin_server = server1.windows.com:749
> >> >> > default_domain = unix.com
> >> >> > }
> >> >> >
> >> >> > [domain_realm]
> >> >> > .windows.com = WINDOWS.COM
> >> >> > windows.com = WINDOWS.COM
> >> >> > .unix.com = UNIX.COM
> >> >> > unix.com = UNIX.COM
> >> >> >
> >> >> > [capaths]
> >> >> > WINDOWS.COM = {
> >> >> > UNIX.COM = .
> >> >> > }
> >> >> >
> >> >> > UNIX.COM = {
> >> >> > WINDOWS.COM = .
> >> >> > }
> >> >> >
> >> >> > 3) In kdc.conf I edited the following
> >> >> > master_key_type = des-cbc-md5
> >> >> > supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal
> >> >>
> >> >>
> >> >>
> >> >> >
> >> >> > 4) In MIT Kerberos I defined krbtgt/WINDOWS.COM@UNIX.COM and
> >> >> > krbtgt/UNIX.COM@WINDOWS.COM principals with password ABC
> >> >> >
> >> >> > 5) In Active Directory I defined the MIT realm and MIT kerberos
> >> >> > master
> >> >> > with ksetup
> >> >> >>ksetup
> >> >> > default realm = windows.com (NT Domain)
> >> >> > UNIX.COM:
> >> >> > kdc = server1.unix.com
> >> >> > Realm Flags = 0x0 none
> >> >> > Mapping XYZ@UNIX.COM to XYZ
> >> >>
> >> >> The mapping is only needed when you login from Unix to Windows.
> >> >>
> >> >> >
> >> >> > 6) In Active Directory I defined the realm trust (one way, incoming)
> >> >> > with the password ABC
> >> >> > 7) In Active Directory Users and Computers I created the name
> >> >> > mapping
> >> >> > for user XYZ to XYZ@UNIX.COM (since the mapping set up by ksetup
> >> >> > wasn't
> >> >> > visible here, did this just to be sure)
> >> >>
> >> >> I don't think you need this.
> >> >>
> >> >> >
> >> >> > Now why can't user XYZ@UNIX.COM login successfully with his Windows
> >> >> > password?
> >> >> > I am quite desperate on this one. What am I missing?
> >> >> > Any help would be greatly appreciated.
> >> >> >
> >> >>
> >> >> You have to tell the Windows clients where to find the service
> >> >> principals
> >> >> for the unix.com domain. This will be done with
> >> >> trust WINDOWS.COM/ domain:UNIX.COM /addtln:unix.com
> >> >> on Active Directory.
> >> >>
> >> >> > Kind regards
> >> >> >
> >> >> > Miguel
> >> >> >
> >> >>
> >> >> Regards
> >> >> Markus
> >> >
> >>
> >> Regards
> >> Markus
> >