Thanks to Brent and Arden, who have given me some insights. I'm not fully successful yet, but I can see progress...

Apparently, my biggest problem was the DNS server setup. I managed to overcome that problem (phiughh).

Now, the problem is when a client wants to log in with the domain set to the Kerberos realm (I use Heimdal):

    username: lara
    password: password
    domain:   MY_KERBEROS_REALM.COM (Kerberos Realm)

the following Windows login message pops up:

    The system can not log you on due to the following error:
    No mapping between account names and security IDs was done.
    Please try again or consult your system administrator.

With reference to the following resources:

- http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
- http://www.pdc.kth.se/heimdal/heimdal.html (there's one section about how to configure Windows 2000 to use a Heimdal KDC)

I have done the following steps:

On W2K Server:

1. Create a domain W2K_DOMAIN_REALM on my W2K server.
2. Add inter-realm keys for W2K_DOMAIN_REALM (Domain Tree Management Tool --> W2K_DOMAIN_REALM --> Trusts tab --> add MY_KERBEROS_REALM.COM in both directions).
3. Create a user lara, and create an account mapping to [EMAIL PROTECTED].
4. Use ksetup to add the KDC:
       C:> ksetup /addkdc MY_KERBEROS_REALM.COM kerberos.my_kerberos_realm.com
5. Use Netdom.exe to make it transitive (I'm not sure whether this is actually needed).

On KDC (Linux machine):

1. Create a host principal in the Kerberos realm:
       shell% kadmin -l -r MY_KERBEROS_REALM.COM
       kadmin> ank -p password host/myhost.my_kerberos_realm.com
   (I'm not sure what the purpose of creating this host principal is, because the client seems to search for server host/[EMAIL PROTECTED] for the authentication.)
2. Add inter-realm keys:
       kadmin> add krbtgt/[EMAIL PROTECTED]
       kadmin> add krbtgt/[EMAIL PROTECTED]
3. Add [EMAIL PROTECTED]
4. kinit [EMAIL PROTECTED]
5. Add host/CLIENT_MACHINE_NAME (If not, the client authentication fails, with the following error being logged: KDC_ERR_S_PRINCIPAL_UNKNOWN, for server: host/CLIENT_MACHINE_NAME)

On W2K Client machine:

1. Use ksetup:
       C:> ksetup /setdomain MY_KERBEROS_REALM.COM
       C:> ksetup /addkdc MY_KERBEROS_REALM.COM kerberos.my_kerberos_realm.com
       C:> ksetup /setmachpassword password
       C:> ksetup /mapuser [EMAIL PROTECTED] lara

And I have rebooted the client machine every time I make changes.... What else can I be missing? Did I do the right things?

I would really appreciate it if someone could give a brief explanation of how the authentication of a W2K client using an MIT/Heimdal Kerberos KDC works. It seems to me that it's the client who contacts the Kerberos realm for authentication and not the W2K server... Is this the right way to go? But if that's the way, then when will the account mapping for the Kerberos realm created in AD be used in this authentication process? What's the purpose of having the trust relationship between W2K and the Kerberos realm? Why does my client contact host/[EMAIL PROTECTED] for authentication?

Hope somebody can help me,
Lara

--- Arden Pineda <[EMAIL PROTECTED]> wrote:

> Do you have the RealmFlags value set for the Kerberos domain on Windows
> machines (DCs & member machines)? I believe the ksetup utility does not
> have the option to set the realmflags setting, but I could be wrong. You
> need this setting, aside from the KpasswdNames and KdcNames, especially for
> non-MIT Kerberos. In our environment, we have it set to 8. For more
> details, consult the regentry.chm file included in the Windows 2000 Resource
> Kit.
>
> I have included the list of Kerberos registry entries that you need below.
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\EXAMPLE.COM]
>
> Key: RealmFlags
> Type: DWORD
> Value: 8
>
> Key: KPasswdNames
> Type: MULTI_SZ
> Value: yourkpasswdserver.example.com
>
> Key: KdcNames
> Type: MULTI_SZ
> Value: yourkdc.example.com
>        yourkdc2.example.com
>
> We used a custom adm to deploy these settings to all our machines. I hope
> this helps.
>
> Regards,
> Arden
>
> _____
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
> Sent: Tuesday, March 23, 2004 8:42 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??
>
> http://www.vintela.com/products/vas/
>
> does the job for you.
>
> _____
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
> Sent: Tuesday, March 23, 2004 9:01 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??
>
> Hmmm,
>
> sorry no experience with heimdal...
>
> did you follow the steps in the following article? They are designed for an
> MIT realm, but if you consult your Heimdal documentation you should be able
> to find equivalent commands.
>
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
>
> looks like you configured AD to trust the Kerberos realm, but not the
> Kerberos realm to trust AD. You will need to configure what are called
> cross-realm principals for this.
>
> example command for an MIT realm.
>
> % kadmin -q "ank -pw password krbtgt/[EMAIL PROTECTED]"
> % kadmin -q "ank -pw password krbtgt/[EMAIL PROTECTED]"
>
> Also if your clients are going to authenticate directly to your Kerberos
> realm then you may have to create a host principal (Kerberos equivalent to a
> computer account) in your Kerberos realm for each client that you are
> directly authenticating.
>
> Brent Westmoreland
>
> On Mar 23, 2004, at 5:11 AM, Lara Adianto wrote:
>
> > Thank you Robbie, but I still can't get it to work :-(
> > When a win2k client tries to log in using my linux
> > kerberos realm, it fails with error message:
> > The system could not log you on. Make sure that the
> > username and password are correct. Letters in the
> > password must be typed in the correct case...bla bla bla
> >
> > So...I'm wondering if I have missed some steps.
> > Let's say that I use the following values:
> > Windows realm: EXAMPLE.COM
> > Linux realm: EXAMPLE1.COM
> > username: lara
> >
> > These are the steps that I followed:
> > 1. Create an External trust for EXAMPLE.COM
> >    - On Active Directory Domains and Trusts, for domain EXAMPLE.COM, I added EXAMPLE1.COM to 'Domains trusted by this domain'
> > 2. Create Account Mapping
> >    - On Active Directory Users and Computers, for user lara, I created the name mapping to kerberos realm: [EMAIL PROTECTED]
> > 3. Configure client to log in using linux kerberos realm
> >    - On client machine: ksetup /addkdc EXAMPLE1.COM kerberos.example1.com
> >
> > That's it..
> >
> > Do I miss something here ? like resolving DNS ? any

=== message truncated ===
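The checklist the thread converges on (cross-realm krbtgt keys in both directions, a host principal for every client that authenticates directly to the Heimdal realm, the AD name mapping, the ksetup commands on each client, and the Kerberos\Domains registry values Arden lists) is easy to get inconsistent across three machines. The planner below derives all of it from one description of the deployment and checks the pieces against each other. It is an added example, not code from any message in this thread; the realm, host and account names are constructed placeholders, the `<...-PASSWORD>` tokens are to be filled in by hand, and the `Kerberos:user@REALM` form is the altSecurityIdentities value that the AD Name Mappings dialog (and ksetup /mapuser) produces.

```python
"""Planner for Windows 2000 clients logging on against a Heimdal KDC.

Added example following the thread's checklist; all names are constructed
placeholders, not a real deployment.
"""
from dataclasses import dataclass

REALM_FLAGS = 8  # value Arden reports using for a non-MIT (Heimdal) realm


@dataclass
class InteropPlan:
    kerberos_realm: str   # Heimdal realm, e.g. MY_KERBEROS_REALM.COM
    windows_realm: str    # AD domain acting as the Windows Kerberos realm
    kdc_hosts: list       # KDC DNS names -> KdcNames / ksetup /addkdc
    kpasswd_hosts: list   # password-change servers -> KPasswdNames
    clients: list         # DNS names of W2K member machines
    users: dict           # AD account name -> Kerberos principal (user@REALM)


def validate(plan):
    """Return a list of problems; an empty list means the plan is self-consistent."""
    problems = []
    for realm in (plan.kerberos_realm, plan.windows_realm):
        # Realm names are case-sensitive; both sides expect upper case.
        if realm != realm.upper():
            problems.append("realm %r is not upper case" % realm)
    for host in plan.kdc_hosts + plan.kpasswd_hosts + plan.clients:
        if host != host.lower() or "." not in host:
            problems.append("host %r is not a lower-case fully qualified DNS name" % host)
    for account, principal in plan.users.items():
        # The mapping must name the realm the clients are pointed at, or the
        # TGT the client obtains cannot be matched to the AD account.
        if "@" not in principal or principal.split("@", 1)[1] != plan.kerberos_realm:
            problems.append("mapping for %r does not name realm %s" % (account, plan.kerberos_realm))
    return problems


def cross_realm_principals(plan):
    """Both directions of the trust, as Brent's reply requires."""
    return ["krbtgt/%s@%s" % (plan.windows_realm, plan.kerberos_realm),
            "krbtgt/%s@%s" % (plan.kerberos_realm, plan.windows_realm)]


def host_principals(plan):
    """One host principal per client machine authenticating to the Heimdal realm."""
    return ["host/%s@%s" % (c, plan.kerberos_realm) for c in plan.clients]


def kadmin_commands(plan):
    """Heimdal `kadmin -l` lines for every principal the KDC side needs.
    The cross-realm keys must use the same password entered in the AD trust dialog."""
    lines = ["add -p <TRUST-PASSWORD> %s" % p for p in cross_realm_principals(plan)]
    lines += ["add -p <HOST-PASSWORD> %s" % p for p in host_principals(plan)]
    lines += ["add -p <USER-PASSWORD> %s" % p for p in plan.users.values()]
    return lines


def account_mappings(plan):
    """altSecurityIdentities values written by the AD Name Mappings dialog."""
    return {a: "Kerberos:%s" % p for a, p in plan.users.items()}


def ksetup_commands(plan, account):
    """Commands for one W2K client, matching the thread's client-side steps."""
    lines = ["ksetup /setdomain %s" % plan.kerberos_realm]
    lines += ["ksetup /addkdc %s %s" % (plan.kerberos_realm, k) for k in plan.kdc_hosts]
    lines.append("ksetup /setmachpassword <MACHINE-PASSWORD>")
    lines.append("ksetup /mapuser %s %s" % (plan.users[account], account))
    return lines


def registry_values(plan):
    """The Kerberos\\Domains\\<REALM> values from Arden's list, keyed by registry path."""
    key = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\%s" % plan.kerberos_realm
    return {key: {"RealmFlags": ("DWORD", REALM_FLAGS),
                  "KPasswdNames": ("MULTI_SZ", list(plan.kpasswd_hosts)),
                  "KdcNames": ("MULTI_SZ", list(plan.kdc_hosts))}}


# Constructed sample deployment mirroring the placeholder names in the thread.
EXAMPLE_PLAN = InteropPlan(
    kerberos_realm="MY_KERBEROS_REALM.COM",
    windows_realm="W2K_DOMAIN_REALM",
    kdc_hosts=["kerberos.my_kerberos_realm.com"],
    kpasswd_hosts=["kerberos.my_kerberos_realm.com"],
    clients=["w2kclient.my_kerberos_realm.com"],
    users={"lara": "lara@MY_KERBEROS_REALM.COM"},
)

if __name__ == "__main__":
    for problem in validate(EXAMPLE_PLAN):
        print("PROBLEM:", problem)
    print("\n".join(kadmin_commands(EXAMPLE_PLAN)))
    print(account_mappings(EXAMPLE_PLAN))
    print("\n".join(ksetup_commands(EXAMPLE_PLAN, "lara")))
    print(registry_values(EXAMPLE_PLAN))
```

Running it prints the kadmin lines for the KDC, the mapping strings to look for on the AD user objects, the ksetup lines for each client and the registry values to push with a custom adm, so the same names appear on all three machines; a mapping that names a different realm, a lower-case realm or a bare (non-FQDN) host name is reported before anything is typed in.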
