Hi. We have successfully set up cross realm login to our Windows active domain where a user logs in as [EMAIL PROTECTED] ... this works fine if the user is logging onto the console of a Windows machine in the domain.

However, if a user has his own machine, not in the Windows active directory domain, things do not work.

So, the scenario is this: a user needs to map a Windows printer share or a drive share, authenticating as [EMAIL PROTECTED] -- any thoughts on how to make this work?

From what we can tell, the Windows client (we have been testing with XP SP2) requests the [EMAIL PROTECTED]@MIT.KERB.REALM, and then either:

1. does a second AS request for this same tgt

or

2. does a TGS request for cifs/[EMAIL PROTECTED]

In the case of 1, after the two successful AS requests, nothing else happens.

In the case of 2, this fails, of course, because the principal does not exist in the MIT kerberos db.

Ok, so adding this principal to the MIT kerberos db is easy enough. But, there seems to be no documentation on how to then add this same principal to Windows with the same kvno/password.

But, as I said, sometimes 1 happens, and sometimes 2 happens.

I was expecting this to work the same, of course, as machines in the domain. That is, obtain krbtgt/[EMAIL PROTECTED], use this to do a TGS req for krbtgt/[EMAIL PROTECTED], and then present this.

Any thoughts here?

Thanks!

--
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
[EMAIL PROTECTED]
********************************
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
