Unfortunately, there are a lot of reasons that this could fail.
1) Incorrect passphrase for one of the three trust accounts
2) Enctype mismatch (by default, a new trust will only support RC4-HMAC)
3) Client machine cannot resolve the MIT KDCs
4) Duplicate mappings on user accounts in the same AD domain
(do an ldap search on altSecurityIdentities)
5) You may need to set TLN mappings (referrals) on one side or the other
6) If you have multiple domains, is the realm trust set transitive?
Probably more. The only times I've had failures were cases #1 and #3.
Also note that MIT credentials will always fail to log on to RDP when NLA is in
use.
-Ross
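As an added example (not code from this thread, nor from MIT Kerberos or Windows), here is the check behind cause #4: parse the altSecurityIdentities values returned by an LDAP search of the AD domain and report any Kerberos principal that is mapped onto more than one account. The LDIF sample, DNs and realm name are constructed, and the case-insensitive comparison of mapping values is an assumption about how AD matches them.

```python
from collections import defaultdict

# Constructed sample in `ldapsearch -LLL` style (not from the thread).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
altSecurityIdentities: Kerberos:alice@MIT.REALM.EXAMPLE

dn: CN=bob,CN=Users,DC=example,DC=com
altSecurityIdentities: Kerberos:bob@MIT.REALM.EXAMPLE
altSecurityIdentities: Kerberos:alice@MIT.REALM.EXAMPLE

dn: CN=svc-backup,CN=Users,DC=example,DC=com
altSecurityIdentities: X509:<I>CN=Corp CA<S>CN=svc-backup
"""

def parse_ldif(text):
    """Return [(dn, [altSecurityIdentities values])] per LDIF entry.
    Folded lines (leading space) are joined; base64 ('::') values are skipped."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, dn, values = [], None, []
    for line in unfolded + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, values))
            dn, values = None, []
        elif line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.lower().startswith("altsecurityidentities: "):
            values.append(line.split(":", 1)[1].strip())
    return entries

def kerberos_mappings(entries):
    """Map each 'Kerberos:principal' value to the DNs carrying it. Compared
    case-insensitively (assumption: AD matches these names that way)."""
    by_principal = defaultdict(list)
    for dn, values in entries:
        for v in values:
            if v.lower().startswith("kerberos:"):
                by_principal[v.split(":", 1)[1].strip().lower()].append(dn)
    return by_principal

def duplicate_mappings(text):
    """Principals mapped onto more than one AD account (failure cause #4)."""
    mapped = kerberos_mappings(parse_ldif(text))
    return {p: dns for p, dns in mapped.items() if len(dns) > 1}
```

Feed it the output of a search such as `ldapsearch -LLL -b <domain base DN> '(altSecurityIdentities=*)' altSecurityIdentities`; any principal it returns should be mapped on exactly one account before testing the logon again.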
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of N K
Sent: Tuesday, August 03, 2010 3:19 PM
To: [email protected]
Subject: Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD
Hi all,
I followed the steps for a cross-realm setup between the MIT KDC and AD
according to O'Reilly's Definitive Guide book:
- specifying KDCs using ksetup on the participating Windows machines
- creating principals krbtgt/dom...@realm and krbtgt/re...@domain in the MIT KDC
- creating a two-way trust in the AD
- mapping an AD user to a user in the MIT KDC
However, when I try to log on to the Kerberos realm from a Windows machine
using the credentials of the MIT KDC user, I get an error that the system
could not log me on because the username or domain is incorrect.
Has anyone come across a similar problem before?
Thanks much in advance,
Nivedita.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos