Hi all, yesterday I forgot to Reply All :(
As I said to Simo : I realized my mistake. I tried to login as a normal user. It is prohibited by default on Windows Server 2008. For testing, I mapped on [email protected] [email protected]. It works. Now, I'll try to add a workstation Windows Seven to my domain...

Thanks

2011/6/15 Douglas E. Engert <[email protected]>

> On 6/14/2011 4:11 AM, jm130794 wrote:
> > Hello,
> >
> > I have a little question : is it possible create a cross-realm between AD
> > (Windows Server 2008 R2) and MIT Kerberos ?
> >
> > I tried but...
>
> Are you able to go the other way, with a Windows user accessing a server
> in the Kerberos realm?
>
> You did not say how you set up cross realm.
>
> > When I try to connect on Windows Server with my Kerberos MIT user, I get
> > these errors in krb5kdc.log :
> >
> > Jun 14 09:22:29 srv1 krb5kdc[979](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.2.2: NEEDED_PREAUTH: [email protected] for krbtgt/TEST.FR@TEST.FR, Additional pre-authentication required
> > Jun 14 09:22:29 srv1 krb5kdc[979](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.2.2: ISSUE: authtime 1308036149, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
> > Jun 14 09:22:29 srv1 krb5kdc[979](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.2.2: ISSUE: authtime 1308036149, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
>
> This last one looks correct, but it is using an AES-256 key. If your W2008 r2
> is still running at 2003 level, the AD may be expecting arcfour keys.
>
> A Wireshark trace of the KRB5 packets would show a lot more info,
> such as what did the client do with this cross realm TGT?
> Did it try and use it to get a service ticket from AD?
> And what did AD do with it?
>
> For windows services, AD will want to add a PAC to the ticket,
> with UUID and GUID info for the user. So the KRB5 users will need
> accounts in AD to use AD services.
>
> > Any ideas ?
> > ________________________________________________
> > Kerberos mailing list [email protected]
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
> Douglas E. Engert <[email protected]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

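An added example, not part of the original thread and not written by any of its participants: a Python audit of krb5kdc.log lines in the format quoted above, flagging cross-realm TGTs issued with an encryption type the peer realm is not configured to accept (the AES-256 versus arcfour point raised in the reply). The realm AD.EXAMPLE, the principal user@TEST.FR, the sample lines and the PEER_ETYPES table are constructed assumptions.

```python
import re

# Kerberos encryption type numbers that appear in the quoted KDC log lines.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
# MIT krb5kdc request line: offered etypes, status and (on ISSUE) the ticket etype.
LINE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) \S+: "
    r"(?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=-?\d+ tkt=(?P<tkt>-?\d+) ses=-?\d+\}, )?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)")

def parse(line):
    """Return a dict of fields for a KDC request line, or None if it does not match."""
    m = LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(e) for e in rec["offered"].split()]
    rec["tkt"] = int(rec["tkt"]) if rec["tkt"] else None
    return rec

def remote_realm(service):
    """For krbtgt/REMOTE@LOCAL with REMOTE != LOCAL return REMOTE, else None."""
    m = re.fullmatch(r"krbtgt/([^@]+)@(.+)", service)
    return m.group(1) if m and m.group(1) != m.group(2) else None

def audit(lines, peer_etypes):
    """List (client, remote realm, ticket etype) for issued cross-realm TGTs
    whose etype the peer realm is not configured to accept."""
    findings = []
    for rec in filter(None, map(parse, lines)):
        remote = remote_realm(rec["service"])
        if rec["status"] == "ISSUE" and remote in peer_etypes \
                and rec["tkt"] not in peer_etypes[remote]:
            findings.append((rec["client"], remote, ETYPES.get(rec["tkt"], str(rec["tkt"]))))
    return findings

# Constructed sample input: realm AD.EXAMPLE and principal user@TEST.FR are placeholders.
PREFIX = "Jun 14 09:22:29 srv1 krb5kdc[979](info): "
OFFER = "(7 etypes {18 17 23 3 1 24 -135}) 192.168.2.2: "
ISSUED = "ISSUE: authtime 1308036149, etypes {rep=18 tkt=18 ses=18}, user@TEST.FR for "
SAMPLE_LOG = [
    PREFIX + "AS_REQ " + OFFER + "NEEDED_PREAUTH: user@TEST.FR for krbtgt/TEST.FR@TEST.FR, "
    "Additional pre-authentication required",
    PREFIX + "AS_REQ " + OFFER + ISSUED + "krbtgt/TEST.FR@TEST.FR",
    PREFIX + "TGS_REQ " + OFFER + ISSUED + "krbtgt/AD.EXAMPLE@TEST.FR",
]
PEER_ETYPES = {"AD.EXAMPLE": {23}}  # assumption: the AD side only holds an arcfour key
```

Calling `audit(SAMPLE_LOG, PEER_ETYPES)` reports the single cross-realm TGS_REQ, since its ticket etype 18 is not in the set assumed for the peer.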