On 8/2/2012 12:08 PM, [email protected] wrote:
> Greetings,
>
> I have the following setup:
>
> - A MIT-Kerberos Realm MITREALM containing user principals (user@MITREALM)
> - A Windows 2008 Active Directory ADS.NET which is configured on DC adsdc01.
> - A Windows 2008 Domain member admember within ADS.NET domain.
> - There is a crossrealm trust between ADS.NET and MIT Realm MITREALM
> - Local Windows Account has got Kerberos mapping
>
> Login using principal user@MITREALM works on all systems of ADS.NET Domain successfully.
> But access from adsdc01 to admember or from admember to network drive of adsdc01 (below) does not work.
>
> Unexpectedly I see the following log entries on MIT Kerberos Server:
> Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
> Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
> Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
> Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
> Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for cifs/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
> Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (1 etypes {18}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
> Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
> Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
> Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (1 etypes {18}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
> Jul 23 17:39:29 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for ldap/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
>
> ==> It seems as if the Windows system looks for the service-principal on MIT system instead of Windows DC.

Sounds like referrals, this might work:
http://web.mit.edu/kerberos/krb5-current/doc/krb_admins/realm_config.html
"Mapping hostnames onto Kerberos realms" second method.

> Do you understand this?
> Is there any general limitation of Windows related to cross-realm trusts and services like cifs, ldap?
> Can you please help me? Maybe it is just a misconfiguration, but I spent now several days with this issue without any progress.
>
> Best regards
> Chris
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
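As an added example (not code from this thread or from MIT krb5), the Python below models the krb5.conf [domain_realm] hostname-to-realm lookup described on the linked page and runs it over KDC log lines shaped like Chris's, flagging service-ticket requests whose target host belongs to a different realm than the one the client asked. The [domain_realm] table and the default realm are hypothetical values for this setup, and the lookup is a simplified model of the real one.

```python
import re

# Constructed sample: three krb5kdc lines shaped like the ones quoted in the thread.
KDC_LOG = """\
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for cifs/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
Jul 23 17:39:29 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for ldap/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
"""

# Hypothetical krb5.conf [domain_realm] section: a leading dot covers the domain and everything below it.
DOMAIN_REALM = {
    "adsdc01.ads.net": "ADS.NET",
    ".ads.net": "ADS.NET",
}
DEFAULT_REALM = "MITREALM"  # hypothetical default_realm of the client's krb5.conf

def realm_for_host(host, mapping=DOMAIN_REALM, default_realm=DEFAULT_REALM):
    """Simplified [domain_realm] lookup: exact host, then each parent domain with a leading dot, else the default realm."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return default_realm

# Pulls request type, outcome, client principal and requested service principal out of a krb5kdc line.
LOG_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) .*?(?P<status>ISSUE|UNKNOWN_SERVER): .*?"
    r"(?P<client>\S+) for (?P<service>[^@,\s]+)@(?P<realm>[^,\s]+)")

def misdirected_requests(log_text):
    """Return (service, requested_realm, expected_realm) for TGS requests aimed at the wrong realm."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("kind") != "TGS_REQ":
            continue
        service = m.group("service")
        if "/" not in service or service.startswith("krbtgt/"):
            continue  # cross-realm TGT requests are expected to reach this KDC
        host = service.split("/", 1)[1]
        expected = realm_for_host(host)
        if expected != m.group("realm"):
            found.append((service, m.group("realm"), expected))
    return found
```

Calling misdirected_requests(KDC_LOG) returns the two cifs/ and ldap/ entries for adsdc01.ads.net requested in MITREALM although the host maps to ADS.NET, which is exactly the mismatch behind the UNKNOWN_SERVER entries above.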
