I installed a cross realm between my MIT and an AD. I can open a session on
my AD server with a principal defined in my MIT Kerberos (eg user1).
I added a Windows Seven to my Microsoft Domain. I can open a session on this
station with the Domain Administrator Domain without problem.
When I try to open a session with user1 (MIT principal), that doesn't
work...
Any idea ?
Thanks,
JM
Regards,
JM
2011/8/24 Ranjith Murugan <muru...@vmware.com>
> Me having the same issue. Still trying to find a way out of it. Let me
> know if you find the solution.
>
> Regards,
> Ranjith.
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
Regards,
JM
2011/8/24 jm130794 <jm13...@gmail.com>
might be a dns error.
The Client (user) has to guess the realm to the service and often uses
dns (for example TXT records) or some registry entry (HostTorealm) to
determine the KRB REALM for the service (in this case the local login).
Try to wireshark what DNS request a win XP Machine does, when you try to
login using Cross Realm Trust
Do the same on the Windows 7 Machine.
When testing Cross-Realm trust several months ago I had the impression
MS changed something there, but i didn't really finish this.
Actually it doesn't read out TXT Records which worked fine for WinXP.
If you find out something, pleas tell me.
Robert.
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
That's works :)
I just removed the client from AD and add it again. I can now open a session
on my client with user1 (MIT Kerberos principal).
JM
2011/8/24 jm130794 <jm13...@gmail.com>
I tried with another client and I have the same problem !
I can't open a session with user1 (MIT principal).
JM
2011/8/24 Robert Wehn <rober...@rz.uni-augsburg.de>
> Hi JM
>
> might be a dns error.
> The Client (user) has to guess the realm to the service and often uses
> dns (for example TXT records) or some registry entry (HostTorealm) to
> determine the KRB REALM for the service (in this case the local login).
>
> Try to wireshark what DNS request a win XP Machine does, when you try to
> login using Cross Realm Trust
> Do the same on the Windows 7 Machine.
>
> When testing Cross-Realm trust several months ago I had the impression
> MS changed something there, but i didn't really finish this.
> Actually it doesn't read out TXT Records which worked fine for WinXP.
>
> If you find out something, pleas tell me.
>
> Robert.
>
> Am 24.08.2011 14:06, schrieb jm130794:
> > I used wireshark to find why my connection fails. It seems that AD
> returns
> > the error KDC_ERR_WRONG_REALM. It's weird that I can connect to the
> server and
> > not on the client!
> >
> > Regards,
> >
> >
> > JM
> >
> > 2011/8/24 jm130794 <jm13...@gmail.com>
> >
> >> Hello
> >>
> >> I installed a cross realm between my MIT and an AD. I can open a session
> on
> >> my AD server with a principal defined in my MIT Kerberos (eg user1).
> >>
> >> I added a Windows Seven to my Microsoft Domain. I can open a session on
> >> this station with the Domain Administrator Domain without problem.
> >>
> >> When I try to open a session with user1 (MIT principal), that doesn't
> >> work...
> >>
> >> Any idea ?
> >>
> >> Thanks,
> >>
> >> JM
> >>
> >>
-Ross
-----Original Message-----
From: kerberos...@mit.edu [mailto:kerberos...@mit.edu] On Behalf Of jm130794
With my first client, I added my computer in the Microsoft Domain. After
that, I could log in with my account MIT. I never change anything in the
registry.
Thanks,
JM
2011/8/26 Wilper, Ross A <rwi...@stanford.edu>
- I add my client (W7) into my AD.MYREALM (Microsoft Domain)
- on the client, I do : ksetup /AddKdc MYREALM
As you see, I don't give the address of the MIT KDC. I can open a session
with a MIT KDC user.
If I do : ksetup /AddKdc MYREALM kdc1.myrealm, that does not work.
What do you think about it ?
Jean-Michel
2011/8/26 jm130794 <jm13...@gmail.com>
If you don't do anything in the Registry then I'm quite sure there's a Group Policy which does the Job for you.
May be this doesn't work with Win7 anymore. Google for "GPO Kerberos win7", I think there were changes in the MS implementation of the settings.
Robert.
--
Robert Wehn
Hermanstraße 29
86150 Augsburg
rober...@googlemail.com
rob...@wehns.de
Am 27.08.2011 um 07:55 schrieb jm130794 <jm13...@gmail.com>:
> I found a solution (is it a good solution ?) :
>
> - I add my client (W7) into my AD.MYREALM (Microsoft Domain)
> - on the client, I do : ksetup /AddKdc MYREALM
If this is the Realm if your MIT Kerberos Domain, then this is correct. This is what Ross told you and actually adds the Registry Settings he pointed out.
This can also be done centralized by a GPO if you don't want to touch every client.
>
> As you see, I don't give the address of the MIT KDC. I can open a session with a MIT KDC user.
>
> If I do : ksetup /AddKdc MYREALM kdc1.myrealm, that does not work
What is dns name of your kdc? If it's different then it cannot work.
If you have a kdc service record for the MYREALM Realm in your DNS then making no local kdc setting is often a good idea
>
> What do you think about it ?
>
> Jean-Michel
>
> 2011/8/26 jm130794 <jm13...@gmail.com>