
Is it possible to authenticate Windows clients against MIT Kerberos (no AD)?


Cosimo La Torre

Apr 1, 2011, 8:21:41 AM4/1/11
to kerb...@mit.edu
Hi folks,
I have been trying to configure a WinXP client to authenticate against MIT
Kerberos V with no success (Linux clients all work fine)...
I would be very grateful if anyone can help me. I have used ksetup.exe on
the windows clients to configure REALM, KDC and so on.
This is what I have configured so far:

========================== kdc.conf ===============================

[root@centos]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 88

[realms]
EXAMPLE.COM = {
database_name = /var/kerberos/krb5kdc/principal
master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/krb5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
des-cbc-crc:afs3
default_principal_flags = -preauth
}

=========================
[root@centos]# kadmin.local
Authenticating as principal root/ad...@EXAMPLE.COM with password.
kadmin.local: listprincs
K/M...@EXAMPLE.COM
*us...@EXAMPLE.COM
host/winxp.ex...@EXAMPLE.COM*
kadmin/ad...@EXAMPLE.COM
kadmin/chan...@EXAMPLE.COM
kadmin/his...@EXAMPLE.COM
krbtgt/EXAMP...@EXAMPLE.COM
root/ad...@EXAMPLE.COM

============================ named.conf =============================
centos IN A 172.24.16.97
winxp IN A 172.24.16.135
_ldap._tcp. IN SRV 0 0 389 centos
_ldap._tcp.dc._msdcs IN SRV 0 0 389 centos
_kerberos._tcp IN SRV 0 0 88 centos
_kerberos._tcp.dc._msdcs IN SRV 0 0 88 centos
_kerberos._udp IN SRV 0 0 88 centos
_kerberos._udp.dc._msdcs IN SRV 0 0 88 centos
kerberos IN CNAME centos

******FORWARD AND REVERSE LOOKUP WORK FINE*******

======================= ksetup (WindowsXP) =======================

C:\Documents and Settings\Administrator>hostname
winxp

C:\Documents and Settings\Administrator>*ksetup*
default realm = EXAMPLE.COM (external)
EXAMPLE.COM:
kdc = centos.example.com
Realm Flags = 0xf SendAddress TcpSupported Delegate NcSupported
Mapping us...@EXAMPLE.COM to guest.


======================= FAILED WINDOWS LOGIN ==========================

Apr 01 13:16:33 laptop61a krb5kdc[6812](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.24.16.136: ISSUE: authtime 1301660193, etypes {rep=23 tkt=16 ses=23}, us...@EXAMPLE.COM for krbtgt/EXAMP...@EXAMPLE.COM
Apr 01 13:16:33 laptop61a krb5kdc[6812](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.24.16.136: ISSUE: authtime 1301660193, etypes {rep=23 tkt=16 ses=23}, us...@EXAMPLE.COM for host/winxp.ex...@EXAMPLE.COM

No logs found in MS Event Viewer

========================== LINUX CLIENT IS FINE ==============================
user@linuxclient:~$ kinit user
Password for us...@EXAMPLE.COM:

user@linuxclient:~$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: us...@EXAMPLE.COM

Valid starting Expires Service principal
04/01/11 13:10:45 04/02/11 13:10:45 krbtgt/EXAMP...@EXAMPLE.COM
renew until 04/01/11 13:10:45, Flags: FPRI
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1

Jaap Winius

Apr 1, 2011, 9:01:32 PM4/1/11
to kerb...@mit.edu
Quoting Cosimo La Torre <latorre...@gmail.com>:

> I have been trying to configure a WinXP client to authenticate against MIT
> Kerberos V with no success (linux clients all work fine)...

Yes, of course it is. Just use the Kerberos client for Windows:

http://web.mit.edu/kerberos/kfw-3.2/kfw-3.2.2.html

However, all this gets you is bare-bones Kerberos authentication; you
still need to log in to Windows first. So, you might consider
combining that with the pGina client...

http://www.pgina.org/index.php/Main_Page

... and the Kerberos plugin for it:

http://pages.cs.wisc.edu/~timc/pgina/

But, even if you get all that to work, your users will still need
local accounts on all the Windows workstations before they can log in;
local accounts are not created for them automatically, nor are they
stored on the network.

If you don't like that idea, it seems that currently your only other
options are either to buy a license for a M$ Windows server, or wait
for Samba4:

https://wiki.samba.org/index.php/Samba4

Cheers,

Jaap

Wilper, Ross A

Apr 2, 2011, 12:48:36 PM4/2/11
to kerb...@mit.edu
This is possible using the built-in Microsoft Kerberos as well without adding software. There are a few threads from this list about how to do it.

Basically, you need to:
Use KSetup to configure the Windows machine with settings about your MIT realm.
Create a host principal on the MIT KDC and set the same machine password with ksetup to "Join" the MIT realm.
Use Ksetup to map MIT users to local SAM users.

Also remember that Windows does not support all enctypes, so your KDC will have to support at least one of:
DES-CBC-CRC
DES-CBC-MD5
RC4-HMAC
AES-128 (Vista +)
AES-256 (Vista +)

-Ross

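The krb5kdc lines in the original post and Ross's enctype list can be read together: each ISSUE line records the etype of the reply key (rep), the ticket key (tkt) and the session key (ses), and the ticket for host/winxp... was issued with tkt=16, which is des3-cbc-sha1, an enctype absent from Ross's list for XP, while the client itself only offered RC4 and DES (23, 3, 1; the negative numbers are locally assigned values the Windows client sends). The script below is an added example, not code from the thread or from MIT Kerberos: it parses krb5kdc ISSUE lines and flags tickets a Windows client of a given generation cannot use. The sample log lines are constructed in the style of the thread's output, with the elided principal names filled in as user@EXAMPLE.COM, host/winxp.example.com and host/win7.example.com, and the remediation hint uses a <machine-password> placeholder.

```python
import re

# Kerberos encryption type numbers (RFC 3961 / IANA registry): the ones seen
# in the thread's krb5kdc log plus the AES types Ross mentions.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    24: "arcfour-hmac-exp",
}

# Enctypes the built-in Windows Kerberos client can use, following Ross's
# list: XP/2003 have DES and RC4 only, Vista and later add AES.
WINDOWS_ETYPES = {
    "xp": {1, 3, 23},
    "vista": {1, 3, 23, 17, 18},
}

# Shape of a krb5kdc ISSUE line as shown in the thread: syslog prefix, offered
# etype list, client address, then the etypes actually used.
ISSUE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<addr>\S+): ISSUE: "
    r"authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\}, (?P<client>\S+) for (?P<server>\S+)"
)

# Constructed sample, modelled on the failed-logon lines in the thread.
SAMPLE_LOG = [
    "Apr 01 13:16:33 laptop61a krb5kdc[6812](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.24.16.136: ISSUE: authtime 1301660193, etypes {rep=23 tkt=16 ses=23}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Apr 01 13:16:33 laptop61a krb5kdc[6812](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.24.16.136: ISSUE: authtime 1301660193, etypes {rep=23 tkt=16 ses=23}, user@EXAMPLE.COM for host/winxp.example.com@EXAMPLE.COM",
    "Apr 01 13:20:10 laptop61a krb5kdc[6812](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.24.16.136: ISSUE: authtime 1301660410, etypes {rep=23 tkt=23 ses=23}, user@EXAMPLE.COM for host/winxp.example.com@EXAMPLE.COM",
    "Apr 01 13:21:05 laptop61a krb5kdc[6812](info): TGS_REQ (5 etypes {18 17 23 3 1}) 172.24.16.140: ISSUE: authtime 1301660465, etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.COM for host/win7.example.com@EXAMPLE.COM",
    "Apr 01 13:21:06 laptop61a krb5kdc[6812](info): closing down fd 12",
]


def etype_name(num):
    """Human-readable name for an etype number, or a generic label."""
    return ETYPE_NAMES.get(num, f"etype {num}")


def parse_issue_line(line):
    """Parse one krb5kdc ISSUE line into a dict; return None for other lines."""
    m = ISSUE_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "req": d["req"],
        "offered": [int(x) for x in d["offered"].split()],
        "addr": d["addr"],
        "rep": int(d["rep"]),
        "tkt": int(d["tkt"]),
        "ses": int(d["ses"]),
        "client": d["client"],
        "server": d["server"],
    }


def check_windows_compat(lines, windows="xp"):
    """Flag issued tickets a Windows client of the given generation cannot use.

    One finding per problematic ISSUE line, with the reasons.  Negative etype
    numbers in the offered list are locally assigned values sent by the
    Windows client and are not checked.
    """
    supported = WINDOWS_ETYPES[windows]
    findings = []
    for line in lines:
        rec = parse_issue_line(line)
        if rec is None:
            continue
        reasons = []
        # The KDC reply is encrypted under a key of etype 'rep' and the
        # session key has etype 'ses'; the client must handle both.
        if rec["rep"] not in supported:
            reasons.append(f"reply key {etype_name(rec['rep'])} unusable by client")
        if rec["ses"] not in supported:
            reasons.append(f"session key {etype_name(rec['ses'])} unusable by client")
        # A ticket for host/<workstation> is encrypted with that machine's own
        # key (etype 'tkt'); the Windows LSA needs a key of that etype to
        # decrypt it at logon, which is the case in the thread (tkt=16).
        if rec["server"].startswith("host/") and rec["tkt"] not in supported:
            reasons.append(f"ticket key {etype_name(rec['tkt'])} undecryptable by workstation")
        if reasons:
            findings.append({"server": rec["server"], "tkt": rec["tkt"],
                             "ses": rec["ses"], "reasons": reasons})
    return findings


def rekey_hint(finding):
    """kadmin command giving the host principal a key Windows can use (RC4 here,
    the strongest enctype in the XP set); the password must match the one set
    on the workstation with ksetup.  <machine-password> is a placeholder."""
    return ('kadmin.local -q "cpw -e arcfour-hmac:normal -pw <machine-password> %s"'
            % finding["server"])


if __name__ == "__main__":
    for f in check_windows_compat(SAMPLE_LOG, "xp"):
        print(f["server"], "->", "; ".join(f["reasons"]))
        print("   fix:", rekey_hint(f))
```

Run against a real KDC log with `grep ISSUE /var/log/krb5kdc.log` piped in and the Windows generation as an argument; the check for the host/ ticket is the one that explains the symptom in the thread, since the Windows client never has a chance to log an error when its own host ticket arrives under a key it does not hold.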

Jaap Winius

Apr 2, 2011, 3:55:58 PM4/2/11
to kerb...@mit.edu
Quoting "Wilper, Ross A" <rwi...@stanford.edu>:

> This is possible using the built-in Microsoft Kerberos as well
> without adding software.

Since which version of Windows is this possible... Vista? I should
have mentioned that my advice was based on my experience with Windows
XP.

Cheers,

Jaap

Wilper, Ross A

Apr 2, 2011, 4:04:32 PM4/2/11
to Jaap Winius, kerb...@mit.edu
It has been possible since Windows 2000, though the process has gotten easier over time.

-Ross


Luke Howard

Apr 3, 2011, 6:40:09 AM4/3/11
to Jaap Winius, kerb...@mit.edu
> If you don't like that idea, it seems that currently your only other
> options are either to buy a license for a M$ Windows server, or wait
> for Samba4:
>
> https://wiki.samba.org/index.php/Samba4

Novell Domain Services for Windows is a commercial alternative.

-- Luke

Douglas E. Engert

Apr 4, 2011, 11:49:31 AM4/4/11
to kerb...@mit.edu

On 4/2/2011 2:55 PM, Jaap Winius wrote:
> Quoting "Wilper, Ross A"<rwi...@stanford.edu>:
>
>> This is possible using the built-in Microsoft Kerberos as well
>> without adding software.
>
> Since which version of Windows is this possible... Vista? I should
> have mentioned that my advice was based on my experience with Windows
> XP.

It goes back to Windows 2000.

http://technet.microsoft.com/en-us/library/bb742433.aspx
"Using an MIT KDC with a Standalone Windows 2000 Workstation"


The above is a good starting point to get the concepts...


--

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
