
w2k client login to kerberos realm


Brian Thompson
Nov 10, 2002, 4:36:39 PM

Hi all, I'm having a problem logging into a
non-windows kerberos realm from a w2k
workstation. The same realm username/password
works fine on the AD server due to a trust
and the w2k workstation can log in using
either a local account or an AD domain account.
The non-windows realm is on the domain pull-down
on the w2k workstation but logins don't work
unless I create a local account on the w2k
workstation with the same name as the kerberos
username. If I delete the local account it
doesn't work. There is an account in the AD
server with the same username which is the
proxy account that I really want to use.

Without the local account, I get two different
symptoms depending on whether or not I have
a "ksetup /mapuser * *" defined on the w2k
workstation. If username mapping is defined, I
get an error message about not being able to
map a SID to the username. If username mapping
isn't defined, I get the regular failed login
message.

Any assistance would be greatly appreciated!

Thanks,
Brian

Tony Hoyle
Nov 11, 2002, 6:48:33 AM

On Sun, 10 Nov 2002 13:36:39 +0000, Brian Thompson wrote:

> username. If I delete the local account it
> doesn't work. There is an account in the AD
> server with the same username which is the
> proxy account that I really want to use.
>

If you're logging into a non-Windows kerberos account there *must*
be a local account mapped so that Windows can retrieve a valid SID
for the user. When you log into Active Directory this is done
automatically (via some extra data sent from the server). Logging
into an MIT domain is the same as logging in locally except the password
authentication is done via kerberos (all other authentication eg. network
shares is done as if you had logged in locally).

Tony

Brian Thompson
Nov 11, 2002, 2:45:26 PM

"Tony Hoyle" <t...@nodomain.org> wrote in message news:<pan.2002.11.11....@nodomain.org>...

Thanks Tony but I'm wondering if and/or why it has to
be _local_. I'd really like the shadow SID account to be
an AD domain account, not local to the workstation.

According to Luke this is theoretically possible:

http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&frame=right&rnum=11&thl=1010052362,1009746294,1011410969,1011406245,1011372638,1011287500,1011279568,1011265813,1011263816,1011252848,1011250716,1011242826&seekm=anfmmn%243f3%241%40sisko.nodomain.org#link12

I'm using Heimdal as the KDC and the workstations
do belong to an AD domain.

-Brian

Sam Hartman
Nov 11, 2002, 3:43:38 PM

>>>>> "Tony" == Tony Hoyle <t...@nodomain.org> writes:

Tony> On Sun, 10 Nov 2002 13:36:39 +0000, Brian Thompson wrote:
>> username. If I delete the local account it doesn't work. There
>> is an account in the AD server with the same username which is
>> the proxy account that I really want to use.
>>

Tony> If you're logging into a non-Windows kerberos account there
Tony> *must* be a local account mapped so that Windows can
Tony> retrieve a valid SID for the user. When you log into Active
Tony> Directory this is done automatically (via some extra data
Tony> sent from the server). Logging into an MIT domain is the
Tony> same as logging in locally except the password
Tony> authentication is done via kerberos (all other
Tony> authentication eg. network shares is done as if you had
Tony> logged in locally).

Empirical evidence suggests you're giving an incomplete answer here.
I have a W2K box on my desk for which I log into an MIT account which
is mapped by the domain to a domain account. No local account exists.
________________________________________________
Kerberos mailing list Kerb...@mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos

Tony Hoyle
Nov 11, 2002, 3:24:33 PM

On Mon, 11 Nov 2002 11:45:26 +0000, Brian Thompson wrote:

I can't see how, based on the Microsoft documentation, although Luke knows
more about what the protocol is capable of.

In any case it would be the KDC that would have to pass the AD
authentication information - maybe he was referring to the patched heimdal
he did for samba?

Tony

Sam Hartman
Nov 11, 2002, 4:32:35 PM

>>>>> "Tony" == Tony Hoyle <t...@nodomain.org> writes:

Tony> In any case it would be the KDC that would have to pass the
Tony> AD authentication information - maybe he was referring to
Tony> the patched heimdal he did for samba?


No, it is simply required that the host service ticket obtained to
verify the user include the AD information. Provided that the
machine's account is with an AD KDC everything can be made to work.

Nathan Ward
Nov 11, 2002, 4:53:59 PM

Here is what I did with MIT Krb5 & Win2k.

- Set up my KDC with des-cbc-crc encryption.
- Used the ksetup.exe util as per the Microsoft Kerberos Interoperability Steps document (exact name may differ) to:
  - Set my kerberos realm
  - Set my kdc
  - Map all accounts (* & *@realm) to "Administrator"
- Got a tool called Wake (http://www.rose-hulman.edu/TSC/software/wake/) which converts MSKRB5 tickets to MITKRB5 tickets (so I can use OpenAFS etc. on my windows workstations).

Why map all to administrator? There is little security implication here, as all users store their data on the AFS server and each user has their own workstation.

If you must use AD, somewhere at padl.com there is a project in progress to make an OpenLDAP extension to talk as an ADC.

The Microsoft documents on UNIX interoperability are starting to get good as well, so instead of ignoring all MS links in your google searches, check them out. They are good.

Nathan



--

Nathan Ward
System Administrator
Esphion Ltd.

PH: +64 9 4142060
MOB: +64 9 21 431675
EMail: nw...@esphion.com
Web: www.esphion.com
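The wildcard mappings in Nathan's setup live on each workstation, so a practitioner will want to read them back and see exactly what they grant. The PowerShell below is an added example, not code from this thread or from Microsoft. It rests on an assumption of mine about where ksetup keeps its state (local /mapuser entries as values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\UserList, with the principal as value name and the local account as data, and registered realms as subkeys of ...\Kerberos\Domains); the function names, severities and the sample mapping table are also mine. The check rates a wildcard principal mapped onto Administrator as high because every principal the trusted KDC will issue a ticket for then logs in with local administrator rights.

```powershell
# Added example, not from the thread. Assumption: ksetup /mapuser (without /domain) stores
# local mappings as registry values under ...\Lsa\Kerberos\UserList, value name = principal
# ('*' or '*@REALM' allowed), value data = local account ('*' = "same-named local account");
# realms added with ksetup /addkdc are subkeys of ...\Lsa\Kerberos\Domains.
$script:KerberosKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
$script:PrivilegedLocal = @('Administrator')   # local accounts a bulk mapping must never land on

function Get-LocalKerberosRealm {
    # Upper-cased names of the non-Windows realms registered on this machine.
    $domains = Join-Path $script:KerberosKey 'Domains'
    if (-not (Test-Path $domains)) { return @() }
    return @(Get-ChildItem $domains | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

function Get-LocalKerberosMapping {
    # Hashtable principal -> local account, as written by ksetup /mapuser on this machine.
    $map = @{}
    $userList = Join-Path $script:KerberosKey 'UserList'
    if (-not (Test-Path $userList)) { return $map }
    $item = Get-Item $userList
    foreach ($name in $item.GetValueNames()) { $map[$name] = [string]$item.GetValue($name) }
    return $map
}

function Test-LocalKerberosMapping {
    param(
        [Parameter(Mandatory)][hashtable]$Mapping,   # principal -> local account
        [string[]]$TrustedRealm = @()                 # realms you expect to see, upper case
    )
    $findings = @()
    foreach ($principal in $Mapping.Keys) {
        $account = $Mapping[$principal]
        # Split user@REALM; an unqualified name ('*' or 'bob') applies to any trusted realm.
        $at = $principal.IndexOf('@')
        if ($at -ge 0) { $user = $principal.Substring(0, $at); $realm = $principal.Substring($at + 1) }
        else           { $user = $principal;                  $realm = '*' }

        $isWildcard   = ($user -eq '*')
        $isPrivileged = ($script:PrivilegedLocal -contains $account)
        if ($isWildcard -and $isPrivileged) {
            $sev = 'High';   $why = "every principal in realm '$realm' logs in as local '$account'"
        } elseif ($isWildcard -and $account -eq '*') {
            $sev = 'Medium'; $why = "any principal in realm '$realm' with a same-named local account logs in as it"
        } elseif ($isPrivileged) {
            $sev = 'Medium'; $why = "single principal maps onto privileged local account '$account'"
        } elseif ($TrustedRealm.Count -gt 0 -and $realm -ne '*' -and $TrustedRealm -notcontains $realm.ToUpperInvariant()) {
            $sev = 'Low';    $why = "realm '$realm' is not registered/expected on this machine"
        } else {
            $sev = 'Info';   $why = 'explicit one-to-one mapping'
        }
        $findings += [pscustomobject]@{ Principal = $principal; Account = $account; Severity = $sev; Reason = $why }
    }
    return $findings
}

# Constructed sample modelled on the two mappings Nathan posted, plus one explicit mapping.
$sample = @{
    '*@OFFICE.EXAMPLE'      = 'Administrator'
    '*'                     = 'Administrator'
    'kbrian@OFFICE.EXAMPLE' = 'kbrian'
}
Test-LocalKerberosMapping -Mapping $sample -TrustedRealm 'OFFICE.EXAMPLE' | Format-Table -AutoSize

# Against the live workstation (elevated prompt), using the realms ksetup actually registered:
# Test-LocalKerberosMapping -Mapping (Get-LocalKerberosMapping) -TrustedRealm (Get-LocalKerberosRealm)
```

The sample table yields two High findings (both wildcard entries map onto Administrator) and one Info line for the explicit mapping; on a real machine, run the commented-out line instead so the expected-realm list comes from the registry rather than from a hand-typed string.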

Tony Hoyle
Nov 11, 2002, 6:36:21 PM

On Mon, 11 Nov 2002 20:43:38 +0000, Sam Hartman wrote:

> Empirical evidence suggests you're giving an incomplete answer here.
> I have a W2K box on my desk for which I log into an MIT account which
> is mapped by the domain to a domain account. No local account exists.

Hmm not sure how you did that as it conflicts directly with the
documentation on the microsoft website, and my own experience.

If there's a way to get it to work it'd be useful to me, as at the moment
I have to choose between kerberos or domain login when logging in.

Tony

Nathan Ward
Nov 11, 2002, 9:42:46 PM

I forget if the realm is needed or not:
ksetup.exe /mapuser *@realm Administrator
ksetup.exe /mapuser * Administrator


Brian Thompson
Nov 11, 2002, 10:33:04 PM

hart...@mit.edu (Sam Hartman) wrote in message news:<tslbs4v...@konishi-polis.mit.edu>...

Sam, it sounds like you already have working
exactly what I'm trying to get working. Can
you cut/paste/annotate an output of your
workstation ksetup?

I'm not clear on whether the client machines
need mapping enabled or not and whether to point
them at the Heimdal KDC machine or the AD machine
for access to the Heimdal KDC realm.

Thanks for any info!

-Brian

f...@commerceflow.com
Nov 11, 2002, 11:17:03 PM

> > Empirical evidence suggests you're giving an incomplete answer here.
> > I have a W2K box on my desk for which I log into an MIT account which
> > is mapped by the domain to a domain account. No local account exists.
>
> Hmm not sure how you did that as it conflicts directly with the
> documentation on the microsoft website, and my own experience.
>
> If there's a way to get it to work it'd be useful to me, as at the moment
> I have to choose between kerberos or domain login when logging in.

Microsoft did document this, in the kerbsteps.asp file. look at the
"Setting Trust with a Kerberos Realm" section of
http://www.microsoft.com/WINDOWS2000/techinfo/planning/security/kerbsteps.asp

I set up a test network that did something like this awhile ago. It's
long gone, so I can't pull configs off it, but here's what I remember
from my notes: (it appears the same as what's at the URL I listed)

the AD realm is WOFFICE, the kerberos realm is OFFICE

the workstations need a krb5.conf equivalent entry for OFFICE, use
ksetup /addkdc to make it.

the realms need a shared key (I think)

each account needs a mapping between the realms. use
"Active Directory Users and Computers" to map foo@WOFFICE to
foo@OFFICE

the workstation's login screen will have 2 realms. the kerberos one,
and the AD one. Users shouldn't know the passwords in the AD realm,
and if they select the kerberos one all the right things
happen. (they can also just login as foo@OFFICE, and it'll figure
out the right realm)

seph

Brian Thompson
Nov 12, 2002, 9:11:59 AM

f...@commerceflow.com wrote in message news:<w527kfj...@debian.directionless.org>...

I ran into the same document and went through
this a while ago. It works for the Windows server
but not for the Windows workstations. As you stated,
the server has two realms (the AD one, and the
Kerberos one) and the logins do work as you
described.

On the workstations there are _three_ domains
(one AD, one Kerberos, one local ws). I'm trying to
tie the first and second together without creating
a shadow account in the third and log in using the
kerberos domain password.

It sounds like Sam has it working but I'm very
curious to see what "ksetup" outputs on his
workstation.

-Brian

Actually davidchr
Nov 12, 2002, 4:48:38 PM

It sounds like you've got local mappings (ksetup /mapuser * *) but you
really want domain mappings (either or both will work, depending on your
needs).

If you want AD domain accounts to serve as proxy accounts for purposes
of authorizing principals from trusted non-Windows realms, then you can
use ksetup to configure each proxy account (you can't ksetup /mapuser *
* at the domain level-- it only works for local accounts):

ksetup /domain WINDOWS.DOMAIN.COM /mapuser f...@REALM.COM windows-accountname

This is explained in greater depth in our whitepapers somewhere, though
I don't have a bookmark handy to provide reference.

-----
This message is provided "AS IS" with no warranties, and confers no
rights.
Message may originate from an unmonitored alias ("davespam"). If so,
use "davidchr" if a direct reply is required.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer.
I reside in Washington, USA, where Title 19 declares that sending me
Unsolicited Commercial Email can result in a $500 fine.
Harvesting of this address for purposes of bulk email (spam and UCE) is
expressly prohibited unless by my explicit prior request. I retaliate
viciously against spammers and spam sites.



> -----Original Message-----
> From: Brian Thompson [mailto:bri...@ghidra.eng.wayne.edu]
> Sent: Sunday, November 10, 2002 1:37 PM
> To: kerb...@mit.edu
>
> Hi all, I'm having a problem logging into a
> non-windows kerberos realm from a w2k
> workstation. The same realm username/password
> works fine on the AD server due to a trust
> and the w2k workstation can log in using
> either a local account or an AD domain account.
> The non-windows realm is on the domain pull-down
> on the w2k workstation but logins don't work
> unless I create a local account on the w2k
> workstation with the same name as the kerberos
> username. If I delete the local account it
> doesn't work. There is an account in the AD
> server with the same username which is the
> proxy account that I really want to use.
>
> Without the local account, I get two different
> symptoms depending on whether or not I have
> a "ksetup /mapuser * *" defined on the w2k
> workstation. If username mapping is defined, I
> get an error message about not being able to
> map a SID to the username. If username mapping
> isn't defined, I get the regular failed login
> message.
>
> Any assistance would be greatly appreciated!
>
> Thanks,
> Brian

Brian Thompson
Nov 13, 2002, 5:16:29 AM

dave...@microsoft.com ("Actually davidchr") wrote in message news:<4AEE3169443CDD4796CA...@win-msg-01.wingroup.windeploy.ntdev.microsoft.com>...


Thanks all! That basically did the trick. For some
reason specifying the domain name croaked but using
the /domain argument without specifying an actual
domain name worked.

Here's a cut/paste of what the results were:


E:\t>
E:\t>ksetup /domain igloo.wayne.edu /mapuser kbr...@WAYNE.EDU kbrian
Connecting to specified domain igloo.wayne.edu...
Ldap open failed for \\aeolus.igloo.wayne.edu: 0x3a.
Could not guess user's domain.
Please specify domain on command line and try again.
/Domain failed: 0xc0000001.
E:\t>
E:\t>
E:\t>ksetup /domain /mapuser kbr...@WAYNE.EDU kbrian
Using domain IGLOO.WAYNE.EDU.
Mapping created successfully.
E:\t>

Thanks again for everyone's help! Problem solved.

-Brian
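The domain-level mapping davidchr describes, and that Brian's final ksetup command created, is stored on the AD user object in its altSecurityIdentities attribute as a "Kerberos:user@REALM" value; the Name Mappings tab in Active Directory Users and Computers writes the same attribute. The PowerShell below is an added example, not code from this thread or from Microsoft. It assumes the ActiveDirectory module (RSAT) and an account allowed to read and write that attribute; the function names are mine and the realm/account names are the ones from Brian's post, used as placeholders. Writing the attribute directly does not depend on ksetup's own domain discovery (the "Ldap open failed" / "Could not guess user's domain" path Brian hit when he named the domain explicitly), and the audit function lists every Kerberos mapping in the domain with the things a reviewer would flag: mappings onto AdminSDHolder-protected accounts, onto disabled proxy accounts, from unexpected realms, and one principal mapped onto more than one account.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and rights to read and
# write altSecurityIdentities. Value form "Kerberos:<user>@<REALM>" is what a domain-level
# ksetup /mapuser (and the ADUC Name Mappings tab) stores; names below are placeholders.
Import-Module ActiveDirectory

function ConvertTo-KerberosMappingValue {
    param([Parameter(Mandatory)][string]$Principal)   # e.g. kbrian@WAYNE.EDU
    # AD matches this string literally at logon, so force one canonical shape: user@UPPERCASE.REALM.
    if ($Principal -notmatch '^(?<user>[^@\s]+)@(?<realm>[^@\s]+)$') {
        throw "Principal must be user@REALM: '$Principal'"
    }
    return 'Kerberos:' + $Matches.user + '@' + $Matches.realm.ToUpperInvariant()
}

function Add-DomainKerberosMapping {
    param(
        [Parameter(Mandatory)][string]$Principal,       # non-Windows realm principal
        [Parameter(Mandatory)][string]$SamAccountName   # AD proxy account that supplies the SID
    )
    $value = ConvertTo-KerberosMappingValue $Principal
    $user  = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
    if ($user.altSecurityIdentities -contains $value) { return $user }   # idempotent
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $value }
    return Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
}

function Get-DomainKerberosMappingFinding {
    param([string[]]$TrustedRealm = @())   # realms a trust actually exists for, upper case
    # adminCount=1 marks accounts protected by AdminSDHolder, i.e. members of privileged groups.
    $users = Get-ADUser -LDAPFilter '(altSecurityIdentities=Kerberos:*)' `
                        -Properties altSecurityIdentities, adminCount
    $seen = @{}   # principal -> first account it was found on
    foreach ($u in $users) {
        foreach ($id in $u.altSecurityIdentities) {
            if ($id -notlike 'Kerberos:*') { continue }   # skip X509: and other mapping kinds
            $principal = $id.Substring('Kerberos:'.Length)
            $realm     = ($principal -split '@')[-1]
            $reasons   = @()
            if ($u.adminCount -eq 1) { $reasons += 'proxy account is AdminSDHolder-protected (adminCount=1)' }
            if (-not $u.Enabled)     { $reasons += 'proxy account is disabled' }
            if ($TrustedRealm.Count -gt 0 -and $TrustedRealm -notcontains $realm) {
                $reasons += "realm '$realm' is not in the trusted-realm list"
            }
            if ($seen.ContainsKey($principal)) { $reasons += "principal also mapped onto '$($seen[$principal])'" }
            else                               { $seen[$principal] = $u.SamAccountName }
            [pscustomobject]@{ Principal = $principal; Account = $u.SamAccountName; Findings = ($reasons -join '; ') }
        }
    }
}

# Usage (placeholders):
# Add-DomainKerberosMapping -Principal 'kbrian@WAYNE.EDU' -SamAccountName 'kbrian'
# Get-DomainKerberosMappingFinding -TrustedRealm 'WAYNE.EDU' | Where-Object Findings | Format-Table -AutoSize
```

Because the attribute is compared as a string, a mapping written with a lower-case realm will silently fail to match the ticket's principal; the canonicalising helper is there to prevent that class of "regular failed login" with no other symptom.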
