[32689] in Kerberos
RE: MIT kdc with Windows 7 pc
daemon@ATHENA.MIT.EDU (Wilper, Ross A)
Tue Sep 21 15:39:41 2010
From: "Wilper, Ross A" <rwilper@stanford.edu>
To: Jean-Yves Avenard <jyavenard@gmail.com>,
"kerberos@mit.edu"
<kerberos@mit.edu>
Date: Tue, 21 Sep 2010 12:39:33 -0700
You must have the external (MIT) principal mapped to a Windows user for logon to succeed.
This can be done with an Active Directory/Cross-realm trust by using the AltSecurityIdentities property on AD users. For a machine in a Workgroup, this can be done by using "ksetup /mapuser".
Windows supports AES256, AES128, RC4-HMAC and DES-CBC MD5 or CBC. The DES types are not available by default in Windows 7 (they have to be enabled).
-Ross
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Jean-Yves Avenard
Sent: Tuesday, September 21, 2010 11:56 AM
To: kerberos@mit.edu
Subject: MIT kdc with Windows 7 pc
Hi there.
I have tried to configure a Windows 7 machine to use our Kerberos
realm. The KDC is MIT krb5 1.7.1.
When I try to log in using my Kerberos principal, I get an error that
there are no logon servers available.
In the Windows 7 logs, I see the error:
"The digitally signed Privilege Attribute Certificate (PAC) that
contains the authorization information for client jeanyves_avenard in
realm M.DOMAIN.COM could not be validated.
This error is usually caused by domain trust failures; please contact
your system administrator."
In the kdc logs, I can see that something is authenticating. Passwords
seem okay as if I type an incorrect password for my username, I get an
error about the password being incorrect.
Once I enter the right password, I get the error above.
I read http://www.faqs.org/faqs/kerberos-faq/general/ and about the
PAC Microsoft put in. But it's a 10-year-old article, not sure how
relevant it is today.
Am I to understand that it is not currently possible to authenticate
on a Windows machine using an MIT Kerberos KDC? It would be a good
Windows domain replacement.
Kerberos from Windows seems to work fine, and I could use the
credential with Firefox.
Any comments on the matter?
Thank you
JY
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
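
The workgroup mapping described in the reply above, as an added example that is not part of either message: a PowerShell wrapper around the ksetup steps for a non-domain Windows 7 machine. The KDC host name, the local account name and the existence of a host principal for this machine on the MIT KDC are assumptions; the realm and client name are the ones quoted from the event log.

```powershell
# Added example: run from an elevated prompt on the workgroup machine.
# Placeholders (assumptions, not from the thread): KDC host, local account.
$Realm        = 'M.DOMAIN.COM'                 # realm quoted in the event log
$Kdc          = 'kdc.example.invalid'          # placeholder KDC host name
$Principal    = "jeanyves_avenard@$Realm"      # client quoted in the event log
$LocalAccount = 'localuser'                    # placeholder local Windows account

function Invoke-Ksetup {
    param([string[]]$Arguments)
    & ksetup.exe @Arguments
    # Assumption: ksetup reports failure through a non-zero exit code.
    if ($LASTEXITCODE -ne 0) {
        throw "ksetup $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# A principal can only be mapped to a local account that already exists.
& net.exe user $LocalAccount 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Local account '$LocalAccount' does not exist; create it first."
}

# Point the machine at the MIT realm and tell it where the KDC is.
Invoke-Ksetup @('/setrealm', $Realm)
Invoke-Ksetup @('/addkdc', $Realm, $Kdc)

# The machine needs its own key: this password must match the one set for
# the machine's host principal on the KDC (assumed to have been created).
$MachinePassword = Read-Host 'Password of this machine''s host principal'
Invoke-Ksetup @('/setcomputerpassword', $MachinePassword)

# Map the external (MIT) principal to the local Windows user.
Invoke-Ksetup @('/mapuser', $Principal, $LocalAccount)

# Show the resulting realm, KDC and mapping so the change can be reviewed.
Invoke-Ksetup @('/dumpstate')
Write-Host 'Restart the machine for the realm change to take effect.'
```

Mapping a single named principal to a single local account keeps the grant narrow; check the `/dumpstate` output to confirm no broader mapping is present.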