[32692] in Kerberos
Re: MIT kdc with Windows 7 pc
daemon@ATHENA.MIT.EDU (Jean-Yves Avenard)
Tue Sep 21 15:53:51 2010
In-Reply-To: <C6BF43271ABC924B9A7057FAD2B4953F08991F2188@ITS-ExchMB02.stanford.edu>
Date: Wed, 22 Sep 2010 05:53:46 +1000
Message-ID: <AANLkTikzcL_qSauTojvx0Oos6c_zFnsF8uPW=MWtDr3=@mail.gmail.com>
From: Jean-Yves Avenard <jyavenard@gmail.com>
To: "Wilper, Ross A" <rwilper@stanford.edu>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Hi
On 22 September 2010 05:39, Wilper, Ross A <rwilper@stanford.edu> wrote:
> You must have the external (MIT) principal mapped to a Windows user for logon to succeed.
Pretty sure I did that:
I ran the command
ksetup /mapuser username@M.DOMAIN.COM username
>
> This can be done with an Active Directory/Cross-realm trust by using the AltSecurityIdentities property on AD users. For a machine in a Workgroup, this can be done by using "ksetup /mapuser"
>
> Windows supports AES256, AES128, RC4-HMAC and DES-CBC MD5 or CBC. The DES types are not available by default in Windows 7 (they have to be enabled).
>
The principal was created using:
ank -pw password -e rc4-hmac:normal host/minimepc.m.domain.com
For all accounts it seemed to work properly; by that I mean I see no
authentication errors in the KDC logs.
Do the DES encryption types need to be enabled even for Windows 7?
I did see:
Sep 22 05:43:06 m.domain.com krb5kdc[68](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 60.242.X.X: NEEDED_PREAUTH: jeanyves_avenard@M.DOMAIN.COM for krbtgt/M.DOMAIN.COM@M.DOMAIN.COM, Additional pre-authentication required
followed by proper authentication after, no password errors.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
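
Added example (not part of the original message and not MIT krb5 code): a parser for the AS_REQ log line quoted in the message that decodes the offered etype numbers and reports which stored key matches the client's preference order. The key set passed to report() and the "first offered etype with a stored key" rule are simplifying assumptions; the principal's real keys are listed by kadmin's getprinc.

```python
import re

# Kerberos encryption type numbers (IANA registry) that appear in the log line.
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
SINGLE_DES = {1, 2, 3}  # the DES types Windows 7 leaves disabled by default

# Matches the krb5kdc AS_REQ line format shown in the message.
AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<service>\S+?),"
)

def parse_as_req(line):
    """Return the fields of one AS_REQ log line, or None if it does not match."""
    m = AS_REQ.search(" ".join(line.split()))  # tolerate mail-wrapped lines
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(n) for n in rec["etypes"].split()]
    return rec

def select_key(client_etypes, principal_keys):
    """First etype, in client preference order, that the principal has a key for."""
    have = {n for n, name in ETYPES.items() if name in principal_keys}
    return next((ETYPES[n] for n in client_etypes if n in have), None)

def report(line, principal_keys):
    rec = parse_as_req(line)
    if rec is None:
        return None
    return {
        "client": rec["client"],
        "status": rec["status"],
        "offered": [ETYPES.get(n, f"etype-{n}") for n in rec["etypes"]],
        "single_des_offered": sorted(SINGLE_DES & set(rec["etypes"])),
        "usable_key": select_key(rec["etypes"], principal_keys),
    }

# The log line quoted in the message.
SAMPLE = ("Sep 22 05:43:06 m.domain.com krb5kdc[68](info): AS_REQ (7 etypes "
          "{18 17 16 23 1 3 2}) 60.242.X.X: NEEDED_PREAUTH: "
          "jeanyves_avenard@M.DOMAIN.COM for krbtgt/M.DOMAIN.COM@M.DOMAIN.COM, "
          "Additional pre-authentication required")

if __name__ == "__main__":
    print(report(SAMPLE, {"rc4-hmac"}))  # assumed key set: rc4-hmac only
```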