[32693] in Kerberos


RE: MIT kdc with Windows 7 pc

daemon@ATHENA.MIT.EDU (Wilper, Ross A)
Tue Sep 21 16:08:00 2010

From: "Wilper, Ross A" <rwilper@stanford.edu>
To: Jean-Yves Avenard <jyavenard@gmail.com>
Date: Tue, 21 Sep 2010 13:07:54 -0700
Message-ID: <C6BF43271ABC924B9A7057FAD2B4953F08991F218E@ITS-ExchMB02.stanford.edu>
In-Reply-To: <AANLkTikzcL_qSauTojvx0Oos6c_zFnsF8uPW=MWtDr3=@mail.gmail.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

I've never personally attached a Windows box directly to an MIT realm, only read the instructions.

If you have created the principal for the Windows machine and set the password in the Windows machine, then mapped the user's principal to a local account, then you are past what I have done for a Windows machine in a workgroup.

You do not have to turn on the DES encryption types in Windows 7 as long as at least one of the stronger enctypes is available on the principals. It looks like you set up the host with RC4, so I would not enable DES.

-Ross

-----Original Message-----
From: Jean-Yves Avenard [mailto:jyavenard@gmail.com] 
Sent: Tuesday, September 21, 2010 12:54 PM
To: Wilper, Ross A
Cc: kerberos@mit.edu
Subject: Re: MIT kdc with Windows 7 pc

Hi

On 22 September 2010 05:39, Wilper, Ross A <rwilper@stanford.edu> wrote:
> You must have the external (MIT) principal mapped to a Windows user for logon to succeed.

Pretty sure I did that:
I ran the command
ksetup /mapuser username@M.DOMAIN.COM username


>
> This can be done with an Active Directory/Cross-realm trust by using the AltSecurityIdentities property on AD users. For a machine in a Workgroup, this can be done by using "ksetup /mapuser"
>
> Windows supports AES256, AES128, RC4-HMAC and DES-CBC MD5 or CBC. The DES types are not available by default in Windows 7 (they have to be enabled).
>

The principal was created using:
ank -pw password -e rc4-hmac:normal host/minimepc.m.domain.com

For all account it seemed to work properly, by that I mean I see no
authentication error in the kdc logs.

Do the DES encryption types need to be enabled even for Windows 7?

I did see:

Sep 22 05:43:06 m.domain.com krb5kdc[68](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 60.242.X.X: NEEDED_PREAUTH: jeanyves_avenard@M.DOMAIN.COM for krbtgt/M.DOMAIN.COM@M.DOMAIN.COM, Additional pre-authentication required

followed by proper authentication after, no password errors.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
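
Added example (not part of the original thread or of MIT Kerberos): a small Python check that decodes the etype list from the AS_REQ log line quoted above and tests whether the client and a principal share any enctype stronger than single DES. The function names are hypothetical, the key set {23} is taken from the "-e rc4-hmac:normal" in the ank command, and the overlap test is a simplification of the KDC's real selection logic.

```python
import re

# Kerberos enctype numbers as they appear in the krb5kdc log line above.
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
SINGLE_DES = {1, 2, 3}

# The AS_REQ line quoted in the thread, joined onto one line.
SAMPLE = ("Sep 22 05:43:06 m.domain.com krb5kdc[68](info): AS_REQ (7 etypes "
          "{18 17 16 23 1 3 2}) 60.242.X.X: NEEDED_PREAUTH: "
          "jeanyves_avenard@M.DOMAIN.COM for krbtgt/M.DOMAIN.COM@M.DOMAIN.COM, "
          "Additional pre-authentication required")

# Matches only the request format shown in the thread.
REQ_RE = re.compile(r"(AS_REQ|TGS_REQ) \((\d+) etypes \{([\d ]+)\}\)")

def requested_etypes(line):
    """Return the client's enctype list in preference order, or None."""
    m = REQ_RE.search(line)
    if not m:
        return None
    etypes = [int(n) for n in m.group(3).split()]
    if len(etypes) != int(m.group(2)):
        raise ValueError("etype count does not match list: %r" % line)
    return etypes

def usable_etypes(line, principal_keys):
    """Enctypes the client offers that the principal also has a key for."""
    offered = requested_etypes(line) or []
    return [e for e in offered if e in principal_keys]

def needs_des(line, principal_keys):
    """True only if every enctype shared by both sides is single DES."""
    common = usable_etypes(line, principal_keys)
    return bool(common) and all(e in SINGLE_DES for e in common)

if __name__ == "__main__":
    host_keys = {23}  # assumption: principal holds only an rc4-hmac key
    offered = requested_etypes(SAMPLE)
    print("client offered:", [ETYPES.get(e, e) for e in offered])
    print("shared:", [ETYPES[e] for e in usable_etypes(SAMPLE, host_keys)])
    print("DES required:", needs_des(SAMPLE, host_keys))
```

With the logged request and an RC4-only principal the shared enctype is rc4-hmac (23), so the check reports that DES does not have to be enabled.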
