MIT to Windows 2k interoperability problems


MIT to Windows 2k interoperability problems

amiliv
Hi,

I've got a small problem with Kerberos, and couldn't seem to be able to
find a solution by simply Googling around...

I changed my Kerberos domain name.  Basically, I just wiped out the old
KDC, and reinstalled from scratch (it was testing only, so no real
users on it anyhow).  There was a one-way trust between the old domain and
another Kerberos domain (part of Windows 2000 Active Directory).

Before the change, I had saslauthd running on the Unix side, and it was
able to authenticate users against Active Directory (using Kerberos).
After the change, I did exactly the same steps, but things simply don't
work anymore.  The interesting thing is that I also added a slave server, and
if saslauthd is going through the slave, it can successfully
authenticate users on the Windows Kerberos domain.  My guess is that
there's some stale information about the old domain and associated accounts
on the Windows side (created with ktpass.exe) that needs to be wiped out
too.

All I could find on the web is how to initially make things work.
In short, set up an account for the Unix host in Active Directory, associate
the host Kerberos principal with that account and create a key using
ktpass.exe, and import the key into /etc/krb5.keytab on the Unix side.  But no
info on how to undo it (the part on the Windows side; removing the key from
krb5.keytab is trivial), so that I can recreate the host principal for my
master KDC in a clean way.  As I said, I guess my problems are due to
stale information for the host principal on the Windows side.

I hope somebody could give me a hint or two to get me going in the right
direction.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: MIT to Windows 2k interoperability problems

Douglas E. Engert
Google for: cross-realm windows kerberos

Then read:
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp


--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: MIT to Windows 2k interoperability problems

jalbro

That is a very good document, but needs to be read REALLY carefully...

I'll add some hints:

To check that you cleaned things up correctly, you can use adsiedit.msc on
the Windows side to make sure you don't have duplicate
servicePrincipalNames.

ktpass requires a new, made-up password (most MS documentation doesn't
make this clear).

Also, ktpass documents suggest you can create a servicePrincipalName
WITHOUT mapping to a user (no -mapuser).  I have no idea what that
means.

-Jeff


-----------------------------------------------------------
Jeffrey Albro | Systems Administrator | Boston University
   - Department of Electrical and Computer Engineering -
[hidden email] |  Photonics, Room 305  | 617-358-2785
-----------------------------------------------------------



On Wed, 22 Jun 2005, Douglas E. Engert wrote:

> Google for: cross-realm windows kerberos
>
> Then read:
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
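The original poster suspects stale ktpass.exe account data on the Windows side, and Jeff's hint above is to look for duplicate servicePrincipalNames with adsiedit.msc. The script below is an added example, not code from anyone in this thread: it performs the same check offline, and additionally flags userPrincipalName and altSecurityIdentities values that still name a realm other than the ones you expect (ktpass -mapuser writes the mapped principal into the account's userPrincipalName, and the "Name Mappings" dialog writes "Kerberos:principal@REALM" into altSecurityIdentities). It assumes you export the accounts with ldifde on a domain controller, as shown in the docstring; the LDIF sample, the realm names and the account names are constructed for illustration.

```python
"""Added example (not from the thread): scan an LDIF export of Active
Directory accounts for two kinds of leftover after a realm rename --
duplicate servicePrincipalName values, and name mappings that still point
at a realm that no longer exists.

Assumed workflow (an assumption, not something the thread states): on a
domain controller, export user and computer objects with ldifde, e.g.

  ldifde -f accounts.ldf -r "(objectClass=user)" -l servicePrincipalName,userPrincipalName,altSecurityIdentities

then run this script on accounts.ldf.  The LDIF below is constructed for
illustration; the realm and account names are made up.
"""
import base64
import re
import sys
from collections import defaultdict

SAMPLE_LDIF = """\
dn: CN=unixhost-old,CN=Users,DC=example,DC=com
changetype: add
servicePrincipalName: host/unixhost.example.com
userPrincipalName: host/unixhost.example.com@OLD.REALM.EXAMPLE

dn: CN=unixhost,CN=Users,DC=example,DC=com
changetype: add
servicePrincipalName: host/unixhost.example.com
userPrincipalName: host/unixhost.example.com@NEW.REALM.EXAMPLE
altSecurityIdentities: Kerberos:host/unixhost.example.com@NEW.REALM.EXAMPLE

dn: CN=fileserver,CN=Computers,DC=example,DC=com
changetype: add
servicePrincipalName: HOST/fileserver.example.com
servicePrincipalName: cifs/fileserver.example.com

dn: CN=alice,CN=Users,DC=example,DC=com
changetype: add
userPrincipalName: alice@example.com
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")
REALM_RE = re.compile(r"@([^@\s]+)$")


def parse_ldif(text):
    """Parse minimal LDIF (as written by ldifde or ldapsearch) into a list of
    {'dn': str, 'attrs': {attribute_name_lowercase: [values]}}.
    Handles folded continuation lines (leading space) and base64 ('::')
    values; comment lines starting with '#' are skipped."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:         # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is not None:
            current["attrs"][name].append(value)
    return entries


def find_duplicate_spns(entries):
    """Map each SPN to the DNs carrying it and keep only SPNs claimed by more
    than one object.  Comparison is case-insensitive, matching the
    case-ignore LDAP matching rule of the servicePrincipalName attribute."""
    owners = defaultdict(list)
    for e in entries:
        for spn in e["attrs"].get("serviceprincipalname", []):
            owners[spn.lower()].append(e["dn"])
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


def find_stale_realm_mappings(entries, valid_realms):
    """Return (dn, attribute, value) for every userPrincipalName or
    Kerberos-type altSecurityIdentities value whose realm (the part after
    '@') is not in valid_realms.  Include the AD domain's own DNS name in
    valid_realms, since ordinary user UPNs end in it."""
    valid = {r.upper() for r in valid_realms}
    stale = []
    for e in entries:
        for attr in ("userprincipalname", "altsecurityidentities"):
            for value in e["attrs"].get(attr, []):
                if attr == "altsecurityidentities" and not value.lower().startswith("kerberos:"):
                    continue             # X.509 and other mapping types are out of scope
                m = REALM_RE.search(value)
                if m and m.group(1).upper() not in valid:
                    stale.append((e["dn"], attr, value))
    return stale


def report(entries, valid_realms):
    """Findings as a list of lines, so callers (and tests) can inspect them."""
    lines = []
    for spn, dns in sorted(find_duplicate_spns(entries).items()):
        lines.append(f"DUPLICATE SPN {spn} on: " + "; ".join(dns))
    for dn, attr, value in find_stale_realm_mappings(entries, valid_realms):
        lines.append(f"STALE REALM in {attr} of {dn}: {value}")
    return lines


if __name__ == "__main__":
    # Usage: python spn_audit.py accounts.ldf REALM [REALM ...]
    # Without arguments the constructed sample above is scanned instead.
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        realms = sys.argv[2:]
    else:
        text, realms = SAMPLE_LDIF, ["NEW.REALM.EXAMPLE", "EXAMPLE.COM"]
    for line in report(parse_ldif(text), realms) or ["no findings"]:
        print(line)
```

On the sample the script reports the one SPN shared by the old and new host accounts and the old account's userPrincipalName that still names OLD.REALM.EXAMPLE; those are the objects to delete or re-map before running ktpass.exe again, and the scan is worth repeating afterwards to confirm nothing is left. Pass every realm you legitimately use, including the AD domain itself, or every normal user account will be flagged.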