Hi There,
I've been wracking my brains trying to get Windows 7 authenticating against a MIT Kerberos 5 Realm (which is running on an Arch Linux server).
I've done
the following on
the server (aka dc1):
Installed and configured a NTP time server
Installed and configured DHCP and DNS (setup for
the domain tnet.loc)
Installed Kerberos from source
Setup
the database
Configured
the keytab
Setup
the ACL file with: *@TNET.LOC *
Added a policy for my user and my machine:
addpol users
addpol admin
addpol hosts
ank -policy users
[email protected]
ank -policy admin tom/
[email protected]
ank -policy hosts host/wdesk3.tnet.loc -pw MYPASSWORDHERE
I then did
the following to
the windows 7 client (aka wdesk3):
Made sure
the ip address was supplied by my DHCP server and dc1.tnet.loc pings ok
Set
the internet time server to my linux server (aka dc1.tnet.loc)
Used ksetup to configure
the realm:
ksetup /SetRealm TNET.LOC
ksetup /AddKdc dc1.tnet.loc
ksetip /SetComputerPassword MYPASSWORDHERE
ksetip /MapUser * *
After some googl-ing I found that DES encryption was disabled by Windows 7 by default and I turned
the policy on to support DES encryption over Kerberos
Then I rebooted
the windows client
However after doing all that I still cannot login from my Windows client. :(
Looking at
the logs on
the server;
the request looks fine and everything works great, I think
the issue is that
the response from
the KDC is not recognized by
the Windows Client and a generic login error appears: "Login Failure: User name or password is invalid".
The log file for
the server looks like this (I tail'ed this so I know it's happening when
the Windows machine attempts
the login):
If I supply an invalid realm in
the login window I get a completely different error message, so I don't think it's a connection problem from
the client to
the server? But I can't find any error logs on
the Windows machine? (anyone know where these are?)
If I try: runas /netonly /user:
[email protected] cmd.exe everything works (although I don't get anything appear in
the server logs, so I'm wondering if it's not touching
the server for this??), but if I run: runas /user:
[email protected] cmd.exe I get
the same authentication error.
Any Kerberos Gurus out there who can give me some ideas as to what to try next? pretty please?