Authenticating Windows 7 against MIT Kerberos 5
I've been racking my brains trying to get Windows 7 authenticating against an MIT Kerberos 5 realm (which is running on an Arch Linux server).
I've done the following on the server (aka dc1):
- Installed and configured an NTP time server
- Installed and configured DHCP and DNS (set up for the domain tnet.loc)
- Installed Kerberos from source
- Set up the database
- Configured the keytab
- Set up the ACL file with: *@TNET.LOC *
- Added a policy for my user and my machine:

    addpol users
    addpol admin
    addpol hosts
    ank -policy users [email protected]
    ank -policy admin tom/[email protected]
    ank -policy hosts host/wdesk3.tnet.loc -pw MYPASSWORDHERE
I then did the following on the Windows 7 client (aka wdesk3):
- Made sure the IP address was supplied by my DHCP server and that dc1.tnet.loc pings OK
- Set the Internet time server to my Linux server (aka dc1.tnet.loc)
- Used ksetup to configure the realm (the original post had "ksetip" for the last two commands, a typo for ksetup, which is the only such tool on Windows):

    ksetup /SetRealm TNET.LOC
    ksetup /AddKdc dc1.tnet.loc
    ksetup /SetComputerPassword MYPASSWORDHERE
    ksetup /MapUser * *

- After some googling I found that DES encryption is disabled by default in Windows 7, and I turned the policy on to support DES encryption over Kerberos
- Then I rebooted the Windows client
However, after doing all that I still cannot log in from my Windows client. :(
Looking at the logs on the server, the request looks fine and everything works great. I think the issue is that the response from the KDC is not recognized by the Windows client, and a generic login error appears: "Login Failure: User name or password is invalid".
The log file for the server looks like this (I tailed this, so I know it's happening when the Windows machine attempts the login): Screenshot: http://dl.dropbox.com/u/577250/email/login_attempt.png
If I supply an invalid realm in the login window I get a completely different error message, so I don't think it's a connection problem from the client to the server. But I can't find any error logs on the Windows machine (anyone know where these are?).
If I try: runas /netonly /user:[email protected] cmd.exe everything works (although I don't see anything appear in the server logs, so I'm wondering if it's not touching the server for this??), but if I run: runas /user:[email protected] cmd.exe I get the same authentication error.
Any Kerberos gurus out there who can give me some ideas as to what to try next? Pretty please?
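The client-side checks a practitioner would run before chasing the KDC response itself (name resolution, KDC port reachability, clock skew against the KDC, the realm/KDC mapping the LSA holds, and the Kerberos encryption-type policy the question toggled), collected into one PowerShell script. This is an added diagnostic, not code from the original post; it assumes the realm TNET.LOC and KDC dc1.tnet.loc from the question and runs with PowerShell 2.0-era cmdlets available on Windows 7.

```powershell
# Added diagnostic (not from the original post). Assumes realm TNET.LOC and
# KDC dc1.tnet.loc as in the question; both can be overridden via parameters.
param(
    [string]$Realm = 'TNET.LOC',
    [string]$Kdc   = 'dc1.tnet.loc'
)

# 1. Name resolution: the Kerberos client gives up early if the KDC name fails to resolve.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Kdc) | ForEach-Object { $_.IPAddressToString }
    Write-Host ("KDC {0} resolves to {1}" -f $Kdc, ($addrs -join ', '))
} catch { Write-Warning "Cannot resolve $Kdc : $_" }

# 2. Reachability of the KDC on 88/tcp (UDP is not checked here).
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Kdc, 88)
    Write-Host "Port 88/tcp on $Kdc is reachable"
} catch { Write-Warning "Port 88/tcp on $Kdc is not reachable: $_" }
finally { $tcp.Close() }

# 3. Clock skew: the KDC rejects requests whose timestamp is more than a few minutes off.
w32tm /stripchart "/computer:$Kdc" /samples:3 /dataonly

# 4. Realm and KDC mapping as the LSA currently sees it (ksetup with no arguments prints it).
Write-Host "Expected realm: $Realm"
ksetup

# 5. Encryption types allowed for Kerberos: the registry value behind the policy
#    "Network security: Configure encryption types allowed for Kerberos".
#    Bitmask: 1=DES-CBC-CRC 2=DES-CBC-MD5 4=RC4-HMAC 8=AES128 16=AES256
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$etypes = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($etypes -eq $null) {
    Write-Host 'SupportedEncryptionTypes not set: Windows 7 default applies (DES disabled)'
} else {
    $names = @{1='DES-CBC-CRC'; 2='DES-CBC-MD5'; 4='RC4-HMAC'; 8='AES128'; 16='AES256'}
    $on = $names.Keys | Sort-Object | Where-Object { $etypes -band $_ } | ForEach-Object { $names[$_] }
    Write-Host ("SupportedEncryptionTypes=0x{0:X}: {1}" -f $etypes, ($on -join ', '))
}

# 6. Client-side Kerberos events land in the System log, but only once Kerberos
#    client logging is enabled (LogLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters).
Get-EventLog -LogName System -Source Kerberos -Newest 10 -ErrorAction SilentlyContinue |
    Format-Table TimeGenerated, EventID, Message -AutoSize -Wrap
```

A large offset in step 3 or an enctype list that does not overlap what the KDC offers are the two findings that match the symptom described (request accepted by the KDC, reply rejected by the client).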
Check out pGina. It doesn't have a Kerberos plugin, so you'll have to write one. Alternatively you can use OpenLDAP as a proxy and use the pGina LDAP plugin.
Apparently AD is absolutely required if you have Windows clients as the Windows clients require a small extension to the standard Kerberos ticket which AD appends.
MIT Kerberos Server cannot authenticate Windows clients on its own at this time.
(Information retrieved on the MIT Kerberos Newsgroup)