Set up a Windows 10 Client for a Linux KDC Realm
I set up a KDC Server and created a Realm EXAMPLE.COM. Here is my krb5.conf file:
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = EXAMPLE.COM
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
EXAMPLE.COM = {
admin_server = my.linux-server.de
kdc = my.linux-server.de
}
I also added a user testuser with password abc via kadmin.local:
kadmin.local: addprinc testuser@EXAMPLE.COM
I can successfully log in on my Ubuntu VM:
[root@ubuntu-vm ~]# kinit testuser
Password for testuser@EXAMPLE.COM:
Then klist shows:
[root@ubuntu-vm ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser@EXAMPLE.COM
Valid starting        Expires               Service principal
01.12.2016 14:58:40   02.12.2016 14:58:40   krbtgt/EXAMPLE.COM@EXAMPLE.COM
and I can open my Kerberized Hadoop UI.
========================================================================
The problem is my Windows client. I set it up by copying the krb5.conf file from the KDC machine to the Windows client and renamed it to kdc5.ini.
I also set the computer's domain:
C:> Ksetup /setdomain EXAMPLE.COM
After a restart I tried to connect to my KDC Realm via
C:> kinit testuser@EXAMPLE.COM
Password for testuser@EXAMPLE.COM:
<empty row>
Everything looked fine so far, but when I call klist I get only the following result:
Aktuelle Anmelde-ID ist 0:0x7eca34
Zwischengespeicherte Tickets: (0)
In English something like ... cached tickets: (0)
I'm also unable to open my website on the Windows client, so I guess that there's an interoperability issue, as I didn't have any problems connecting via my Ubuntu client.
My browser (Firefox) should be correctly configured on both machines (Ubuntu & Windows); I set the network.negotiate-auth.trusted-uris property to http://my.linux-server.de (since I did this, the Ubuntu client can open the site). Curl also works for Ubuntu, but doesn't for Windows.
UPDATE: Also tried a second Windows client without any success...
Solution 1:
Finally I got it working! I took the following steps on a Windows 7 (64-bit) machine; it should also work on Windows 10:
1. Install the MIT Kerberos from here. I took the actual Windows version, which is MIT Kerberos for Windows 4.1, and installed it with default settings.
2. Open the file C:\ProgramData\MIT\Kerberos\krb5.ini and insert the following settings.
New content of the file:
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
admin_server = your.admin.server.de
kdc = your.kdc.server.de
}
3. Download and install the actual Firefox browser.
4. Type about:config in the address bar of the Firefox browser and set the following parameters (Parameter = Value pairs):
network.negotiate-auth.delegation-uris = http://your.kdc.server.de
network.negotiate-auth.trusted-uris = http://your.kdc.server.de
network.auth.use-sspi = false
5. Restart your PC.
6. Use the MIT Kerberos Ticket Manager to obtain a new ticket for your user.
7. You should see your ticket in the manager.
8. Now you should be able to open the web page that needs authentication.
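As an added example (not from the question or the answer above), the following script parses a krb5.ini in the format shown in the answer and reports the client-side mistakes this thread turns on: a wrongly named file (MIT Kerberos for Windows reads krb5.ini, not kdc5.ini), a missing default_realm, a realm that is not upper-case, and a realm with no kdc entry while DNS lookup is disabled. The sample configuration is constructed from the answer's krb5.ini; the function names are the example's own.

```python
# Constructed sample: the krb5.ini from the answer above.
SAMPLE_KRB5_INI = """
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
admin_server = your.admin.server.de
kdc = your.kdc.server.de
}
"""

def parse_krb5(text):
    """Parse krb5.conf/krb5.ini into {section: {key: value or {subkey: value}}}.
    Handles the 'NAME = { ... }' subsection syntax used under [realms]."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif section is None:
            continue                              # key outside any section: ignore
        elif line == "}":
            sub = None                            # end of a realm subsection
        elif line.endswith("{"):
            sub = line[:-1].strip(" =")           # 'EXAMPLE.COM = {' -> 'EXAMPLE.COM'
            conf[section][sub] = {}
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            (conf[section][sub] if sub else conf[section])[key] = value
    return conf

def check_client_config(filename, text):
    """Return a list of problems an MIT Kerberos for Windows client would hit."""
    problems = []
    if filename.lower() != "krb5.ini":
        problems.append(f"file is named {filename}; MIT Kerberos for Windows reads krb5.ini")
    conf = parse_krb5(text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return problems + ["no default_realm in [libdefaults]"]
    if realm != realm.upper():
        problems.append(f"realm {realm} is not upper-case")
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict) or "kdc" not in entry:
        problems.append(f"[realms] has no kdc entry for {realm}")
    return problems
```

Run check_client_config("kdc5.ini", open(path).read()) against the copied file from the question to see the filename finding; the answer's krb5.ini passes cleanly.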