I am currently in the process of extending my development environment, which so far has run only Linux servers, by adding machines running Windows Server 2016. The authentication process is handled by MIT Kerberos. For the new Windows machines, I am planning on using Active Directory. Since I don't want to manage users in two systems, I am setting up a cross-realm trust between the Windows AD and the already existing MIT Kerberos installation.
To do that, I have followed this guide: https://bluedata.zendesk.com/hc/en-us/articles/115007484067-How-To-Establish-Cross-Realm-Trust-from-MIT-KDC-to-AD.
Now, I have noticed that I can obtain a ticket from the Windows AD for a user from the AD on a Linux machine just fine: running kinit Administrator@AD.DOMAIN.LOCAL completes without any errors and gives me a ticket as expected.
On the other hand, I cannot log in to any of the Windows machines using an account from the MIT Kerberos setup. Trying to log in using my test account (test@DOMAIN.LOCAL from the MIT realm DOMAIN.LOCAL) throws the following error:
"The security database on the server does not have a computer account for this workstation trust relationship".
Another thing I am noticing is that when I try to verify the trust relationship using the command netdom trust DOMAIN.LOCAL /Domain:AD.DOMAIN.LOCAL /Kerberos /verbose /verify, I am getting the following error message:
"Unable to contact the domain DOMAIN.LOCAL. The command failed to complete successfully."
It seems like the Windows AD is unable to communicate with the MIT Kerberos installation, which seems weird, though, because it apparently does work the other way around. I have already double-checked that all the DNS records (domain.local, ad.domain.local and the FQDNs for the KDCs) resolve to the correct IP addresses. While researching the problem, I stumbled across this post https://stackoverflow.com/questions/45236577/using-mit-kerberos-as-account-domain-for-windows-ad-domain, which seemed promising at first but couldn't help me fix my problem. Any help is greatly appreciated!