Problems integrating Kerberos 5-1.2.5 client into W2K AD

Anthony Brock abrock at georgefox.edu
Wed Sep 18 13:11:54 EDT 2002


We're attempting to authenticate against a Windows 2000 Active Directory
using a Solaris 8 with Kerberos 5-1.2.5 client. However, I cannot seem
to get the authentication working. Since we're attempting to base other
software on the Kerberos authentication, I would greatly appreciate any
assistance.

I'm including a copy of the procedures I followed below.

Tony


I exported the UNIX Server's ticket on the Active Directory server with:

***** BEGIN *****

C:\Temp>ktpass -princ host/web.georgefox.edu@CAMPUS.GEORGEFOX.EDU -pass mypassword -out test.keytab
Key created.
Output keytab to test.keytab:

Keytab version: 0x502
keysize 70 host/web.georgefox.edu@CAMPUS.GEORGEFOX.EDU ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8 (0xeac72f15ead37c4f)

***** END *****

Once exported, I then transferred the file to the UNIX Server through
scp. I then did:

***** BEGIN *****

# mv /export/home/abrock/test.keytab /etc/krb5.keytab
# chmod 600 /etc/krb5.keytab
# chown root:sys /etc/krb5.keytab
# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/web.georgefox.edu@CAMPUS.GEORGEFOX.EDU (DES cbc mode with CRC-32)
# exit
abrock@web ~ 519 $ kinit
Password for abrock@CAMPUS.GEORGEFOX.EDU: 
abrock@web ~ 520 $ klist
Ticket cache: FILE:/tmp/krb5cc_100
Default principal: abrock@CAMPUS.GEORGEFOX.EDU

Valid starting     Expires            Service principal
09/18/02 09:52:29  09/18/02 19:52:29  krbtgt/CAMPUS.GEORGEFOX.EDU@CAMPUS.GEORGEFOX.EDU
abrock@web ~ 521 $ telnet -xF web.georgefox.edu
Trying 209.170.224.7...
Connected to web.georgefox.edu (209.170.224.7).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed ]

Authentication negotation has failed, which is required for encryption.  Good bye.
abrock@web ~ 522 $ klist
Ticket cache: FILE:/tmp/krb5cc_100
Default principal: abrock@CAMPUS.GEORGEFOX.EDU

Valid starting     Expires            Service principal
09/18/02 09:52:29  09/18/02 19:52:29  krbtgt/CAMPUS.GEORGEFOX.EDU@CAMPUS.GEORGEFOX.EDU
09/18/02 09:52:36  09/18/02 19:52:29  host/web.georgefox.edu@CAMPUS.GEORGEFOX.EDU
abrock@web ~ 523 $ 

***** END *****


Anthony Brock
Director of Network Services
George Fox University

E-Mail: abrock at georgefox.edu
Phone:  (503) 554-2579
FAX:    (503) 554-3834
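
An added example, not part of the original post: a minimal reader for the version 0x502 keytab file format named in the ktpass output above, reporting each entry's principal, kvno and enctype (the fields `klist -ke` prints). The sample keytab is constructed from the post's principal with a placeholder key, and `build_entry` and `parse_keytab` are names chosen for this example; the constructed entry comes out at 70 bytes, the same figure as the `keysize 70` ktpass printed.

```python
import struct

ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac"}

def build_entry(principal, kvno, etype, key, name_type=1, timestamp=0):
    """Serialize one keytab entry body (format 0x502, big-endian)."""
    name, realm = principal.rsplit("@", 1)
    counted = lambda b: struct.pack(">H", len(b)) + b
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in comps)
    body += struct.pack(">IIBH", name_type, timestamp, kvno, etype)
    return body + counted(key)

def parse_keytab(data):
    """Return one dict per live entry in a version 0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative length marks a deleted slot
            pos += -size
            continue
        p = pos
        def take():                   # read one 16-bit counted byte string
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            val = data[p + 2:p + 2 + n]
            p += 2 + n
            return val
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = take().decode()
        name = "/".join(take().decode() for _ in range(ncomp))
        name_type, _ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
        p += 11
        key = take()
        entries.append({"principal": f"{name}@{realm}", "name_type": name_type,
                        "kvno": kvno, "etype": ETYPES.get(etype, hex(etype)),
                        "keylength": len(key), "size": size})
        pos += size                   # skip any trailing optional fields
    return entries

# Constructed sample: the post's principal, kvno 1, etype 0x1, placeholder key.
_body = build_entry("host/web.georgefox.edu@CAMPUS.GEORGEFOX.EDU", 1, 1, b"\x01" * 8)
SAMPLE = b"\x05\x02" + struct.pack(">i", len(_body)) + _body

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        print(e)
```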


