MIT KDC + W2K clients (please help!)

Lubos Kejzlar kejzlar at civ.zcu.cz
Fri Jul 19 10:06:56 EDT 2002


Hi all,

   We have been running a mid-size (15000+) MIT Kerberos realm for a couple of
years now. Currently we are using a relatively old version of MIT Kerberos
(1.0.5 + AFS mig. kit running on Digital Tru64) to serve a really heterogeneous
choice of clients (several kinds of MIT/Heimdal Unix, MIT Win32, AFS-based (V4) Unix/Win32
and standalone/domain (cross-realm) W2K).

For a myriad of reasons we would like to upgrade our Kerberos servers to
the current (1.2.5) version as soon as possible. Everything seems to run fine
with one exception:

     we are unable to authenticate to the new server from W2K machines (either
     standalone or domain with cross-realm trust configured).

The new server is running with (hopefully) exactly the same config files and
database as the production one.

These are the symptoms of the authentication failure:

      - we are using pre-authentication flags for all principals
      - the W2K machine sends AS_REQ
      - the KDC replies with KRB5KDC_ERR_PREAUTH_REQUIRED as expected

	  Jul 19 15:11:17 AS_REQ (7 etypes {23 -133 -128 3 1 24 -135})...NEEDED_PREAUTH

      - there is no other attempt from the W2K machine to resend AS_REQ with
        the requested preauth data :-((

As far as I can guess, there could be some problem with encryption types
(ETYPE_INFO) (?). Both servers are using the following config values:

krb5.conf:
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc

kdc.conf:
    supported_enctypes = des:normal des:onlyrealm des:norealm des-cbc-crc:v4 des-cbc-crc:afs3


Because I'm unable to find _any_ similar problem reported in this group
(and as I understand it, there are many sites running a similar setup), I'm
pretty sure I'm making some really basic error again and again :-((

Because it's really important for us to upgrade our servers ASAP, I would be
happy for _ANY HELP OR SUGGESTION_!!

Thanks in advance!
Best regards,
     Lubos

--------------------------------------------------------------------------
Lubos Kejzlar
System and Network Specialist

Laboratory for Computer Science                Tel.:      ++420-19-7491536
University of West Bohemia                                ++420-19-7421414
Univerzitni 8, 30614 Pilsen                    Fax:       ++420-19-7421419
Czech Republic                                 E-mail:  kejzlar at civ.zcu.cz

PGP Key fingerprint  =  5621 06DA 3EDE 5D15 F287  5408 9B8E C766 CD64 3A3F
--------------------------------------------------------------------------
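
The following is an added example, not part of the original post: a small Python helper that decodes the etype list from a KDC log line like the one quoted above and compares it with the enctype names listed in krb5.conf. It only shows which offered etypes overlap with the configuration and does not establish the cause of the failure; the function names are hypothetical, and the sample input is constructed from the values quoted in the post.

```python
import re

# Assigned Kerberos enctype numbers; negative numbers are private/local-use values.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}

# Constructed sample input: the log line and krb5.conf value quoted in the post.
SAMPLE_LOG = "Jul 19 15:11:17 AS_REQ (7 etypes {23 -133 -128 3 1 24 -135})...NEEDED_PREAUTH"
SAMPLE_CONF = "des-cbc-md5 des-cbc-crc"

REQ_RE = re.compile(r"\b(AS_REQ|TGS_REQ) \((\d+) etypes \{([^}]*)\}\)")

def parse_etypes(line):
    """Return the etype numbers in the order the client sent them, or None."""
    m = REQ_RE.search(line)
    if m is None:
        return None
    etypes = [int(tok) for tok in m.group(3).split()]
    if len(etypes) != int(m.group(2)):
        raise ValueError("etype count does not match list: %r" % line)
    return etypes

def etype_name(num):
    """Map an etype number to a name; negatives are reported as private-use."""
    if num < 0:
        return "private-use(%d)" % num
    return ETYPE_NAMES.get(num, "unassigned(%d)" % num)

def compare(line, conf_value):
    """Compare the client's offered etypes with a space-separated enctype list.
    Family aliases such as 'des' and ':salt' suffixes are not expanded here."""
    requested = parse_etypes(line)
    if requested is None:
        raise ValueError("no etype list in line")
    configured = set(conf_value.split())
    names = [etype_name(n) for n in requested]
    return {
        "requested": names,
        "common": [n for n in names if n in configured],
        "first_choice_configured": bool(names) and names[0] in configured,
        "private_use": [n for n in requested if n < 0],
    }

if __name__ == "__main__":
    for key, value in compare(SAMPLE_LOG, SAMPLE_CONF).items():
        print("%-24s %s" % (key, value))
```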