Win logon to a MIT Kerberos V KDC?

Tony Hoyle tmh at nodomain.org
Tue Oct 1 14:58:58 EDT 2002


On Tue, 01 Oct 2002 05:44:05 +0000, Turbo Fredriksson wrote:

>>>>>> "Tony" == Tony Hoyle <tmh at nodomain.org> writes:
> 
>     Tony> Win2k still doesn't connect directly at all:
> 
> Did you recreate the 'host/data.nodomain.org' principal (so that
> it only have ONE key)?
> 
Yes.  More details... (probably *way* too much but everything's firewalled
ATM).

1. There are no V4 keys AFAIK (I wouldn't know how to create these
anyway).  I don't think V4 is installed/configured as leash32 doesn't work
and that's V4 only.  The /etc/krb.conf and /etc/krb.realms files don't
exist.
2. The times are definitely in sync (since the MIT V5 client can connect).
The KDC is also the local NTP server and the Win box is synced from it
using the Windows time service.
3. 90% of the config is the default that Debian installs (since I'm
assuming the package maintainer knows better than me how to configure
things).  I think most of the realm stuff in /etc/krb5.conf is
unnecessary.

These are the relevant keys:

Principal: host/data.nodomain.org at NODOMAIN.ORG
Expiration date: [never]
Last password change: Sat Sep 28 19:20:58 BST 2002
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Sep 30 22:21:01 BST 2002 (tmh/admin at NODOMAIN.ORG)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Principal: tmh at NODOMAIN.ORG
Expiration date: [never]
Last password change: Sat Sep 28 02:45:44 BST 2002
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Sep 30 22:20:54 BST 2002 (tmh/admin at NODOMAIN.ORG)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Principal: krbtgt/NODOMAIN.ORG at NODOMAIN.ORG
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat Sep 28 02:44:26 BST 2002 (db_creation at NODOMAIN.ORG)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

My /etc/krb5.conf:

[libdefaults]
        default_realm = NODOMAIN.ORG
# The following krb5.conf variables are only for MIT Kerberos.
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
[realms]
        NODOMAIN.ORG = {
                kdc = sisko.nodomain.org
                admin_server = sisko.nodomain.org
        }

        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                kdc = kerberos-3.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
                kdc = kerberos.media.mit.edu
                admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
                kdc = three-headed-dogcow.mit.edu:88
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }
        CYGNUS.COM = {
                kdc = KERBEROS.CYGNUS.COM
                kdc = KERBEROS-1.CYGNUS.COM
                admin_server = KERBEROS.CYGNUS.COM
        }
        GREY17.ORG = {
                kdc = kerberos.grey17.org
                admin_server = kerberos.grey17.org
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
                kdc = kerberos.gnu.org
                kdc = kerberos-2.gnu.org
                kdc = kerberos-3.gnu.org
                admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
                kdc = kerberos.gratuitous.org
                admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
                kdc = kerberos.doomcom.org
                admin_server = kerberos.doomcom.org
        }
[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu

[login]
        krb4_convert = true
        krb4_get_tickets = true

/etc/krb5kdc/kdc.conf:

[kdcdefaults]
        kdc_ports = 750,88

[realms]
        NODOMAIN.ORG = {
                database_name = /var/lib/krb5kdc/principal
                admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
                acl_file = /etc/krb5kdc/kadm5.acl
                key_stash_file = /etc/krb5kdc/stash
                kdc_ports = 750,88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                master_key_type = des3-hmac-sha1
                supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
                default_principal_flags = +preauth
        }

/etc/krb5.keytab on KDC:
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/28/02 02:46:26 host/sisko.nodomain.org at NODOMAIN.ORG (Triple DES cbc mode with HMAC/sha1)
   3 09/28/02 02:46:26 host/sisko.nodomain.org at NODOMAIN.ORG (DES cbc mode with CRC-32)
   3 09/28/02 02:46:44 ldap/sisko.nodomain.org at NODOMAIN.ORG (Triple DES cbc mode with HMAC/sha1)
   3 09/28/02 02:46:44 ldap/sisko.nodomain.org at NODOMAIN.ORG (DES cbc mode with CRC-32)
   3 09/30/02 12:37:58 host/localhost at NODOMAIN.ORG (Triple DES cbc mode with HMAC/sha1)
   3 09/30/02 12:37:58 host/localhost at NODOMAIN.ORG (DES cbc mode with CRC-32)
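Added example, not part of the post above: a small Python audit that parses kadmin `getprinc` listings like the ones quoted in the message and reports, per principal, the single-DES enctypes present (deprecated for Kerberos by RFC 6649) and whether pre-authentication is required. The sample input is constructed to mirror the host and user principals shown; the `@` that the list archive renders as "at" is written literally.

```python
import re

# Constructed sample modelled on the kadmin getprinc listings in the post
# (the archived mail spells "@" as "at"; real getprinc output uses "@").
SAMPLE = """\
Principal: host/data.nodomain.org@NODOMAIN.ORG
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH

Principal: tmh@NODOMAIN.ORG
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Attributes: REQUIRES_PRE_AUTH
"""

# Single-DES enctypes are deprecated for Kerberos (RFC 6649); flag any key using one.
WEAK = {"DES cbc mode with CRC-32", "DES cbc mode with RSA-MD5",
        "DES cbc mode with RSA-MD4"}
KEY_RE = re.compile(r"^Key: vno (\d+), (.+?), (.+)$")

def parse_getprinc(text):
    """Parse getprinc output into {principal: {"keys": [(kvno, enctype, salt)], "attrs": set}}."""
    out, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal: "):
            cur = out.setdefault(line[len("Principal: "):], {"keys": [], "attrs": set()})
        elif cur is None:
            continue                      # ignore anything before the first block
        elif line.startswith("Attributes: "):
            cur["attrs"] = set(line[len("Attributes: "):].split())
        elif (m := KEY_RE.match(line)):   # "Key: vno N, <enctype>, <salt>"
            cur["keys"].append((int(m.group(1)), m.group(2), m.group(3)))
    return out

def audit(principals):
    """Per principal, list the findings a reviewer of this KDC would raise."""
    findings = {}
    for name, p in principals.items():
        enctypes = [e for _, e, _ in p["keys"]]
        issues = []
        weak = sorted(set(e for e in enctypes if e in WEAK))
        if weak:
            issues.append("weak enctype: " + ", ".join(weak))
        if enctypes and all(e in WEAK for e in enctypes):
            issues.append("only single-DES keys")
        if "REQUIRES_PRE_AUTH" not in p["attrs"]:
            issues.append("preauth not required")
        findings[name] = issues
    return findings
```

Feed it the output of `kadmin.local -q "getprinc <name>"` for each principal to get the same report for a live KDC.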
