Problems integrating Kerberos 5-1.2.5 client into W2K AD
Anthony Brock
abrock at georgefox.edu
Wed Sep 18 13:11:54 EDT 2002
We're attempting to authenticate against a Windows 2000 Active Directory
using a Solaris 8 with Kerberos 5-1.2.5 client. However, I cannot seem
to get the authentication working. Since we're attempting to base other
software on the Kerberos authentication, I would greatly appreciate any
assistance.
I'm including a copy of the procedures I followed below,
Tony
I exported the UNIX Server's ticket on the Active Directory server with:
***** BEGIN *****
C:\Temp>ktpass -princ host/web.georgefox.edu at CAMPUS.GEORGEFOX.EDU -pass mypassword -out test.keytab
Key created.
Output keytab to test.keytab:
Keytab version: 0x502
keysize 70 host/web.georgefox.edu at CAMPUS.GEORGEFOX.EDU ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8 (0xeac72f15ead37c4f)
***** END *****
Once exported, I then transferred the file to the UNIX Server through
scp. I then did:
***** BEGIN *****
# mv /export/home/abrock/test.keytab /etc/krb5.keytab
# chmod 600 /etc/krb5.keytab
# chown root:sys /etc/krb5.keytab
# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/web.georgefox.edu at CAMPUS.GEORGEFOX.EDU (DES cbc mode with CRC-32)
# exit
abrock at web ~ 519 $ kinit
Password for abrock at CAMPUS.GEORGEFOX.EDU:
abrock at web ~ 520 $ klist
Ticket cache: FILE:/tmp/krb5cc_100
Default principal: abrock at CAMPUS.GEORGEFOX.EDU
Valid starting     Expires            Service principal
09/18/02 09:52:29  09/18/02 19:52:29  krbtgt/CAMPUS.GEORGEFOX.EDU at CAMPUS.GEORGEFOX.EDU
abrock at web ~ 521 $ telnet -xF web.georgefox.edu
Trying 209.170.224.7...
Connected to web.georgefox.edu (209.170.224.7).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed ]
Authentication negotation has failed, which is required for encryption. Good bye.
abrock at web ~ 522 $ klist
Ticket cache: FILE:/tmp/krb5cc_100
Default principal: abrock at CAMPUS.GEORGEFOX.EDU
Valid starting     Expires            Service principal
09/18/02 09:52:29  09/18/02 19:52:29  krbtgt/CAMPUS.GEORGEFOX.EDU at CAMPUS.GEORGEFOX.EDU
09/18/02 09:52:36  09/18/02 19:52:29  host/web.georgefox.edu at CAMPUS.GEORGEFOX.EDU
abrock at web ~ 523 $
***** END *****
Anthony Brock
Director of Network Services
George Fox University
E-Mail: abrock at georgefox.edu
Phone: (503) 554-2579
FAX: (503) 554-3834
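
Added example, not part of the original post or of any Kerberos distribution: a small Python reader for keytab file format 0x502 that lists the principal, vno, etype and key length that ktpass and `klist -ke` report above, so the stored key's attributes can be checked against the host service ticket that krb5_rd_req has to decrypt. The sample keytab is constructed from the principal, vno 1 and etype 0x1 shown in the post with an all-zero key; all function names are this example's own.

```python
import struct

ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}  # subset of enctypes

def _counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)   # 16-bit length, then the bytes
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def _parse_entry(buf):
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    realm, off = _counted(buf, 2)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(buf, off)
        comps.append(comp)
    ptype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", buf, off)
    off += 13 + klen                      # fixed fields plus the key bytes
    if len(buf) - off >= 4:               # optional trailing 32-bit kvno
        kvno = struct.unpack_from(">I", buf, off)[0] or kvno
    return {"principal": "/".join(comps) + "@" + realm, "ptype": ptype,
            "kvno": kvno, "etype": ETYPES.get(etype, hex(etype)),
            "keylength": klen, "keysize": len(buf)}

def parse_keytab(data):
    """List the entries of a keytab in file format 0x502 (big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                      # a negative size marks a deleted slot
            if pos + size > len(data):
                raise ValueError("truncated entry")
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def build_entry(realm, comps, ptype, kvno, etype, key):
    """Serialize one entry; used here only to construct the sample input."""
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBHH", ptype, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: principal, vno and etype as in the post; key is all zeros.
SAMPLE = b"\x05\x02" + build_entry(
    "CAMPUS.GEORGEFOX.EDU", ["host", "web.georgefox.edu"], 1, 1, 1, bytes(8))
```

Run against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; the `keysize` it reports for the constructed entry is the same 70 bytes ktpass printed.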