Win logon to a MIT Kerberos V KDC?
Turbo Fredriksson
turbo at bayour.com
Thu Sep 26 10:04:55 EDT 2002
[let's keep this on the list]
Quoting "Eric Lee Steadle" <esteadle at spinnakernet.com>:
> Did you read this MS document?
> [...]
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
Yes, I found that eventually.
> I've followed the steps and it definitely works.
It only halfway for me. Looking at the MIT Kerberos V KDC logs, i see that
the win client seems to be getting a ticket:
----- s n i p -----
rmgztk:~# tail -f /var/log/kerberos/krb5kdc.log -n0
Sep 26 15:58:32 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): NEEDED_PREAUTH: turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>, Additional pre-authentication required
Sep 26 15:58:32 rmgztk krb5kdc[1075](info): AS_REQ (2 etypes {3 1}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033048712, etypes {rep=3 tkt=16 ses=1}, turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>
Sep 26 15:58:32 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033048712, etypes {rep=1 tkt=16 ses=1}, turbo@<MYREALM.TLD> for host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>
----- s n i p -----
But I don't get logged in. The login say:
----- s n i p -----
The system could not log you on. Make sure your User name and domain are correct,
then type your password again. Letters in passwords must be typed using the correct
case. Make sure that Caps Lock is not accidentally on.
----- s n i p -----
I'm trying to login with my username (without the realm etc) and
Log on to: <MYREALM.TLD> (Kerberos Realm)
But as the KDC logs show, it seems like the login was successful. Do I have to
have something more (Samba comes to mind)?
Also, the KDC is on the 'Net, but the client is behind a masquerading Linux
firewall (have no problem with auth on a Linux client using LibNSS-LDAP/LibPAM-LDAP
with LibPAM-Krb5 etc).
More information about the Kerberos
mailing list