Win logon to a MIT Kerberos V KDC?
Eric Lee Steadle
esteadle at spinnakernet.com
Thu Sep 26 11:05:29 EDT 2002
>----- s n i p -----
>rmgztk:~# tail -f /var/log/kerberos/krb5kdc.log -n0
>Sep 26 15:58:32 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23
>-133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88):
>NEEDED_PREAUTH: turbo@<MYREALM.TLD> for
>krbtgt/<MYREALM.TLD>@<MYREALM.TLD>, Additional pre-authentication required
Well, my interpretation of this is that the Windows client is not supplying
pre-authentication data (or maybe wrong pre-auth data). That seems like a
problem. Windows KDCs require pre-auth data in the KRB_AS_REQ (see the doc for
Flag Bit 10 here:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q230669&), and so I'd
expect that all Kerberos-enabled Windows clients are set up to provide it by
default. I was unable to find any documentation on whether Windows clients
are, in fact, set up this way. Nor could I find anything documented about how
one might change this behavior.
Tell us more about your Windows client. Version, Service Pack, etc. Does it
participate in a domain? Have any registry settings been adjusted? etc.
>Sep 26 15:58:32 rmgztk krb5kdc[1075](info): AS_REQ (2 etypes {3 1})
><IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033048712, etypes
>{rep=3 tkt=16 ses=1}, turbo@<MYREALM.TLD> for
>krbtgt/<MYREALM.TLD>@<MYREALM.TLD>
This looks like a problem with clock skew. To eleminiate this as a
possibility, sync your client and KDC clocks. You can also widen the clock
skew setting in your krb5.conf file on your kdc. Just for testing purposes,
I'd set it to something ridiculous like 999999999.
Someone recently was having a problem with machines in different time zones.
Are yours in the same time zone?
>----- s n i p -----
>The system could not log you on. Make sure your User name and domain
>are correct, then type your password again. Letters in passwords must be
typed
>using the correct case. Make sure that Caps Lock is not accidentally on.
>----- s n i p -----
That's the standard Windows "failed login" message. It just means that the
authentication subsystem (Kerberos in this case) failed to log you in.
>I'm trying to login with my username (without the realm etc) and
>Log on to: <MYREALM.TLD> (Kerberos Realm)
>But as the KDC logs show, it seems like the login was successful.
Huh? I saw error messages. Where did you see "login successful"?
>Do I have to have something more (Samba comes to mind)?
Nope. All you need is a version of Windows that supports Kerberos and a
properly configured KDC. Samba will give you file services, but I don't think
that's what you're after. Is it?
>Also, the KDC is on the 'Net, but the client is behind a masquerading Linux
>firewall (have no problem with auth on a Linux client using
>LibNSS-LDAP/LibPAM-LDAP with LibPAM-Krb5 etc).
I don't think this is a problem since you're getting log messages that
indicate something is happening. If you have no problems with a linux client,
that's yet another indicator that your firewall is not the problem. Best not
to go down that path at this point.
Do you have Ethereal and/or Netmon installed? Can you get a packet trace of
the login attempt? That might be helpful.
ERX
More information about the Kerberos
mailing list