Win logon to a MIT Kerberos V KDC?
Turbo Fredriksson
turbo at bayour.com
Thu Sep 26 12:07:56 EDT 2002
>>>>> "Eric" == Eric Lee Steadle <esteadle at spinnakernet.com> writes:
Eric> Tell us more about your Windows client. Version, Service
Eric> Pack, etc. Does it participate in a domain? Have any
Eric> registry settings been adjusted? etc.
Windows 2000 5.00.2195, Service Pack 3.
>> Sep 26 15:58:32 rmgztk krb5kdc[1075](info): AS_REQ (2 etypes {3
>> 1}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033048712,
>> etypes {rep=3 tkt=16 ses=1}, turbo@<MYREALM.TLD> for
>> krbtgt/<MYREALM.TLD>@<MYREALM.TLD>
Eric> This looks like a problem with clock skew. To eliminate
Eric> this as a possibility, sync your client and KDC clocks.
I am. Before I started 'w32time' and configured it to sync via SNTP,
I got the expected clock skew error.
I have the MIT Kerberos V software installed as well, and there is
no problem getting a ticket THAT way.
The thing is that with 'kinit.exe', I specify '-5A' (Krb5 & address less).
If the winlogon process did mind, I'd get errors about this in the KDC
logs...
Eric> Someone recently was having a problem with machines in
Eric> different time zones. Are yours in the same time zone?
Yes. This was my problem. I think now that this is fixed (I haven't tried
the XP at work by following the step-by-step guide, but I will).
Eric> That's the standard Windows "failed login" message. It just
Eric> means that the authentication subsystem (Kerberos in this
Eric> case) failed to log you in.
Doh! Better with too much information than not enough :)
>> I'm trying to login with my username (without the realm etc)
>> and Log on to: <MYREALM.TLD> (Kerberos Realm) But as the KDC
>> logs show, it seems like the login was successful.
Eric> Huh? I saw error messages. Where did you see "login
Eric> successful"?
I never get this!
This is what the KDC is telling me when I (successfully) login on my
Linux machine next to the Win2k machine:
----- s n i p -----
rmgztk:~# tail -f /var/log/kerberos/krb5kdc.log -n0
Sep 26 17:16:13 rmgztk krb5kdc[1075](info): AS_REQ (3 etypes {16 1 3}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033053373, etypes {rep=16 tkt=16 ses=16}, turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>
Sep 26 17:16:15 rmgztk krb5kdc[1075](info): TGS_REQ (3 etypes {16 1 3}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033053373, etypes {rep=16 tkt=16 ses=16}, turbo@<MYREALM.TLD> for host/tuzjfi.<MYDOMAIN.TLD>@<MYREALM.TLD>
----- s n i p -----
The differences from this and the login from 'majorskan':
----- s n i p -----
Sep 26 16:00:47 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): NEEDED_PREAUTH: turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>, Additional pre-authentication required
Sep 26 16:00:47 rmgztk krb5kdc[1075](info): AS_REQ (2 etypes {3 1}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033048847, etypes {rep=3 tkt=16 ses=1}, turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>
Sep 26 16:00:52 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033048847, etypes {rep=1 tkt=16 ses=1}, turbo@<MYREALM.TLD> for host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>
----- s n i p -----
What I can see is that the encryption types differ (quite radically).
Also 'rep=' and 'ses=' (whatever that is). But why does the KDC require
pre-auth from win, but not from lin?
The Linux machine is named 'tuzjfi' and the Windows machine is named
'majorskan' (character from an Astrid Lindgren book - Swedish/original
name).
Turbo> Do I have to have something more (Samba comes to mind)?
Eric> Nope. All you need is a version of Windows that supports
Eric> Kerberos and a properly configured KDC. Samba will give you
Eric> file services, but I don't think that's what you're
Eric> after. Is it?
Nope. See other mail (in reply to Luke).
Eric> Do you have Ethereal and/or Netmon installed? Can you get a
Eric> packet trace of the login attempt? That might be helpful.
I'll try to do that later tonight... Thanx.
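The comparison above between the Linux and Windows KDC lines is worth automating: the `etypes {rep=.. tkt=.. ses=..}` part of an MIT `krb5kdc.log` ISSUE record names the enctype the KDC chose for the reply key, the ticket key and the session key, and the braces after AS_REQ/TGS_REQ list what the client offered. The script below is an added example, not code from this thread or from MIT Kerberos; it parses the quoted lines (placeholders left as they appear above, the sample input is constructed from them) and flags issued tickets whose keys fall back to single DES, RC4 or a vendor-private (negative) enctype, which is exactly what the Windows request did here (rep=1, ses=1).

```python
import re

# Constructed sample input: the three krb5kdc.log lines quoted in the thread,
# with the thread's <PLACEHOLDER> values left in place.
SAMPLE_LOG = """\
Sep 26 17:16:13 rmgztk krb5kdc[1075](info): AS_REQ (3 etypes {16 1 3}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033053373, etypes {rep=16 tkt=16 ses=16}, turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>
Sep 26 16:00:47 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): NEEDED_PREAUTH: turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>, Additional pre-authentication required
Sep 26 16:00:52 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033048847, etypes {rep=1 tkt=16 ses=1}, turbo@<MYREALM.TLD> for host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>
"""
# IANA-registered enctype numbers; negative numbers are vendor-private.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK_ETYPES = {1, 2, 3, 23, 24}  # single-DES and RC4 families
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<addr>[^\s(]+)\(\d+\): "
    r"(?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)")

def etype_name(et):
    return f"private({et})" if et < 0 else ETYPE_NAMES.get(et, f"etype({et})")

def parse_kdc_line(line):
    """Split one krb5kdc.log request line into fields; None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(x) for x in rec["etypes"].split()]  # enctypes the client offered
    for key in ("rep", "tkt", "ses"):  # reply key, ticket key, session key enctypes
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def weak_key_findings(rec):
    """Names of the chosen rep/tkt/ses enctypes that are weak or vendor-private."""
    return [f"{role}={etype_name(rec[role])}" for role in ("rep", "tkt", "ses")
            if rec[role] is not None and (rec[role] < 0 or rec[role] in WEAK_ETYPES)]

def audit(log_text):
    """One summary string per issued ticket that relies on a weak enctype."""
    out = []
    for rec in filter(None, map(parse_kdc_line, log_text.splitlines())):
        weak = weak_key_findings(rec)
        if rec["status"] == "ISSUE" and weak:
            out.append(f"{rec['req']} {rec['client']} -> {rec['server']}: {', '.join(weak)}")
    return out
```

Running `audit(SAMPLE_LOG)` reports only the Windows TGS_REQ, whose reply and session keys are des-cbc-crc, while the Linux request got des3-cbc-sha1 for all three.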