Win logon to a MIT Kerberos V KDC?
Turbo Fredriksson
turbo at bayour.com
Thu Sep 26 12:14:24 EDT 2002
>>>>> "Luke" == Luke Howard <lukeh at PADL.COM> writes:
Luke> The Windows "solution" is, as previously mentioned, to have
Luke> a local or Active Directory account for the user. That's
Luke> where the authorization information comes from (in an AD
Luke> domain it is included in the authorization data field of the
Luke> ticket). Note that enhancing a KDC to supply the necessary
Luke> authorization data is not sufficient to eliminate the need
Luke> for an local or Active Directory account. It is, as one
Luke> might expect, a significantly more involved problem.
'a local or AD account'. I don't have AD, but I _DO_ have a local
account.
Luke> Did you set the machine password with ksetup and create a
Luke> machine principal on your KDC with the same password?
>> Yes. I first tried with a random passwd and added that to the
>> keytab. I then found the link to the step-by-step guide, so I
>> re-did it, this time without adding it to the keytab.
Luke> Which keytab? There is no keytab on a Windows 2000
Luke> workstation. You need to do ksetup /SetComputerPassword to
Luke> set the machine password in the LSA secret store. You can
Luke> verify this with lsadump2.
The keytab on the KDC. I got the error
----- s n i p -----
Sep 26 08:02:19 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): UNKNOWN_SERVER: authtime 1033020129, turbo@<MYREALM.TLD> for host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>, Server not found in Kerberos database
----- s n i p -----
Previously, I've solved this by adding the principal to the system
keytab (on the host). This was obviously wrong...
What are all those encryption types? Am I missing some?
----- s n i p -----
rmgztk:~# kadmin.local -q 'getprinc host/majorskan.<MYDOMAIN.TLD>'
[...]
Number of keys: 6
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, DES cbc mode with RSA-MD5, Version 4
Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 2, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
----- s n i p -----
Maybe I should remove the attributes? Would that help (I'll try, but...).
--
security Soviet subway 747 fissionable Qaddafi FBI Nazi Saddam Hussein
Ft. Meade 767 Khaddafi arrangements BATF iodine
[See http://www.aclu.org/echelonwatch/index.html for more about this]
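Added example (not part of the original post, and not code from the MIT Kerberos project): a small Python script that parses the krb5kdc log line and the getprinc output quoted above, decodes the enctype numbers the Windows client offered, and reports what a defender would want to know from them. The log line and key listing are copied verbatim from the post; the enctype-number table, the regular expression, and all function names are the example's own assumptions (the numbers follow the IANA Kerberos enctype registry and the negative pre-standard values from MIT krb5's k5-int.h). The point it makes beyond the text: UNKNOWN_SERVER is a principal-lookup failure that occurs before any enctype selection, and the only enctypes the client offer and the principal's keys have in common are the two single-DES types.

```python
import re

# Enctype numbers as MIT krb5 prints them in krb5kdc.log. Positive values are
# IANA-registered; the negative ones are Microsoft's pre-standard RC4 types
# that Windows 2000 clients offer. Assumption of this example, not from the post.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
    -128: "local-rc4-md4 (pre-standard Windows)",
    -133: "rc4-hmac-old (pre-standard Windows)",
    -135: "rc4-hmac-old-exp (pre-standard Windows)",
}
# Single DES and export/pre-standard RC4 were weak already in 2002;
# rc4-hmac and des3-cbc-sha1 have since been deprecated as well (RFC 8429).
WEAK_ETYPES = {1, 3, 24, -128, -133, -135}

# Key descriptions as `kadmin getprinc` prints them, mapped to enctype numbers.
GETPRINC_KEY_NAMES = {
    "Triple DES cbc mode with HMAC/sha1": 16,
    "DES cbc mode with CRC-32": 1,
    "DES cbc mode with RSA-MD5": 3,
}

# Shape of an AS_REQ/TGS_REQ failure line; fields after "authtime" follow
# MIT's "authtime %d, %s for %s, %s" format.
KDC_LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<addr>\S+)\((?P<port>\d+)\): "
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>-?\d+), (?P<client>\S+) "
    r"for (?P<server>[^\s,]+)(?:, (?P<detail>.*))?$"
)

# Log line copied from the post (placeholders are the poster's own).
SAMPLE_LOG = (
    "Sep 26 08:02:19 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes "
    "{23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): UNKNOWN_SERVER: "
    "authtime 1033020129, turbo@<MYREALM.TLD> for "
    "host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>, Server not found in Kerberos database"
)

# getprinc output copied from the post.
SAMPLE_GETPRINC = """\
Number of keys: 6
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, DES cbc mode with RSA-MD5, Version 4
Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 2, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
"""


def parse_kdc_line(line):
    """Parse one AS_REQ/TGS_REQ line into a dict; None for other line shapes."""
    m = KDC_LINE_RE.search(line.rstrip())
    if not m:
        return None
    return {
        "request": m.group("req"),
        "etypes": [int(t) for t in m.group("etypes").split()],
        "client_addr": m.group("addr"),
        "status": m.group("status"),
        "client": m.group("client"),
        "server": m.group("server"),
        "detail": m.group("detail") or "",
    }


def parse_getprinc_keys(output):
    """Return the set of enctype numbers for the keys listed by getprinc."""
    etypes = set()
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("Key: vno"):
            continue
        desc = line.split(", ")[1]  # "Key: vno 2, <enctype>, <salt>"
        if desc in GETPRINC_KEY_NAMES:
            etypes.add(GETPRINC_KEY_NAMES[desc])
    return etypes


def common_etypes(entry, principal_etypes):
    """Enctypes the client offered that the service principal has a key for,
    in the client's preference order."""
    return [e for e in entry["etypes"] if e in principal_etypes]


def diagnose(entry, principal_etypes=None):
    """Human-readable findings for one parsed request line."""
    findings = []
    if entry["status"] == "UNKNOWN_SERVER":
        findings.append(
            f"{entry['server']} is not in the KDC database: the KDC fails the "
            "principal lookup before any enctype is selected, so the offered "
            "etypes are not the cause; create the principal with kadmin addprinc")
    unknown = [e for e in entry["etypes"] if e not in ETYPE_NAMES]
    if unknown:
        findings.append(f"unrecognised enctypes offered: {unknown}")
    weak = [ETYPE_NAMES[e] for e in entry["etypes"] if e in WEAK_ETYPES]
    if weak:
        findings.append(f"client offered weak enctypes: {weak}")
    if principal_etypes is not None:
        usable = [ETYPE_NAMES[e] for e in common_etypes(entry, principal_etypes)]
        findings.append(f"enctypes both sides support: {usable or 'none'}")
    return findings


if __name__ == "__main__":
    entry = parse_kdc_line(SAMPLE_LOG)
    for finding in diagnose(entry, parse_getprinc_keys(SAMPLE_GETPRINC)):
        print("-", finding)
```

Run it as-is against the post's own lines, or feed it other krb5kdc.log lines; lines of a different shape (ISSUE lines, for instance) return None from parse_kdc_line rather than raising.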