Win logon to a MIT Kerberos V KDC?

Steve Harper s.harper at m.cc.utah.edu
Thu Sep 26 13:11:55 EDT 2002


Definitely remove the "REQUIRES_PRE_AUTH" flag from the principal for
majorskan (which is your Windows 2000 machine, if I'm not mistaken).  When
the KDC is forcing the WIN2K client to generate PRE_AUTH data the client
includes additional information (I think it's SID) in the
Authorization_Data field of the ticket.  One way or the other the logon
will fail because MIT's KDC does not support these Microsoft
extensions.  I can guarantee that preauth on a principal will make your
login fail when that login is coming from a Win2K machine to an MIT KDC.

I didn't have much luck finding the specification of the extensions on
MS's site, but here's a mirror I found off Google searching on
"Microsoft Authorization Data Specification":

http://home.xnet.com/~catena/ms-kerberos.shtml

If you want to wade through that, feel free, but I would recommend
just removing the REQUIRES_PRE_AUTH:

kadmin: modify_principal -requires_preauth host/majorskan.<MYDOMAIN.TLD>

HTH,

Steve Harper
University of Utah

On Thu, 26 Sep 2002, Turbo Fredriksson wrote:

> 'a local or AD account'. I don't have AD, but I _DO_ have a local
> account.
> 
> The keytab on the KDC. I got the error
> 
> ----- s n i p -----
> Sep 26 08:02:19 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): UNKNOWN_SERVER: authtime 1033020129,  turbo@<MYREALM.TLD> for host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>, Server not found in Kerberos database
> ----- s n i p -----
> 
> Previously, I've solved this by adding the principal to the system
> keytab (on the host). This was obviously wrong...
> 
> 
> 
> What are all those encryption types? Do I miss some?
> 
> ----- s n i p -----
> rmgztk:~# kadmin.local -q 'getprinc host/majorskan.<MYDOMAIN.TLD>'
> [...]
> Number of keys: 6
> Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 2, DES cbc mode with CRC-32, no salt
> Key: vno 2, DES cbc mode with RSA-MD5, Version 4
> Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - No Realm
> Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - Realm Only
> Key: vno 2, DES cbc mode with RSA-MD5, AFS version 3
> Attributes: REQUIRES_PRE_AUTH
> ----- s n i p -----
> 
> Maybe I should remove the attributes? Would that help (I'll try, but...).
> -- 
> security Soviet subway 747 fissionable Qaddafi FBI Nazi Saddam Hussein
> Ft. Meade 767 Khaddafi arrangements BATF iodine
> [See http://www.aclu.org/echelonwatch/index.html for more about this]
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
> 
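The thread hinges on reading two artifacts by eye: the krb5kdc log line (request type, the client's offered encryption types, the error) and the kadmin getprinc output (the principal's keys and the REQUIRES_PRE_AUTH attribute). The following is an added example, not code from either poster or from MIT krb5, that parses both and reports the same diagnosis Steve gives: which of the client's etypes the KDC can actually use, which are vendor-private numbers MIT ignores, and whether preauth is required on the service principal. The sample log line and getprinc text are constructed to mirror the quoted ones with placeholder realm, hostname and IP; the enctype name table covers only the IANA numbers shown in the thread plus the ones kadmin prints for those keys.

```python
"""Parse MIT krb5kdc request log lines and kadmin getprinc output to diagnose a failed logon."""
import re

# Constructed sample input, modelled on (not copied from) the lines quoted in the thread.
SAMPLE_KDC_LOG = (
    "Sep 26 08:02:19 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) "
    "192.0.2.10(88): UNKNOWN_SERVER: authtime 1033020129,  turbo@EXAMPLE.ORG "
    "for host/majorskan.example.org@EXAMPLE.ORG, Server not found in Kerberos database"
)

SAMPLE_GETPRINC = """Principal: host/majorskan.example.org@EXAMPLE.ORG
Number of keys: 3
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - No Realm
Attributes: REQUIRES_PRE_AUTH
"""

# IANA-registered Kerberos encryption type numbers.  Negative numbers are
# private (Microsoft-assigned) values that an MIT KDC of this era does not implement.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 23: "rc4-hmac", 24: "rc4-hmac-exp"}

# kadmin's human-readable key descriptions mapped back to enctype numbers.
KEY_DESC_TO_ETYPE = {
    "DES cbc mode with CRC-32": 1,
    "DES cbc mode with RSA-MD4": 2,
    "DES cbc mode with RSA-MD5": 3,
    "Triple DES cbc mode with HMAC/sha1": 16,
    "ArcFour with HMAC/md5": 23,
}

# Matches the failure-line layout shown in the thread:
# "<status>: authtime N, <client> for <server>, <message>".
KDC_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<reqtype>AS_REQ|TGS_REQ) "
    r"\((?P<count>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>\S+?)\((?P<port>\d+)\): (?P<status>[A-Z_]+): "
    r"authtime (?P<authtime>\d+),\s+(?P<client>\S+) for (?P<server>[^,]+),\s*(?P<message>.*)$"
)


def parse_kdc_line(line):
    """Return the structured fields of one krb5kdc request log line, or None if it does not match."""
    m = KDC_REQ_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    rec["count"] = int(rec["count"])
    rec["authtime"] = int(rec["authtime"])
    return rec


def parse_getprinc(text):
    """Extract principal name, key enctypes and attribute flags from kadmin getprinc output."""
    rec = {"principal": None, "key_etypes": [], "attributes": set()}
    for line in text.splitlines():
        if line.startswith("Principal: "):
            rec["principal"] = line.split(": ", 1)[1].strip()
        elif line.startswith("Key: "):
            # "Key: vno N, <enctype description>, <salt type>"
            desc = line.split(", ")[1]
            rec["key_etypes"].append(KEY_DESC_TO_ETYPE.get(desc, desc))
        elif line.startswith("Attributes:"):
            rec["attributes"].update(line.split(":", 1)[1].split())
    return rec


def diagnose(request, principal):
    """Compare a client's request with the service principal's database entry."""
    key_etypes = {e for e in principal["key_etypes"] if isinstance(e, int)}
    offered = [e for e in request["etypes"] if e > 0]
    report = {
        "status": request["status"],
        "message": request["message"],
        "name_matches": request["server"] == principal["principal"],
        "private_etypes": [e for e in request["etypes"] if e < 0],
        "usable_etypes": sorted(set(offered) & key_etypes),
        "preauth_required": "REQUIRES_PRE_AUTH" in principal["attributes"],
        "advice": [],
    }
    if not report["name_matches"]:
        report["advice"].append("requested server %s differs from principal %s"
                                % (request["server"], principal["principal"]))
    if not report["usable_etypes"]:
        report["advice"].append("no encryption type shared between client and principal keys")
    if report["preauth_required"]:
        report["advice"].append("kadmin: modify_principal -requires_preauth " + principal["principal"])
    return report


if __name__ == "__main__":
    req = parse_kdc_line(SAMPLE_KDC_LOG)
    princ = parse_getprinc(SAMPLE_GETPRINC)
    rep = diagnose(req, princ)
    print("usable:", [ETYPE_NAMES.get(e, e) for e in rep["usable_etypes"]])
    print("ignored (private):", rep["private_etypes"])
    for line in rep["advice"]:
        print("advice:", line)
```

Run against a real krb5kdc.log, the parser only matches the error-line shape; a successful ISSUE line has a different layout and is skipped. The useful signal for a defender is the combination: a TGS_REQ whose offered etypes are mostly negative (a Windows client), a service principal that exists but still carries REQUIRES_PRE_AUTH, and an error from the KDC, which together point at the preauth flag before anyone starts regenerating keytabs.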