Win logon to a MIT Kerberos V KDC?
Turbo Fredriksson
turbo at bayour.com
Thu Sep 26 13:50:46 EDT 2002
>>>>> "Steve" == Steve Harper <s.harper at m.cc.utah.edu> writes:
Steve> Definitely remove the "REQUIRES_PRE_AUTH" flag from the
Steve> principal for majorskan (which is your windows 2000
Steve> machine, if I'm not mistaken).
Steve> kadmin: modify_principal -requires_preauth
Steve> host/majorskan.<MYDOMAIN.TLD>
I've tried that, but it didn't help. I then thought of removing and
then re-adding the principal again. No change.
----- s n i p -----
kadmin.local: delprinc host/majorskan.bayour.com
kadmin.local: ank -pw <SECRET> -requires_preauth host/majorskan.<MYDOMAIN.TLD>
kadmin.local: getprinc host/majorskan.<MYDOMAIN.TLD>
Principal: host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes:
Policy: [none]
kadmin.local: q
rmgztk:~# tail -f /var/log/kerberos/krb5kdc.log -n0
Sep 26 19:28:21 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): NEEDED_PREAUTH: turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>, Additional pre-authentication required
Sep 26 19:28:21 rmgztk krb5kdc[1075](info): AS_REQ (2 etypes {3 1}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033061301, etypes {rep=3 tkt=16 ses=1}, turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>
Sep 26 19:28:21 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033061301, etypes {rep=1 tkt=16 ses=1}, turbo@<MYREALM.TLD> for host/majorskan.<MYREALM.TLD>@<MYREALM.TLD>
----- s n i p -----
It _STILL_ requires pre-auth! I even tried removing the
default_principal_flags = +preauth
from the kdc.conf (and restarted the KDC)!!
Oh, and I also removed pre-auth requirements from the 'krbtgt/<MYREALM.TLD>'
and 'turbo' principals... Then it doesn't request/require pre-auth:
----- s n i p -----
rmgztk:~# tail -f /var/log/kerberos/krb5kdc.log -n0
Sep 26 19:49:38 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033062578, etypes {rep=3 tkt=16 ses=1}, turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>
Sep 26 19:49:43 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033062578, etypes {rep=1 tkt=16 ses=1}, turbo@<MYREALM.TLD> for host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>
----- s n i p -----
Closer. I don't get the pre-auth any more. But I'm still not logged in... :(
Steve> When the KDC is forcing the WIN2K client to generate
Steve> PRE_AUTH data the client includes additional information (I
Steve> think it's SID) in the Authorization_Data field of the
Steve> ticket. One way or the other the Logon will fail because
Steve> MIT's KDC does not support these microsoft extensions. I
Steve> can guarantee that preauth on a principal will make your
Steve> login fail when that login is coming from a Win2K machine
Steve> to an MIT KDC.
Sounds reasonable (well, 'understanding' anyway :).
So, re-cap. The principals 'krbtgt/<MYREALM.TLD>', 'host/majorskan.<MYDOMAIN.TLD>'
and 'turbo' all have been modified with '-requires_preauth'...
Windows has been restarted after all this had been done... Naturally :)
(and had 'ksetup /setcomputerpassword <SECRET>' done).
Steve> http://home.xnet.com/~catena/ms-kerberos.shtml
Steve> If you want to wade through that, feel free, but I would
Steve> recommend just removing the REQUIRES_PRE_AUTH:
I'll read that when I have more time :)
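The krb5kdc.log excerpts above are the evidence that a flag change did or did not take effect: an AS_REQ answered with NEEDED_PREAUTH means the KDC still demands pre-authentication for that client principal, and an ISSUE line shows which etypes it negotiated. The following is an added example, not code from this thread or from MIT Kerberos: a small Python parser for AS_REQ/TGS_REQ lines in that log format that reports, per client principal, whether pre-auth was demanded, whether the AS exchange completed, which services were then requested, and which deprecated etypes the KDC actually used (single DES per RFC 6649, RC4 and 3DES per RFC 8429). The sample log lines are constructed to mirror the lines quoted above; the realm EXAMPLE.COM, KDC host kdc1, client IP 192.0.2.10 and user alice are placeholders, and the etype name table assumes the standard IANA numbers.

```python
"""Summarise MIT krb5kdc.log AS_REQ/TGS_REQ lines per client principal.

Added example for this thread, not code from the original post or from MIT
Kerberos.  SAMPLE_LOG is constructed to match the log format quoted in the
thread; EXAMPLE.COM, kdc1, 192.0.2.10 and alice are placeholders.
"""
import re
import sys
from collections import defaultdict

# Standard etype numbers.  Windows 2000 also offers negative, Microsoft-private
# numbers (e.g. -128, -133, -135) that an MIT KDC has no keys for.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}
# Single DES is deprecated by RFC 6649; RC4 and 3DES by RFC 8429.
DEPRECATED_ETYPES = {1, 3, 16, 23, 24}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client>[^(]+)\(\d+\): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" appears in both outcomes.
PRINC_RE = re.compile(r"(?P<cprinc>\S+) for (?P<sprinc>[^,\s]+)")
# Only ISSUE lines carry the negotiated reply/ticket/session etypes.
REPLY_RE = re.compile(
    r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}")


def etype_name(n):
    """Map an etype number to its name; negative numbers are MS-private."""
    if n < 0:
        return f"ms-private({n})"
    return ETYPE_NAMES.get(n, f"etype({n})")


def parse_line(line):
    """Return a dict for one AS_REQ/TGS_REQ log line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(x) for x in rec["etypes"].split()]
    p = PRINC_RE.search(rec["rest"])
    rec["cprinc"] = p.group("cprinc") if p else None
    rec["sprinc"] = p.group("sprinc") if p else None
    r = REPLY_RE.search(rec["rest"])
    rec["reply"] = {k: int(v) for k, v in r.groupdict().items()} if r else None
    return rec


def summarise(lines):
    """Per client principal: preauth demanded?, AS exchange completed?,
    services requested via TGS, and deprecated etypes the KDC replied with."""
    out = defaultdict(lambda: {"preauth_demanded": False, "as_issued": False,
                               "services": [], "deprecated_etypes": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["cprinc"] is None:
            continue
        s = out[rec["cprinc"]]
        if rec["kind"] == "AS_REQ" and rec["status"] == "NEEDED_PREAUTH":
            s["preauth_demanded"] = True
        elif rec["kind"] == "AS_REQ" and rec["status"] == "ISSUE":
            s["as_issued"] = True
        elif rec["kind"] == "TGS_REQ" and rec["status"] == "ISSUE":
            s["services"].append(rec["sprinc"])
        if rec["reply"]:
            for et in rec["reply"].values():
                if et in DEPRECATED_ETYPES:
                    s["deprecated_etypes"].add(etype_name(et))
    return dict(out)


def still_requiring_preauth(summary):
    """Principals for which the KDC still answered NEEDED_PREAUTH."""
    return sorted(p for p, s in summary.items() if s["preauth_demanded"])


# Constructed sample: same shape as the thread's log, placeholder names.
SAMPLE_LOG = """\
Sep 26 19:28:21 kdc1 krb5kdc[1075](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.10(88): NEEDED_PREAUTH: turbo@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Sep 26 19:28:21 kdc1 krb5kdc[1075](info): AS_REQ (2 etypes {3 1}) 192.0.2.10(88): ISSUE: authtime 1033061301, etypes {rep=3 tkt=16 ses=1}, turbo@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Sep 26 19:28:21 kdc1 krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.10(88): ISSUE: authtime 1033061301, etypes {rep=1 tkt=16 ses=1}, turbo@EXAMPLE.COM for host/majorskan.example.com@EXAMPLE.COM
Sep 26 19:49:38 kdc1 krb5kdc[1075](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.10(88): ISSUE: authtime 1033062578, etypes {rep=3 tkt=16 ses=1}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""


def main(argv):
    src = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    summary = summarise(src.splitlines())
    for princ, s in sorted(summary.items()):
        print(f"{princ}: preauth_demanded={s['preauth_demanded']} "
              f"as_issued={s['as_issued']} services={s['services']} "
              f"deprecated_etypes={sorted(s['deprecated_etypes'])}")
    print("still requiring preauth:", still_requiring_preauth(summary))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a path to krb5kdc.log (or with no argument to use the constructed sample). A principal that still appears in the "still requiring preauth" list after a `modify_principal -requires_preauth` is the one to look at again; note also that, as in the thread's own excerpt, the Windows client offers rc4-hmac (23) but the KDC replies with DES/3DES because those are the only keys the principal has, and every one of those etypes is deprecated today.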