Win logon to a MIT Kerberos V KDC?

Eric Lee Steadle esteadle at spinnakernet.com
Thu Sep 26 14:17:50 EDT 2002


How about the encryption types? Windows only supports 2 types of encryption.
I didn't mention it before because I think one of them is the default for MIT
Kerberos.

Let's see... DES-CBC-CRC and DES-CBC-MD5 according to the "step by step"
guide.
Can you try removing all other encryption types from your KDC and trying
again?

I'm baffled by the inability to disable pre-authentication. Gotta see a packet
trace to understand that.


ERX



>-----Original Message-----
>From: kerberos-admin at mit.edu [mailto:kerberos-admin at mit.edu]On Behalf Of
>Turbo Fredriksson
>Sent: Thursday, September 26, 2002 1:51 PM
>To: kerberos at mit.edu
>Subject: Re: Win logon to a MIT Kerberos V KDC?
>
>
>>>>>> "Steve" == Steve Harper <s.harper at m.cc.utah.edu> writes:
>
>    Steve> Definitely remove the "REQUIRES_PRE_AUTH" flag from the
>    Steve> principal for majorskan (which is your windows 2000
>    Steve> machine, if I'm not mistaken).
>
>    Steve> kadmin: modify_principal -requires_preauth
>    Steve> host/majorskan.<MYDOMAIN.TLD>
>
>I've tried that, but it didn't help. I then thought of removing and
>then re-adding the principal again. No change.
>
>----- s n i p -----
>kadmin.local:  delprinc host/majorskan.bayour.com
>kadmin.local:  ank -pw <SECRET> -requires_preauth
>host/majorskan.<MYDOMAIN.TLD>
>kadmin.local:  getprinc host/majorskan.<MYDOMAIN.TLD>
>Principal: host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>
>Number of keys: 6
>Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>Key: vno 1, DES cbc mode with CRC-32, no salt
>Key: vno 1, DES cbc mode with RSA-MD5, Version 4
>Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
>Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
>Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
>Attributes:
>Policy: [none]
>kadmin.local:  q
>rmgztk:~# tail -f /var/log/kerberos/krb5kdc.log -n0
>Sep 26 19:28:21 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23
>-133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88):
>NEEDED_PREAUTH: turbo@<MYREALM.TLD> for
>krbtgt/<MYREALM.TLD>@<MYREALM.TLD>, Additional pre-authentication required
>Sep 26 19:28:21 rmgztk krb5kdc[1075](info): AS_REQ (2 etypes {3 1})
><IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033061301, etypes
>{rep=3 tkt=16 ses=1}, turbo@<MYREALM.TLD> for
>krbtgt/<MYREALM.TLD>@<MYREALM.TLD>
>Sep 26 19:28:21 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23
>-133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE:
>authtime 1033061301, etypes {rep=1 tkt=16 ses=1},
>turbo@<MYREALM.TLD> for host/majorskan.<MYREALM.TLD>@<MYREALM.TLD>
>----- s n i p -----
>
>It _STILL_ requires pre-auth! I even tried removing the
>
>        default_principal_flags = +preauth
>
>from the kdc.conf (and restarted the KDC)!!
>
>Oh, and I also removed pre-auth requirements from the 'krbtgt/<MYREALM.TLD>'
>and 'turbo' principals... Then it doesn't request/require pre-auth:
>
>----- s n i p -----
>rmgztk:~# tail -f /var/log/kerberos/krb5kdc.log -n0
>Sep 26 19:49:38 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23
>-133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE:
>authtime 1033062578, etypes {rep=3 tkt=16 ses=1},
>turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>
>Sep 26 19:49:43 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23
>-133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE:
>authtime 1033062578, etypes {rep=1 tkt=16 ses=1},
>turbo@<MYREALM.TLD> for host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>
>----- s n i p -----
>
>Closer. I don't get the pre-auth any more. But I'm still not logged in... :(
>
>    Steve> When  the  KDC is  forcing  the  WIN2K  client to  generate
>    Steve> PRE_AUTH data the client includes additional information (I
>    Steve> think  it's SID)  in  the Authorization_Data  field of  the
>    Steve> ticket.  One way  or the other the Logon  will fail because
>    Steve> MIT's KDC  does not support these  microsoft extensions.  I
>    Steve> can guarantee  that preauth on  a principal will  make your
>    Steve> login fail when  that login is coming from  a Win2K machine
>    Steve> to an MIT KDC.
>
>Sounds reasonable (well, 'understanding' anyway :).
>
>
>So, re-cap. The principals 'krbtgt/<MYREALM.TLD>',
>'host/majorskan.<MYDOMAIN.TLD>'
>and 'turbo' all have been modified with '-requires_preauth'...
>
>Windows has been restarted after all this had been done... Naturally :)
>(and had 'ksetup /setcomputerpassword <SECRET>' done).
>
>    Steve> http://home.xnet.com/~catena/ms-kerberos.shtml
>    Steve> If you want to wade through that, feel free, but I would
>    Steve> recommend just removing the REQUIRES_PRE_AUTH:
>
>I'll read that when I have more time :)
>________________________________________________
>Kerberos mailing list           Kerberos at mit.edu
>http://mailman.mit.edu/mailman/listinfo/kerberos
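Eric's point about the two Windows encryption types, applied to the krb5kdc.log lines Turbo quoted, as an added example that is not part of the thread: a small Python audit that parses AS_REQ/TGS_REQ records and flags NEEDED_PREAUTH results and any issued rep/tkt/ses etype outside the DES-CBC-CRC/DES-CBC-MD5 pair. The sample input is the quoted log rejoined one record per line (a constructed input); etype numbers 1, 3, 16, 23 and 24 are RFC 3961 values, the negative ones are Microsoft-private and left unnamed, and the function names are my own.

```python
import re
# Etype numbers per RFC 3961; the negative values in the log are Microsoft-private.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               23: "rc4-hmac", 24: "rc4-hmac-exp"}
WINDOWS_ETYPES = {1, 3}  # the two etypes the thread says Windows 2000 supports

# Constructed sample: the quoted krb5kdc.log records, each rejoined onto one line
# (the archive wrapped them), placeholders kept as in the post.
SAMPLE_LOG = """\
Sep 26 19:28:21 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): NEEDED_PREAUTH: turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>, Additional pre-authentication required
Sep 26 19:28:21 rmgztk krb5kdc[1075](info): AS_REQ (2 etypes {3 1}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033061301, etypes {rep=3 tkt=16 ses=1}, turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>
Sep 26 19:28:21 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033061301, etypes {rep=1 tkt=16 ses=1}, turbo@<MYREALM.TLD> for host/majorskan.<MYREALM.TLD>@<MYREALM.TLD>
"""

LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[-\d ]*)\}\) \S+\(\d+\): (?P<status>\w+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\}, )?(?P<client>\S+) for (?P<server>[^\s,]+)")

def parse_kdc_log(text):
    """One dict per AS_REQ/TGS_REQ record; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["offered"] = [int(e) for e in rec["offered"].split()]
            for key in ("rep", "tkt", "ses"):  # None on NEEDED_PREAUTH records
                rec[key] = int(rec[key]) if rec[key] is not None else None
            records.append(rec)
    return records

def audit(records, client_etypes=WINDOWS_ETYPES):
    """Flag pre-auth demands and issued etypes outside the client's supported set."""
    findings = []
    for r in records:
        where = f"{r['req']} {r['client']} -> {r['server']}"
        if r["status"] == "NEEDED_PREAUTH":
            findings.append(f"{where}: KDC demanded pre-authentication")
        for key in ("rep", "tkt", "ses"):
            et = r[key]
            if et is not None and et not in client_etypes:
                name = ETYPE_NAMES.get(et, f"etype {et}")
                findings.append(f"{where}: {key}={name} not in {sorted(client_etypes)}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_kdc_log(SAMPLE_LOG)):
        print(finding)
```

On the quoted log this reports the NEEDED_PREAUTH answer and, for both ISSUE records, a ticket etype of des3-cbc-sha1 (16), which matches the 3DES key listed first on the host principal.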