Win logon to a MIT Kerberos V KDC?
Turbo Fredriksson
turbo at bayour.com
Sat Sep 28 02:41:08 EDT 2002
>>>>> "Tony" == Tony Hoyle <tmh at nodomain.org> writes:
Tony> On Fri, 27 Sep 2002 13:47:47 +0000, Turbo Fredriksson wrote:
>>>>>>> "Turbo" == Turbo Fredriksson <turbo at bayour.com> writes:
Turbo> Tried again, this time with all the principals having
Turbo> +require_preauth. Still works. Now I'm happy!
Turbo> This was even a requirement! My girlfriend tried to login,
Turbo> didn't work. What differed was that I had REQUIRES_PRE_AUTH,
Turbo> but she didn't. Adding it to her principal allowed her to
Turbo> login. Wee (again :)
Tony> I'm coming in late to this discussion. I'm getting the same
Tony> 'Preauthentication required' error but can't see from the
Tony> thread what you did differently. What was the magic
Tony> incantation? I had just assumed the Win2k client didn't
Tony> support preauthentication (although I'm not happy about
Tony> switching it off because it lowers security).
Tony> I've recreated the host & user principals with des-cbc-crc
Tony> as default but still get the error.
There are three principals involved in ONE login. These are:
Principal: host/majorskan.domain.tld@REALM
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: krbtgt/REALM@REALM
Number of keys: 3
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: turbo@REALM
Number of keys: 6
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, DES cbc mode with RSA-MD5, Version 4
Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 2, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
* Disabling REQUIRES_PRE_AUTH on any of the princ (or all three)
will allow me to login. So it doesn't seem to matter there.
- Rebooted and I can still login (with REQUIRES_PRE_AUTH
disabled on all three princ).
- Since REQUIRES_PRE_AUTH is "a good thing", I will have
them enabled.
* Removing the host princ, and creating it in the normal way
(like the turbo princ) - with 6 keys - will not let me login,
but according to the logs in the KDC, it seems to work
(no errors are shown).
Principal: host/majorskan.bayour.com@BAYOUR.COM
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Deleting it again, and creating it again, this time with the
command line:
kadmin.local -e des-cbc-crc:normal -q 'ank -pw SECRET host/majorskan.domain.tld'
Principal: host/majorskan.domain.tld@REALM
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
This will allow me to login without rebooting the win host.
Now, it's important that 'SECRET' is used with the win
command (think this requires a reboot though, if it has
changed anyway):
ksetup.exe /setcomputerpassword SECRET
Whether or not any other encryption scheme works or is better
I don't know. But this one (des-cbc-crc) works for me...
I've tried the following options to the '-e' flag:
des-cbc-crc:normal -> Works
des3-hmac-sha1:normal -> Doesn't work
des-cbc-md5:normal -> Works
Can't seem to combine the two that work or modify the salt
though (don't know exactly how to use the '-e' flag).
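As an added check (example code, not from this thread or from MIT Kerberos), the following parses `kadmin getprinc` listings like the ones above and reports how a host principal's key set differs from the single des-cbc-crc key the post found to work; the sample input is constructed from the two host-principal listings in the post. Note that on MIT Kerberos 1.8 and later, DES enctypes are disabled by default unless allow_weak_crypto is enabled.

```python
# Added example, not from the thread; SAMPLE is constructed from the post's two host-principal listings.
SAMPLE = """\
Principal: host/majorskan.domain.tld@REALM
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: host/majorskan.bayour.com@BAYOUR.COM
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""
WORKING_ENCTYPE = "DES cbc mode with CRC-32"  # getprinc's name for des-cbc-crc


def parse_getprinc(text):
    # One dict per "Principal:" block: name, keys as (vno, enctype, salt), attributes.
    principals, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        field, _, value = line.partition(": ")
        if field == "Principal":
            cur = {"name": value, "keys": [], "attributes": set()}
            principals.append(cur)
        elif cur is None:
            continue
        elif field == "Key":
            vno, enctype, salt = value.split(", ", 2)
            cur["keys"].append((int(vno.split()[1]), enctype, salt))
        elif field == "Attributes":
            cur["attributes"] = set(value.split()) - {"[none]"}
    return principals


def check_host_principal(p):
    # Empty list means the key set matches the listing the post says works.
    findings = []
    if len(p["keys"]) != 1:
        findings.append(f"{len(p['keys'])} keys; the post reports one key working")
    for _vno, enctype, salt in p["keys"]:
        if enctype != WORKING_ENCTYPE:
            findings.append(f"enctype other than des-cbc-crc: {enctype}")
        if salt != "no salt":
            findings.append(f"salted key: {salt}")
    if "REQUIRES_PRE_AUTH" not in p["attributes"]:
        findings.append("REQUIRES_PRE_AUTH not set")
    return findings
```

Run it against the output of `kadmin.local -q 'getprinc host/...'` to see which keys a recreated host principal picked up from the default enctype list.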