failed to create kerberos key: 5 (KRB5KDC_AP_ERR_MODIFIED)
Douglas E. Engert
deengert at anl.gov
Mon Aug 2 16:32:46 EDT 2004
Lara Adianto wrote:
>
> I have set that up before, using name mapping in AD and registering lara@ADIANTO.COM as the Kerberos name for lara. I also set up the cross-realm trust between Windows AD and the MIT KDC.
>
> It worked before !
If it worked before, you set up your domain controller again, and it does not work now,
it sounds like the cross-realm keys don't match.

There are really two principals and keys, one for each direction: krbtgt/<realm1>@<realm2>
and krbtgt/<realm2>@<realm1>.
The KDCs of each realm have to have the key. The user's realm, <realm1>, uses the key just
like any other key, to issue a ticket for the service, i.e. krbtgt/<realm2>@<realm1>.
The other KDC uses its copy like a server would use a key in a keytab, but it looks in
its database instead (which is what it does for its own krbtgt).

So you need to make sure you have the keys' kvnos and enctypes in sync between the two
realms. I suspect that you need to add the keys again to the Kerberos realm. You may
have to delete the krbtgt/<realm1>@<realm2> and krbtgt/<realm2>@<realm1> principals
and then add them again.
> See below for the tickets cached in the Windows client, using klist.exe. In this scenario user lara logged in to MIT realm ADIANTO.COM using a Win2000 machine (testw2k8.adianto.com), then accessed a resource on test_w2kserver, which is a member of Windows domain LARASARI.COM (as opposed to ADIANTO.COM, which is a workgroup). This is possible with the cross-realm setup (hence lara is not asked for a password anymore to access test_w2kserver).
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
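The two-key, two-direction model in the reply above, as an added example that is not code from the post, from MIT Kerberos or from Active Directory. It is a constructed toy: each KDC object holds a database keyed by (principal, kvno, enctype), the user's realm encrypts the cross-realm TGT with its copy of krbtgt/LARASARI.COM@ADIANTO.COM, and the other realm looks up its own copy by the same three values before decrypting. The cipher is a stand-in (SHA-256 keystream plus an HMAC tag, not a real Kerberos enctype); realm and principal names are taken from the thread, the enctype labels and scenario names are assumptions, and the error strings other than KRB5KDC_AP_ERR_MODIFIED are this example's own.

```python
"""Toy model of cross-realm krbtgt key handling (added example, not from the post)."""
import hashlib
import hmac
import secrets

KRB5KDC_AP_ERR_MODIFIED = "KRB5KDC_AP_ERR_MODIFIED"


class KrbError(Exception):
    pass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in for a real enctype: counter-mode SHA-256 keystream.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC tag (the tag plays the Kerberos checksum)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # A key exists under the right kvno/enctype but the bytes differ: the
        # integrity check fails, which the KDC reports as MODIFIED.
        raise KrbError(KRB5KDC_AP_ERR_MODIFIED)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """One realm's KDC with a database keyed by (principal, kvno, enctype)."""

    def __init__(self, realm: str):
        self.realm = realm
        self.db = {}

    def add_key(self, principal: str, kvno: int, enctype: str, key: bytes) -> None:
        self.db[(principal, kvno, enctype)] = key

    def issue_cross_realm_tgt(self, client: str, remote_realm: str) -> dict:
        # Like any other service ticket: the user's realm takes its newest key
        # for krbtgt/<remote>@<local> and encrypts the ticket with it.
        sname = f"krbtgt/{remote_realm}@{self.realm}"
        candidates = [(k, e) for (p, k, e) in self.db if p == sname]
        if not candidates:
            raise KrbError(f"no key for {sname} in {self.realm}")
        kvno, enctype = max(candidates, key=lambda c: c[0])
        body = f"{client}|{sname}".encode()
        return {"sname": sname, "kvno": kvno, "etype": enctype,
                "enc_part": toy_encrypt(self.db[(sname, kvno, enctype)], body)}

    def accept_cross_realm_tgt(self, ticket: dict) -> str:
        # The remote KDC uses its own database copy the way a server uses a
        # keytab entry: exact match on principal, kvno and enctype, then decrypt.
        k = (ticket["sname"], ticket["kvno"], ticket["etype"])
        if k not in self.db:
            raise KrbError(f"no key in {self.realm} for {k[0]} kvno {k[1]} enctype {k[2]}")
        client, _sname = toy_decrypt(self.db[k], ticket["enc_part"]).decode().split("|")
        return client


def run_scenario(scenario: str) -> str:
    """Constructed scenario: MIT realm ADIANTO.COM, AD realm LARASARI.COM.
    Returns the client name on success, or the error the AD KDC raised."""
    mit = KDC("ADIANTO.COM")
    ad = KDC("LARASARI.COM")
    cross = "krbtgt/LARASARI.COM@ADIANTO.COM"  # the MIT -> AD direction
    shared = secrets.token_bytes(32)
    mit.add_key(cross, 1, "rc4-hmac", shared)
    if scenario == "in_sync":
        ad.add_key(cross, 1, "rc4-hmac", shared)
    elif scenario == "dc_reinstalled":
        # Trust re-created on the DC with a different password: kvno and
        # enctype happen to match, the key bytes do not.
        ad.add_key(cross, 1, "rc4-hmac", secrets.token_bytes(32))
    elif scenario == "kvno_mismatch":
        ad.add_key(cross, 2, "rc4-hmac", shared)
    elif scenario == "enctype_mismatch":
        ad.add_key(cross, 1, "des-cbc-crc", shared)
    else:
        raise ValueError(scenario)
    tgt = mit.issue_cross_realm_tgt("lara@ADIANTO.COM", "LARASARI.COM")
    try:
        return ad.accept_cross_realm_tgt(tgt)
    except KrbError as err:
        return str(err)
```

Only the "in_sync" scenario gets lara's name back; the "dc_reinstalled" case reproduces the MODIFIED outcome, while a kvno or enctype mismatch fails earlier at the lookup, which is why checking that both values agree on each side is the first thing to do before re-keying the krbtgt principals.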