Fwd: Re: Kerberos error authenticating from Unix to Windows AD

Tyson Oswald oswaldt at ameritech.net
Thu Feb 19 14:36:37 EST 2004


I did a manual comparison between the two files like this
 
on Windows ktpass -in my.keytab
 
on unix klist -k -K
 
they are identical.

Any idea what the ticket option FORWARDED means?
 
thanks,
 
Tyson Oswald

"Douglas E. Engert" <deengert at anl.gov> wrote:


Tyson Oswald wrote:
> 
> Tyson Oswald wrote: I generated a host key on a Windows server and installed it on the Sun workstation with ktutil. The key was generated with the same password as the user on windows. It was setup with DES-CBC-CRC enctype, also krb5.conf is setup to use des-cbc-crc for both tkt and tgs. One thing I did do was when I FTPed the host key to the Sun box I used binary instead of ascii, if that caused a problem I do not know. If you think this could cause this issue I will re-copy it.

Another way to do it is when you run the ktpass /out ...
it will type out the entry on the console, and show the kvno and the
DES key in hex. 

You can then use the ktutil "addent -key" and type in the DES key in
hex on the UNIX system. This avoids any string-to-key problems, as well 
as any transfer problems.

If nothing else you could verify if the key and kvno are as expected
by using klist -k -K ...


> 
> thank you,
> 
> Tyson Oswald
> 
> Jeffrey Altman wrote:
> Do you have a host key for the Windows workstation?
> 
> Does the Windows workstation know the name you have used for its host key?
> 
> Is the host key restricted to use an enctype of DES-CBC-CRC?
> 
> Did you create the host key with a password and not a random key?
> 
> Did you install the password into the Workstation using KSETUP?
> 
> Jeffrey Altman
> 
> Tyson Oswald wrote:
> > Hello all,
> >
> > I read the white paper on the MS site
> > (http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp)
> > to setup AD authentication on Unix. It is based on MIT KDC, but I am
> > using SEAM. Since SEAM is based on MIT, I assumed it would work. I
> > am using SEAM 1.0.1 on SPARC Solaris 8. I followed the instructions
> > in the white paper, and according to the event log on our PDC the user
> > authenticates successfully. But, the Service Ticket is failing
> > authentication. I am troubled as to why. The event id I am getting
> > in the event log is 677. The failure code is 0x0d (bad option) and
> > the ticket option is 0x02. According to the RFC 0x02 means FORWARDED.
> >
> > Has anyone run into this error or know what is wrong?
> >
> > thank you,
> >
> > Tyson Oswald
> 
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

Douglas E. Engert 
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439 
(630) 252-5444


Re: Fwd: Re: Kerberos error authenticating from Unix to Windows AD

Douglas E. Engert deengert at anl.gov
Thu Feb 19 15:05:38 EST 2004



Tyson Oswald wrote:
> 
> I did a manual comparision between the two files like this
> 
> on Windows ktpass -in my.keytab
> 
> on unix klist -k -K
> 
> they are identical.
> 
> Any idea what the ticket option FORWARDED means?

It means the ticket was issued based on a previous TGT. i.e. this
is usually by delegations as done by GSSAPI.  That may not be the problem.


When you set up the service principal for the machine, it should have
had a name like host/myserver.ameritech.net at MY.REALM
where myserver.ameritech.net is the FQDN of the host, and MY.REALM
is the realm where the host is registered. 

P.S. We have sun workstations using pam_krb5 which allow one to login
to the workstation from the console. We are using the MIT Kerberos, not
SEAM. 

Something else to try:  

login to the Sun using normal login. 

 Using the SEAM commands: 
  
  kinit user at realm
  klist -f -e

Then try 

  kinit -S host/myserver.ameritech.net at MY.REALM

which will ask for your user and password, then try and get a service ticket
for the host. 

Also look at the /etc/krb5.conf file. (I think SEAM uses the same location.)


> 
> thanks,
> 
> Tyson Oswald
> 
> "Douglas E. Engert" <deengert at anl.gov> wrote:
> 
> Tyson Oswald wrote:
> >
> > Tyson Oswald wrote: I generated a host key on a Windows server and installed it on the Sun workstation with ktutil. The key was generated with the same password as the user on windows. It was setup with DES-CBC-CRC enctype, also krb5.conf is setup to use des-cbc-crc for both tkt and tgs. One thing I did do was when I FTPed the host key to the Sun box I used binary instead of ascii, if that caused a problem I do not know. If you think this could cause this issue I will re-copy it.
> 
> Another way to do it is when you run the ktpass /out ...
> it will type out the entry on the console, and show the kvno and the
> DES key in hex.
> 
> You can then use the ktutil "addent -key" and type in the DES key in
> hex on the UNIX system. This avoids any string-to-key problems, as well
> as any transfer problems.
> 
> If nothing else you could verify if the key and kvno are as expected
> by using klist -k -K ...
> 
> >
> > thank you,
> >
> > Tyson Oswald
> >
> > Jeffrey Altman wrote:
> > Do you have a host key for the Windows workstation?
> >
> > Does the Windows workstation know the name you have used for its host key?
> >
> > Is the host key restricted to use an enctype of DES-CBC-CRC?
> >
> > Did you create the host key with a password and not a random key?
> >
> > Did you install the password into the Workstation using KSETUP?
> >
> > Jeffrey Altman
> >
> > Tyson Oswald wrote:
> > > Hello all,
> > >
> > > I read the white paper on the MS site
> > > (http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp)
> > > to setup AD authentication on Unix. It is based on MIT KDC, but I am
> > > using SEAM. Since SEAM is based on MIT, I assumed it would work. I
> > > am using SEAM 1.0.1 on SPARC Solaris 8. I followed the instructions
> > > in the white paper, and according to the event log on our PDC the user
> > > authenticates successfully. But, the Service Ticket is failing
> > > authentication. I am troubled as to why. The event id I am getting
> > > in the event log is 677. The failure code is 0x0d (bad option) and
> > > the ticket option is 0x02. According to the RFC 0x02 means FORWARDED.
> > >
> > > Has anyone run into this error or know what is wrong?
> > >
> > > thank you,
> > >
> > > Tyson Oswald
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> --
> 
> Douglas E. Engert
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
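Engert's check is to compare the kvno and key that ktpass printed with what klist -k -K shows on the UNIX side. As an added example that is not part of this thread, the following Python reads the MIT keytab file format directly (version 0x502, big-endian, the format MIT Kerberos writes and which SEAM is assumed here to share) and exposes the same principal, kvno, enctype and key fields, so an entry can be checked by value rather than by eye. The sample keytab bytes, the principal name and the DES key are constructed placeholders.

```python
import struct

def _cos(b):  # keytab counted_octet_string: 16-bit big-endian length, then bytes
    return struct.pack(">H", len(b)) + b

def _read_cos(buf, off):  # decode a counted_octet_string; return (bytes, new offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key_hex)] from MIT keytab bytes (version 0x502)."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != 0x0502:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # deleted slot: length is negated, skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _read_cos(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_cos(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _read_cos(data, off + 11)
        if end - off >= 4:                 # optional 32-bit kvno; overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype, key.hex()))
        off = end
    return entries

def has_entry(data, principal, kvno, enctype, key_hex):
    """True if the keytab carries exactly this principal, kvno, enctype and key."""
    return (principal, kvno, enctype, key_hex.lower()) in parse_keytab(data)

# Constructed sample: one deleted slot, then host/myserver.ameritech.net@MY.REALM with
# kvno 2 and enctype 1 (des-cbc-crc); the 8-byte key is a placeholder, not a real key.
_BODY = (struct.pack(">H", 2) + _cos(b"MY.REALM") + _cos(b"host")
         + _cos(b"myserver.ameritech.net") + struct.pack(">IIB", 1, 0, 2)
         + struct.pack(">H", 1) + _cos(bytes.fromhex("0123456789abcdef"))
         + struct.pack(">I", 2))
SAMPLE_KEYTAB = (b"\x05\x02" + struct.pack(">i", -3) + b"\0\0\0"
                 + struct.pack(">i", len(_BODY)) + _BODY)
```

Run parse_keytab over the bytes of /etc/krb5/krb5.keytab (or whichever file klist -k reads) and compare each tuple with the kvno and hex key ktpass printed; a kvno mismatch shows up here just as it would in klist -k -K.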

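The event the thread is reading (id 677, failure code 0x0d, ticket option 0x02) can be decoded mechanically. As an added example that is not part of the thread, this Python applies the KDCOptions bit numbering of RFC 4120 section 5.4.1, in which bit 0 is the most significant bit of the 32-bit word that Windows logs as the Ticket Options hex value (so bit 1, forwardable, is 0x40000000 and the thread's 0x2 falls on bit 30 rather than on bit 2), maps the failure code through the section 7.5.9 KRB-ERROR table, and checks that the service name has the host/FQDN form Engert describes. The event text is constructed, and its field names assume the legacy 677 layout.

```python
import re

# KDCOptions bit numbers from RFC 4120 section 5.4.1. In the hex word that Windows
# logs as "Ticket Options", bit 0 is the most significant bit, so bit n is 1 << (31 - n).
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable", 11: "opt-hardware-auth",
    15: "canonicalize", 26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}
# A subset of the RFC 4120 section 7.5.9 error codes, including the 0x0d from the thread.
KRB_ERROR_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x0d: "KDC_ERR_BADOPTION", 0x0e: "KDC_ERR_ETYPE_NOSUPP",
    0x18: "KDC_ERR_PREAUTH_FAILED", 0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x1f: "KRB_AP_ERR_BAD_INTEGRITY", 0x20: "KRB_AP_ERR_TKT_EXPIRED",
}
_KNOWN_MASK = sum(1 << (31 - bit) for bit in KDC_OPTION_BITS)

def decode_kdc_options(word):
    """Names of the KDCOptions bits set in a 32-bit options word, plus any unknown bits."""
    names = [name for bit, name in sorted(KDC_OPTION_BITS.items()) if word & (1 << (31 - bit))]
    unknown = word & ~_KNOWN_MASK & 0xFFFFFFFF
    if unknown:
        names.append("unknown:0x%08x" % unknown)
    return names

def parse_event_677(text):
    """Decode the 'Field:<tab>Value' lines of a legacy Windows event 677 (TGS failure)."""
    fields = dict(re.findall(r"^[ \t]*([A-Za-z ]+):[ \t]+(\S[^\n]*?)[ \t]*$", text, re.M))
    code = int(fields["Failure Code"], 16)
    service = fields["Service Name"]
    return {
        "service": service,
        # Engert's point: a host key is named host/<FQDN>, optionally followed by @REALM
        "service_is_host_principal": re.fullmatch(r"host/[^/@\s]+\.[^/@\s]+(@[^/@\s]+)?", service) is not None,
        "options": decode_kdc_options(int(fields["Ticket Options"], 16)),
        "failure": KRB_ERROR_CODES.get(code, "unknown:0x%02x" % code),
    }

# Constructed sample event, modelled on the legacy 677 text layout (not a real log).
SAMPLE_EVENT = """Service Ticket Request Failed:
 \tUser Name:\ttyson
 \tUser Domain:\tMY.REALM
 \tService Name:\thost/myserver.ameritech.net
 \tTicket Options:\t0x2
 \tFailure Code:\t0xd
 \tClient Address:\t192.0.2.10
"""
```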
