Fwd: Re: Kerberos error authenticating from Unix to Windows AD

Tyson Oswald oswaldt at ameritech.net
Fri Feb 20 12:05:00 EST 2004


deengert at anl.gov ("Douglas E. Engert") wrote in message news:<4035172C.F60ACDFF at anl.gov>...
> Tyson Oswald wrote:
> > 
> > I did a manual comparison between the two files like this
> > 
> > on Windows ktpass -in my.keytab
> > 
> > on unix klist -k -K
> > 
> > they are identical.
> > 
> > Any idea what the ticket option FORWARDED means?
> 
> It means the ticket was issued based on a previous TGT. i.e. this
> is usually by delegations as done by GSSAPI.  That may not be the problem.
> 
> 
> When you set up the service principal for the machine, it should have
> had a name like host/myserver.ameritech.net at MY.REALM
> where myserver.ameritech.net is the FQDN of the host, and MY.REALM
> is the realm where the host is registered. 
> 
> P.S. We have Sun workstations using pam_krb5 which allow one to login
> to the workstation from the console. We are using the MIT Kerberos, not
> SEAM. 
> 
> Something else to try:  
> 
> login to the Sun using normal login. 
> 
>  Using the SEAM commands: 
>   
>   kinit user at realm
>   klist -f -e
> 
> Then try 
> 
>   kinit -S t/myserver.ameritech.net at MY.REALM
> 
> which will ask for your user and password, then try and get a service ticket
> for the host. 
> 
> Also look at the /etc/krb5.conf file. (I think SEAM uses the same location.)
> 
> 
> > 
> > thanks,
> > 
> > Tyson Oswald
> > 
> > "Douglas E. Engert" <deengert at anl.gov> wrote:
> > 
> > Tyson Oswald wrote:
> > >
> > > Tyson Oswald wrote: I generated a host key on the a Windows
> > > server and installed it on the Sun workstation with ktutil. The key
> > > was generated with the same password as the user on windows. It was
> > > setup with DES-CBC-CRC enctype, also krb5.conf is setup to use
> > > des-cbc-crc for both tkt and tgs. One thing I did do was when I FTPed
> > > the host key to the Sun box I used binary instead of ascii, if that
> > > caused a problem I do not know. If you think this could cause this
> > > issue I will re-copy it.
> > 
> > Another way to do it is when you run the ktpass /out ...
> > it will type out the entry on the console, and show the kvno and the
> > DES key in hex.
> > 
> > You can then use the ktutil "addent -key" and type in the DES key in
> > hex on the UNIX system. This avoids any string-to-key problems, as well
> > as any transfer problems.
> > 
> > If nothing else you could verify if the key and kvno is as expected
> > by using klist -k -K ...
> > 
> > >
> > > thank you,
> > >
> > > Tyson Oswald
> > >
> > > Jeffrey Altman wrote:
> > > Do you have a host key for the Windows workstation?
> > >
> > > Does the Windows workstation know the name you have used for its host key?
> > >
> > > Is the host key restricted to use an enctype of DES-CBC-CRC?
> > >
> > > Did you create the host key with a password and not a random key?
> > >
> > > Did you install the password into the Workstation using KSETUP?
> > >
> > > Jeffrey Altman
> > >
> > > Tyson Oswald wrote:
> > > > Hello all,
> > > >
> > > > I read the white paper on the MS site
> > > > (http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp)
> > > > to setup AD authentication on Unix. It is based on MIT KDC, but I am
> > > > using SEAM. Since SEAM is based on MIT, I assumed it would work. I
> > > > am using SEAM 1.0.1 on SPARC Solaris 8. I followed the instructions
> > > > in the white paper, and according to the event log on our PDC the user
> > > > authenticates successfully. But, the Service Ticket is failing
> > > > authentication. I am troubled as to why. The event id I am getting
> > > > in the event log is 677. The failure code is 0x0d (bad option) and
> > > > the ticket option is 0x02. According to the RFC 0x02 means FORWARDED.
> > > >
> > > > Has anyone run into this error or know what is wrong?
> > > >
> > > > thank you,
> > > >
> > > > Tyson Oswald
> > >
> > > ________________________________________________
> > > Kerberos mailing list Kerberos at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > 
> > --
> > 
> > Douglas E. Engert
> > Argonne National Laboratory
> > 9700 South Cass Avenue
> > Argonne, Illinois 60439
> > (630) 252-5444
>  
> -- 
> 
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439 
>  (630) 252-5444


I'd like to thank everyone for their assistance.  I decided to use the
pam_krb5 method which works very well.  The only minor issue I have is
if a user's password has expired and requires them to change it, it
does not inform them of that on the Unix machine.  If anyone knows how
to fix this it would be great.  I don't feel it is a big deal since
our users have a Sun machine and a Windows machine.  In which case
they will discover their password has expired when they attempt to
log in to Windows.

thank you,

Tyson Oswald
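The quoted advice above boils down to one check: the kvno, enctype and key bytes that ktpass printed on the Windows side must match what `klist -k -K` shows from the keytab on the Unix side. The following script is an added example, not code from this thread or from MIT/SEAM: it parses a keytab in the MIT 0x0502 format and prints the same columns, so a keytab can be inspected on any host even where klist is missing or prints keys differently. The sample keytab bytes, the principal, the timestamp and the DES key in it are all constructed for the example; the key is a dummy value.

```python
"""Parse an MIT/SEAM-style keytab (format version 0x0502) and list its entries
the way `klist -k -K` does: kvno, principal, enctype and key in hex.

Added example for this thread; the sample keytab below is constructed.
"""
import struct

# Enctype numbers from the Kerberos registry (RFC 3961 / RFC 3962 / RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def _counted(data: bytes) -> bytes:
    """Encode a keytab counted_octet_string: uint16 big-endian length + bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Build a 0x0502 keytab from (principal, kvno, enctype, key, timestamp) tuples.

    Only used here to construct sample input; ktpass/ktutil write the real ones.
    """
    out = b"\x05\x02"
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for component in components:
            body += _counted(component.encode())
        body += struct.pack(">II", 1, timestamp)             # name_type NT-PRINCIPAL, timestamp
        body += struct.pack(">B", kvno & 0xFF)               # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                      # 32-bit vno (0x0502 extension)
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob: bytes):
    """Return one dict per live entry, mirroring the `klist -k -K` columns."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos = 2
    entries = []

    def take_string():
        nonlocal pos
        (length,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        value = blob[pos:pos + length]
        pos += length
        return value.decode()

    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm = take_string()
        components = [take_string() for _ in range(ncomp)]
        _name_type, _timestamp = struct.unpack_from(">II", blob, pos)
        pos += 8
        (kvno,) = struct.unpack_from(">B", blob, pos)
        pos += 1
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        key = blob[pos:pos + klen]
        pos += klen
        if end - pos >= 4:                # trailing 32-bit vno, if present and nonzero, wins
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({
            "principal": "/".join(components) + "@" + realm,
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
            "key_hex": key.hex(),
        })
    return entries


# Constructed sample: one des-cbc-crc host entry, dummy key, kvno 3.
SAMPLE_KEYTAB = build_keytab([
    ("host/myserver.ameritech.net@MY.REALM", 3, 1,
     bytes.fromhex("0123456789abcdef"), 1077300000),
])
# Constructed sample with a deleted (negative-size) slot before the live entry.
DELETED_SLOT_KEYTAB = b"\x05\x02" + struct.pack(">i", -5) + b"\x00" * 5 + SAMPLE_KEYTAB[2:]

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%4d %-40s %s (0x%s)" % (e["kvno"], e["principal"], e["enctype"], e["key_hex"]))
```

Run it against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())` and compare the kvno and key hex line by line with what ktpass printed; a mismatch in kvno points at a stale keytab, and a mismatch in key bytes with the same kvno points at a string-to-key difference, which is exactly the case the `ktutil addent -key` route above avoids.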

