kerberos simulation

Nhi Tonnu ntonnu at uoguelph.ca
Mon Jun 28 19:00:59 EDT 2004


Hi everyone,
I'm a student at the University of Guelph. I have a project that needs some data, such as the approximate time for getting a ticket-granting ticket from the Authentication Server, or the time from when the client sends a message to the Ticket-Granting Server asking for a ticket to receiving the session key from the TGS.

I need a rough timeframe to use in my simulation program. Does anyone have any suggestions for where I can find this information?

Any help is greatly appreciated. Thanks in advance.

Regards,
Nhi

From m1r4cle_26 at yahoo.com Tue Jun 29 04:04:55 2004
Date: Tue, 29 Jun 2004 01:04:53 -0700 (PDT)
From: Lara Adianto <m1r4cle_26 at yahoo.com>
To: jaltman at columbia.edu
In-Reply-To: <40E02274.6080502 at nyc.rr.com>
cc: kerberos at mit.edu
Subject: Re: change password expired because domain is not found

Wow, you're right...
Thanks a lot for your help, Jeffrey ! I really
appreciate it...

-lara-

--- Jeffrey Altman <jaltman2 at nyc.rr.com> wrote:
> According to a contact at Microsoft, this is a bug in Win2000's winlogin.exe
> which will not be fixed.  Instead users should enter their login name as
>
>     lara at ADIANTO.COM
>
> or upgrade to XP.   This should be published as a Knowledgebase
> article soon.
> 
> Jeffrey Altman
> 
> Lara Adianto wrote:
> 
> >I've added kpasswd using ksetup:
> >C:/>ksetup
> >default realm
> >ADIANTO.COM:
> >    kdc
> >    kpasswd
> >Mapping lara at ADIANTO.COM to lara
> >But it didn't work.
> >
> >I've changed the DNS server (from Win2k server to
> >linux), and added _kpasswd._udp.ADIANTO.COM, but it
> >didn't work as well...
> >
> >This is what happened (as captured by ethereal):
> >1. AS-REQ from win client (Testw2k8) to MIT KDC
> >2. KRB-ERR from MIT KDC to client (Testw2k8) that key
> >is expired
> >3. DNS query from win client to DNS server for
> >_ldap._tcp.dc._msdcs.ADIANTO.COM type SRV class inet
> >(why did it query for msdcs ???, I added the entry
> >finally, but it still didn't work out )
> >4. CLDAP query from client to DNS server with
> >Filter(&(DnsDomain
> >Testw2k8)(NtVer=\006) attr=NetLogon
> >5. NBIPX: Find name ADIANTO.COM
> >6. NBNS: Name query NB ADIANTO.COM
> >7. NetLogon: Query for PDC from Testw2k8
> >
> >Where did it go wrong ?
> >
> >This is my Dns entries:
> >;
> >; Zone file for adianto.com
> >;
> >; The full zone file
> >;
> >$TTL 3D
> >@       IN      SOA     kserver.adianto.com. hostmaster.adianto.com. (
> >                        199802151       ; serial, todays date + todays serial #
> >                        8H              ; refresh, seconds
> >                        2H              ; retry, seconds
> >                        4W              ; expire, seconds
> >                        1D )            ; minimum, seconds
> >;
> >                NS      kserver         ; Inet Address of name server
> >;
> >localhost       A       127.0.0.1
> >kerberos        A       192.168.168.106
> >testw2k8        A       192.168.168.94
> >;
> >; Master setup
> >_kerberos._udp          IN      SRV     0 0 88 kerberos.adianto.com.
> >_kerberos._tcp          IN      SRV     0 0 88 kerberos.adianto.com.
> >_kpasswd._udp           IN      SRV     0 0 464 kerberos.adianto.com.
> >_ldap._tcp.dc._msdcs    IN      SRV     0 0 389 kerberos.adianto.com.
> >;
> >; Round-robin setup
> >_kerberos._udp          IN      SRV     0 0 88 kerberos
> >
> >regards,
> >lara
> >
> >--- Jeffrey Altman <jaltman at columbia.edu> wrote:
> >
> >>Define the kpasswd entries with KSETUP or add _kpasswd._udp.<realm> SRV
> >>records to DNS.  Otherwise, Windows is probably using LDAP to try to find
> >>the change password service.
> >>
> >>Lara Adianto wrote:
> >>
> >>>--- Jeffrey Altman <jaltman2 at nyc.rr.com> wrote:
> >>>
> >>>>MIT.REALM.COM is an external realm.
> >>>
> >>>Yes, I'm authenticating windows machine to a
> >>>non-windows KDC
> >>>
> >>>>External realms are not searched for using LDAP.
> >>>>Once again:
> >>>>
> >>>>	What is the configuration of the machine with KSETUP?
> >>>
> >>>default realm
> >>>ADIANTO.COM:
> >>>       kdc
> >>>Mapping lara at ADIANTO.COM to lara
> >>>
> >>>I also added: RealmFlags
> >>>
> >>>>	Do you have entries for kdc and kpasswd in the KSETUP
> >>>>	configuration?
> >>>
> >>>kdc yes, kpasswd no. Is it necessary to have kpasswd ?
> >>>I have no problem changing the password when it's not
> >>>expired yet.
> >>>
> >>>>	If yes, do they map to valid DNS addresses?
> >>>>
> >>>>	Are those addresses reachable?
> >>>
> >>>Well, I set up a DNS server on a win2k server, and I'm
> >>>able to ping kerberos.adianto.com from the win2k prof
> >>>client.
> >>>
> >>>>Windows will only try the first address returned for
> 
------------------------------------------------------------------------------------
Life, you see, is never as good nor as bad as one thinks
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
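
The DNS half of the advice quoted above (publishing `_kerberos` and `_kpasswd` SRV records for the realm) can be checked offline against zone text. This is an added example, not part of either poster's message: the parser is a simplified one that assumes single-line records, `THREAD_ZONE` re-types records quoted in the thread, and `BROKEN_ZONE` is constructed.

```python
# Added example (not from the thread). Assumption: one record per line,
# no $ORIGIN directives and no multi-line (...) records.
REQUIRED = {"_kerberos._udp": 88, "_kerberos._tcp": 88, "_kpasswd._udp": 464}

def fqdn(name, origin):
    """Expand a zone-relative name; a trailing dot means already absolute."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return ({host: ip}, {srv_name: [(port, target), ...]})."""
    a, srv = {}, {}
    for raw in text.splitlines():
        # Drop ';' comments and the optional class field, then tokenize.
        f = [t for t in raw.split(";", 1)[0].split() if t != "IN"]
        if len(f) == 3 and f[1] == "A":
            a[fqdn(f[0], origin)] = f[2]
        elif len(f) == 6 and f[1] == "SRV":   # name SRV prio weight port target
            srv.setdefault(fqdn(f[0], origin), []).append(
                (int(f[4]), fqdn(f[5], origin)))
    return a, srv

def check_kerberos_srv(text, realm):
    """List problems a client would hit locating the KDC or kpasswd service."""
    origin = realm.lower().rstrip(".") + "."
    a, srv = parse_zone(text, origin)
    problems = []
    for svc, port in REQUIRED.items():
        records = srv.get(fqdn(svc, origin), [])
        if not records:
            problems.append(f"missing SRV {svc}.{origin}")
        for got, target in records:
            if got != port:
                problems.append(f"{svc}: port {got}, expected {port}")
            if target not in a:
                problems.append(f"{svc}: target {target} has no A record in zone")
    return problems

# Records re-typed from the zone quoted in the thread.
THREAD_ZONE = """
kerberos                A       192.168.168.106
_kerberos._udp          IN      SRV     0 0 88  kerberos.adianto.com.
_kerberos._tcp          IN      SRV     0 0 88  kerberos.adianto.com.
_kpasswd._udp           IN      SRV     0 0 464 kerberos.adianto.com.
"""
# Constructed broken variant: no TCP record, wrong kpasswd port, dangling target.
BROKEN_ZONE = """
kerberos                A       192.168.168.106
_kerberos._udp          IN      SRV     0 0 88  kerberos.adianto.com.
_kpasswd._udp           IN      SRV     0 0 88  kpw
"""
```

The check only inspects zone data; it does not tell you what a given Windows client will actually query.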


		

