Problem with cross-realm authentication (Kerberos Realm & Win2Kdomain)

Lara Adianto m1r4cle_26 at yahoo.com
Tue Mar 30 09:13:20 EST 2004


I'm using Heimdal since I heard that MIT Kerberos is
not thread-safe for my openldap. I hope that MIT
Kerberos experts don't mind giving me some hints since
I haven't got any reply from the Heimdal mailing list.
I believe that the basic mechanism should be similar
in both implementations.

Currently, the windows env consists of a single domain
only, but I might extend it to a forest or something
more complicated after this experiment.

I use 2 domains:
- LARA_HMD (Kerberos Realm)
- LARA_W2K (Win2K domain)
and user lara (using a W2K Professional machine named
testw2k8) in LARA_HMD wants to access a computer named
test_w2kserver in LARA_W2K through Network
Neighborhood. The access seems to be allowed (it can
access the files shared by the computer), but the
event log records the following error:

Event Type:     Error
Event Source:   Kerberos
Event Category: None
Event ID:       594
Date:           3/30/2004
Time:           11:29:25 AM
User:           N/A
Computer:       TESTW2K8
Description:
A Kerberos Error Message was received:
         on logon session InitializeSecurityContext
 Client Time:
 Server Time:
 Error Code: 3:28:5.0000 3/30/2004 (null) 0x7
 Extended Error:  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Client Realm: LARA_HMD.COM
 Client Name: lara
 Server Realm: LARA_HMD.COM
 Server Name: HOST/Test_w2kserver
 Target Name: HOST/Test_w2kserver at LARA_HMD.COM
 Error Text:
 File:
 Line:
 Error Data is in record data.

I have a doubt about the following line:
 Target Name: HOST/Test_w2kserver at DSSSASIA.COM
Shouldn't the client send a TGS_REQ for
HOST/Test_w2kserver at LARA_W2K instead?

But if my doubt is correct, how can the client know
that test_w2kserver is in the LARA_W2K realm and not
LARA_HMD?

Please shed some light on this for me, I've been stuck
with this problem for 2 days...arggh :-(
-lara-

--- "Paul B. Hill" <pbh at MIT.EDU> wrote:
> Hi,
> 
> 
> You don't mention what type of KDC is used for
> initial authentication. Also,
> you need to let people know whether the Windows
> environment consists of a single
> domain or is a full forest with the resources
> that you are attempting to
> access located in a child domain. 
> 
> These details do impact the answer.
> 
> 
> -----Original Message-----
> From: kerberos-bounces at MIT.EDU
> [mailto:kerberos-bounces at MIT.EDU] On Behalf
> Of Lara Adianto
> Sent: Monday, March 29, 2004 12:10 PM
> To: kerberos at mit.edu
> Subject: Problem with cross-realm authentication
> (Kerberos Realm &
> Win2Kdomain)
> 
> Hello,
>  
> I have a question about the cross-realm
> authentication (Kerberos Realm &
> Win2K)
> My scenario is as follows:
> a user using a Win2K professional machine
> authenticates to a Kerberos Realm.
> This user then wants to access resources in a Win2K
> domain. I believe that
> this is possible by configuring trust-relationship
> between the Kerberos
> Realm and Win2K domain which I have done following
> the guidance in Step by
> step Guide to Kerberos 5 Interoperability article.
> However, when the user sends a TGS-REQ to the KDC in
> the Kerberos Realm for
> a service located in the Win2K domain, the Kerberos
> Realm returns KDC_ERR_S
> _PRINCIPAL_UNKNOWN. After sniffing the packet using
> ethereal, I noticed that
> the client sent a TGS_REQ with the canonicalize bit
> not set. Based on my
> understanding from the 'Generating KDC Referrals to
> locate Kerberos realms'
> draft, the client should send a TGS_REQ with the
> canonicalize bit set so that
> the KDC can return a TGS_REP containing
> PA-SERVER-REFERRAL-INFO.
> 
>  
> Does anybody have any idea how to solve this
> problem?
> Is there any other configuration (besides the
> following) that I should do on
> the client machine or in the KDC so that the Windows
> client that
> authenticates to the Kerberos realm can access Win2K
> resources in the other domain: 
> In KDC Kerberos Realm:
> - ank -pw password
> krbtgt/NT_REALM.COM at KERB_REALM.COM
> - ank -pw password
> krbtgt/KERB_REALM.COM at NT_REALM.COM
> In Win2K domain:
> - Add inter-realm keys in the Active Directory
> Domains and Trusts (Trusts
> tab)
> - Create account mappings using the AltSecurityId
> property 
> 
> Thanks,
> Lara


=====
------------------------------------------------------------------------------------
Life, you see, is never as good nor as bad as one thinks
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------

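On the question of how a client can know which realm a server lives in: absent a KDC referral, a Kerberos client resolves the realm locally from a host-to-realm mapping. The following is an added example, not code from the post or from any Kerberos implementation; it models the lookup order that krb5.conf's [domain_realm] section defines (exact host, then parent-domain suffixes, then the default realm) on a constructed mapping, and shows why a bare NetBIOS name such as Test_w2kserver falls through to the client's default realm, which is exactly the HOST/Test_w2kserver at LARA_HMD.COM target seen in the event log.

```python
# Added illustration (not from the original post): [domain_realm]-style
# host-to-realm resolution. The mapping and default realm below are
# constructed for this example; realm names follow the post.

DEFAULT_REALM = "LARA_HMD.COM"

# Constructed [domain_realm] section. Entries starting with "." match
# any host under that DNS suffix; others match one exact hostname.
DOMAIN_REALM = {
    ".lara-hmd.com": "LARA_HMD.COM",
    ".lara-w2k.com": "LARA_W2K.COM",
    "test_w2kserver.lara-w2k.com": "LARA_W2K.COM",
}


def realm_for_host(hostname, mapping=DOMAIN_REALM, default=DEFAULT_REALM):
    """Return the realm a client would assume for a service on hostname.

    Lookup order: exact (lower-cased) host, then each parent domain as a
    ".suffix" entry from most to least specific, then the default realm.
    A short name with no dots has no parent domains to try, so it goes
    straight to the default realm.
    """
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    # Try ".child.example.com", then ".example.com", then ".com".
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return default


def service_principal(service, hostname):
    """Build the target principal the client would request a ticket for."""
    return f"{service}/{hostname}@{realm_for_host(hostname)}"


if __name__ == "__main__":
    # A fully qualified name lands in the Win2K realm; the bare NetBIOS
    # name from the event log does not, reproducing the observed target.
    print(service_principal("HOST", "test_w2kserver.lara-w2k.com"))
    print(service_principal("HOST", "Test_w2kserver"))
```

The practical consequence: if the client only has a short name for the server and no referral support is in play, the ticket request goes to the home realm, which cannot know the principal and answers KDC_ERR_S_PRINCIPAL_UNKNOWN.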