Problem with cross-realm authentication (Kerberos Realm & Win2Kdomain)
Lara Adianto
m1r4cle_26 at yahoo.com
Tue Mar 30 09:13:20 EST 2004
I'm using Heimdal since I heard that MIT Kerberos is not thread safe for my OpenLDAP. I hope that MIT Kerberos experts don't mind giving me some hints, since I haven't got any reply from the Heimdal mailing list. I believe that the basic mechanism should be similar in both implementations.
Currently, the Windows environment consists of a single domain only, but I might extend it to a forest or something more complicated after this experiment.
I use 2 domains:
- LARA_HMD (Kerberos Realm)
- LARA_W2K (Win2K domain)
User lara (using a Win2K Professional machine named testw2k8) in LARA_HMD wants to access a computer named test_w2kserver in LARA_W2K through Network Neighborhood. The access seems to be allowed (it can access the files shared by the computer), but the event log shows the following error:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 3/30/2004
Time: 11:29:25 AM
User: N/A
Computer: TESTW2K8
Description:
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 3:28:5.0000 3/30/2004 (null) 0x7
Extended Error: KDC_ERR_S_PRINCIPAL_UNKNOWN
Client Realm: LARA_HMD.COM
Client Name: lara
Server Realm: LARA_HMD.COM
Server Name: HOST/Test_w2kserver
Target Name: HOST/Test_w2kserver at LARA_HMD.COM
Error Text:
File:
Line:
Error Data is in record data.
I have a doubt about the following line:
Target Name: HOST/Test_w2kserver at DSSSASIA.COM
Shouldn't the client send a TGS_REQ for HOST/Test_w2kserver at LARA_W2K instead?
But if my doubt is correct, how can the client know that test_w2kserver is in the LARA_W2K realm and not in LARA_HMD?
Please shed some light on this for me; I've been stuck with this problem for 2 days... arggh :-(
-lara-
--- "Paul B. Hill" <pbh at MIT.EDU> wrote:
> Hi,
>
> You don't mention what type of KDC is used for initial authentication. Also,
> you need to let people know whether the Windows environment consists of a
> single domain or is a full forest with the resources that you are attempting
> to access located in a child domain.
>
> These details do impact the answer.
>
> -----Original Message-----
> From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On Behalf Of Lara Adianto
> Sent: Monday, March 29, 2004 12:10 PM
> To: kerberos at mit.edu
> Subject: Problem with cross-realm authentication (Kerberos Realm & Win2Kdomain)
>
> Hello,
>
> I have a question about cross-realm authentication (Kerberos Realm & Win2K).
> My scenario is as follows: a user using a Win2K Professional machine
> authenticates to a Kerberos Realm. This user then wants to access resources in
> a Win2K domain. I believe that this is possible by configuring a trust
> relationship between the Kerberos Realm and the Win2K domain, which I have
> done following the guidance in the "Step-by-Step Guide to Kerberos 5
> Interoperability" article.
>
> However, when the user sends a TGS-REQ to the KDC in the Kerberos Realm for a
> service located in the Win2K domain, the Kerberos Realm returns
> KDC_ERR_S_PRINCIPAL_UNKNOWN. After sniffing the packets using Ethereal, I
> noticed that the client sent a TGS_REQ with the canonicalize bit not set.
> Based on my understanding of the 'Generating KDC Referrals to locate Kerberos
> realms' draft, the client should send a TGS_REQ with the canonicalize bit set
> so that the KDC can return a TGS_REP containing PA-SERVER-REFERRAL-INFO.
>
> Does anybody have any idea how to solve this problem?
> Is there any other configuration (besides the following) that I should do on
> the client machine or on the KDC so that the Windows client that authenticates
> to the Kerberos realm can access Win2K resources in the other domain:
> In the KDC of the Kerberos Realm:
> - ank -pw password krbtgt/NT_REALM.COM at KERB_REALM.COM
> - ank -pw password krbtgt/KERB_REALM.COM at NT_REALM.COM
> In the Win2K domain:
> - Add inter-realm keys in Active Directory Domains and Trusts (Trusts tab)
> - Create account mappings using the AltSecurityId property
>
> Thanks,
> Lara
>
>
>
=====
------------------------------------------------------------------------------------
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
- Guy de Maupassant -
------------------------------------------------------------------------------------
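Lara's last question, how the client decides that test_w2kserver belongs to LARA_W2K rather than to its own realm, comes down to the host-to-realm mapping the client consults before it builds the TGS-REQ. The following is an added Python model of that lookup and of the ticket chain it produces; it is not code from the thread, from Heimdal or from Windows, and the krb5.conf [domain_realm]-style mapping, the hypothetical helper names and the LARA_W2K.COM realm name are assumptions.

```python
# Added model (not code from the thread, Heimdal or Windows) of how a Kerberos
# client picks a realm for a service host and which TGS-REQs it then sends.
# Realm names come from the thread; the host/realm mapping and the ".COM" suffix
# on LARA_W2K are constructed assumptions.
CLIENT_REALM = "LARA_HMD.COM"

# Constructed mapping in the style of krb5.conf [domain_realm]: a key that
# starts with "." matches every host under that DNS suffix, a key without it
# matches exactly one host.
DOMAIN_REALM = {
    ".lara_w2k.com": "LARA_W2K.COM",
    "test_w2kserver": "LARA_W2K.COM",
}


def realm_for_host(host, mapping=DOMAIN_REALM, default=CLIENT_REALM):
    """Exact-host, then longest-suffix lookup; falls back to the client's own
    realm when nothing matches, which is the situation in the event log."""
    h = host.lower().rstrip(".")
    if h in mapping:
        return mapping[h]
    labels = h.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return default


def ticket_requests(host, service="HOST", mapping=DOMAIN_REALM,
                    client_realm=CLIENT_REALM):
    """Sequence of server principals the client must ask its KDC for.
    With a direct cross-realm trust, a foreign service first needs the
    cross-realm TGT krbtgt/<server realm>@<client realm>; that ticket is then
    presented to the foreign KDC for the service ticket itself."""
    server_realm = realm_for_host(host, mapping, client_realm)
    target = f"{service}/{host.lower()}@{server_realm}"
    if server_realm == client_realm:
        return [target]
    return [f"krbtgt/{server_realm}@{client_realm}", target]


if __name__ == "__main__":
    # No mapping: the client assumes its own realm and asks LARA_HMD's KDC for a
    # principal that only the LARA_W2K KDC knows -> KDC_ERR_S_PRINCIPAL_UNKNOWN.
    print("unmapped:", ticket_requests("Test_w2kserver", mapping={}))
    # With the mapping: cross-realm TGT first, then the service ticket.
    print("mapped:  ", ticket_requests("Test_w2kserver"))
```

The unmapped case reproduces the target name in the event log (HOST/Test_w2kserver in the client's own realm), which is why the home KDC answers with KDC_ERR_S_PRINCIPAL_UNKNOWN.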