<no subject>

Mark Hendricks mdh3 at humboldt.edu
Tue Mar 30 12:20:57 EST 2004


I posted a message earlier this week with what I believe to be a similar
problem.

The solution appears to be to set the following in the kdc.conf file.

Added the following line to kdc.conf
supported_enctypes = des-cbc-crc:normal

Added the following lines to krb5.conf
        default_etypes = des-cbc-crc
        default_etypes_des = des-cbc-crc

Remove all krbtgt principals and re-create using:
addprinc -e des:normal krbtgt/<AD><REALM>


I hope this helps

Mark
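
As an added example, not part of the thread or of MIT Kerberos: a small check a KDC administrator could run over `kadmin.local -q "getprinc ..."` output for the two cross-realm krbtgt principals, confirming that both trust directions exist and that each carries a key type the Windows 2000 side could negotiate (the fix above pins des-cbc-crc). The realm names come from the thread; the getprinc text is constructed, and the enctype table, `parse_getprinc` and `cross_realm_check` are my own, not MIT's.

```python
"""Added example (not from the mailing-list thread): check that the
cross-realm krbtgt principals on an MIT KDC exist in both directions and
carry a key type the peer realm can actually use.

Assumptions: realm names KERB_REALM.COM / NT_REALM.COM are taken from the
thread; the getprinc text below is constructed to mirror the
"Key: vno N, <enctype>[, <salt>]" lines that kadmin's getprinc prints and
was not captured from a real KDC.
"""
import re

# Enctypes a Windows 2000 trust could share with an MIT KDC at the time,
# matching the thread's supported_enctypes = des-cbc-crc:normal fix.
# DES is deprecated (RFC 6649) and disabled by default in current MIT krb5
# and Windows, so this set only reflects the Win2K-era scenario.
WIN2K_TRUST_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}

# Long names older kadmin versions printed, mapped to the short enctype ids.
LEGACY_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
}

KEY_RE = re.compile(r"^Key: vno (?P<vno>\d+), (?P<etype>[^,\n]+)", re.M)
PRINC_RE = re.compile(r"^Principal: (\S+)", re.M)


def parse_getprinc(text):
    """Return (principal, [(vno, enctype), ...]) from getprinc output."""
    m = PRINC_RE.search(text)
    if not m:
        raise ValueError("no 'Principal:' line in getprinc output")
    keys = []
    for k in KEY_RE.finditer(text):
        name = k.group("etype").strip()
        keys.append((int(k.group("vno")), LEGACY_NAMES.get(name, name)))
    return m.group(1), keys


def cross_realm_check(local, peer, outputs):
    """outputs maps principal name -> getprinc text (absent if unknown).

    Returns a verdict per trust direction:
      "missing"           - no entry; an MIT KDC answers such a TGS-REQ with
                            KDC_ERR_S_PRINCIPAL_UNKNOWN
      "no-usable-enctype" - entry exists but no key type in WIN2K_TRUST_ENCTYPES
      "ok"                - entry exists with a usable key type
    """
    findings = {}
    for princ in (f"krbtgt/{peer}@{local}", f"krbtgt/{local}@{peer}"):
        text = outputs.get(princ)
        if text is None:
            findings[princ] = "missing"
            continue
        _, keys = parse_getprinc(text)
        etypes = {etype for _, etype in keys}
        findings[princ] = "ok" if etypes & WIN2K_TRUST_ENCTYPES else "no-usable-enctype"
    return findings


# Constructed sample: the outbound krbtgt has a DES key, the inbound one
# was re-created with only an AES key and so cannot serve the Win2K trust.
SAMPLE_OUTPUTS = {
    "krbtgt/NT_REALM.COM@KERB_REALM.COM": (
        "Principal: krbtgt/NT_REALM.COM@KERB_REALM.COM\n"
        "Expiration date: [never]\n"
        "Number of keys: 2\n"
        "Key: vno 1, des-cbc-crc\n"
        "Key: vno 1, aes256-cts-hmac-sha1-96\n"
    ),
    "krbtgt/KERB_REALM.COM@NT_REALM.COM": (
        "Principal: krbtgt/KERB_REALM.COM@NT_REALM.COM\n"
        "Number of keys: 1\n"
        "Key: vno 3, aes256-cts-hmac-sha1-96\n"
    ),
}

if __name__ == "__main__":
    verdicts = cross_realm_check("KERB_REALM.COM", "NT_REALM.COM", SAMPLE_OUTPUTS)
    for princ, verdict in verdicts.items():
        print(f"{princ}: {verdict}")
```

In use, the `SAMPLE_OUTPUTS` dict would be filled from the real `kadmin.local -q "getprinc <principal>"` text for each krbtgt entry; a "missing" or "no-usable-enctype" verdict points at the krbtgt re-creation step rather than at the client or the Windows trust configuration.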


Date: Mon, 29 Mar 2004 09:10:07 -0800 (PST)
From: Lara Adianto <m1r4cle_26 at yahoo.com>
To: kerberos at mit.edu
Subject: Problem with cross-realm authentication (Kerberos Realm & Win2K
    domain)
Message-ID: <20040329171007.62340.qmail at web80802.mail.yahoo.com>
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Precedence: list
Message: 1

Hello,
 
I have a question about the cross-realm authentication (Kerberos Realm &
Win2K)
My scenario is as follows:
a user using a Win2K professional machine authenticates to a Kerberos Realm.
This user then wants to access resources in a Win2K domain. I believe that
this is possible by configuring trust-relationship between the Kerberos
Realm and Win2K domain which I have done following the guidance in Step by
step Guide to Kerberos 5 Interoperability article.
However, when the user sends a TGS-REQ to the KDC in the Kerberos Realm for
service located in Win2K domain, the Kerberos Realm returns
KDC_ERR_S_PRINCIPAL_UNKNOWN. After sniffing the packet using ethereal, I noticed that
the client sent a TGS_REQ with the canonicalize bit not set. Based on my
understanding from the 'Generating KDC Referrals to locate Kerberos realms'
draft, the client should send a TGS_REQ with canonicalize bit set so that
the KDC can returns a TGS_REP containing PA-SERVER-REFERRAL-INFO.
 
Does anybody have any idea how to solve this problem ?
Is there any other configuration (besides the following) that I should do in
the client machine or in the KDC so that the windows client that
authenticates to Kerberos realm can access win2k resources in other domain:
In KDC Kerberos Realm:
- ank -pw password krbtgt/NT_REALM.COM at KERB_REALM.COM
- ank -pw password krbtgt/KERB_REALM.COM at NT_REALM.COM
In Win2K domain:
- Add inter-realm keys in the Active Directory Domains and Trusts (Trusts
tab)
- Create account mappings using the AltSecurityId property

Thanks,
Lara
