kinit des and Win2k

melissa_benkyo wyl_lyf at yahoo.com
Tue May 25 09:08:46 EDT 2004


hello, thanks for the info

> Windows 2000 AD yes, but Windows 2003 AD maybe. krb5-1.2 does not support
> TCP but krb5-1.3.x does. If you user are in many groups, the ticket will 
> be big and require TCP. 

I think the user just belongs to one group so there should be a
problem. :(

> But what is in the krb5.conf? Have you set default_tkt_enctypes and 
> default_tgs_enctypes?

yup my default_xxx_enctypes are as follows

 default_tkt_enctypes = des-cbc-md5  des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc

> You mean the kinit fails with some pre authentication message?
> What is the message?

the message I'm getting is from windows AD because it requires
authentication. But I think by setting the Use DES it should be able
to pre-authenticate. I'm insisting on doing pre-authentication since
this is actually an added security measure. :D

My error message is as follows:
Pre-authentication failed:
      UserName: mango
      UserID:   TESTING\mango
      ServiceName: krbtgt/TESTING.COM
      Pre-Authentication Type: 0x0
      Failure Code           : 0x19 
      Client Address         : <ip>

  
> If possible upgrade to krb5-1.3.x for better interoperability with Windows.

oki. just wanted to make sure if this version I have is lacking
interoperability features or its just my setup that's not right.

thanks for the help! much appreciated!


More information about the Kerberos mailing list