Auth problem while interop with win2k3

Song Du freewizard at gmail.com
Wed Sep 22 22:27:53 EDT 2004 

In short, I want to use foreign realm in windows domain login.
kdc on RH9/krb5-server-1.2.7-14
Active Directory Domain Controller on Win2k3
Client PC is WinXP Sp2

I followed the steps in
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp#heading5
but when i try to logon as user bone on WinXP into domain
REALM.GEEK.STUDENT.XXX, I got:
Sep 23 09:48:20 SERVER krb5kdc[11586](info): AS_REQ (7 etypes {23 -133
-128 3 1 24 -135}) 10.30.15.16(12920): ISSUE: authtime 1095904100,
etypes {rep=3 tkt=16 ses=1}, bone at REALM.GEEK.STUDENT.XXX for
krbtgt/REALM.GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
Even with wrong password used, i still got the same msg above in
/var/log/krb5kdc.log

my conf files on RH9:
# cat /etc/krb5.conf 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = REALM.GEEK.STUDENT.XXX
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 REALM.GEEK.STUDENT.XXX = {
  kdc = kdc.realm.geek.student.XXX:88
  admin_server = kdc.realm.geek.student.XXX:749
  default_domain = realm.geek.student.XXX
 }

[domain_realm]
 .realm.geek.student.xxx = REALM.GEEK.STUDENT.XXX
 realm.geek.student.xxx = REALM.GEEK.STUDENT.XXX

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
 
# cat /var/kerberos/krb5kdc/kdc.conf 
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
 REALM.GEEK.STUDENT.XXX = {
  master_key_type = des-cbc-crc
  supported_enctypes = des3-cbc-sha1:normal des3-cbc-sha1:norealm
des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3
des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm
des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm
des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3
des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal
des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
 }
 
# /usr/kerberos/sbin/kadmin.local 
Authenticating as principal root/admin at REALM.GEEK.STUDENT.XXX with password.
kadmin.local:  listprincs
K/M at REALM.GEEK.STUDENT.XXX
admin/admin at REALM.GEEK.STUDENT.XXX
bone at REALM.GEEK.STUDENT.XXX
kadmin/admin at REALM.GEEK.STUDENT.XXX
kadmin/changepw at REALM.GEEK.STUDENT.XXX
kadmin/history at REALM.GEEK.STUDENT.XXX
krbtgt/GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
krbtgt/REALM.GEEK.STUDENT.XXX at GEEK.STUDENT.XXX
krbtgt/REALM.GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX

my conf on W2k3:
C:\>ksetup
default domain = geek.student.xxx (NT Domain)
REALM.GEEK.STUDENT.XXX:
        kdc = kdc.realm.geek.student.xxx
        Realm Flags = 0x0 none
No user mappings defined.

trust added: 2-way trust, non-trans
Name Mapping also set

--
freewizard (at) gmail.com 
http://blog.tsing.org/freewizard/

More information about the Kerberos mailing list