Auth problem while interop with win2k3

Song Du freewizard at gmail.com
Fri Sep 24 04:15:55 EDT 2004


With the krb5-1.2.7-14 RPMs removed and 1.3.5 installed,
I could successfully pass AS_REQ, but stopped at the TGS_REQ stage.
Log below:
Sep 24 15:13:59 kdc.realm.geek.student.xxx krb5kdc[13942](info):
AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.30.15.241: ISSUE:
authtime 1096010039, etypes {rep=3 tkt=16 ses=1},
bone at REALM.GEEK.STUDENT.XXX for
krbtgt/REALM.GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
Sep 24 15:14:00 kdc.realm.geek.xxx krb5kdc[13942](info): TGS_REQ (5
etypes {23 3 1 24 -135}) 10.30.15.241: ISSUE: authtime 1096010039,
etypes {rep=1 tkt=16 ses=1}, bone at REALM.GEEK.STUDENT.XXX for
krbtgt/GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
In Windows Event Viewer:
Event Type:	Error
Event Source:	Kerberos
Event Category:	None
Event ID:	3
Date:		2004-9-24
Time:		14:30:54
User:		N/A
Computer:	AD
Description:
A Kerberos Error Message was received:
         on logon session 
 Client Time: 
 Server Time: 6:30:54.0000 9/24/2004 Z
 Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
 Extended Error: 
 Client Realm: 
 Client Name: 
 Server Realm: GEEK.STUDENT.XXX
 Server Name: host/ad.geek.student.xxx
 Target Name: host/ad.geek.student.xxx at GEEK.STUDENT.XXX
 Error Text: 
 File: 9
 Line: ab8
 Error Data is in record data.

I tried to remove the 3DES enctypes from kdc.conf, because it's said Windows
doesn't support 3DES, but that didn't help.

Has anyone had a similar problem before?

On Thu, 23 Sep 2004 10:27:53 +0800, Song Du <freewizard at gmail.com> wrote:
> In short, I want to use a foreign realm in Windows domain login.
> kdc on RH9/krb5-server-1.2.7-14
> Active Directory Domain Controller on Win2k3
> Client PC is WinXP Sp2
> 
> I followed the steps in
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp#heading5
> but when I try to log on as user bone on WinXP into domain
> REALM.GEEK.STUDENT.XXX, I get:
> Sep 23 09:48:20 SERVER krb5kdc[11586](info): AS_REQ (7 etypes {23 -133
> -128 3 1 24 -135}) 10.30.15.16(12920): ISSUE: authtime 1095904100,
> etypes {rep=3 tkt=16 ses=1}, bone at REALM.GEEK.STUDENT.XXX for
> krbtgt/REALM.GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
> Even with a wrong password, I still get the same message above in
> /var/log/krb5kdc.log
> 
> my conf files on RH9:
> # cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = REALM.GEEK.STUDENT.XXX
> dns_lookup_realm = false
> dns_lookup_kdc = false
> 
> [realms]
> REALM.GEEK.STUDENT.XXX = {
>  kdc = kdc.realm.geek.student.XXX:88
>  admin_server = kdc.realm.geek.student.XXX:749
>  default_domain = realm.geek.student.XXX
> }
> 
> [domain_realm]
> .realm.geek.student.xxx = REALM.GEEK.STUDENT.XXX
> realm.geek.student.xxx = REALM.GEEK.STUDENT.XXX
> 
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
> pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
> }
> 
> # cat /var/kerberos/krb5kdc/kdc.conf
> [kdcdefaults]
> acl_file = /var/kerberos/krb5kdc/kadm5.acl
> dict_file = /usr/share/dict/words
> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> v4_mode = nopreauth
> 
> [realms]
> REALM.GEEK.STUDENT.XXX = {
>  master_key_type = des-cbc-crc
>  supported_enctypes = des3-cbc-sha1:normal des3-cbc-sha1:norealm
> des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3
> des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm
> des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm
> des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3
> des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
> des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal
> des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
> }
> 
> # /usr/kerberos/sbin/kadmin.local
> Authenticating as principal root/admin at REALM.GEEK.STUDENT.XXX with password.
> kadmin.local:  listprincs
> K/M at REALM.GEEK.STUDENT.XXX
> admin/admin at REALM.GEEK.STUDENT.XXX
> bone at REALM.GEEK.STUDENT.XXX
> kadmin/admin at REALM.GEEK.STUDENT.XXX
> kadmin/changepw at REALM.GEEK.STUDENT.XXX
> kadmin/history at REALM.GEEK.STUDENT.XXX
> krbtgt/GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
> krbtgt/REALM.GEEK.STUDENT.XXX at GEEK.STUDENT.XXX
> krbtgt/REALM.GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
> 
> my conf on W2k3:
> C:\>ksetup
> default domain = geek.student.xxx (NT Domain)
> REALM.GEEK.STUDENT.XXX:
>        kdc = kdc.realm.geek.student.xxx
>        Realm Flags = 0x0 none
> No user mappings defined.
> 
> trust added: 2-way trust, non-trans
> Name Mapping also set
> 
> --
> freewizard (at) gmail.com
> http://blog.tsing.org/freewizard/
> 



-- 
freewizard (at) gmail.com 
http://blog.tsing.org/freewizard/
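The two krb5kdc ISSUE lines and the KDC_ERR_ETYPE_NOTSUPP event in the post can be read together by decoding the enctype numbers krb5kdc prints. The script below is an added example, not code from this thread or from MIT krb5: it parses krb5kdc ISSUE lines, names each enctype, and flags any cross-realm TGT whose ticket-key enctype (the tkt= value) is outside the set the foreign KDC is assumed to support. The Windows Server 2003 enctype set (DES and RC4 only) is an assumption, and the sample log is constructed by re-joining the wrapped lines from the post.

```python
import re
# Enctype numbers as krb5kdc logs them (RFC 3961 / RFC 4757); the negative
# values are Microsoft-private RC4 variants that Windows clients advertise.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac", 24: "rc4-hmac-exp", -128: "rc4-md4 (MS-private)",
                 -133: "rc4-hmac-old (MS-private)", -135: "rc4-hmac-old-exp (MS-private)"}
# Assumption: a Windows Server 2003 KDC holds only DES and RC4 keys, so the
# cross-realm krbtgt key it shares with the MIT KDC must be one of these.
WIN2K3_ENCTYPES = {1, 3, 23, 24}
ISSUE_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[-\d ]+)\}\) "
    r"(?P<client>[\d.]+)(?:\(\d+\))?: ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<cname>\S+?)(?:@| at )(?P<crealm>\S+) for "  # '@', or ' at ' as the list archive mangles it
    r"(?P<sname>\S+?)(?:@| at )(?P<srealm>\S+)")

def parse_issue(line):
    """Parse one krb5kdc ISSUE line into a dict; None if the line is not one."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(x) for x in rec["offered"].split()]  # client's etype list
    rec.update((k, int(rec[k])) for k in ("rep", "tkt", "ses"))
    return rec

def cross_realm_key_problem(rec, peer_enctypes=WIN2K3_ENCTYPES):
    """For a cross-realm TGT (sname krbtgt/<other realm>) whose ticket-key
    enctype the peer KDC cannot use, return a diagnosis string; else None."""
    svc, _, target = rec["sname"].partition("/")
    if svc != "krbtgt" or target == rec["srealm"] or rec["tkt"] in peer_enctypes:
        return None
    return (f"krbtgt/{target} key is {ENCTYPE_NAMES.get(rec['tkt'], rec['tkt'])}, "
            f"which the {target} KDC is assumed not to support")

def audit(lines):
    """Return [(sname, diagnosis)] for every issued ticket that trips the check."""
    recs = [r for r in map(parse_issue, lines) if r]
    return [(r["sname"], p) for r in recs if (p := cross_realm_key_problem(r))]

SAMPLE_LOG = [  # constructed: the two ISSUE lines from the post, re-joined
    "Sep 24 15:13:59 kdc krb5kdc[13942](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) "
    "10.30.15.241: ISSUE: authtime 1096010039, etypes {rep=3 tkt=16 ses=1}, "
    "bone@REALM.GEEK.STUDENT.XXX for krbtgt/REALM.GEEK.STUDENT.XXX@REALM.GEEK.STUDENT.XXX",
    "Sep 24 15:14:00 kdc krb5kdc[13942](info): TGS_REQ (5 etypes {23 3 1 24 -135}) "
    "10.30.15.241: ISSUE: authtime 1096010039, etypes {rep=1 tkt=16 ses=1}, "
    "bone@REALM.GEEK.STUDENT.XXX for krbtgt/GEEK.STUDENT.XXX@REALM.GEEK.STUDENT.XXX",
]
```

Running `audit(SAMPLE_LOG)` flags only the second line, the TGT for krbtgt/GEEK.STUDENT.XXX issued with tkt=16 (des3-cbc-sha1), while the local TGT from the AS_REQ passes.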