Auth problem while interop with win2k3
Song Du
freewizard at gmail.com
Fri Sep 24 04:15:55 EDT 2004
with krb5-1.2.7-14 removed rpms and 1.3.5 installed,
I could successfully pass AS_REQ, but stopped at stage TGS_REQ.
log below:
Sep 24 15:13:59 kdc.realm.geek.student.xxx krb5kdc[13942](info):
AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.30.15.241: ISSUE:
authtime 1096010039, etypes {rep=3 tkt=16 ses=1},
bone at REALM.GEEK.STUDENT.XXX for
krbtgt/REALM.GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
Sep 24 15:14:00 kdc.realm.geek.xxx krb5kdc[13942](info): TGS_REQ (5
etypes {23 3 1 24 -135}) 10.30.15.241: ISSUE: authtime 1096010039,
etypes {rep=1 tkt=16 ses=1}, bone at REALM.GEEK.STUDENT.XXX for
krbtgt/GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
in Windows Event Viewer:
vent Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 2004-9-24
Time: 14:30:54
User: N/A
Computer: AD
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 6:30:54.0000 9/24/2004 Z
Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
Extended Error:
Client Realm:
Client Name:
Server Realm: GEEK.STUDENT.XXX
Server Name: host/ad.geek.student.xxx
Target Name: host/ad.geek.student.xxx at GEEK.STUDENT.XXX
Error Text:
File: 9
Line: ab8
Error Data is in record data.
I tried to remove 3des enctypes from kdc.conf, bcz it's said windows
doesn't support 3des. but that didn't help.
anyone had similar problem before?
On Thu, 23 Sep 2004 10:27:53 +0800, Song Du <freewizard at gmail.com> wrote:
> In short, I want to use foreign realm in windows domain login.
> kdc on RH9/krb5-server-1.2.7-14
> Active Directory Domain Controller on Win2k3
> Client PC is WinXP Sp2
>
> I followed the steps in
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp#heading5
> but when i try to logon as user bone on WinXP into domain
> REALM.GEEK.STUDENT.XXX, I got:
> Sep 23 09:48:20 SERVER krb5kdc[11586](info): AS_REQ (7 etypes {23 -133
> -128 3 1 24 -135}) 10.30.15.16(12920): ISSUE: authtime 1095904100,
> etypes {rep=3 tkt=16 ses=1}, bone at REALM.GEEK.STUDENT.XXX for
> krbtgt/REALM.GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
> Even with wrong password used, i still got the same msg above in
> /var/log/krb5kdc.log
>
> my conf files on RH9:
> # cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = REALM.GEEK.STUDENT.XXX
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> REALM.GEEK.STUDENT.XXX = {
> kdc = kdc.realm.geek.student.XXX:88
> admin_server = kdc.realm.geek.student.XXX:749
> default_domain = realm.geek.student.XXX
> }
>
> [domain_realm]
> .realm.geek.student.xxx = REALM.GEEK.STUDENT.XXX
> realm.geek.student.xxx = REALM.GEEK.STUDENT.XXX
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> # cat /var/kerberos/krb5kdc/kdc.conf
> [kdcdefaults]
> acl_file = /var/kerberos/krb5kdc/kadm5.acl
> dict_file = /usr/share/dict/words
> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> v4_mode = nopreauth
>
> [realms]
> REALM.GEEK.STUDENT.XXX = {
> master_key_type = des-cbc-crc
> supported_enctypes = des3-cbc-sha1:normal des3-cbc-sha1:norealm
> des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3
> des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm
> des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm
> des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3
> des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
> des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal
> des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
> }
>
> # /usr/kerberos/sbin/kadmin.local
> Authenticating as principal root/admin at REALM.GEEK.STUDENT.XXX with password.
> kadmin.local: listprincs
> K/M at REALM.GEEK.STUDENT.XXX
> admin/admin at REALM.GEEK.STUDENT.XXX
> bone at REALM.GEEK.STUDENT.XXX
> kadmin/admin at REALM.GEEK.STUDENT.XXX
> kadmin/changepw at REALM.GEEK.STUDENT.XXX
> kadmin/history at REALM.GEEK.STUDENT.XXX
> krbtgt/GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
> krbtgt/REALM.GEEK.STUDENT.XXX at GEEK.STUDENT.XXX
> krbtgt/REALM.GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
>
> my conf on W2k3:
> C:\>ksetup
> default domain = geek.student.xxx (NT Domain)
> REALM.GEEK.STUDENT.XXX:
> kdc = kdc.realm.geek.student.xxx
> Realm Flags = 0x0 none
> No user mappings defined.
>
> trust added: 2-way trust, non-trans
> Name Mapping also set
>
> --
> freewizard (at) gmail.com
> http://blog.tsing.org/freewizard/
>
--
freewizard (at) gmail.com
http://blog.tsing.org/freewizard/
More information about the Kerberos
mailing list