Auth problem while interop with win2k3

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Sep 24 08:54:55 EDT 2004


What are the enctypes associated with the bone at REALM...
and host/ad.geek.student.xxx at GEEK... principals
in the KDB as listed by kadmin?

It does not make much sense that the KDC is issuing
a ticket protected by 3DES when 3DES is not in the list
of supported enctypes provided in the AS_REQ.

Jeffrey Altman


Song Du wrote:

> with krb5-1.2.7-14 removed rpms and 1.3.5 installed,
> I could successfully pass AS_REQ, but stopped at stage TGS_REQ.
> log below:
> Sep 24 15:13:59 kdc.realm.geek.student.xxx krb5kdc[13942](info):
> AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.30.15.241: ISSUE:
> authtime 1096010039, etypes {rep=3 tkt=16 ses=1},
> bone at REALM.GEEK.STUDENT.XXX for
> krbtgt/REALM.GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
> Sep 24 15:14:00 kdc.realm.geek.xxx krb5kdc[13942](info): TGS_REQ (5
> etypes {23 3 1 24 -135}) 10.30.15.241: ISSUE: authtime 1096010039,
> etypes {rep=1 tkt=16 ses=1}, bone at REALM.GEEK.STUDENT.XXX for
> krbtgt/GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
> in Windows Event Viewer:
> vent Type:	Error
> Event Source:	Kerberos
> Event Category:	None
> Event ID:	3
> Date:		2004-9-24
> Time:		14:30:54
> User:		N/A
> Computer:	AD
> Description:
> A Kerberos Error Message was received:
>          on logon session 
>  Client Time: 
>  Server Time: 6:30:54.0000 9/24/2004 Z
>  Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
>  Extended Error: 
>  Client Realm: 
>  Client Name: 
>  Server Realm: GEEK.STUDENT.XXX
>  Server Name: host/ad.geek.student.xxx
>  Target Name: host/ad.geek.student.xxx at GEEK.STUDENT.XXX
>  Error Text: 
>  File: 9
>  Line: ab8
>  Error Data is in record data.
> 
> I tried to remove 3des enctypes from kdc.conf, because it's said Windows
> doesn't support 3DES, but that didn't help.
> 
> Anyone had a similar problem before?
> 
> On Thu, 23 Sep 2004 10:27:53 +0800, Song Du <freewizard at gmail.com> wrote:
> 
>>In short, I want to use foreign realm in windows domain login.
>>kdc on RH9/krb5-server-1.2.7-14
>>Active Directory Domain Controller on Win2k3
>>Client PC is WinXP Sp2
>>
>>I followed the steps in
>>http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp#heading5
>>but when I try to log on as user bone on WinXP into domain
>>REALM.GEEK.STUDENT.XXX, I got:
>>Sep 23 09:48:20 SERVER krb5kdc[11586](info): AS_REQ (7 etypes {23 -133
>>-128 3 1 24 -135}) 10.30.15.16(12920): ISSUE: authtime 1095904100,
>>etypes {rep=3 tkt=16 ses=1}, bone at REALM.GEEK.STUDENT.XXX for
>>krbtgt/REALM.GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
>>Even with a wrong password used, I still got the same msg above in
>>/var/log/krb5kdc.log
>>
>>my conf files on RH9:
>># cat /etc/krb5.conf
>>[logging]
>>default = FILE:/var/log/krb5libs.log
>>kdc = FILE:/var/log/krb5kdc.log
>>admin_server = FILE:/var/log/kadmind.log
>>
>>[libdefaults]
>>ticket_lifetime = 24000
>>default_realm = REALM.GEEK.STUDENT.XXX
>>dns_lookup_realm = false
>>dns_lookup_kdc = false
>>
>>[realms]
>>REALM.GEEK.STUDENT.XXX = {
>> kdc = kdc.realm.geek.student.XXX:88
>> admin_server = kdc.realm.geek.student.XXX:749
>> default_domain = realm.geek.student.XXX
>>}
>>
>>[domain_realm]
>>.realm.geek.student.xxx = REALM.GEEK.STUDENT.XXX
>>realm.geek.student.xxx = REALM.GEEK.STUDENT.XXX
>>
>>[kdc]
>>profile = /var/kerberos/krb5kdc/kdc.conf
>>
>>[appdefaults]
>>pam = {
>>  debug = false
>>  ticket_lifetime = 36000
>>  renew_lifetime = 36000
>>  forwardable = true
>>  krb4_convert = false
>>}
>>
>># cat /var/kerberos/krb5kdc/kdc.conf
>>[kdcdefaults]
>>acl_file = /var/kerberos/krb5kdc/kadm5.acl
>>dict_file = /usr/share/dict/words
>>admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>>v4_mode = nopreauth
>>
>>[realms]
>>REALM.GEEK.STUDENT.XXX = {
>> master_key_type = des-cbc-crc
>> supported_enctypes = des3-cbc-sha1:normal des3-cbc-sha1:norealm
>>des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3
>>des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm
>>des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm
>>des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3
>>des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
>>des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal
>>des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
>>}
>>
>># /usr/kerberos/sbin/kadmin.local
>>Authenticating as principal root/admin at REALM.GEEK.STUDENT.XXX with password.
>>kadmin.local:  listprincs
>>K/M at REALM.GEEK.STUDENT.XXX
>>admin/admin at REALM.GEEK.STUDENT.XXX
>>bone at REALM.GEEK.STUDENT.XXX
>>kadmin/admin at REALM.GEEK.STUDENT.XXX
>>kadmin/changepw at REALM.GEEK.STUDENT.XXX
>>kadmin/history at REALM.GEEK.STUDENT.XXX
>>krbtgt/GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
>>krbtgt/REALM.GEEK.STUDENT.XXX at GEEK.STUDENT.XXX
>>krbtgt/REALM.GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
>>
>>my conf on W2k3:
>>C:\>ksetup
>>default domain = geek.student.xxx (NT Domain)
>>REALM.GEEK.STUDENT.XXX:
>>       kdc = kdc.realm.geek.student.xxx
>>       Realm Flags = 0x0 none
>>No user mappings defined.
>>
>>trust added: 2-way trust, non-trans
>>Name Mapping also set
>>
>>--
>>freewizard (at) gmail.com
>>http://blog.tsing.org/freewizard/
>>
> 
> 
> 
> 

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

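The diagnosis above turns on reading the enctype numbers in the krb5kdc log: the client's offered list in the AS_REQ/TGS_REQ, versus the rep/tkt/ses enctypes the KDC actually used. The script below is an added example written for this archive page; it is not code from the thread or from MIT Kerberos. It parses ISSUE lines in the format the KDC log above uses (with "@" restored where the archive prints " at "), maps enctype numbers to names using the RFC 3961 registry plus the negative Microsoft-private values, and flags a ticket key enctype the client never offered. One caveat the check encodes: for an ordinary service ticket the tkt enctype is chosen from the service principal's own keys and need not appear in the client's list, so it is only reported as an error when the service is a cross-realm krbtgt, because there the "service" is the foreign KDC, which must be able to decrypt the TGT (as the Windows KDC_ERR_ETYPE_NOTSUPP here shows). The sample log lines are constructed from the ones quoted in the thread.

```python
import re
from dataclasses import dataclass

# Enctype numbers: RFC 3961 registry values plus the negative
# Microsoft-private values seen in Windows clients' AS_REQs.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
    -128: "rc4-md4",
    -133: "rc4-hmac-old",
    -135: "rc4-hmac-old-exp",
}

# Matches the ISSUE lines an MIT krb5kdc writes for AS_REQ and TGS_REQ.
LINE_RE = re.compile(
    r"(?P<msg>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<addr>\S+): ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)"
)

# Constructed from the log lines quoted in the thread ("@" restored).
SAMPLE_LOG = """\
Sep 24 15:13:59 kdc.realm.geek.student.xxx krb5kdc[13942](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.30.15.241: ISSUE: authtime 1096010039, etypes {rep=3 tkt=16 ses=1}, bone@REALM.GEEK.STUDENT.XXX for krbtgt/REALM.GEEK.STUDENT.XXX@REALM.GEEK.STUDENT.XXX
Sep 24 15:14:00 kdc.realm.geek.xxx krb5kdc[13942](info): TGS_REQ (5 etypes {23 3 1 24 -135}) 10.30.15.241: ISSUE: authtime 1096010039, etypes {rep=1 tkt=16 ses=1}, bone@REALM.GEEK.STUDENT.XXX for krbtgt/GEEK.STUDENT.XXX@REALM.GEEK.STUDENT.XXX
"""


@dataclass
class Issue:
    msg: str          # AS_REQ or TGS_REQ
    offered: list     # enctypes the client listed in its request
    rep: int          # enctype of the KDC reply (client's key)
    tkt: int          # enctype the issued ticket is encrypted in
    ses: int          # session key enctype
    client: str
    server: str


def etype_name(n: int) -> str:
    return ETYPE_NAMES.get(n, f"etype {n}")


def parse_issue(line: str):
    """Return an Issue for a krb5kdc ISSUE line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Issue(
        msg=m["msg"],
        offered=[int(x) for x in m["offered"].split()],
        rep=int(m["rep"]), tkt=int(m["tkt"]), ses=int(m["ses"]),
        client=m["client"], server=m["server"],
    )


def is_cross_realm_tgt(server: str) -> bool:
    """krbtgt/<other realm>@<this realm> is a cross-realm TGT."""
    if not server.startswith("krbtgt/"):
        return False
    name, _, realm = server.partition("@")
    return name[len("krbtgt/"):] != realm


def audit(issue: Issue):
    """Compare enctypes the KDC used against those the client offered.
    Returns a list of (severity, message) tuples."""
    findings = []
    offered = set(issue.offered)
    # The reply key and session key are consumed by the client itself,
    # so both must come from the list the client offered.
    for label, et in (("reply", issue.rep), ("session", issue.ses)):
        if et not in offered:
            findings.append(("error", f"{label} key {etype_name(et)} was not offered by the client"))
    if issue.tkt not in offered:
        if is_cross_realm_tgt(issue.server):
            findings.append(("error",
                f"cross-realm TGT for {issue.server} is protected with {etype_name(issue.tkt)}, "
                f"which the client did not offer; the foreign KDC must support that enctype"))
        else:
            findings.append(("info",
                f"ticket key {etype_name(issue.tkt)} is not in the client's list "
                f"(normal: it is chosen from {issue.server}'s own keys)"))
    return findings


def audit_log(text: str):
    """Audit every ISSUE line in a log; returns [(Issue, findings), ...]."""
    results = []
    for line in text.splitlines():
        issue = parse_issue(line)
        if issue is not None:
            results.append((issue, audit(issue)))
    return results


if __name__ == "__main__":
    for issue, findings in audit_log(SAMPLE_LOG):
        print(f"{issue.msg} {issue.client} -> {issue.server}: offered "
              + ", ".join(etype_name(e) for e in issue.offered))
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run against the two quoted lines, the AS_REQ produces only an informational note (the local TGT's 3DES key is the KDC's own business), while the TGS_REQ for krbtgt/GEEK.STUDENT.XXX is reported as an error, matching the event the Windows domain controller logged.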

More information about the Kerberos mailing list