Auth problem while interop with win2k3
Song Du
freewizard at gmail.com
Sun Sep 26 11:07:03 EDT 2004
Thx for ur advice
I removed and readded princs by
kadmin.local -e "des-cbd-crc:normal"
that works.
On Fri, 24 Sep 2004 12:54:55 GMT, Jeffrey Altman <jaltman2 at nyc.rr.com> wrote:
> What are the enctypes associated with the bone at REALM...
> and host/ad.geek.student.xxx at GEEK... principals
> in the KDB as listed by kadmin?
>
> It does not make much sense that the KDC is issuing
> a ticket protected by 3DES when 3DES is not in the list
> of supported enctypes provided in the AS_REQ.
>
> Jeffrey Altman
>
>
>
>
> Song Du wrote:
>
> > with krb5-1.2.7-14 removed rpms and 1.3.5 installed,
> > I could successfully pass AS_REQ, but stopped at stage TGS_REQ.
> > log below:
> > Sep 24 15:13:59 kdc.realm.geek.student.xxx krb5kdc[13942](info):
> > AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.30.15.241: ISSUE:
> > authtime 1096010039, etypes {rep=3 tkt=16 ses=1},
> > bone at REALM.GEEK.STUDENT.XXX for
> > krbtgt/REALM.GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
> > Sep 24 15:14:00 kdc.realm.geek.xxx krb5kdc[13942](info): TGS_REQ (5
> > etypes {23 3 1 24 -135}) 10.30.15.241: ISSUE: authtime 1096010039,
> > etypes {rep=1 tkt=16 ses=1}, bone at REALM.GEEK.STUDENT.XXX for
> > krbtgt/GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
> > in Windows Event Viewer:
> > vent Type: Error
> > Event Source: Kerberos
> > Event Category: None
> > Event ID: 3
> > Date: 2004-9-24
> > Time: 14:30:54
> > User: N/A
> > Computer: AD
> > Description:
> > A Kerberos Error Message was received:
> > on logon session
> > Client Time:
> > Server Time: 6:30:54.0000 9/24/2004 Z
> > Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
> > Extended Error:
> > Client Realm:
> > Client Name:
> > Server Realm: GEEK.STUDENT.XXX
> > Server Name: host/ad.geek.student.xxx
> > Target Name: host/ad.geek.student.xxx at GEEK.STUDENT.XXX
> > Error Text:
> > File: 9
> > Line: ab8
> > Error Data is in record data.
> >
> > I tried to remove 3des enctypes from kdc.conf, bcz it's said windows
> > doesn't support 3des. but that didn't help.
> >
> > anyone had similar problem before?
> >
> > On Thu, 23 Sep 2004 10:27:53 +0800, Song Du <freewizard at gmail.com> wrote:
> >
> >>In short, I want to use foreign realm in windows domain login.
> >>kdc on RH9/krb5-server-1.2.7-14
> >>Active Directory Domain Controller on Win2k3
> >>Client PC is WinXP Sp2
> >>
> >>I followed the steps in
> >>http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp#heading5
> >>but when i try to logon as user bone on WinXP into domain
> >>REALM.GEEK.STUDENT.XXX, I got:
> >>Sep 23 09:48:20 SERVER krb5kdc[11586](info): AS_REQ (7 etypes {23 -133
> >>-128 3 1 24 -135}) 10.30.15.16(12920): ISSUE: authtime 1095904100,
> >>etypes {rep=3 tkt=16 ses=1}, bone at REALM.GEEK.STUDENT.XXX for
> >>krbtgt/REALM.GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
> >>Even with wrong password used, i still got the same msg above in
> >>/var/log/krb5kdc.log
> >>
> >>my conf files on RH9:
> >># cat /etc/krb5.conf
> >>[logging]
> >>default = FILE:/var/log/krb5libs.log
> >>kdc = FILE:/var/log/krb5kdc.log
> >>admin_server = FILE:/var/log/kadmind.log
> >>
> >>[libdefaults]
> >>ticket_lifetime = 24000
> >>default_realm = REALM.GEEK.STUDENT.XXX
> >>dns_lookup_realm = false
> >>dns_lookup_kdc = false
> >>
> >>[realms]
> >>REALM.GEEK.STUDENT.XXX = {
> >> kdc = kdc.realm.geek.student.XXX:88
> >> admin_server = kdc.realm.geek.student.XXX:749
> >> default_domain = realm.geek.student.XXX
> >>}
> >>
> >>[domain_realm]
> >>.realm.geek.student.xxx = REALM.GEEK.STUDENT.XXX
> >>realm.geek.student.xxx = REALM.GEEK.STUDENT.XXX
> >>
> >>[kdc]
> >>profile = /var/kerberos/krb5kdc/kdc.conf
> >>
> >>[appdefaults]
> >>pam = {
> >> debug = false
> >> ticket_lifetime = 36000
> >> renew_lifetime = 36000
> >> forwardable = true
> >> krb4_convert = false
> >>}
> >>
> >># cat /var/kerberos/krb5kdc/kdc.conf
> >>[kdcdefaults]
> >>acl_file = /var/kerberos/krb5kdc/kadm5.acl
> >>dict_file = /usr/share/dict/words
> >>admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> >>v4_mode = nopreauth
> >>
> >>[realms]
> >>REALM.GEEK.STUDENT.XXX = {
> >> master_key_type = des-cbc-crc
> >> supported_enctypes = des3-cbc-sha1:normal des3-cbc-sha1:norealm
> >>des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3
> >>des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm
> >>des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm
> >>des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3
> >>des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
> >>des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal
> >>des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
> >>}
> >>
> >># /usr/kerberos/sbin/kadmin.local
> >>Authenticating as principal root/admin at REALM.GEEK.STUDENT.XXX with password.
> >>kadmin.local: listprincs
> >>K/M at REALM.GEEK.STUDENT.XXX
> >>admin/admin at REALM.GEEK.STUDENT.XXX
> >>bone at REALM.GEEK.STUDENT.XXX
> >>kadmin/admin at REALM.GEEK.STUDENT.XXX
> >>kadmin/changepw at REALM.GEEK.STUDENT.XXX
> >>kadmin/history at REALM.GEEK.STUDENT.XXX
> >>krbtgt/GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
> >>krbtgt/REALM.GEEK.STUDENT.XXX at GEEK.STUDENT.XXX
> >>krbtgt/REALM.GEEK.STUDENT.XXX at REALM.GEEK.STUDENT.XXX
> >>
> >>my conf on W2k3:
> >>C:\>ksetup
> >>default domain = geek.student.xxx (NT Domain)
> >>REALM.GEEK.STUDENT.XXX:
> >> kdc = kdc.realm.geek.student.xxx
> >> Realm Flags = 0x0 none
> >>No user mappings defined.
> >>
> >>trust added: 2-way trust, non-trans
> >>Name Mapping also set
> >>
> >>--
> >>freewizard (at) gmail.com
> >>http://blog.tsing.org/freewizard/
> >>
> >
> >
> >
> >
>
> --
> -----------------
> This e-mail account is not read on a regular basis.
> Please send private responses to jaltman at mit dot edu
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
freewizard (at) gmail.com
http://blog.tsing.org/freewizard/
More information about the Kerberos
mailing list