How to setup trust between 2003 SP1/R2 and MIT 1.4.3 ?
Markus Moeller
huaraz at moeller.plus.com
Mon May 1 19:04:24 EDT 2006
I should have research better in the old archives. With ktpass
/MITRealmName SUSE.HOME /trustencryp rc4 run on the Windows kdc I get now a
trust with RC4 encryption.
Markus
"Markus Moeller" <huaraz at moeller.plus.com> wrote in message
news:44567655$0$23156$ed2e19e4 at ptn-nntp-reader04.plus.net...
> If I change the encryption type on my OpenSuse kdc to DES only and do the
> mapping on the use in AD and not via ksetup I can login with markus from
> domain SUSE.HOME.
>
> Does this mean there is still no trust with rc4-hmac possible ??
>
> Thanks
> Markus
>
> "Markus Moeller" <huaraz at moeller.plus.com> wrote in message
> news:44566da3$0$2565$ed2619ec at ptn-nntp-reader02.plus.net...
>> Three further observations
>>
>> => 1) User WINDOWS2003\markus-a CAN NOT connect with putty from Win XP to
>> opensuse.suse.home (no port 88 traffic)
>> I can connect as user WINDOWS2003\markus-a with putty 0.58 with
>> GSSAPI (e.g. MIT libraries) from Win XP to
>> opensuse.suse.home
>> => 10) User markus at SUSE.HOME CAN NOT connect with Firefox from OpenSuse
>> to
>> http://w2k3.windows2003.home. I get a KRB5KDC_ERR_ETYPE_NOSUPP
>> error (see below capture of AS-REQ,
>> AS-REP, TGS-REQ, TGS-REP)
>> It works when I change the encryption types in krb5.conf to only
>> des on OpenSuse.
>>
>> and I CAN NOT login to the Win XP box as markus from domain SUSE.HOME. I
>> tried ksetup /mapuser * * with no suceess.
>>
>> Any idea what I need to change ?
>>
>> Thank you
>> Markus
>>
>> "Markus Moeller" <huaraz at moeller.plus.com> wrote in message
>> news:4456216c$0$2562$ed2619ec at ptn-nntp-reader02.plus.net...
>>>I searched a bit more and found some hints how to set it up. But I still
>>>have a couple of problems. Does anybody have an idea why I get a
>>>KRB5KDC_ERR_ETYPE_NOSUPP error when I try to access a webserver in the
>>>WINDOWS domain from a MIT domain ?
>>>
>>> Thank you
>>> Markus
>>>
>>> My sample setup:
>>>
>>> 1. OpenSuse with kdc opensuse.suse.home for SUSE.HOME realm for all
>>> systems in *.suse.home domain (which is based on MIT 1.4.1)
>>> 2. Windows 2003 R2 kdc w2k3.windows2003.home for WINDOWS2003.HOME realm
>>> for all systems in *.windows2003.home domain
>>> 3. Run Apache2 with mod_spnego on opensuse.suse.home allows all valid
>>> users (the same host as kdc for testing only)
>>> 4. Run Apache2 with mod_spnego on w2k3.windows.home allows all valid
>>> users (the same host as the kdc for testing with kfw 3.0 installed too
>>> to build mod_spnego)
>>> 5. Windows XP system winxp.windows2003.home in realm WINDOWS2003.HOME
>>> 6. Run putty 0.57 fromVintela with SSPI support on Windows XP
>>>
>>> Both kdc's have a user markus. The Windows kdc has also a user markus-a
>>> which does not exist in the OpenSuse kdc
>>>
>>> On OpenSuse markus had a .k5login file with:
>>> markus at SUSE.HOME
>>> markus at WINDOWS2003.HOME
>>> markus-a at WINDOWS2003.HOME
>>>
>>> =======================================================================
>>>
>>> Setup of kdc on OpenSuse with Apache2 and mod_spnego
>>>
>>> #!/bin/ksh
>>> DATE=`date +%Y%m%d.%H%M%S`
>>> #
>>> # OpenSuse binary locations
>>> #
>>> KDB5_UTIL=/usr/lib/mit/sbin/kdb5_util
>>> KADMINLOCAL=/usr/lib/mit/sbin/kadmin.local
>>> #
>>> # Directories and Files
>>> #
>>> VARDIR=/var/lib/kerberos/krb5kdc
>>> ETCDIR=/etc
>>> APACHEDIR=/etc/apache2
>>> KDC_CONF_DIR=${VARDIR}
>>> KADM5ACL=${VARDIR}/kadm5.acl
>>> #
>>> # Realms
>>> #
>>> REALM=SUSE.HOME
>>> REALM2=WINDOWS2003.HOME
>>> KDC=opensuse.suse.home
>>> KDC2=w2k3.windows2003.home
>>> DOMAIN=suse.home
>>> DOMAIN2=windows2003.home
>>> #
>>> PASS="UNIX000$"
>>> #
>>> # stop daemons
>>> #
>>> /etc/init.d/krb5kdc stop
>>> /etc/init.d/kadmind stop
>>> /etc/init.d/apache2 stop
>>> #
>>> # Save old configs
>>> #
>>> mkdir ${VARDIR}/version-${DATE}
>>> mv ${KDC_CONF_DIR}/kdc.conf ${KDC_CONF_DIR}/kdc.conf-${DATE}
>>> mv ${VARDIR}/principal* ${VARDIR}/version-${DATE}/
>>> mv ${VARDIR}/kadm5* ${VARDIR}/version-${DATE}/
>>> mv ${KADM5ACL} ${KADM5ACL}-${DATE}
>>> mv ${VARDIR}/.k5.* ${VARDIR}/version-${DATE}/
>>>
>>> mv ${ETCDIR}/krb5.conf ${ETCDIR}/krb5.conf-${DATE}
>>> mv ${ETCDIR}/krb5.keytab ${ETCDIR}/krb5.keytab-${DATE}
>>>
>>> mv ${APACHEDIR}/HTTP.keytab ${APACHEDIR}/HTTP.keytab-${DATE}
>>> #
>>> # Create kdc.conf
>>> #
>>> cat > ${KDC_CONF_DIR}/kdc.conf <<!
>>> [kdcdefaults]
>>> kdc_ports = 750,88
>>> [realms]
>>> ${REALM} = {
>>> database_name = ${VARDIR}/principal
>>> admin_keytab = FILE:${VARDIR}/kadm5.keytab
>>> acl_file = ${KADM5ACL}
>>> key_stash_file = ${VARDIR}/.k5.${REALM}
>>> kdc_ports = 750,88
>>> supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal
>>> des-cb
>>> c-crc:normal des-cbc-md5:normal
>>> kdc_supported_enctypes = rc4-hmac:normal
>>> des3-cbc-sha1:normal de
>>> s-cbc-crc:normal des-cbc-md5:normal
>>> max_life = 10h 0m 0s
>>> max_renewable_life = 7d 0h 0m 0s
>>> }
>>> [logging]
>>> kdc = FILE:/var/log/kdc.log
>>> admin_server = FILE:/var/log/kadmin.log
>>> !
>>> #
>>> # Create krb5.conf
>>> #
>>> cat > ${ETCDIR}/krb5.conf <<!
>>> [libdefaults]
>>> default_realm = ${REALM}
>>> dns_lookup_kdc = no
>>> dns_lookup_realm = no
>>> default_keytab_name = ${ETCDIR}/krb5.keytab
>>> default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc
>>> des-cbc-md5
>>> default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc
>>> des-cbc-md5
>>> permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc
>>> des-cbc-md5
>>> [realms]
>>> ${REALM} = {
>>> kdc = ${KDC}
>>> admin_server = ${KDC}
>>> }
>>> ${REALM2} = {
>>> kdc = ${KDC2}
>>> admin_server = ${KDC2}
>>> }
>>> [domain_realm]
>>> .${DOMAIN} = ${REALM}
>>> ${DOMAIN} = ${REALM}
>>> .${DOMAIN2} = ${REALM2}
>>> ${DOMAIN2} = ${REALM2}
>>>
>>> [logging]
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmin.log
>>> default = FILE:/var/log/krb5lib.log
>>> !
>>> #
>>> # Create database
>>> #
>>> ${KDB5_UTIL} create -r ${REALM} -s <<!
>>> ${REALM}00$
>>> ${REALM}00$
>>> !
>>> #
>>> # Create ACL file
>>> #
>>> cat > ${KADM5ACL} <<!
>>> ###############################################################################
>>> #Kerberos_principal permissions [target_principal]
>>> [restrictions]
>>> ###############################################################################
>>> #
>>> #*/admin at EXAMPLE.COM *
>>> */admin@${REALM} *
>>> !
>>> #
>>> # Create some principals
>>> #
>>> ${KADMINLOCAL} <<!
>>> addprinc -pw "${PASS}" krbtgt/${REALM}@${REALM2}
>>> addprinc -pw "${PASS}" krbtgt/${REALM2}@${REALM}
>>> addprinc -randkey host/${KDC}
>>> addprinc -pw "Root" root/admin
>>> addprinc -pw "Markus" markus/admin
>>> addprinc -pw "markus" markus
>>> addprinc -randkey HTTP/${KDC}
>>> ktadd -k ${VARDIR}/kadm5.keytab kadmin/admin kadmin/changepw
>>> ktadd -k ${ETCDIR}/krb5.keytab host/${KDC}
>>> ktadd -k ${APACHEDIR}/HTTP.keytab HTTP/${KDC}
>>> !
>>> #
>>> # Start daemons
>>> #
>>> /etc/init.d/krb5kdc start
>>> /etc/init.d/kadmind start
>>> chgrp www ${APACHEDIR}/HTTP.keytab
>>> chmod g+r ${APACHEDIR}/HTTP.keytab
>>> /etc/init.d/apache2 start
>>>
>>>
>>> ======================================================================================
>>>
>>> Setup of Windows 2003 R2 KDC
>>>
>>> Raise AD to Windows 2003 server forest functional level from AD
>>> Directory and Trust tool. Then run
>>>
>>> ksetup.exe /addkdc SUSE.HOME opensuse.suse.home
>>> ksetup.exe /addrealmflags SUSE.HOME tcpsupported
>>>
>>>
>>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /add /realm /twoway
>>> /PasswordT:UNIX000$
>>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /transitive:yes
>>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /foresttransitive:yes
>>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home
>>>
>>> create HTTP/w2k3.windows2003.home principal with msktutil.
>>>
>>> =======================================================================================
>>>
>>> Now what I got working and what not !!
>>>
>>> 1) User WINDOWS2003\markus can connect with putty from Win XP to
>>> opensuse.suse.home
>>> 2) User WINDOWS2003\markus can connect with IE from Win XP to
>>> http://w2k3.windows2003.home
>>> 3) User WINDOWS2003\markus can connect with IE from Win XP to
>>> http://opensuse.suse.home
>>>
>>> => 1) User WINDOWS2003\markus-a CAN NOT connect with putty from Win XP
>>> to opensuse.suse.home (no port 88 traffic)
>>> 2) User WINDOWS2003\markus-a can connect with IE from Win XP to
>>> http://w2k3.windows2003.home
>>> 3) User WINDOWS2003\markus-a can connect with IE from Win XP to
>>> http://opensuse.suse.home
>>>
>>> 4) User WINDOWS2003\markus can connect with putty from Windows 2003
>>> kdc to opensuse.suse.home
>>> 5) User WINDOWS2003\markus can connect with IE from Windows 2003 kdc
>>> to http://opensuse.suse.home
>>> => 6) User WINDOWS2003\markus CAN NOT connect with IE from Windows 2003
>>> kdc to http://w2k3.windows2003.home (no port 88 traffic)
>>>
>>> 7) User markus at SUSE.HOME can connect with Firefox from OpenSuse to
>>> http://opensuse.suse.home
>>> 8) User markus at WINDOWS2003.HOME can connect with Firefox from
>>> OpenSuse to http://opensuse.suse.home
>>> 9) User markus at WINDOWS2003.HOME can connect with Firefox from
>>> OpenSuse to http://w2k3.windows2003.home
>>> => 10) User markus at SUSE.HOME CAN NOT connect with Firefox from OpenSuse
>>> to http://w2k3.windows2003.home. I get a
>>> KRB5KDC_ERR_ETYPE_NOSUPP error (see below capture of AS-REQ, AS-REP,
>>> TGS-REQ, TGS-REP)
>>>
>>>
>>>
>>> No. Time Source Destination Protocol
>>> Info
>>> 435 51218.688966 opensuse.suse.home opensuse.suse.home KRB5
>>> AS-REQ
>>>
>>> Frame 435 (203 bytes on wire, 203 bytes captured)
>>> Arrival Time: May 1, 2006 13:51:23.964058000
>>> Time delta from previous packet: 217.931451000 seconds
>>> Time since reference or first frame: 51218.688966000 seconds
>>> Frame Number: 435
>>> Packet Length: 203 bytes
>>> Capture Length: 203 bytes
>>> Protocols in frame: sll:ip:udp:kerberos
>>> Linux cooked capture
>>> Packet type: Unicast to us (0)
>>> Link-layer address type: 772
>>> Link-layer address length: 0
>>> Source: <MISSING>
>>> Protocol: IP (0x0800)
>>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
>>> opensuse.suse.home (192.168.1.7)
>>> Version: 4
>>> Header length: 20 bytes
>>> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>> .... ..0. = ECN-Capable Transport (ECT): 0
>>> .... ...0 = ECN-CE: 0
>>> Total Length: 187
>>> Identification: 0x34ac (13484)
>>> Flags: 0x04 (Don't Fragment)
>>> 0... = Reserved bit: Not set
>>> .1.. = Don't fragment: Set
>>> ..0. = More fragments: Not set
>>> Fragment offset: 0
>>> Time to live: 64
>>> Protocol: UDP (0x11)
>>> Header checksum: 0x8227 [correct]
>>> Good: True
>>> Bad : False
>>> Source: opensuse.suse.home (192.168.1.7)
>>> Destination: opensuse.suse.home (192.168.1.7)
>>> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
>>> Source port: 32885 (32885)
>>> Destination port: kerberos (88)
>>> Length: 167
>>> Checksum: 0x8417 [incorrect, should be 0x1303]
>>> Kerberos AS-REQ
>>> Pvno: 5
>>> MSG Type: AS-REQ (10)
>>> KDC_REQ_BODY
>>> Padding: 0
>>> KDCOptions: 00000010 (Renewable OK)
>>> .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
>>> use forwardable tickets
>>> ..0. .... .... .... .... .... .... .... = Forwarded: This is
>>> NOT a forwarded ticket
>>> ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT
>>> use proxiable tickets
>>> .... 0... .... .... .... .... .... .... = Proxy: This ticket
>>> has NOT been proxied
>>> .... .0.. .... .... .... .... .... .... = Allow Postdate: We
>>> do NOT allow the ticket to be postdated
>>> .... ..0. .... .... .... .... .... .... = Postdated: This
>>> ticket is NOT postdated
>>> .... .... 0... .... .... .... .... .... = Renewable: This
>>> ticket is NOT renewable
>>> .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
>>> .... .... .... ...0 .... .... .... .... = Canonicalize: This
>>> is NOT a canonicalized ticket request
>>> .... .... .... .... .... .... ..0. .... = Disable Transited
>>> Check: Transited checking is NOT disabled
>>> .... .... .... .... .... .... ...1 .... = Renewable OK: We
>>> accept RENEWED tickets
>>> .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
>>> NOT encrypt the tkt inside the skey
>>> .... .... .... .... .... .... .... ..0. = Renew: This is NOT
>>> a request to renew a ticket
>>> .... .... .... .... .... .... .... ...0 = Validate: This is
>>> NOT a request to validate a postdated ticket
>>> Client Name (Principal): markus
>>> Name-type: Principal (1)
>>> Name: markus
>>> Realm: SUSE.HOME
>>> Server Name (Unknown): krbtgt/SUSE.HOME
>>> Name-type: Unknown (0)
>>> Name: krbtgt
>>> Name: SUSE.HOME
>>> from: 2006-05-01 12:51:23 (Z)
>>> till: 2006-05-02 12:51:23 (Z)
>>> Nonce: 1146487883
>>> Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>> Encryption type: rc4-hmac (23)
>>> Encryption type: des3-cbc-sha1 (16)
>>> Encryption type: des-cbc-crc (1)
>>> Encryption type: des-cbc-md5 (3)
>>>
>>> No. Time Source Destination Protocol
>>> Info
>>> 436 51218.693811 opensuse.suse.home opensuse.suse.home KRB5
>>> AS-REP
>>>
>>> Frame 436 (598 bytes on wire, 598 bytes captured)
>>> Arrival Time: May 1, 2006 13:51:23.968903000
>>> Time delta from previous packet: 0.004845000 seconds
>>> Time since reference or first frame: 51218.693811000 seconds
>>> Frame Number: 436
>>> Packet Length: 598 bytes
>>> Capture Length: 598 bytes
>>> Protocols in frame: sll:ip:udp:kerberos
>>> Linux cooked capture
>>> Packet type: Unicast to us (0)
>>> Link-layer address type: 772
>>> Link-layer address length: 0
>>> Source: <MISSING>
>>> Protocol: IP (0x0800)
>>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
>>> opensuse.suse.home (192.168.1.7)
>>> Version: 4
>>> Header length: 20 bytes
>>> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>> .... ..0. = ECN-Capable Transport (ECT): 0
>>> .... ...0 = ECN-CE: 0
>>> Total Length: 582
>>> Identification: 0x001e (30)
>>> Flags: 0x04 (Don't Fragment)
>>> 0... = Reserved bit: Not set
>>> .1.. = Don't fragment: Set
>>> ..0. = More fragments: Not set
>>> Fragment offset: 0
>>> Time to live: 64
>>> Protocol: UDP (0x11)
>>> Header checksum: 0xb52a [correct]
>>> Good: True
>>> Bad : False
>>> Source: opensuse.suse.home (192.168.1.7)
>>> Destination: opensuse.suse.home (192.168.1.7)
>>> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
>>> Source port: kerberos (88)
>>> Destination port: 32885 (32885)
>>> Length: 562
>>> Checksum: 0x85a2 [incorrect, should be 0x84dc]
>>> Kerberos AS-REP
>>> Pvno: 5
>>> MSG Type: AS-REP (11)
>>> padata: Unknown:19
>>> Type: Unknown (19)
>>> Value: 30073005A003020117
>>> Client Realm: SUSE.HOME
>>> Client Name (Principal): markus
>>> Name-type: Principal (1)
>>> Name: markus
>>> Ticket
>>> Tkt-vno: 5
>>> Realm: SUSE.HOME
>>> Server Name (Unknown): krbtgt/SUSE.HOME
>>> Name-type: Unknown (0)
>>> Name: krbtgt
>>> Name: SUSE.HOME
>>> enc-part rc4-hmac
>>> Encryption type: rc4-hmac (23)
>>> Kvno: 1
>>> enc-part: 4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1...
>>> enc-part rc4-hmac
>>> Encryption type: rc4-hmac (23)
>>> enc-part: E0E5CF0DBFEF8C3326CE6F3CB5CFFD73A355696BCD0E95CB...
>>>
>>> No. Time Source Destination Protocol
>>> Info
>>> 443 51229.309113 opensuse.suse.home opensuse.suse.home KRB5
>>> TGS-REQ
>>>
>>> Frame 443 (652 bytes on wire, 652 bytes captured)
>>> Arrival Time: May 1, 2006 13:51:34.584205000
>>> Time delta from previous packet: 10.615302000 seconds
>>> Time since reference or first frame: 51229.309113000 seconds
>>> Frame Number: 443
>>> Packet Length: 652 bytes
>>> Capture Length: 652 bytes
>>> Protocols in frame: sll:ip:udp:kerberos
>>> Linux cooked capture
>>> Packet type: Unicast to us (0)
>>> Link-layer address type: 772
>>> Link-layer address length: 0
>>> Source: <MISSING>
>>> Protocol: IP (0x0800)
>>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
>>> opensuse.suse.home (192.168.1.7)
>>> Version: 4
>>> Header length: 20 bytes
>>> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>> .... ..0. = ECN-Capable Transport (ECT): 0
>>> .... ...0 = ECN-CE: 0
>>> Total Length: 636
>>> Identification: 0x3f0b (16139)
>>> Flags: 0x04 (Don't Fragment)
>>> 0... = Reserved bit: Not set
>>> .1.. = Don't fragment: Set
>>> ..0. = More fragments: Not set
>>> Fragment offset: 0
>>> Time to live: 64
>>> Protocol: UDP (0x11)
>>> Header checksum: 0x7607 [correct]
>>> Good: True
>>> Bad : False
>>> Source: opensuse.suse.home (192.168.1.7)
>>> Destination: opensuse.suse.home (192.168.1.7)
>>> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
>>> Source port: 32885 (32885)
>>> Destination port: kerberos (88)
>>> Length: 616
>>> Checksum: 0x85d8 [incorrect, should be 0x7d06]
>>> Kerberos TGS-REQ
>>> Pvno: 5
>>> MSG Type: TGS-REQ (12)
>>> padata: PA-TGS-REQ
>>> Type: PA-TGS-REQ (1)
>>> Value: 6E82019D30820199A003020105A10302010EA20703050000...
>>> AP-REQ
>>> Pvno: 5
>>> MSG Type: AP-REQ (14)
>>> Padding: 0
>>> APOptions: 00000000
>>> .0.. .... .... .... .... .... .... .... = Use Session
>>> Key: Do NOT use the session key to encrypt the ticket
>>> ..0. .... .... .... .... .... .... .... = Mutual
>>> required: Mutual authentication is NOT required
>>> Ticket
>>> Tkt-vno: 5
>>> Realm: SUSE.HOME
>>> Server Name (Unknown): krbtgt/SUSE.HOME
>>> Name-type: Unknown (0)
>>> Name: krbtgt
>>> Name: SUSE.HOME
>>> enc-part rc4-hmac
>>> Encryption type: rc4-hmac (23)
>>> Kvno: 1
>>> enc-part:
>>> 4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1...
>>> Authenticator rc4-hmac
>>> Encryption type: rc4-hmac (23)
>>> Authenticator data:
>>> B7008BD37B307572105D0107E309A30F6E89F74B4663A474...
>>> KDC_REQ_BODY
>>> Padding: 0
>>> KDCOptions: 00800000 (Renewable)
>>> .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
>>> use forwardable tickets
>>> ..0. .... .... .... .... .... .... .... = Forwarded: This is
>>> NOT a forwarded ticket
>>> ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT
>>> use proxiable tickets
>>> .... 0... .... .... .... .... .... .... = Proxy: This ticket
>>> has NOT been proxied
>>> .... .0.. .... .... .... .... .... .... = Allow Postdate: We
>>> do NOT allow the ticket to be postdated
>>> .... ..0. .... .... .... .... .... .... = Postdated: This
>>> ticket is NOT postdated
>>> .... .... 1... .... .... .... .... .... = Renewable: This
>>> ticket is RENEWABLE
>>> .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
>>> .... .... .... ...0 .... .... .... .... = Canonicalize: This
>>> is NOT a canonicalized ticket request
>>> .... .... .... .... .... .... ..0. .... = Disable Transited
>>> Check: Transited checking is NOT disabled
>>> .... .... .... .... .... .... ...0 .... = Renewable OK: We do
>>> NOT accept renewed tickets
>>> .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
>>> NOT encrypt the tkt inside the skey
>>> .... .... .... .... .... .... .... ..0. = Renew: This is NOT
>>> a request to renew a ticket
>>> .... .... .... .... .... .... .... ...0 = Validate: This is
>>> NOT a request to validate a postdated ticket
>>> Realm: SUSE.HOME
>>> Server Name (Unknown): krbtgt/WINDOWS2003.HOME
>>> Name-type: Unknown (0)
>>> Name: krbtgt
>>> Name: WINDOWS2003.HOME
>>> from: 2006-05-01 12:51:23 (Z)
>>> till: 2006-05-01 22:51:23 (Z)
>>> rtime: 2006-05-02 12:51:23 (Z)
>>> Nonce: 1146487891
>>> Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>> Encryption type: rc4-hmac (23)
>>> Encryption type: des3-cbc-sha1 (16)
>>> Encryption type: des-cbc-crc (1)
>>> Encryption type: des-cbc-md5 (3)
>>>
>>> No. Time Source Destination Protocol
>>> Info
>>> 444 51229.328348 opensuse.suse.home opensuse.suse.home KRB5
>>> TGS-REP
>>>
>>> Frame 444 (629 bytes on wire, 629 bytes captured)
>>> Arrival Time: May 1, 2006 13:51:34.603440000
>>> Time delta from previous packet: 0.019235000 seconds
>>> Time since reference or first frame: 51229.328348000 seconds
>>> Frame Number: 444
>>> Packet Length: 629 bytes
>>> Capture Length: 629 bytes
>>> Protocols in frame: sll:ip:udp:kerberos
>>> Linux cooked capture
>>> Packet type: Unicast to us (0)
>>> Link-layer address type: 772
>>> Link-layer address length: 0
>>> Source: <MISSING>
>>> Protocol: IP (0x0800)
>>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
>>> opensuse.suse.home (192.168.1.7)
>>> Version: 4
>>> Header length: 20 bytes
>>> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>> .... ..0. = ECN-Capable Transport (ECT): 0
>>> .... ...0 = ECN-CE: 0
>>> Total Length: 613
>>> Identification: 0x001f (31)
>>> Flags: 0x04 (Don't Fragment)
>>> 0... = Reserved bit: Not set
>>> .1.. = Don't fragment: Set
>>> ..0. = More fragments: Not set
>>> Fragment offset: 0
>>> Time to live: 64
>>> Protocol: UDP (0x11)
>>> Header checksum: 0xb50a [correct]
>>> Good: True
>>> Bad : False
>>> Source: opensuse.suse.home (192.168.1.7)
>>> Destination: opensuse.suse.home (192.168.1.7)
>>> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
>>> Source port: kerberos (88)
>>> Destination port: 32885 (32885)
>>> Length: 593
>>> Checksum: 0x85c1 [incorrect, should be 0x3f5c]
>>> Kerberos TGS-REP
>>> Pvno: 5
>>> MSG Type: TGS-REP (13)
>>> Client Realm: SUSE.HOME
>>> Client Name (Principal): markus
>>> Name-type: Principal (1)
>>> Name: markus
>>> Ticket
>>> Tkt-vno: 5
>>> Realm: SUSE.HOME
>>> Server Name (Unknown): krbtgt/WINDOWS2003.HOME
>>> Name-type: Unknown (0)
>>> Name: krbtgt
>>> Name: WINDOWS2003.HOME
>>> enc-part rc4-hmac
>>> Encryption type: rc4-hmac (23)
>>> Kvno: 1
>>> enc-part: 46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE...
>>> enc-part rc4-hmac
>>> Encryption type: rc4-hmac (23)
>>> enc-part: 981F6F1C48DBB164CDAB8E7C4439D8C29B9DD584929E8580...
>>>
>>> No. Time Source Destination Protocol
>>> Info
>>> 445 51229.329735 opensuse.suse.home windows2003.windows2003.home
>>> KRB5 TGS-REQ
>>>
>>> Frame 445 (651 bytes on wire, 651 bytes captured)
>>> Arrival Time: May 1, 2006 13:51:34.604827000
>>> Time delta from previous packet: 0.001387000 seconds
>>> Time since reference or first frame: 51229.329735000 seconds
>>> Frame Number: 445
>>> Packet Length: 651 bytes
>>> Capture Length: 651 bytes
>>> Protocols in frame: sll:ip:udp:kerberos
>>> Linux cooked capture
>>> Packet type: Sent by us (4)
>>> Link-layer address type: 1
>>> Link-layer address length: 6
>>> Source: Vmware_02:d5:f5 (00:0c:29:02:d5:f5)
>>> Protocol: IP (0x0800)
>>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
>>> windows2003.windows2003.home (192.168.1.5)
>>> Version: 4
>>> Header length: 20 bytes
>>> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>> .... ..0. = ECN-Capable Transport (ECT): 0
>>> .... ...0 = ECN-CE: 0
>>> Total Length: 635
>>> Identification: 0x3f10 (16144)
>>> Flags: 0x04 (Don't Fragment)
>>> 0... = Reserved bit: Not set
>>> .1.. = Don't fragment: Set
>>> ..0. = More fragments: Not set
>>> Fragment offset: 0
>>> Time to live: 64
>>> Protocol: UDP (0x11)
>>> Header checksum: 0x7605 [correct]
>>> Good: True
>>> Bad : False
>>> Source: opensuse.suse.home (192.168.1.7)
>>> Destination: windows2003.windows2003.home (192.168.1.5)
>>> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
>>> Source port: 32885 (32885)
>>> Destination port: kerberos (88)
>>> Length: 615
>>> Checksum: 0x9902 [correct]
>>> Kerberos TGS-REQ
>>> Pvno: 5
>>> MSG Type: TGS-REQ (12)
>>> padata: PA-TGS-REQ
>>> Type: PA-TGS-REQ (1)
>>> Value: 6E8201BA308201B6A003020105A10302010EA20703050000...
>>> AP-REQ
>>> Pvno: 5
>>> MSG Type: AP-REQ (14)
>>> Padding: 0
>>> APOptions: 00000000
>>> .0.. .... .... .... .... .... .... .... = Use Session
>>> Key: Do NOT use the session key to encrypt the ticket
>>> ..0. .... .... .... .... .... .... .... = Mutual
>>> required: Mutual authentication is NOT required
>>> Ticket
>>> Tkt-vno: 5
>>> Realm: SUSE.HOME
>>> Server Name (Unknown): krbtgt/WINDOWS2003.HOME
>>> Name-type: Unknown (0)
>>> Name: krbtgt
>>> Name: WINDOWS2003.HOME
>>> enc-part rc4-hmac
>>> Encryption type: rc4-hmac (23)
>>> Kvno: 1
>>> enc-part:
>>> 46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE...
>>> Authenticator rc4-hmac
>>> Encryption type: rc4-hmac (23)
>>> Authenticator data:
>>> FE71BE32F2BFF609F021A368F6DAF66CC42C00C7508FB8E2...
>>> KDC_REQ_BODY
>>> Padding: 0
>>> KDCOptions: 00800000 (Renewable)
>>> .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
>>> use forwardable tickets
>>> ..0. .... .... .... .... .... .... .... = Forwarded: This is
>>> NOT a forwarded ticket
>>> ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT
>>> use proxiable tickets
>>> .... 0... .... .... .... .... .... .... = Proxy: This ticket
>>> has NOT been proxied
>>> .... .0.. .... .... .... .... .... .... = Allow Postdate: We
>>> do NOT allow the ticket to be postdated
>>> .... ..0. .... .... .... .... .... .... = Postdated: This
>>> ticket is NOT postdated
>>> .... .... 1... .... .... .... .... .... = Renewable: This
>>> ticket is RENEWABLE
>>> .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
>>> .... .... .... ...0 .... .... .... .... = Canonicalize: This
>>> is NOT a canonicalized ticket request
>>> .... .... .... .... .... .... ..0. .... = Disable Transited
>>> Check: Transited checking is NOT disabled
>>> .... .... .... .... .... .... ...0 .... = Renewable OK: We do
>>> NOT accept renewed tickets
>>> .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
>>> NOT encrypt the tkt inside the skey
>>> .... .... .... .... .... .... .... ..0. = Renew: This is NOT
>>> a request to renew a ticket
>>> .... .... .... .... .... .... .... ...0 = Validate: This is
>>> NOT a request to validate a postdated ticket
>>> Realm: WINDOWS2003.HOME
>>> Server Name (Service and Host): HTTP/w2k3.windows2003.home
>>> Name-type: Service and Host (3)
>>> Name: HTTP
>>> Name: w2k3.windows2003.home
>>> till: 2006-05-01 22:51:23 (Z)
>>> Nonce: 1146487891
>>> Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>> Encryption type: rc4-hmac (23)
>>> Encryption type: des3-cbc-sha1 (16)
>>> Encryption type: des-cbc-crc (1)
>>> Encryption type: des-cbc-md5 (3)
>>>
>>> No. Time Source Destination Protocol
>>> Info
>>> 446 51229.334347 windows2003.windows2003.home opensuse.suse.home KRB5
>>> KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP
>>>
>>> Frame 446 (151 bytes on wire, 151 bytes captured)
>>> Arrival Time: May 1, 2006 13:51:34.609439000
>>> Time delta from previous packet: 0.004612000 seconds
>>> Time since reference or first frame: 51229.334347000 seconds
>>> Frame Number: 446
>>> Packet Length: 151 bytes
>>> Capture Length: 151 bytes
>>> Protocols in frame: sll:ip:udp:kerberos
>>> Linux cooked capture
>>> Packet type: Unicast to us (0)
>>> Link-layer address type: 1
>>> Link-layer address length: 6
>>> Source: Vmware_71:05:9f (00:0c:29:71:05:9f)
>>> Protocol: IP (0x0800)
>>> Internet Protocol, Src: windows2003.windows2003.home (192.168.1.5), Dst:
>>> opensuse.suse.home (192.168.1.7)
>>> Version: 4
>>> Header length: 20 bytes
>>> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>> .... ..0. = ECN-Capable Transport (ECT): 0
>>> .... ...0 = ECN-CE: 0
>>> Total Length: 135
>>> Identification: 0xdebe (57022)
>>> Flags: 0x00
>>> 0... = Reserved bit: Not set
>>> .0.. = Don't fragment: Not set
>>> ..0. = More fragments: Not set
>>> Fragment offset: 0
>>> Time to live: 128
>>> Protocol: UDP (0x11)
>>> Header checksum: 0xd84a [correct]
>>> Good: True
>>> Bad : False
>>> Source: windows2003.windows2003.home (192.168.1.5)
>>> Destination: opensuse.suse.home (192.168.1.7)
>>> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
>>> Source port: kerberos (88)
>>> Destination port: 32885 (32885)
>>> Length: 115
>>> Checksum: 0xb7f8 [correct]
>>> Kerberos KRB-ERROR
>>> Pvno: 5
>>> MSG Type: KRB-ERROR (30)
>>> stime: 2006-05-01 12:51:33 (Z)
>>> susec: 907050
>>> error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
>>> Realm: WINDOWS2003.HOME
>>> Server Name (Service and Host): HTTP/w2k3.windows2003.home
>>> Name-type: Service and Host (3)
>>> Name: HTTP
>>> Name: w2k3.windows2003.home
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> "Markus Moeller" <huaraz at moeller.plus.com> wrote in message
>>> news:444bcbd2$0$23157$ed2e19e4 at ptn-nntp-reader04.plus.net...
>>>> Is there anywhere a howto for setting up a oneway or even twoway trust
>>>> between a Windows 2003 SP1/R2 server and a MIT kdc with rc4-hmac
>>>> encryption ?
>>>>
>>>> Thank you
>>>> Markus
>>>>
>>>
>>>
>>
>>
>
>
More information about the Kerberos
mailing list