Windows Integration attempt #2

Quanah Gibson-Mount quanah at stanford.edu
Fri Feb 2 15:03:24 EST 2007


I'm resending this to the list, because apparently the newsgroup->list 
process isn't working, and it seems a large number of people don't read the 
newsgroup. ;)

So, after finally getting my work windows system to talk to our MIT
KDC, I thought I'd try and get my new home system to do that, too.
However, I'm having absolutely no luck.  I followed the directions
mailed to me last time on doing this, which is what worked for my work
system, and it doesn't work for my home system.

ksetup on my work system shows:

(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\quanah>ksetup
default realm = stanford.edu (external)
stanford.edu:
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        Realm Flags = 0x0 none
Mapping quanah at stanford.edu to quanah.



ksetup on my home system shows:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\quanah>ksetup
default realm = stanford.edu (external)
stanford.edu:
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        Realm Flags = 0x0 none
Mapping quanah at stanford.edu to quanah.



So, that looks right to me.  On the KDC side for my work system:


Principal: host/deus-ex.stanford.edu at stanford.edu
Expiration date: [never]
Last password change: Thu Jun 29 11:16:19 PDT 2006
Password expiration date: [none]
Maximum ticket life: 1 day 01:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jun 29 11:21:45 PDT 2006
(quanah/admin at stanford.edu)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Attributes:
Policy: default


On the KDC side for my home system:

k5admin:  getprinc host/sw-90-717-287-3.stanford.edu
Principal: host/sw-90-717-287-3.stanford.edu at stanford.edu
Expiration date: [never]
Last password change: Fri Jan 19 10:38:42 PST 2007
Password expiration date: [none]
Maximum ticket life: 1 day 01:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Jan 19 10:45:05 PST 2007
(quanah/admin at stanford.edu)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Attributes:
Policy: default

Again, these match up.  When I attempt to log in to the stanford.edu
domain on my home Windows system, I get the following error:

"The system could not log you on.  Make sure your User name and domain
are correct, then type your password again."

Well, I'm sure both are correct, and I'm sure my password is correct,
too, because the KDC shows that my home system successfully talked to
it, and got all the tickets it should:

Jan 19 10:47:48 kerberos1 krb5kdc[8666]: AS_REQ (1 etypes {1})
171.66.155.86: NEEDED_PREAUTH: quanah at stanford.edu for
krbtgt/stanford.edu at stanford.edu, Additional pre-authentication
required
Jan 19 10:47:48 kerberos1 krb5kdc[8666]: AS_REQ (1 etypes {1})
171.66.155.86: ISSUE: authtime 1169232468, etypes {rep=1 tkt=16
ses=1}, quanah at stanford.edu for krbtgt/stanford.edu at stanford.edu


On both systems, my computer is part of the workgroup "stanford.edu".

Any thoughts on why identical setups aren't working much appreciated.


One other detail since I first sent this out -- My home system will now not 
allow me to become the member of a domain, either.

--Quanah





--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
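
Added example, not part of the original message: a small Python decoder for the two krb5kdc AS_REQ lines quoted above, translating the numeric etypes into names so the requested and issued key types can be read at a glance. The etype names follow the IANA Kerberos registry; the function and field names are hypothetical, and the sample input is the two log lines from the post with the e-mail line wrapping undone.

```python
import re

# Kerberos encryption type numbers mapped to their common names.
ETYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
SINGLE_DES = {1, 3}  # single DES etypes, deprecated by RFC 6649

# The two krb5kdc lines from the post, unwrapped (" at " is the archive's "@").
SAMPLE = [
    "Jan 19 10:47:48 kerberos1 krb5kdc[8666]: AS_REQ (1 etypes {1}) "
    "171.66.155.86: NEEDED_PREAUTH: quanah at stanford.edu for "
    "krbtgt/stanford.edu at stanford.edu, Additional pre-authentication required",
    "Jan 19 10:47:48 kerberos1 krb5kdc[8666]: AS_REQ (1 etypes {1}) "
    "171.66.155.86: ISSUE: authtime 1169232468, etypes {rep=1 tkt=16 ses=1}, "
    "quanah at stanford.edu for krbtgt/stanford.edu at stanford.edu",
]

LINE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)"
)
ISSUED = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}")

def name(n):
    """Return the etype name, or a numeric placeholder for unknown values."""
    return ETYPES.get(n, f"etype-{n}")

def decode(line):
    """Decode one krb5kdc request line; return None if it does not match."""
    m = LINE.search(line)
    if m is None:
        return None
    offered = [int(x) for x in m["offered"].split()]
    out = {"request": m["req"], "client": m["client"], "status": m["status"],
           "offered": [name(n) for n in offered]}
    issued = ISSUED.search(m["rest"])
    if issued:  # only ISSUE lines carry the reply/ticket/session etypes
        rep, tkt, ses = (int(g) for g in issued.groups())
        out.update(reply_key=name(rep), ticket_key=name(tkt), session_key=name(ses))
        out["single_des_session"] = ses in SINGLE_DES
    return out

if __name__ == "__main__":
    for entry in SAMPLE:
        print(decode(entry))
```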