Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Markus Moeller huaraz at moeller.plus.com
Thu Jul 12 19:05:20 EDT 2007


I think you need to tell AD that keys for systems in the cbs.dk domain can 
be retrieved from CBS.DK.

Try netdom trust HHK.DK /domain:CBS.DK /addtln:cbs.dk on your kdc.



Markus


"Mikkel Kruse Johnsen" <mikkel at linet.dk> wrote in message 
news:1184231952.3026.34.camel at tux.lib.cbs.dk...
> Hi Everyone
>
> What I want to do is to be able to authenticate (Negotiate) from Firefox,
> IE7 on Windows and Linux.
>
> What I have is an MS Active Directory 2003 (but running in 2000 mode)
> with realm "HHK.DK" then I have a Linux Kerberos server (RHEL5 64bit)
> with realm "CBS.DK". I have made a two-way trust between them.
> (http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EVCAC).
>
> That seems to work because:
>
> On Linux: (using user in linux kerberos)
>
> ---
> kinit mkj.lib at CBS.DK
> klist -e -f
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: mkj.lib at CBS.DK
>
> Valid starting     Expires            Service principal
> 07/09/07 12:09:43  07/10/07 12:09:43  krbtgt/CBS.DK at CBS.DK
>        Flags: FI, Etype (skey, tkt): Triple DES cbc mode with
> HMAC/sha1, Triple DES cbc mode with HMAC/sha1
> ---
>
> Going to my test server it works, phpinfo() gives me:
> ---
> _SERVER["REMOTE_USER"]mkj.lib at CBS.DK
> _SERVER["AUTH_TYPE"]Negotiate
> ---
> klist -e -f
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: mkj.lib at CBS.DK
>
> Valid starting     Expires            Service principal
> 07/09/07 12:09:43  07/10/07 12:09:43  krbtgt/CBS.DK at CBS.DK
>        Flags: FI, Etype (skey, tkt): Triple DES cbc mode with
> HMAC/sha1, Triple DES cbc mode with HMAC/sha1
> 07/09/07 12:10:40  07/10/07 12:09:43  HTTP/sugi.cbs.dk at CBS.DK
>        Flags: FT, Etype (skey, tkt): Triple DES cbc mode with
> HMAC/sha1, ArcFour with HMAC/md5
> ---
>
> Still on Linux (using user in AD)
>
> ---
> kinit mkj.lib at HHK.DK
> Password for mkj.lib at HHK.DK:
> [mkj at tux ~]$ klist -e -f
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: mkj.lib at HHK.DK
>
> Valid starting     Expires            Service principal
> 07/09/07 12:12:02  07/09/07 22:12:08  krbtgt/HHK.DK at HHK.DK
>        renew until 07/10/07 12:12:02, Flags: FRIA
>        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> ----
>
> Web page says:
> ----
> _SERVER["REMOTE_USER"]mkj.lib at HHK.DK
> _SERVER["AUTH_TYPE"]Negotiate
> ----
> klist -e -f
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: mkj.lib at HHK.DK
>
> Valid starting     Expires            Service principal
> 07/09/07 12:12:02  07/09/07 22:12:08  krbtgt/HHK.DK at HHK.DK
>        renew until 07/10/07 12:12:02, Flags: FRIA
>        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> 07/09/07 12:12:40  07/09/07 22:12:08  krbtgt/CBS.DK at HHK.DK
>        renew until 07/10/07 12:12:02, Flags: FRAO
>        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with
> RSA-MD5
> 07/09/07 12:12:41  07/09/07 22:12:08  HTTP/sugi.cbs.dk at CBS.DK
>        renew until 07/09/07 12:12:41, Flags: FRAT
>        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, ArcFour
> with HMAC/md5
> ----
>
>
> Now on Windows joined to HHK.DK and logged in as "mkj.lib"
>
> ----
> C:\Program Files\Resource Kit>klist tickets
>
> Cached Tickets: (11)
>
>   Server: krbtgt/HHK.DK at HHK.DK
>      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>      End Time: 7/9/2007 19:26:55
>      Renew Time: 7/16/2007 9:26:55
>
>
>   Server: krbtgt/HHK.DK at HHK.DK
>      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>      End Time: 7/9/2007 19:26:55
>      Renew Time: 7/16/2007 9:26:55
>
>
>   Server: cifs/etrust.hhk.dk at HHK.DK
>      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>      End Time: 7/9/2007 19:26:55
>      Renew Time: 7/16/2007 9:26:55
>
>
>   Server: cifs/HHK-02 at HHK.DK
>      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>      End Time: 7/9/2007 19:26:55
>      Renew Time: 7/16/2007 9:26:55
>
>
>   Server: cifs/ITS-AMO.hhk.dk at HHK.DK
>      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>      End Time: 7/9/2007 19:26:55
>      Renew Time: 7/16/2007 9:26:55
>
>
>   Server: cifs/ns1.hhk.dk at HHK.DK
>      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>      End Time: 7/9/2007 19:26:55
>      Renew Time: 7/16/2007 9:26:55
>
>
>   Server: cifs/HHK-02.hhk.dk at HHK.DK
>      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>      End Time: 7/9/2007 19:26:55
>      Renew Time: 7/16/2007 9:26:55
>
>
>   Server: cifs/NS2.hhk.dk at HHK.DK
>      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>      End Time: 7/9/2007 19:26:55
>      Renew Time: 7/16/2007 9:26:55
>
>
>   Server: ldap/NS2.hhk.dk/hhk.dk at HHK.DK
>      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>      End Time: 7/9/2007 19:26:55
>      Renew Time: 7/16/2007 9:26:55
>
>
>   Server: LDAP/NS2.hhk.dk at HHK.DK
>      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>      End Time: 7/9/2007 19:26:55
>      Renew Time: 7/16/2007 9:26:55
>
>
>   Server: host/tuxwin.hhk.dk at HHK.DK
>      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>      End Time: 7/9/2007 19:26:55
>      Renew Time: 7/16/2007 9:26:55
> -----
>
> But entering the web page:
> ---
> Authorization Required
> This server could not verify that you are authorized to access the
> document requested. Either you supplied the wrong credentials (e.g., bad
> password), or your browser doesn't understand how to supply the
> credentials required.
>
> ----
> Apache error log:
> ----
> [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1432): [client
> 130.226.36.172] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1432): [client
> 130.226.36.172] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1147): [client
> 130.226.36.172] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK
> [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1266): [client
> 130.226.36.172] Verifying client data using KRB5 GSS-API
> [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1282): [client
> 130.226.36.172] Verification returned code 589824
> [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1309): [client
> 130.226.36.172] Warning: received token seems to be NTLM, which isn't
> supported by the Kerberos module. Check your IE configuration.
> [Mon Jul 09 12:16:21 2007] [error] [client 130.226.36.172]
> gss_accept_sec_context() failed: Invalid token was supplied (No error)
> ----
>
> I have followed all the instructions, "Integrated logon is on", my sites
> are in Local Sites and proxy is turned off. The same error occurs using
> Firefox; I have set the trusted-uri and delegation-uris in about:config to
> "cbs.dk,hhk.dk". (did the same under linux and it works).
>
> Any help is appreciated
>
>
>
> .htaccess:
> ---
> AuthType Kerberos
> AuthName "CBS Login"
> KrbAuthRealms CBS.DK HHK.DK
> KrbServiceName HTTP/sugi.cbs.dk at CBS.DK
> Krb5Keytab /etc/httpd/conf/httpd.keytab
> KrbSaveCredentials on
> KrbMethodNegotiate on
> KrbMethodK5Passwd off
> require valid-user
> ----
> Have tried without KrbServiceName set and with "KrbServiceName HTTP"
> and still no luck.
>
>
> krb5.conf
> ----
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = CBS.DK
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
> default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> noaddresses = no
>
> [realms]
> CBS.DK = {
>  kdc = kerberos.cbs.dk:88
>  admin_server = kerberos.cbs.dk:749
>  default_domain = cbs.dk
> }
> HHK.DK = {
>  kdc = ns1.hhk.dk:88
>  admin_server = ns1.hhk.dk:749
>  default_domain = hhk.dk
> }
>
> [domain_realm]
> .cbs.dk = CBS.DK
> cbs.dk = CBS.DK
> .hhk.dk = HHK.DK
> hhk.dk = HHK.DK
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
> }
> ----
>
> kdc.conf
> ----
> [kdcdefaults]
> acl_file = /var/kerberos/krb5kdc/kadm5.acl
> dict_file = /usr/share/dict/words
> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> v4_mode = nopreauth
>
> [realms]
> CBS.DK = {
>  #master_key_type = des3-hmac-sha1
>  supported_enctypes = rc4-hmac:normal des3-hmac-sha1:normal
> arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal
> des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
> }
> ---
>
> Mikkel Kruse Johnsen
> Linet
> Ørholmgade 6 st tv
> 2200 København N
>
> Tlf: +45 2128 7793
> email: mikkel at linet.dk
> www: http://www.linet.dk
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
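An added example, not code from either poster: a small Python classifier for the token carried in an Authorization: Negotiate header, which tells SPNEGO-wrapped Kerberos from the NTLM fallback that mod_auth_kerb rejects in the log above (and from bare NTLM and raw Kerberos tokens). Token layouts follow RFC 4178 and RFC 4121; both sample headers are constructed, and the stub Kerberos mechToken is not a real AP-REQ.

```python
# Added example (not from the thread): classify the token in "Authorization: Negotiate ..."
# so the NTLM fallback mod_auth_kerb logs above is visible from the header. Samples are constructed.
import base64
SPNEGO, KRB5, MS_KRB5, NTLMSSP = (bytes.fromhex(h) for h in (   # RFC 4178, RFC 4121, MS-NLMP mech OIDs
    "2b0601050502", "2a864886f712010202", "2a864882f712010202", "2b06010401823702020a"))
NAMES = {KRB5: "krb5", MS_KRB5: "ms-krb5", NTLMSSP: "ntlmssp"}
def der(tag, body):  # DER TLV encoder, short-form lengths only (enough for the samples below)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body
def tlv(buf, pos, tag):  # parse the TLV at buf[pos], requiring `tag` -> (content_start, content_end)
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("tag 0x%02x expected at offset %d" % (tag, pos))
    n, pos = buf[pos + 1], pos + 2
    if n >= 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return pos, pos + n

def classify(header_value):
    """Return (kind, mechTypes) for the value of an Authorization header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme not in ("Negotiate", "NTLM"):
        return "not-negotiate", []
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):
            return "ntlm-raw", ["ntlmssp"]  # bare NTLM message, no SPNEGO wrapper at all
        start, _ = tlv(tok, 0, 0x60)  # GSS-API InitialContextToken, [APPLICATION 0]
        start, pos = tlv(tok, start, 0x06)  # thisMech OID
        if tok[start:pos] != SPNEGO:  # e.g. a raw Kerberos AP-REQ token
            return NAMES.get(tok[start:pos], "unknown") + "-raw", []
        for tag in (0xA0, 0x30, 0xA0):  # negTokenInit [0] > NegTokenInit SEQUENCE > mechTypes [0]
            pos, _ = tlv(tok, pos, tag)
        pos, end = tlv(tok, pos, 0x30)  # SEQUENCE OF MechType, client's preferred mechanism first
        mechs = []
        while pos < end:
            start, pos = tlv(tok, pos, 0x06)
            mechs.append(NAMES.get(tok[start:pos], tok[start:pos].hex()))
    except (ValueError, IndexError):  # binascii.Error is a ValueError subclass
        return "malformed", []
    # Same signal mod_auth_kerb warns about: an NTLMSSP signature means the client fell back to NTLM.
    ntlm = b"NTLMSSP\x00" in tok or mechs[:1] == ["ntlmssp"]
    return ("spnego-ntlm" if ntlm else "spnego-kerberos"), mechs

def sample_header(mech_oids, mech_token):  # constructed NegTokenInit carrying the given mechTypes
    init = der(0x30, der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
               + der(0xA2, der(0x04, mech_token)))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO) + der(0xA0, init))).decode()
# Thread's Windows client (NTLM NEGOTIATE_MESSAGE skeleton) vs. one holding an HTTP/sugi.cbs.dk ticket
FALLBACK = sample_header([NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20))
WITH_TICKET = sample_header([MS_KRB5, KRB5], der(0x60, der(0x06, KRB5) + b"\x01\x00"))
```

Run over access-log or proxy captures, a "spnego-ntlm" or "ntlm-raw" result from a client that should hold a Kerberos ticket points at the same root cause as the thread: the client could not get a service ticket for the host, usually because the realm for that DNS name is unknown to its KDC.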