Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Mikkel Kruse Johnsen mikkel at linet.dk
Tue Jul 17 03:41:46 EDT 2007


Hi

Yes that did the trick.

netdom trust HHK.DK /domain:CBS.DK /foresttransitive:yes
netdom trust HHK.DK /domain:CBS.DK /addtln:cbs.dk

This is very cool, now the Windows clients get the
HTTP/sugi.cbs.dk at CBS.DK when using mkj.lib at HHK.DK.

The problem is now that I get this:

[Tue Jul 17 09:33:34 2007] [debug] src/mod_auth_kerb.c(1432): [client
130.226.36.30] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Tue Jul 17 09:33:34 2007] [debug] src/mod_auth_kerb.c(1432): [client
130.226.36.30] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Tue Jul 17 09:33:34 2007] [debug] src/mod_auth_kerb.c(1147): [client
130.226.36.30] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK
[Tue Jul 17 09:33:34 2007] [debug] src/mod_auth_kerb.c(1266): [client
130.226.36.30] Verifying client data using KRB5 GSS-API
[Tue Jul 17 09:33:34 2007] [debug] src/mod_auth_kerb.c(1282): [client
130.226.36.30] Verification returned code 851968
[Tue Jul 17 09:33:34 2007] [error] [client 130.226.36.30]
gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
may provide more information (Cannot allocate memory)

Any suggestions?


/Mikkel


On Fri, 2007-07-13 at 00:05 +0100, Markus Moeller wrote:

> I think you need to tell AD that keys for systems in the cbs.dk domain can 
> be retrieved from CBS.DK.
> 
> Try netdom trust HHK.DK /domain:CBS.DK /addtln:cbs.dk on your kdc.
> 
> 
> 
> Markus
> 
> 
> "Mikkel Kruse Johnsen" <mikkel at linet.dk> wrote in message 
> news:1184231952.3026.34.camel at tux.lib.cbs.dk...
> > Hi Everyone
> >
> > What I want to do is to be able to authenticate (Negotiate) from Firefox,
> > IE7 on Windows and Linux.
> >
> > What I have is an MS Active Directory 2003 (but running in 2000 mode)
> > with realm "HHK.DK" then I have a Linux Kerberos server (RHEL5 64bit)
> > with realm "CBS.DK". I have made a two-way trust between them.
> > (http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EVCAC).
> >
> > That seems to work because:
> >
> > On Linux: (using user in linux kerberos)
> >
> > ---
> > kinit mkj.lib at CBS.DK
> > klist -e -f
> > Ticket cache: FILE:/tmp/krb5cc_500
> > Default principal: mkj.lib at CBS.DK
> >
> > Valid starting     Expires            Service principal
> > 07/09/07 12:09:43  07/10/07 12:09:43  krbtgt/CBS.DK at CBS.DK
> >        Flags: FI, Etype (skey, tkt): Triple DES cbc mode with
> > HMAC/sha1, Triple DES cbc mode with HMAC/sha1
> > ---
> >
> > Going to my test server it works, phpinfo() gives me:
> > ---
> > _SERVER["REMOTE_USER"]mkj.lib at CBS.DK
> > _SERVER["AUTH_TYPE"]Negotiate
> > ---
> > klist -e -f
> > Ticket cache: FILE:/tmp/krb5cc_500
> > Default principal: mkj.lib at CBS.DK
> >
> > Valid starting     Expires            Service principal
> > 07/09/07 12:09:43  07/10/07 12:09:43  krbtgt/CBS.DK at CBS.DK
> >        Flags: FI, Etype (skey, tkt): Triple DES cbc mode with
> > HMAC/sha1, Triple DES cbc mode with HMAC/sha1
> > 07/09/07 12:10:40  07/10/07 12:09:43  HTTP/sugi.cbs.dk at CBS.DK
> >        Flags: FT, Etype (skey, tkt): Triple DES cbc mode with
> > HMAC/sha1, ArcFour with HMAC/md5
> > ---
> >
> > Still on Linux (using user in AD)
> >
> > ---
> > kinit mkj.lib at HHK.DK
> > Password for mkj.lib at HHK.DK:
> > [mkj at tux ~]$ klist -e -f
> > Ticket cache: FILE:/tmp/krb5cc_500
> > Default principal: mkj.lib at HHK.DK
> >
> > Valid starting     Expires            Service principal
> > 07/09/07 12:12:02  07/09/07 22:12:08  krbtgt/HHK.DK at HHK.DK
> >        renew until 07/10/07 12:12:02, Flags: FRIA
> >        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> > ----
> >
> > Web page says:
> > ----
> > _SERVER["REMOTE_USER"]mkj.lib at HHK.DK
> > _SERVER["AUTH_TYPE"]Negotiate
> > ----
> > klist -e -f
> > Ticket cache: FILE:/tmp/krb5cc_500
> > Default principal: mkj.lib at HHK.DK
> >
> > Valid starting     Expires            Service principal
> > 07/09/07 12:12:02  07/09/07 22:12:08  krbtgt/HHK.DK at HHK.DK
> >        renew until 07/10/07 12:12:02, Flags: FRIA
> >        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> > 07/09/07 12:12:40  07/09/07 22:12:08  krbtgt/CBS.DK at HHK.DK
> >        renew until 07/10/07 12:12:02, Flags: FRAO
> >        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with
> > RSA-MD5
> > 07/09/07 12:12:41  07/09/07 22:12:08  HTTP/sugi.cbs.dk at CBS.DK
> >        renew until 07/09/07 12:12:41, Flags: FRAT
> >        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, ArcFour
> > with HMAC/md5
> > ----
> >
> >
> > Now on Windows joined to HHK.DK and logged in as "mkj.lib"
> >
> > ----
> > C:\Program Files\Resource Kit>klist tickets
> >
> > Cached Tickets: (11)
> >
> >   Server: krbtgt/HHK.DK at HHK.DK
> >      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >      End Time: 7/9/2007 19:26:55
> >      Renew Time: 7/16/2007 9:26:55
> >
> >
> >   Server: krbtgt/HHK.DK at HHK.DK
> >      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >      End Time: 7/9/2007 19:26:55
> >      Renew Time: 7/16/2007 9:26:55
> >
> >
> >   Server: cifs/etrust.hhk.dk at HHK.DK
> >      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >      End Time: 7/9/2007 19:26:55
> >      Renew Time: 7/16/2007 9:26:55
> >
> >
> >   Server: cifs/HHK-02 at HHK.DK
> >      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >      End Time: 7/9/2007 19:26:55
> >      Renew Time: 7/16/2007 9:26:55
> >
> >
> >   Server: cifs/ITS-AMO.hhk.dk at HHK.DK
> >      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >      End Time: 7/9/2007 19:26:55
> >      Renew Time: 7/16/2007 9:26:55
> >
> >
> >   Server: cifs/ns1.hhk.dk at HHK.DK
> >      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >      End Time: 7/9/2007 19:26:55
> >      Renew Time: 7/16/2007 9:26:55
> >
> >
> >   Server: cifs/HHK-02.hhk.dk at HHK.DK
> >      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >      End Time: 7/9/2007 19:26:55
> >      Renew Time: 7/16/2007 9:26:55
> >
> >
> >   Server: cifs/NS2.hhk.dk at HHK.DK
> >      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >      End Time: 7/9/2007 19:26:55
> >      Renew Time: 7/16/2007 9:26:55
> >
> >
> >   Server: ldap/NS2.hhk.dk/hhk.dk at HHK.DK
> >      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >      End Time: 7/9/2007 19:26:55
> >      Renew Time: 7/16/2007 9:26:55
> >
> >
> >   Server: LDAP/NS2.hhk.dk at HHK.DK
> >      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >      End Time: 7/9/2007 19:26:55
> >      Renew Time: 7/16/2007 9:26:55
> >
> >
> >   Server: host/tuxwin.hhk.dk at HHK.DK
> >      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >      End Time: 7/9/2007 19:26:55
> >      Renew Time: 7/16/2007 9:26:55
> > -----
> >
> > But entering the web page:
> > ---
> > Authorization Required
> > This server could not verify that you are authorized to access the
> > document requested. Either you supplied the wrong credentials (e.g., bad
> > password), or your browser doesn't understand how to supply the
> > credentials required.
> >
> > ----
> > Apache error log:
> > ----
> > [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1432): [client
> > 130.226.36.172] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1432): [client
> > 130.226.36.172] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1147): [client
> > 130.226.36.172] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK
> > [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1266): [client
> > 130.226.36.172] Verifying client data using KRB5 GSS-API
> > [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1282): [client
> > 130.226.36.172] Verification returned code 589824
> > [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1309): [client
> > 130.226.36.172] Warning: received token seems to be NTLM, which isn't
> > supported by the Kerberos module. Check your IE configuration.
> > [Mon Jul 09 12:16:21 2007] [error] [client 130.226.36.172]
> > gss_accept_sec_context() failed: Invalid token was supplied (No error)
> > ----
> >
> > I have followed all the instructions, "Integrated logon is on", my sites
> > are in Local Sites and proxy is turned off. The same error occurs using
> > Firefox; I have set the trusted-uri and delegation-uris in about:config to
> > "cbs.dk,hhk.dk". (Did the same under Linux and it works.)
> >
> > Any help is appreciated
> >
> >
> >
> > .htaccess:
> > ---
> > AuthType Kerberos
> > AuthName "CBS Login"
> > KrbAuthRealms CBS.DK HHK.DK
> > KrbServiceName HTTP/sugi.cbs.dk at CBS.DK
> > Krb5Keytab /etc/httpd/conf/httpd.keytab
> > KrbSaveCredentials on
> > KrbMethodNegotiate on
> > KrbMethodK5Passwd off
> > require valid-user
> > ----
> > Have tried without KrbServiceName set and with "KrbServiceName HTTP"
> > and still no luck.
> >
> >
> > krb5.conf
> > ----
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > default_realm = CBS.DK
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> > ticket_lifetime = 24h
> > forwardable = yes
> > default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> > default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> > permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> > noaddresses = no
> >
> > [realms]
> > CBS.DK = {
> >  kdc = kerberos.cbs.dk:88
> >  admin_server = kerberos.cbs.dk:749
> >  default_domain = cbs.dk
> > }
> > HHK.DK = {
> >  kdc = ns1.hhk.dk:88
> >  admin_server = ns1.hhk.dk:749
> >  default_domain = hhk.dk
> > }
> >
> > [domain_realm]
> > .cbs.dk = CBS.DK
> > cbs.dk = CBS.DK
> > .hhk.dk = HHK.DK
> > hhk.dk = HHK.DK
> >
> > [kdc]
> > profile = /var/kerberos/krb5kdc/kdc.conf
> >
> > [appdefaults]
> > pam = {
> >   debug = false
> >   ticket_lifetime = 36000
> >   renew_lifetime = 36000
> >   forwardable = true
> >   krb4_convert = false
> > }
> > ----
> >
> > kdc.conf
> > ----
> > [kdcdefaults]
> > acl_file = /var/kerberos/krb5kdc/kadm5.acl
> > dict_file = /usr/share/dict/words
> > admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> > v4_mode = nopreauth
> >
> > [realms]
> > CBS.DK = {
> >  #master_key_type = des3-hmac-sha1
> >  supported_enctypes = rc4-hmac:normal des3-hmac-sha1:normal
> > arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal
> > des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
> > }
> > ---
> >
> > Mikkel Kruse Johnsen
> > Linet
> > Ørholmgade 6 st tv
> > 2200 København N
> >
> > Tlf: +45 2128 7793
> > email: mikkel at linet.dk
> > www: http://www.linet.dk
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> > 

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel at linet.dk
www: http://www.linet.dk
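The diagnostic that matters in the first error log is mod_auth_kerb's "received token seems to be NTLM" warning: the browser fell back to NTLM instead of sending a Kerberos ticket. As an added example (not code from the thread or from mod_auth_kerb), this Python snippet classifies an Authorization: Negotiate header value as NTLM, SPNEGO or bare Kerberos and lists the mechanisms a SPNEGO NegTokenInit offers, so a captured header shows whether the client offered Kerberos at all; the sample headers are constructed, with the mechToken and AP-REQ bodies omitted.

```python
import base64
# Mechanism OIDs that show up in browser Negotiate tokens.
OIDS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "KRB5",
        "1.2.840.48018.1.2.2": "MS-KRB5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
NTLMSSP_SIG = b"NTLMSSP\x00"  # every raw NTLM message starts with this; base64 "TlRMTVNTUAA"

def _tlv(buf, pos):  # read one DER tag and length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length (real SPNEGO tokens are well over 127 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):  # decode DER OID content bytes into dotted notation
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def classify_negotiate(header_value):  # 'Negotiate <b64>' -> (kind, mechanisms offered)
    token = base64.b64decode(header_value.split(None, 1)[1])
    if token.startswith(NTLMSSP_SIG):  # the case mod_auth_kerb warns about
        return "ntlm", ["NTLMSSP"]
    if not token or token[0] != 0x60:  # GSS InitialContextToken = [APPLICATION 0]
        return "unknown", []
    tag, s, e = _tlv(token, _tlv(token, 0)[1])  # skip outer header, read thisMech OID
    mech = OIDS.get(_oid(token[s:e]), "?") if tag == 0x06 else "?"
    if mech in ("KRB5", "MS-KRB5"):  # bare Kerberos AP-REQ, no SPNEGO wrapper
        return "kerberos", [mech]
    if mech != "SPNEGO":
        return "unknown", [mech]
    # Descend [0] NegotiationToken > SEQUENCE NegTokenInit > [0] mechTypes > SEQUENCE OF OID
    p = e
    for _ in range(4):
        _, p, end = _tlv(token, p)
    mechs = []
    while p < end:
        _, s, e = _tlv(token, p)
        mechs.append(OIDS.get(_oid(token[s:e]), "?"))
        p = e
    return "spnego", mechs

# Constructed sample headers (not captured from the thread); bodies are omitted.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(bytes.fromhex(
    "603206062b0601050502a0283026a0243022" "06092a864882f712010202"  # framing, MS-KRB5
    "06092a864886f712010202" "060a2b06010401823702020a")).decode()   # KRB5, NTLMSSP
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(bytes.fromhex("600b06092a864886f712010202")).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00" + bytes(28)).decode()
```

A header whose base64 begins with "TlRMTVNT" is NTLM regardless of what the browser calls the scheme; a SPNEGO token that lists only NTLMSSP means the client never found a usable Kerberos ticket for the service.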
