Cross Realm MIT <-> Windows Close But No Cigar

Michael B Allen mba2000 at ioplex.com
Wed May 2 22:13:32 EDT 2007 

Hello,

I struggling with cross realm auth and I'd appreciate it if someone can
give me pointers.

The problem seems to be with enctypes. So I just asserted RC4 everywhere
and now I'm getting all the right tickets but ssh and smbclient still
aren't quite satisfied.

Info about the two domains and ssh / smbclient test results follows.

---- S.W.NET ----

MIT 1.3.4-46 on CentOS 4.4

I created KDC as usual but before creating the db I put the following
in my kdc.conf:

supported_enctypes = arcfour-hmac:normal

I created some principals and it confirmed the enctype was archfour-hmac:

kadmin.local:  ktadd test at S.W.NET
Entry for principal test at S.W.NET with kvno 3, encryption type ArcFour
with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.

krb5.conf is standard except I added W.NET to the [realms] and
[domain_realm] sections (not sure if that's necessary).

I created a host/ls1.s.w.net at S.W.NET principal and exported it to the
/etc/krb5.keytab (for ssh).

---- W.NET ----

W2K3 standard
ktsetup /addkdc S.W.NET ls1.s.w.net
ktpass /MitRealmName S.W.NET /TrustEncryp RC4
Created two-way trust with AD Domains and Trusts.
Rebooted.

So with everything setup like above I tried ssh and smbclient.

-- Testing with SSH with W.NET TGT --

Ssh doesn't tell me much:

$ ssh -vvv ioplex at ls1.s.w.ne
...
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 192.168.2.20.
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method

but I can see I have the right tickets:

$ klist 
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: ioplex at W.NET

Valid starting     Expires            Service principal
05/02/07 21:35:40  05/03/07 07:36:11  krbtgt/W.NET at W.NET
        renew until 05/03/07 21:35:40
05/02/07 21:36:23  05/03/07 07:36:11  krbtgt/S.W.NET at W.NET
        renew until 05/03/07 21:35:40
05/02/07 21:36:04  05/03/07 07:36:11  host/ls1.s.w.net at S.W.NET
        renew until 05/02/07 21:36:04

Ssh with an S.W.NET TGT to ls1.s.w.net works fine (no password).

-- Testing with smbclient with S.W.NET TGT --

$ smbclient -k //dc1.w.net/tmp
signing_good: BAD SIG: seq 1
SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!

again I have the right tickets:

$ klist 
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: ioplex at S.W.NET

Valid starting     Expires            Service principal
05/02/07 21:27:56  05/03/07 21:27:56  krbtgt/S.W.NET at S.W.NET
05/02/07 21:33:35  05/03/07 21:27:56  krbtgt/W.NET at S.W.NET
05/02/07 21:33:55  05/03/07 07:33:55  dc1$@W.NET

The signature in the SMB response packet is identical to the one
in the request packet (i.e. it was echo'd).

Any ideas?

Do I need to do anything special with DNS?

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

More information about the Kerberos mailing list