Problems with authenticating to a Win domain controller

Douglas E. Engert deengert@anl.gov
Wed May 28 11:47:22 EDT 2008



radaczynski@gmail.com wrote:
> Hi,
> 
> I've recently encountered a strange error when trying to get a ticket
> from a W2k domain controller. My setup is like this:
> 
> 1. krb5.conf:
> [libdefaults]
>         default_realm = DOMAIN1.COM
>         forwardable = true
>         proxiable = true
>         dns_lookup_realm = false
>         dns_lookup_kdc = false
>         v4_instance_resolve = false
>         v4_name_convert = {
>                 host = {
>                         rcmd = host
>                         ftp = ftp
>                 }
>                 plain = {
>                         something = something-else
>                 }
>         }
> 
> [realms]
>         DOMAIN1.COM = {
>                 kdc = aaa.domain1.com:88
>         }
> 
> [domain_realm]
>         .domain1.com = DOMAIN1.COM
>         domain1.com = DOMAIN1.COM
>         .domain2.com = DOMAIN2.COM
>         domain2.com = DOMAIN2.COM
> 
> 
> [appdefaults]
>         pam = {
>             debug=false
>             forwardable=true
>             krb4_convert=false
>         }
> 
> DOMAIN2 is a trusted domain of DOMAIN1
> 
> Now, when I do this:
> kinit myuser@DOMAIN2.COM
> Password for myuser@DOMAIN2.COM:
> 
> I get a TGT:  renew until 05/29/08 08:55:12, Etype (skey, tkt):
> ArcFour with HMAC/md5, ArcFour with HMAC/md5; the principal is: krbtgt/
> DOMAIN2.COM@DOMAIN2.COM
> 
> then I try:
> kvno HTTP/test.domain1.com@DOMAIN1.COM
> and get:
> Server not found in Kerberos database while getting credentials

This might be some cross-realm issue. To get a ticket from
DOMAIN1.COM requires you to first get a krbtgt/DOMAIN1.COM@DOMAIN2.COM
from DOMAIN2.COM.

You set dns_lookup_kdc = false and did not define DOMAIN1.COM in
[realms], so your client cannot find the KDCs for DOMAIN1.COM.

It might be an issue that the cross realm trust is not set up as you
think it is.

To verify all of these for sure, use a trace program like Wireshark
that can format the Kerberos packets.

> 
> When I try:
> kvno HTTP/test.domain1.com@DOMAIN2.COM
> I get:
> KDC reply did not match expectations while getting credentials

W2K may have returned a referral saying to look in DOMAIN1.COM,
but the Kerberos lib does not handle that today.

> 
> Any help would be greatly appreciated.
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
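The two checks suggested in the reply above (is every realm the client will talk to locatable when dns_lookup_kdc is off, and does the cross-realm hop have a KDC at each step) can be run against a krb5.conf before reaching for Wireshark. The lint below is an added example and is not code from the original thread or from MIT krb5; the sample krb5.conf inside it is constructed to mirror the shape of the poster's configuration (one realm with a kdc line, a trusted realm referenced only in [domain_realm], DNS KDC lookup disabled), and the set of recognised [libdefaults] option names is a small hand-picked subset, not the library's full list.

```python
"""Lint a krb5.conf for the cross-realm failure mode discussed in the thread.

Added example: not from the original post or from MIT krb5. The config text and
the KNOWN_LIBDEFAULTS subset below are constructed for illustration.
"""
import re
from typing import Dict, List, Union

Block = Dict[str, List[Union[str, "Block"]]]

# Hand-picked subset of option names MIT krb5 reads from [libdefaults]. The
# library ignores names it does not know, so a misspelled option silently does
# nothing; a lint is the only place such a typo ever shows up.
KNOWN_LIBDEFAULTS = {
    "default_realm", "forwardable", "proxiable", "dns_lookup_realm", "dns_lookup_kdc",
    "ticket_lifetime", "renew_lifetime", "default_keytab_name", "clockskew", "rdns",
    "default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes",
    "v4_instance_resolve", "v4_name_convert", "canonicalize", "allow_weak_crypto",
}
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}


def parse_krb5_conf(text: str) -> Dict[str, Block]:
    """Parse krb5.conf profile syntax: [section] headers, 'key = value' lines and
    'key = {' ... '}' nested blocks. Repeated keys (several kdc lines) are kept
    as a list. Comments start with '#' or ';'."""
    sections: Dict[str, Block] = {}
    stack: List[Block] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"directive outside any section: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if value == "{":
            child: Block = {}
            stack[-1].setdefault(key, []).append(child)
            stack.append(child)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def _scalar(block: Block, key: str, default: str) -> str:
    """First string value stored under key, or default."""
    return next((v for v in block.get(key, []) if isinstance(v, str)), default)


def realm_has_locator(conf: Dict[str, Block], realm: str) -> bool:
    """True if the client can find a KDC for realm: an explicit kdc line under
    [realms], or DNS SRV lookup still enabled (dns_lookup_kdc defaults to true)."""
    if _scalar(conf.get("libdefaults", {}), "dns_lookup_kdc", "true").lower() in TRUE_WORDS:
        return True
    return any(isinstance(entry, dict) and entry.get("kdc")
               for entry in conf.get("realms", {}).get(realm, []))


def lint_cross_realm(conf: Dict[str, Block], client_realm: str, service_realm: str) -> List[str]:
    """Explain why a principal in client_realm may fail to get a ticket for a
    service in service_realm. The walk follows the protocol: AS-REQ to the
    client realm, TGS-REQ to the client realm for the cross-realm
    krbtgt/<service realm>@<client realm>, then TGS-REQ to the service realm."""
    findings: List[str] = []
    for key in conf.get("libdefaults", {}):
        if key not in KNOWN_LIBDEFAULTS:
            findings.append(f"[libdefaults] '{key}' is not a recognized option; krb5 ignores it silently")
    referenced = {r for vals in conf.get("domain_realm", {}).values() for r in vals if isinstance(r, str)}
    for realm in sorted(referenced - set(conf.get("realms", {}))):
        findings.append(f"[domain_realm] refers to {realm}, which has no [realms] entry")
    steps = [(client_realm, f"AS-REQ for krbtgt/{client_realm}@{client_realm}")]
    if client_realm != service_realm:
        steps.append((client_realm, f"TGS-REQ for cross-realm krbtgt/{service_realm}@{client_realm}"))
        steps.append((service_realm, f"TGS-REQ for the service ticket in {service_realm}"))
    reported = set()  # one finding per unreachable realm is enough
    for realm, step in steps:
        if realm not in reported and not realm_has_locator(conf, realm):
            reported.add(realm)
            findings.append(f"{step}: no KDC for {realm} (no kdc entry and dns_lookup_kdc is false)")
    return findings


# Constructed sample shaped like the poster's config: DOMAIN2.COM is only named
# in [domain_realm], so with DNS lookup off the client has nowhere to send its AS-REQ.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = DOMAIN1.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false

[realms]
        DOMAIN1.COM = {
                kdc = aaa.domain1.com:88
        }

[domain_realm]
        .domain1.com = DOMAIN1.COM
        domain1.com = DOMAIN1.COM
        .domain2.com = DOMAIN2.COM
        domain2.com = DOMAIN2.COM
"""


def demo() -> List[str]:
    """Findings for a DOMAIN2.COM user requesting HTTP/test.domain1.com@DOMAIN1.COM."""
    return lint_cross_realm(parse_krb5_conf(SAMPLE_KRB5_CONF), "DOMAIN2.COM", "DOMAIN1.COM")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Once the lint is clean, the remaining possibilities are the ones the reply names (a trust that is not what you think it is, or a KDC referral the client library cannot follow), and those only a packet trace will settle.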


