Windows client authentication problem

Richard E. Silverman res at qoxp.net
Thu Jan 29 01:16:48 EST 2009


>>>>> "VVN" == Viji V Nair <vijivijayakumar at gmail.com> writes:

    VVN> Hi, I am trying to authenticate windows xp clients to an MIT
    VVN> kerberos server.  The Server is on a Linux machine and I have
    VVN> both windows and Linux clients on my network. I have followed the
    VVN> below steps, but no success.

    VVN> Configured the kerberos server and Linux clients are
    VVN> authenticating properly, but no success on windows clients. On
    VVN> the kerberos Server I have created a host principal using the
    VVN> following command.

    VVN> # kadmin -q "ank host/bmdata01.testing.com" (I tried kadmin -q
    VVN> "ank host/bmdata01" also)

    VVN> On the windows xp client(bmdata01),

    VVN> C:> ksetup /setrealm TESTING.COM
    VVN> C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
    VVN> C:> ksetup /setmachpassword <password>
    VVN> C:> ksetup /mapuser admin at TESTING.COM guest
    VVN> C:> ksetup /mapuser * *

    VVN> After the reboot windows is showing TESTING.COM as a Kerberos
    VVN> Realm on the login screen, but when I try to login using a
    VVN> kerberos user it is throwing the following error.

    VVN> *"The system could not log you on. Make sure your user name and
    VVN> domain are correct, and then type your password again. Letters in
    VVN> passwords must be typed using the correct case."*

    VVN> But the kerberos server is issuing the tickets, the log shows:

    VVN> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin at TESTING.COM for krbtgt/TESTING.COM at TESTING.COM, Additional pre-authentication required
    VVN> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin at TESTING.COM for krbtgt/TESTING.COM at TESTING.COM
    VVN> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin at TESTING.COM for host/bmdata01.testing.com@TESTING.COM

Make sure both the machine and user principals on the KDC only have RC4 or
DES keys.  The session key here is RC4 (23), but the ticket is AES (18).

    VVN> I have found some article on Microsoft website, saying this is a
    VVN> bug and apply the latest service pack (SP3), I even tried that,
    VVN> but no success.

    VVN> http://support.microsoft.com/kb/825081

    VVN> Similar Thread:
    VVN> http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html

    VVN> c:> ksetup.exe
    VVN> default realm = TESTING.COM (external)
    VVN> TESTING.COM:
    VVN>     kdc = viji.testing.com
    VVN>     Realm Flags = 0x0 none
    VVN> Mapping all users (*) to guest.
    VVN> Mapping admin to guest.

    VVN> # cat /etc/krb5.conf
    VVN> 
    VVN> [logging]
    VVN>  default = FILE:/var/log/krb5libs.log
    VVN>  kdc = FILE:/var/log/krb5kdc.log
    VVN>  admin_server = FILE:/var/log/kadmind.log
    VVN> 
    VVN> [libdefaults]
    VVN>  default_realm = TESTING.COM
    VVN>  dns_lookup_realm = true
    VVN>  dns_lookup_kdc = true
    VVN>  ticket_lifetime = 24h
    VVN>  forwardable = yes
    VVN> 
    VVN> [realms]
    VVN>  TESTING.COM = {
    VVN>   kdc = viji.testing.com:88
    VVN>   admin_server = viji.testing.com:749
    VVN>   default_domain = testing.com
    VVN>  }
    VVN> 
    VVN> [domain_realm]
    VVN>  .testing.com = TESTING.COM
    VVN>  testing.com = TESTING.COM
    VVN> 
    VVN> [appdefaults]
    VVN>  pam = {
    VVN>   debug = false
    VVN>   ticket_lifetime = 36000
    VVN>   renew_lifetime = 36000
    VVN>   forwardable = true
    VVN>   krb4_convert = false
    VVN>  }
    VVN> 
    VVN> [dbmodules]
    VVN>  TESTING.COM = {
    VVN>   db_library = kldap
    VVN>   ldap_servers = ldap://127.0.0.1/
    VVN>   ldap_kerberos_container_dn = cn=kerberos,dc=testing,dc=com
    VVN>   ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=testing,dc=com
    VVN>   ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=testing,dc=com
    VVN>   ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
    VVN>  }

    VVN> Any help on this will be greatly appreciated.


    VVN> Thanks & Regards
    VVN> Viji

-- 
  Richard Silverman
  res at qoxp.net
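A small checker for the enctype point Richard raises above, added here as an example and not part of the thread: it parses krb5kdc log lines of the form quoted in the post and lists service tickets whose ticket enctype the requesting client never offered. The log text is a constructed copy of the three lines from the post; enctype names are the standard IANA/RFC assignments.

```python
import re

# Constructed sample: the three krb5kdc lines quoted in the post, one per line,
# with the archive's "at" obfuscation turned back into "@".
KDC_LOG = """\
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM
"""

# Standard enctype numbers (RFC 3961/3962/4757). Negative values in the
# client's offered list are Microsoft-private and never appear in a ticket.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac", 24: "rc4-hmac-exp"}

ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<ip>\S+): "
    r"ISSUE: authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)


def parse_issues(log_text):
    """One dict per ISSUE line: requester, source IP, the enctypes the client
    offered, and the enctypes the KDC chose for reply, ticket and session."""
    records = []
    for line in log_text.splitlines():
        m = ISSUE_RE.search(line)
        if m:
            records.append({
                "req": m["req"], "ip": m["ip"], "client": m["client"],
                "service": m["service"],
                "offered": {int(e) for e in m["offered"].split()},
                "rep": int(m["rep"]), "tkt": int(m["tkt"]), "ses": int(m["ses"]),
            })
    return records


def find_enctype_mismatches(log_text):
    """List (service, ticket enctype name) for service tickets encrypted with an
    enctype the requesting client never offered. The TGT is skipped because only
    the KDC decrypts it. A mismatch matters when the requester must decrypt the
    ticket itself, as with the workstation's own host/ principal in the post."""
    out = []
    for rec in parse_issues(log_text):
        if rec["service"].startswith("krbtgt/") or rec["tkt"] in rec["offered"]:
            continue
        out.append((rec["service"], ENCTYPE_NAMES.get(rec["tkt"], str(rec["tkt"]))))
    return out
```

On the post's log this reports the host/bmdata01 ticket as aes256, which the XP client's offered list {23 3 1 24} does not contain; a clean run after restricting the principals to RC4/DES keys returns an empty list.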
