Windows login failing, with no errors?

Douglas E. Engert deengert at anl.gov
Mon Apr 5 10:42:22 EDT 2010



Tom Medhurst wrote:
> Thanks Douglas,
> 
> I removed the policy host/wdesk3.tnet.loc using kadmin.local and added 
> it back in again with a known password. (ank -policy hosts 
> host/wdesk3.tnet.loc). 
> 
> I then used ksetup on the windows 7 machine (wdesk3) to set the 
> machine's password (ksetup /SetComputerPassword MYPASSWORDHERE)
> 
> I then used ktadd to add host/wdesk3.tnet.loc into my keytab (gave the 
> path using the -k switch).

Don't do this step. Keytabs are only used for holding the keys for a
service and each service normally has its own keytab located on the
service machine. The key for your host is held on the host machine.
On Windows the ksetup /setcomputerpassword stores the password so
a key can be generated on the fly by Windows.

The ktadd also changes the key in the database, as it updates both
a keytab and the database.

The /usr/local/var/krb5kdc/kadm5.keytab is used for the kadmin service.
It does not have host principals.

The Kerberos protocol is based on a shared secret between the KDC and
the user, and a shared secret between the KDC and a server.

Kerberos stores keys in the database and in keytab files when the principal
is created or modified. The keys are generated from passwords or random
data and then the passwords are discarded.  Microsoft stores passwords in
AD and on Windows machines, and will generate the keys from the stored
password whenever needed. Which approach is better is not important here;
what is important is that you need to have the Kerberos KDC generate a key
to store in the database from some password, and also use ksetup to store
the password on the Windows machine.

> 
> I rebooted the Windows 7 machine (wdesk3) and tried to login again, but 
> I still got the same problem (with the same logging).
> 
> The logs look like the tickets are being requested successfully (see my 
> last email).. any idea why I'm still getting "user name or password is 
> incorrect" from the client?
> 
> Kind Regards,
> Tom
> 
> On Mon, Apr 5, 2010 at 2:42 PM, Douglas E. Engert <deengert at anl.gov> wrote:
> 
>     Tom Medhurst wrote:
> 
>         Hi Guys,
>         I'm trying to get 2 Windows Clients (1x Windows XP Pro SP3, 1x Windows
>         7 Enterprise) configured so they logon via Kerberos 5-1.8 (Arch Linux
>         Server, Kerberos 5 build from source), and I'm soooo close I can smell
>         it! but...
> 
>         When I login I get the error message:
> 
>         "The username or password is incorrect" on the Windows client.
> 
>         The log file krb5kdc.log shows the following for each attempt:
> 
>         "dc1 krb5kdc[5372](info): AS_REQ (6 etypes {18 17 23 24 -135 3})
>         10.0.0.3: ISSUE: authtime 1270166763, etypes
>         {rep=23 tkt=16 ses=23},
>         tom at TNET.LOC for krbtgt/TNET.LOC at TNET.LOC
>         dc1 krb5kdc[5372](info): TGS_REQ (5 etypes {18 17 23 24 -135})
>         10.0.0.3: ISSUE: authtime 1270166763, etypes
>         {rep=23 tkt16 ses23},
>         tom at TNET.LOC for host/wdesk3.tnet.loc at TNET.LOC"
> 
>         Is there an error hidden somewhere in this krb5kdc.log output? Or
>         should I be looking elsewhere?
>         I have done the following:
>         Synced the time with an ntp server (on the same box) using w32tm
>         /config ...
> 
> 
>         Added this machine to the list of hosts (via
>         /usr/local/sbin/kadmin.local):
>         kadmin.local> ank -e rc4-hmac:normal -policy host/wdesk3.tnet.loc
>         kadmin.local> ktadd -k /usr/local/var/krb5kdc/kadm5.keytab
> 
> 
>     These last two don't look correct. I think you just added the client's
>     host principal (with a random password) to the keytab used by the KDC.
> 
>     You need to add the host to the KDC with a known password, then use the
>     ksetup /setcomputerpassword command with that known password, in effect
>     creating the Microsoft equivalent of a keytab on the client.
> 
> 
>         Added the Windows machine to the realm, added the kdc server, and
>         mapped the users:
> 
>             ksetup /addkdc TNET.LOC dc1.tnet.loc
>             ksetup /addkpasswd TNET.LOC dc1.tnet.loc
>             ksetup /setrealm TNET.LOC
> 
> 
>         REBOOT WINDOWS
> 
>             ksetup /mapuser * *
> 
>         I know that the Windows box is trying as every time I attempt to login
>         I get the same messages in the server's krb5kdc.log file.
>         Can anybody help me figure out what I've missed?
> 
>         Many Thanks,
>         Tom
>         ________________________________________________
>         Kerberos mailing list           Kerberos at mit.edu
>         https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
> 
>     -- 
> 
>      Douglas E. Engert  <DEEngert at anl.gov>
>      Argonne National Laboratory
>      9700 South Cass Avenue
>      Argonne, Illinois  60439
>      (630) 252-5444
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
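The point Douglas makes above (the KDC database and the Windows client must end up holding the same key, derived from one known password, and ktadd replaces the KDC's copy with a random one) can be modelled in a few lines. The following is an added example written for this page, not code from the thread, from MIT krb5 or from Microsoft. The rc4-hmac (etype 23, the etype the log shows in use) string-to-key really is MD4 over the UTF-16LE password, as specified in RFC 4757, and the MD4 below implements RFC 1320; the `kdc_*`, `windows_*` and `logon_succeeds` functions are a simplified model of what `addprinc -pw` (`ank` is an alias of `addprinc`), `ktadd` and `ksetup /setcomputerpassword` do to the two key stores, with HMAC-SHA1 standing in for the real ticket encryption. The principal and the password `MYPASSWORDHERE` are taken from the thread.

```python
"""Model of the shared secret between the KDC and a Windows client for
host/wdesk3.tnet.loc: a logon works only while both sides derive the same key.

Constructed example, not code from the thread. The rc4-hmac (etype 23)
string-to-key really is MD4 over the UTF-16LE password (RFC 4757); the
KDC/ktadd/client functions are a simplified model, not MIT krb5 or Windows code.
"""
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing under OpenSSL 3."""
    mask = 0xFFFFFFFF

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & mask

    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13], [(i % 4) * 4 + i // 4 for i in range(16)]),
        (h, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, const, shifts, order in rounds:
            for i in range(16):
                k, s = order[i], shifts[i % 4]
                if i % 4 == 0:
                    a = rotl((a + fn(b, c, d) + x[k] + const) & mask, s)
                elif i % 4 == 1:
                    d = rotl((d + fn(a, b, c) + x[k] + const) & mask, s)
                elif i % 4 == 2:
                    c = rotl((c + fn(d, a, b) + x[k] + const) & mask, s)
                else:
                    b = rotl((b + fn(c, d, a) + x[k] + const) & mask, s)
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def rc4_hmac_string_to_key(password: str) -> bytes:
    """etype 23 string-to-key: unsalted MD4 of the UTF-16LE password (RFC 4757, section 4)."""
    return md4(password.encode("utf-16le"))


# --- simplified model of the two key stores (assumption: not MIT krb5 or Windows code) ---

def kdc_addprinc_with_password(db: dict, principal: str, password: str) -> None:
    """Models 'addprinc -pw PASSWORD principal': the KDC derives the key from the
    password, stores key + kvno in the database, and discards the password."""
    db[principal] = {"kvno": 1, "key": rc4_hmac_string_to_key(password)}


def kdc_ktadd(db: dict, principal: str, keytab: dict) -> None:
    """Models 'ktadd': a fresh random key and a bumped kvno are written to both the
    database and the keytab, so a client holding the old password no longer matches."""
    entry = db[principal]
    entry["kvno"] += 1
    entry["key"] = os.urandom(16)
    keytab[principal] = dict(entry)


def windows_ksetup_setcomputerpassword(client: dict, password: str) -> None:
    """Models 'ksetup /setcomputerpassword': Windows keeps the password itself and
    derives the key from it whenever one is needed."""
    client["password"] = password


def kdc_issue_service_ticket(db: dict, principal: str, payload: bytes) -> tuple:
    """Stand-in for the TGS_REQ in the log: the host ticket is protected under the key
    the KDC holds for the host principal (HMAC-SHA1 replaces the real encryption)."""
    entry = db[principal]
    return entry["kvno"], payload, hmac.new(entry["key"], payload, hashlib.sha1).digest()


def windows_accept_ticket(client: dict, ticket: tuple) -> bool:
    """The client re-derives its key from the stored password and checks the ticket.
    A mismatch here is what surfaces as 'The username or password is incorrect'."""
    _kvno, payload, tag = ticket
    key = rc4_hmac_string_to_key(client["password"])
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha1).digest(), tag)


def logon_succeeds(do_ktadd: bool) -> bool:
    """Run the thread's sequence once; True only while KDC and client keys agree."""
    principal = "host/wdesk3.tnet.loc@TNET.LOC"
    password = "MYPASSWORDHERE"  # the known password from the thread (constructed value there too)
    db, keytab, client = {}, {}, {}
    kdc_addprinc_with_password(db, principal, password)
    windows_ksetup_setcomputerpassword(client, password)
    if do_ktadd:  # the extra step Douglas says not to do
        kdc_ktadd(db, principal, keytab)
    ticket = kdc_issue_service_ticket(db, principal, b"tom@TNET.LOC for " + principal.encode())
    return windows_accept_ticket(client, ticket)


if __name__ == "__main__":
    print("known password on both sides:", logon_succeeds(do_ktadd=False))  # True
    print("after ktadd rekeyed the host: ", logon_succeeds(do_ktadd=True))   # False
```

Running it shows the first scenario succeeding and the second failing, which is exactly the symptom in the thread: the KDC log reports ISSUE for both requests because the KDC is happy with its own database, while the client cannot use the host ticket because its password no longer corresponds to the key the KDC holds. The kvno carried in the ticket tuple is the one field a real client could use to spot this: a kvno higher than the one it expects means the principal was re-keyed on the KDC side.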


