problem with the cross-realm, any help?

c f claudiawhf at gmail.com
Thu Aug 26 10:18:46 EDT 2010


Hi,

I've recreated the domain trust, and rejoined my Windows 7 box to the AD to
make a clean test.

On both the AD and the Win7 box, "ksetup /dumpstate" shows:
default realm = ad.mydomain.com
MYDOMAIN.COM:
    kdc=mitkdc.mydomain.com
    realm flags = 0x0 no realm flags
Mapping all users to a local account by the same name

When I try to log in with "user@MYDOMAIN.COM" (MYDOMAIN.COM is the MIT
realm), I get the error message "there are currently no logon servers
available to service the logon request". But it works well if I just want to
log onto the AD domain with an AD account and password.

Wireshark shows more traffic than last time:
> source: w7,  destination: mit kdc, info : as-req
> source: mit kdc,  destination: w7, info : as-rep
> source: w7,  destination: mit kdc, info : tgs-req:
    realm: mit realm
    server name: krbtgt/ad domain
> source: mit kdc,  destination: w7, info : tgs-rep:
    client realm: ad domain, client name: user4test
    ticket realm: mit realm
    server name: krbtgt/ad domain
> source: w7,  destination: ad, info : tgs-req:
    realm: ad domain
    server name: host/w7
> source: ad,  destination: w7, info : KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP
    error code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
    realm: ad domain
    server name: host/w7

It seems to me that there are still problems with the encryption type.
However, I've followed the suggestions of Ross to enable AES. And I think
most of the enctypes are already enabled by default.

In the kdc.conf on the MIT kdc, I've set:
 supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 rc4-mac:normal aes256-cts:normal

Do I need to set "default_enctypes; default_tkt_enctypes;
default_tgt_enctypes; permitted_enctypes" in the "krb5.conf" file? When I
check some documents online, not all of them have this configuration.

Thanks in advance.

regards,
Claudia


_____________________________________________________________________


On Wed, Aug 25, 2010 at 4:22 PM, Douglas E. Engert <deengert at anl.gov> wrote:

>
>
> On 8/25/2010 4:46 AM, c f wrote:
> > Hi Ross,
> >
> > On Tue, Aug 24, 2010 at 5:39 PM, Wilper, Ross A <rwilper at stanford.edu> wrote:
> >
> >> You mention allowing the DES enctypes on the Windows 7 box? Is that the
> >> only common enctype available between the MIT realm and Windows? (AES256,
> >> AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC)
> >>
> > I have all these enctypes enabled in fact.
> >
> >
> >> If so, you will need to have DES enabled on the domain controller also.
> >> This is most easily done (for all machines) using a group policy
> >>
> >
> >> "Network Security: Configure Encryption types allowed for Kerberos"
> >>
> >
> > I have not found this group policy in a Windows Server 2008.
> >
> >
> >
> >> Outbound trust should be the correct direction
> >> It appears that you have altSecurityIdentities set on the domain user
> >> account
> >> Check the time on the DCs too.
> >>
> >
> > Yes, I linked every AD user to an MIT Kerberos principal manually, by the
> > "name mapping" settings in AD. I think that's what you mean by
> > altSecurityIdentities. (I'm still new in this domain.)
> >
> > I have an NTP server, and I've checked the time on all the servers and
> > clients.
> >
> > Nothing works so far.
> > With Wireshark on the Windows 7 box, I've got some traffic:
> > source: windows 7 box,  destination: mit kdc, info : as-req
> > source: mit kdc,  destination: windows 7 box, info : as-rep
> > source: windows 7 box,  destination: mit kdc, info : tgs-req
> > source: mit kdc,  destination: windows 7 box, info : tgs-rep
>
> Can you look at the Wireshark tgs-req and tgs-rep and see what service
> principal the workstation is requesting?
>
> If it's for host/<w7 workstation>@<mit realm> the W7 workstation thinks
> it is a member of the MIT realm, and not joined to the AD domain.
>
> If it's for krbtgt/<ad domain>@<mit realm> then it's a cross-realm
> ticket, and there is something else going on.
>
> With the cross-realm, the W7 workstation needs to be joined to the AD
> domain, and the user is in the MIT realm.
>
> When you try to login, do you specify user@<mit realm>?
>
> What is the output of ksetup /dumpstate? With all your testing it
> might be in a strange state.
>
> >
> > I don't see any traffic between my windows 7 box and the active
> > directory. That seems not so normal.
> >
> > Thanks.
> >
> > Claudia
> >
> >
> >
> >>
> >> -Ross
> >>
> >> -----Original Message-----
> >> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> >> Behalf Of c f
> >> Sent: Tuesday, August 24, 2010 3:06 AM
> >> To: kerberos at mit.edu
> >> Subject: problem with the cross-realm, any help?
> >>
> >> Hello,
> >>
> >> I need some help with the cross-realm.
> >>
> >> I have an MIT KDC, an Active Directory on Windows Server 2008 Enterprise,
> >> and a Windows 7 (in the windows domain) as a client for test.
> >> What I want to do is: to log onto Windows 7 with the MIT Kerberos
> >> accounts.
> >>
> >> I've created and configured:
> >> -- on MIT kdc, adding the "krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM" and
> >> "krbtgt/MYDOMAIN.COM@AD.MYDOMAIN.COM" principals;
> >> -- on Windows 2008, creating the trust relationship with the MIT kdc
> >> (Direct Outbound);
> >> -- on both Windows 7 and Windows Server 2008, using "ksetup /addRealm
> >> ......" to add the MIT Kerberos realm;
> >> -- on Windows 7, enabling the DES encryption, but not on the 2008
> >> server, as I could not find a way to do that;
> >> -- on Windows Server 2008, creating the same users as in the MIT kdc, and
> >> mapping them to MIT Kerberos principals;
> >>
> >> The problem is, I cannot log onto Windows 7 by using the MIT Kerberos
> >> username and password.
> >> I've got these 2 types of error messages: sometimes "user name and
> >> password is incorrect", and sometimes "the trust relationship between this
> >> workstation and the primary domain failed".
> >> On the MIT kdc's log file, there is the message
> >> "mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3
> >> 1 24 -135}) ...: ISSUE:
> >> authtime 1282578442, etypes {rep=23 tkt=16 ses=23},
> >> userfotest@MYDOMAIN.COM for krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM".
> >> And in Active Directory, I see nothing wrong, neither on the Windows 7.
> >>
> >> However, if I don't add my Windows 7 into Active Directory, but the MIT
> >> Kerberos domain, everything works. I can authenticate the standalone
> >> workstation (Windows 7) against MIT Kerberos without problem (by activating
> >> the guest account on Windows 7, and mapping * to the guest account).
> >>
> >> I've been blocked for weeks on this. Does anyone have any ideas to help
> >> me?
> >>
> >> Thank you!
> >>
> >> Claudia
> >> ________________________________________________
> >> Kerberos mailing list           Kerberos at mit.edu
> >> https://mailman.mit.edu/mailman/listinfo/kerberos
> >>
> >
> >
>
> --
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
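Added example, not code from this thread, from MIT krb5 or from Microsoft: the enctype negotiation behind the KRB5KDC_ERR_ETYPE_NOSUPP (14) reply discussed above, written out in Python. It parses a kdc.conf supported_enctypes line and a krb5kdc AS_REQ/ISSUE log line (both constructed here from the values quoted in the thread), intersects what the client offered with what the KDC supports, flags enctype spellings the parser does not know (the quoted configuration contains "rc4-mac", which is not a name MIT krb5 accepts), and checks that the cross-realm TGT's tkt= and ses= etypes are ones the trusting realm can handle, using the Windows enctype list Ross gives in his reply. ETYPE_NAMES, CONF_ALIASES, WEAK and WINDOWS_ETYPES are the example's own tables, and the vendor etype -135 from the log line is deliberately left as unknown.

```python
"""Enctype negotiation checks for an MIT KDC <-> Active Directory cross-realm
setup. Added example, not code from the thread, MIT krb5 or Microsoft.
Sample inputs are constructed from values quoted in the thread."""
import re

# RFC 3961/3962/4757 etype numbers with MIT names. Numbers not listed here
# (for example the vendor value -135 in the log line) are reported as unknown.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 8: "des-hmac-sha1",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac", 24: "arcfour-hmac-exp",
}
# Spellings accepted in kdc.conf/krb5.conf enctype lists -> etype number.
CONF_ALIASES = {
    "des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3, "des-hmac-sha1": 8,
    "des3-cbc-sha1": 16, "des3-hmac-sha1": 16, "des3-cbc-sha1-kd": 16,
    "aes128-cts-hmac-sha1-96": 17, "aes128-cts": 17,
    "aes256-cts-hmac-sha1-96": 18, "aes256-cts": 18,
    "arcfour-hmac": 23, "arcfour-hmac-md5": 23, "rc4-hmac": 23,
    "arcfour-hmac-exp": 24, "rc4-hmac-exp": 24,
}
WEAK = {1, 2, 3, 8, 23, 24}          # single-DES and RC4 families
WINDOWS_ETYPES = {18, 17, 23, 3, 1}  # AES256, AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC (Ross's list)

# Constructed samples: the thread's kdc.conf line re-joined after mail wrapping,
# and the thread's krb5kdc log line with the mailman "at" munging undone.
SAMPLE_KDC_CONF = """[realms]
    MYDOMAIN.COM = {
        supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 rc4-mac:normal aes256-cts:normal
    }
"""
SAMPLE_LOG = ("mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes "
              "{18 17 23 3 1 24 -135}) ...: ISSUE: authtime 1282578442, "
              "etypes {rep=23 tkt=16 ses=23}, userfotest@MYDOMAIN.COM for "
              "krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM")


def parse_supported_enctypes(conf_text):
    """Return (set of etype numbers, list of unrecognised names) from the
    supported_enctypes line. Tokens are 'enctype:salttype'; the salt type is
    stripped. Unknown names are returned rather than silently dropped."""
    m = re.search(r"supported_enctypes\s*=\s*([^\n]*)", conf_text)
    if not m:
        raise ValueError("no supported_enctypes setting found")
    known, unknown = set(), []
    for token in m.group(1).split():
        name = token.split(":", 1)[0].lower()
        if name in CONF_ALIASES:
            known.add(CONF_ALIASES[name])
        else:
            unknown.append(name)
    return known, unknown


def parse_request_etypes(log_line):
    """Etypes the client offered, in its preference order, from 'AS_REQ (N etypes {...})'."""
    m = re.search(r"AS_REQ \(\d+ etypes \{([-\d ]+)\}", log_line)
    if not m:
        raise ValueError("no AS_REQ etype list in log line")
    return [int(x) for x in m.group(1).split()]


def parse_issue_etypes(log_line):
    """The rep=/tkt=/ses= etypes the KDC chose, from the ISSUE part of the line."""
    m = re.search(r"ISSUE:.*?etypes \{([^}]*)\}", log_line)
    if not m:
        raise ValueError("no ISSUE etype list in log line")
    return {k: int(v) for k, v in re.findall(r"(\w+)=(-?\d+)", m.group(1))}


def negotiate(client_etypes, kdc_etypes):
    """Intersect the client's offer with the KDC's set. An empty intersection
    is exactly what a KDC reports as KRB5KDC_ERR_ETYPE_NOSUPP (14)."""
    common = [e for e in client_etypes if e in kdc_etypes]
    strong = [e for e in common if e not in WEAK]
    unknown = [e for e in client_etypes if e not in ETYPE_NAMES]
    if not common:
        verdict = "KRB5KDC_ERR_ETYPE_NOSUPP (14): no enctype in common"
    elif not strong:
        verdict = "negotiable, but only weak DES/RC4 enctypes in common"
    else:
        verdict = "ok: first strong enctype in common is " + ETYPE_NAMES[strong[0]]
    return {"common": common, "strong": strong, "unknown": unknown, "verdict": verdict}


def check_cross_realm_ticket(issue, peer_etypes):
    """A cross-realm TGT is decrypted by the trusting realm's KDC (tkt=) and its
    session key (ses=) is used towards that KDC, so both etypes must be ones the
    peer realm supports. Returns a list of problem descriptions."""
    problems = []
    for field in ("tkt", "ses"):
        e = issue.get(field)
        if e is not None and e not in peer_etypes:
            problems.append("%s etype %d (%s) is not supported by the peer realm"
                            % (field, e, ETYPE_NAMES.get(e, "unknown")))
    return problems


if __name__ == "__main__":
    kdc, bad_names = parse_supported_enctypes(SAMPLE_KDC_CONF)
    print("unrecognised enctype names in kdc.conf:", bad_names)
    print(negotiate(parse_request_etypes(SAMPLE_LOG), kdc)["verdict"])
    for p in check_cross_realm_ticket(parse_issue_etypes(SAMPLE_LOG), WINDOWS_ETYPES):
        print("cross-realm ticket problem:", p)
```

Run as a script it reports the three checks for the constructed samples; point parse_supported_enctypes at a real kdc.conf and the log parsers at real krb5kdc lines to repeat them. The intersection is what to compare first on any ETYPE_NOSUPP: the etypes offered in the request against the keys of the service principal on the KDC that sent the error, and for a cross-realm path, the tkt= and ses= etypes of the cross-realm TGT against what the trusting realm's KDC supports.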


