problem with the cross-realm, any help?

Douglas E. Engert deengert at anl.gov
Fri Aug 27 11:50:42 EDT 2010



On 8/26/2010 9:18 AM, c f wrote:
> Hi,
>
> I've recreated the domain trust, and rejoined my Windows 7 box to the AD to
> make a clean test.
>
> On both the AD and the Win7 box, "ksetup /dumpstate" shows:
> default realm = ad.mydomain.com
> MYDOMAIN.COM:
>      kdc=mitkdc.mydomain.com
>      realm flags = 0x0 no realm flags
> Mapping all users to a local account by the same name
>
> When I try to log in with "user at MYDOMAIN.COM" (MYDOMAIN.COM is the mit
> realm), I get the error message "there are currently no logon servers
> available to service the logon request". But it works well if I just want to
> log onto the AD domain with an AD account and password.
>
> Wireshark shows more traffic than last time:
>> source: w7,  destination: mit kdc, info : as-req:
>> source: mit kdc,  destination: w7, info : as-rep
>> source: w7,  destination: mit kdc, info : tgs-req:
>      realm: mit realm
>      server name: krbtgt/ad domain
>> source: mit kdc,  destination: w7, info : tgs-rep:
>      client realm: ad domain, client name: user4test
>      ticket realm: mit realm
>      server name: krbtgt/ad domain


OK, you got a cross realm TGT, but that does not mean it will work.
Look at the Wireshark output for this packet at the enc-part and Ticket
enc-part to see what Encryption types and Kvnos are used.


>> source: w7,  destination: ad, info : tgs-req:
>       realm: ad domain
>      server name: host/w7

W7 is trying to use the cross realm TGT to get a service ticket
for itself, as expected. So it must like the session key.

>> source: ad,  destination: w7, info : KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP
>      error code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
>      realm: ad domain
>      server name: host/w7

>
> It seems to me that there are still problems with the encryption type.

Based on the error message, AD does not like one or both of these either
because it does not support it (3DES) or it thinks the W7 does not support it.

The main difference is Windows has no support for 3DES, and both newer
MIT and Windows turn off DES by default.


> However, I've followed the suggestions of Ross to enable aes. And I think
> most parts of the enctypes are already enabled by default.
>
> In the kdc.conf on mit kdc, I've set:
>   supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 rc4-mac:normal aes256-cts:normal

You should not need to use the supported_enctypes.

>
> Do I need to set "default_enctypes; default_tkt_enctypes;
> default_tgt_enctypes; permitted_enctypes" in the "krb5.conf" file? When I
> check some documents on line, not all of them have this configuration.

I would try without these.

>
> Thanks in advance.
>
> regards,
> Claudia
>
>
> _____________________________________________________________________
>
>
> On Wed, Aug 25, 2010 at 4:22 PM, Douglas E. Engert<deengert at anl.gov>  wrote:
>
>>
>>
>> On 8/25/2010 4:46 AM, c f wrote:
>>> Hi Ross,
>>>
>>> On Tue, Aug 24, 2010 at 5:39 PM, Wilper, Ross A<rwilper at stanford.edu>
>>> wrote:
>>>
>>>> You mention allowing the DES enctypes on the Windows 7 box? Is that the
>>>> only common enctype available between the MIT realm and Windows?
>>>> (AES256, AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC)
>>>>
>>> I have all these enctypes enabled in fact.
>>>
>>>
>>>> If so, you will need to have DES enabled on the domain controller also.
>>>> This is most easily done (for all machines) using a group policy
>>>>
>>>
>>>> "Network Security: Configure Encryption types allowed for Kerberos"
>>>>
>>>
>>> I have not found this group policy in a Windows Server 2008.
>>>
>>>
>>>
>>>> Outbound trust should be the correct direction
>>>> It appears that you have altSecurityIdentities set on the domain user
>>>> account
>>>> Check the time on the DCs too.
>>>>
>>>
>>> Yes I linked every AD user to a MIT Kerberos principal manually, by the
>>> "name mapping" settings in AD. I think that's what you mean by
>>> altSecurityIdentities. (I'm still new in this domain.)
>>>
>>> I have a ntp server, and I've checked the time on all the servers and
>>> clients.
>>>
>>> Nothing works so far.
>>> With Wireshark on the windows 7 box, I've got some traffic:
>>> source: windows 7 box,  destination: mit kdc, info : as-req
>>> source: mit kdc,  destination: windows 7 box, info : as-rep
>>> source: windows 7 box,  destination: mit kdc, info : tgs-req
>>> source: mit kdc,  destination: windows 7 box, info : tgs-rep
>>
>> Can you look at the Wireshark tgs-req and tgs-rep and see what service
>> principal the workstation is requesting?
>>
>> If it's for host/<w7 workstation>@<mit realm> the W7 workstation thinks
>> it is a member of the MIT realm, and not joined to the AD domain.
>>
>> If it's for krbtgt/<ad domain>@<mit realm> then it's a cross realm
>> ticket, and there is something else going on.
>>
>> With the cross realm, the W7 workstation needs to be joined to the AD
>> domain, and the user is in the MIT realm.
>>
>> When you try to login, do you specify user@<mit realm>?
>>
>> What is the output of ksetup /dumpstate? With all your testing it
>> might be in a strange state.
>>
>>
>>
>>>
>>> I don't see any traffic between my windows 7 box and the active
>>> directory.
>>> That seems not so normal.
>>>
>>> Thanks.
>>>
>>> Claudia
>>>
>>>
>>>>
>>>> -Ross
>>>>
>>>> -----Original Message-----
>>>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
>>>> Behalf Of c f
>>>> Sent: Tuesday, August 24, 2010 3:06 AM
>>>> To: kerberos at mit.edu
>>>> Subject: problem with the cross-realm, any help?
>>>>
>>>> Hello,
>>>>
>>>> I need some help with the cross-realm.
>>>>
>>>> I have a MIT KDC, an Active Directory on Windows Server 2008 Enterprise,
>>>> and a Windows 7 (in the windows domain) as a client for test.
>>>> What I want to do is: to log onto Windows 7 with the MIT kerberos
>>>> accounts.
>>>>
>>>> I've created and configured:
>>>> -- on MIT kdc, adding the "krbtgt/AD.MYDOMAIN.COM at MYDOMAIN.COM" and
>>>> "krbtgt/MYDOMAIN.COM at AD.MYDOMAIN.COM" principals;
>>>> -- on Windows 2008, creating the trust relationship with the MIT kdc
>>>> (Direct Outbound)
>>>> -- on both Windows 7 and Windows server 2008, using "ksetup /addRealm
>>>> ......" to add the mit kerberos realm;
>>>> -- on Windows 7, enabling the DES encryption, but not on the 2008
>>>> server, as I could not find a way to do that;
>>>> -- on Windows server 2008, create the same users as in MIT kdc, and
>>>> mapping them to MIT kerberos principals;
>>>>
>>>> The problem is, I cannot log onto Windows 7 by using the Mit kerberos's
>>>> username and password.
>>>> I've got these 2 types of error messages : sometimes "user name and
>>>> password is incorrect", and sometimes "the trust relationship between
>>>> this workstation and the primary domain failed".
>>>> On Mit kdc's log file, there is the message
>>>> "mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3
>>>> 1 24 -135}) ...: ISSUE: authtime 1282578442, etypes {rep=23 tkt=16 ses=23},
>>>> userfotest at MYDOMAIN.COM for krbtgt/AD.MYDOMAIN.COM at MYDOMAIN.COM".
>>>> And in Active Directory I see nothing wrong, nor on the Windows 7.
>>>>
>>>> However, if I don't add my windows 7 into Active Directory, but the Mit
>>>> Kerberos Domain, everything works. I can authenticate the standalone
>>>> workstation (Windows 7) against Mit Kerberos without problem (by activating
>>>> the guest account on Windows 7, and mapping * to the guest account).
>>>>
>>>> I've been blocked for weeks on this. Does anyone have any ideas to help
>>>> me?
>>>>
>>>> Thank you!
>>>>
>>>> Claudia
>>>> ________________________________________________
>>>> Kerberos mailing list           Kerberos at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>
>>>
>>
>>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
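An added example, not code from the thread or from MIT krb5: a small Python script that does the check Doug asks for, on the log side. It parses krb5kdc ISSUE lines like the one Claudia posted, maps the rep/tkt/ses etype numbers to names, and flags any ticket or session key type that the Windows side cannot use, taking the Windows enctype list from Ross's message (AES256, AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC, so no 3DES) and warning on DES because both sides disable it by default. It also parses a kdc.conf supported_enctypes value and reports entries Windows cannot use. The log lines and the kdc.conf value are constructed from the thread (with "@" restored in principal names, and a second healthy AES line added for contrast); the Microsoft-private labelling of negative etype numbers, the number 8 for des-hmac-sha1, and treating the first supported_enctypes entry as the key type the KDC prefers for the ticket (it agrees with tkt=16 in the log, but is an assumption about that MIT version) are mine, not something the thread states.

```python
"""Check enctypes in MIT krb5kdc ISSUE lines and in a kdc.conf
supported_enctypes value against what a Windows peer can use."""
import re

# Assigned enctype numbers (RFC 3961, RFC 4120, RFC 4757).  Negative numbers
# are Microsoft-private/unassigned and are reported as such, not named.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 8: "des-hmac-sha1",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# MIT kdc.conf / krb5.conf spellings (with aliases) for the numbers above.
NAME_TO_ETYPE = {
    "des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3, "des-hmac-sha1": 8,
    "des3-cbc-sha1": 16, "des3-hmac-sha1": 16, "des3-cbc-sha1-kd": 16,
    "aes128-cts": 17, "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts": 18, "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac": 23, "arcfour-hmac-md5": 23, "rc4-hmac": 23,
    "arcfour-hmac-exp": 24, "rc4-hmac-exp": 24,
}
# The Windows list from Ross's message: AES256, AES128, RC4_HMAC,
# DES_CBC_MD5, DES_CBC_CRC.  3DES (16) is not in it, which is Doug's point.
WINDOWS_ETYPES = {18, 17, 23, 3, 1}
DES_ETYPES = {1, 2, 3, 8}   # off by default on newer MIT and on Windows

ISSUE_RE = re.compile(
    r"(AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\).*?ISSUE: "
    r"authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\}, (?P<client>\S+) for (?P<server>\S+)")


def etype_name(e):
    if e < 0:
        return "microsoft-private(%d)" % e      # assumption: MS-private range
    return ETYPE_NAMES.get(e, "unknown(%d)" % e)


def parse_issue(line):
    """Parse one krb5kdc ISSUE line; None for any other log line."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    return {"offered": [int(x) for x in m.group("offered").split()],
            "rep": int(m.group("rep")), "tkt": int(m.group("tkt")),
            "ses": int(m.group("ses")),
            "client": m.group("client"), "server": m.group("server")}


def check_issue(rec):
    """Findings for one record, seen from the Windows side that has to
    decrypt the ticket (AD, for krbtgt/AD@MIT) or use the session key."""
    findings = []
    for field in ("tkt", "ses"):
        e = rec[field]
        if e not in WINDOWS_ETYPES:
            findings.append("%s etype %d (%s) is not in the Windows enctype "
                            "set; AD cannot use it for %s"
                            % (field, e, etype_name(e), rec["server"]))
        elif e in DES_ETYPES:
            findings.append("%s etype %d (%s) is DES, disabled by default "
                            "on both sides" % (field, e, etype_name(e)))
    private = [e for e in rec["offered"] if e < 0]
    if private:
        findings.append("client offered Microsoft-private etypes %s; the "
                        "MIT KDC will never pick them" % private)
    return findings


def audit(lines):
    """[(server principal, findings)] for every ISSUE line in the log."""
    recs = [parse_issue(line) for line in lines]
    return [(r["server"], check_issue(r)) for r in recs if r is not None]


def parse_supported_enctypes(value):
    """Split a supported_enctypes value into (name, salt, etype-or-None)."""
    out = []
    for item in value.split():
        name, _, salt = item.partition(":")
        out.append((name, salt or "normal", NAME_TO_ETYPE.get(name)))
    return out


def check_supported_enctypes(value):
    """(findings, Windows-usable names).  Assumption: the first entry is the
    key type the KDC prefers for the ticket; confirm the real key list with
    kadmin getprinc on the cross-realm krbtgt principal."""
    entries = parse_supported_enctypes(value)
    findings = []
    if entries and entries[0][2] not in WINDOWS_ETYPES:
        findings.append("first entry %s is not Windows-usable; a krbtgt keyed "
                        "from this list gets it as its first key" % entries[0][0])
    findings += ["unrecognised enctype name %r" % n for n, _, e in entries if e is None]
    usable = list(dict.fromkeys(n for n, _, e in entries if e in WINDOWS_ETYPES))
    return findings, usable


# Constructed sample: Claudia's ISSUE line ("@" restored, "..." kept for the
# elided client address), a healthy AES issue for contrast, a non-ISSUE line.
SAMPLE_LOG = [
    "mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3 1 24 "
    "-135}) ...: ISSUE: authtime 1282578442, etypes {rep=23 tkt=16 ses=23}, "
    "userfotest@MYDOMAIN.COM for krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM",
    "mitkdc.mydomain.com krb5kdc[6735](info): TGS_REQ (4 etypes {18 17 23 3}) "
    "...: ISSUE: authtime 1282578442, etypes {rep=18 tkt=18 ses=18}, "
    "userfotest@MYDOMAIN.COM for host/app.mydomain.com@MYDOMAIN.COM",
    "mitkdc.mydomain.com krb5kdc[6735](info): closing down fd 12",
]
# Claudia's kdc.conf value, joined onto one line.
SAMPLE_KDC_CONF = ("des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal "
                   "des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 "
                   "des-cbc-crc:afs3 rc4-mac:normal aes256-cts:normal")

if __name__ == "__main__":
    for server, findings in audit(SAMPLE_LOG):
        print(server, "->", findings or ["no enctype problem"])
    print("kdc.conf ->", check_supported_enctypes(SAMPLE_KDC_CONF))
```

Run against a real krb5kdc.log (one line per `parse_issue`) and any cross-realm krbtgt issue with a tkt or ses outside the Windows set is the one to look at first; the same numbers appear in Wireshark's enc-part etype fields if you prefer to read them off the wire as Doug suggests.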


