problem with the cross-realm, any help?
Robert Wehn
robert.wehn at rz.uni-augsburg.de
Wed Sep 1 06:15:40 EDT 2010
Dear Claudia,
we have just tested a similar environment.
As Douglas points out the encryption types might be the problem.
To solve this you should try the following:
Windows only supports these enctypes:
aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
rc4-hmac:normal des-cbc-crc:normal des-cbc-md5:normal
(all written in krb5.conf/MIT nomenclature
<http://dict.leo.org/ende?lp=ende&p=wLMDfwkAA&search=nomenclature&trestr=0x8001>)
-> the des-cbc-XXX types are insecure and disabled in Server 2008 (R2)
and MIT Kerberos by default
-> the aes types are only supported by Server 2008, Server 2008 R2,
Vista, Win7, not in Server 2003/XP or older
=> for testing rc4-hmac:normal is the easiest solution as supported in
all versions from Win2000 to Win2008R2
In our testing environment we use
-> kdc.conf:
supported_enctypes = aes256-cts-hmac-sha1-96:normal
aes128-cts-hmac-sha1-96:normal rc4-hmac:normal
but as Douglas pointed out that might be unnecessary
-> krb5.conf
default_tgs_enctypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 rc4-hmac
default_tkt_enctypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 rc4-hmac
-> Server 2008 R2 as DC and Domain/Forest functional level
-> WinXp and Win7 Clients
When you need 3des types for some reason (Unix-based services where you
have no choice) or don't know how to get it out of MIT Kerberos without
starting from the beginning, you have to be careful what you do when
creating the cross-realm principal in MIT.
It should help best to tell kadmin.local exactly what to use when
creating the cross-realm principals:
kadmin.local:> addprinc -requires_preauth -e "rc4-hmac:normal" krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM
gives you only the rc4-hmac principal, which should work with any
Windows AD functional level or server version
kadmin.local:> addprinc -requires_preauth -e "aes256-cts-hmac-sha1-96:normal" krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM
is best if you never plan to use any DC older than Windows 2008
If MIT needs to trust AD (which means any MIT-based UNIX service needs
to be accessible by an AD user using his AD password; for normal
pass-through authentication this is not necessary):
kadmin.local:> addprinc -requires_preauth -e "aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal rc4-hmac:normal" krbtgt/MYDOMAIN.COM@AD.MYDOMAIN.COM
(here I use all enctypes Server 2008 might think are a good idea to use
for tickets used by the MIT TGT)
To see what you have done up to now (maybe the non-working 3des in the
principal) try this:
kadmin.local:> get_principal krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM
It shows you everything concerning the principal, especially the enctypes used.
The rest of the story:
- On the Windows machine, "on both Windows 7 and Windows Server 2008,
using "ksetup /addRealm ......" is the right thing to do..."
- be careful with DNS names (especially reverse lookup) and host-to-realm
mappings, which can help you cause or solve
problems -- it cost us some days to figure that out in the end ;-)
After being able to log in as user@MYDOMAIN.COM on an
AD.MYDOMAIN.COM-integrated workstation, using services on a second
computer (a simple SMB file share, for example) is the next step...
++Robert
On 27.08.2010 17:50, Douglas E. Engert wrote:
>
>> It seems to me that there are still problems with the encryption type.
> Based on the error message, AD does not like one or both of these either
> because it does not support it (3DES) or it thinks the W7 does not support it.
>
> The main difference is Windows has no support for 3DES, and both newer
> MIT and Windows turn off DES by default.
>
>
>> However, I've followed the suggestions of Ross to enable aes. And I think
>> most parts of the enctypes are already enabled by default.
>>
>> In the kdc.conf on the MIT KDC, I've set:
>> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
>> des-cbc-crc:afs3 rc4-mac:normal aes256-cts:normal
> You should not need to use the supported_enctypes.
>
>> Do I need to set "default_enctypes; default_tkt_enctypes;
>> default_tgt_enctypes; permitted_enctypes" in the "krb5.conf" file? When I
>> check some documents online, not all of them have this configuration.
> I would try without these.
>
--
Dr. Robert Wehn _ __ _´-`_ robert.wehn at rz.uni-augsburg.de
Rechenzentrum | | | \| | | \ www.rz.uni-augsburg.de
Universitätsstraße 8 | |_| \ \ | | ` \ Tel: +49 821 598-2047
86159 Augsburg, Germany \___/ \__| |_/\_\ Fax: +49 821 598-2028
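Added example, not code from the thread or from MIT Kerberos: a small checker for the "see what you have done up to now" step. It parses the "Key: vno N, <enctype>, <salt>" lines that `kadmin.local get_principal` prints (that line layout is assumed from MIT kadmin output of the period), folds MIT's enctype aliases (arcfour-hmac, des3-hmac-sha1, aes256-cts) to one canonical name, and classifies each key with the rules stated in the thread: rc4-hmac works with every Windows version from 2000 to 2008 R2, AES only with Vista/Win7 and Server 2008 (R2), single DES is insecure and disabled by default on both sides, and Windows has no 3DES at all. The two get_principal outputs embedded below are constructed samples, not captures from a real KDC.

```python
"""Classify the enctypes on an MIT cross-realm principal by Windows/AD
compatibility. Added example; the key-line layout and the compatibility
rules come from the thread, the sample outputs are constructed."""
import re

# MIT accepts several aliases for one enctype; fold them to one name so
# "arcfour-hmac" in a config and "rc4-hmac" in kadmin output compare equal.
ALIASES = {
    "arcfour-hmac": "rc4-hmac",
    "arcfour-hmac-md5": "rc4-hmac",
    "rc4-hmac-md5": "rc4-hmac",
    "des3-hmac-sha1": "des3-cbc-sha1",
    "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
}

ANY_WINDOWS = {"rc4-hmac"}                        # Win2000 .. Server 2008 R2
WINDOWS_2008_PLUS = {"aes256-cts-hmac-sha1-96",   # Vista/Win7, Server 2008 (R2)
                     "aes128-cts-hmac-sha1-96"}
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1"}
NO_WINDOWS_SUPPORT = {"des3-cbc-sha1"}            # Windows has no 3DES

# Assumed kadmin line layout: "Key: vno 1, des3-cbc-sha1, no salt"
KEY_LINE = re.compile(r"^Key:\s*vno\s+(\d+),\s*([A-Za-z0-9-]+)")


def canonical(enctype):
    """Map any MIT alias to the canonical enctype name (lower-cased)."""
    name = enctype.strip().lower()
    return ALIASES.get(name, name)


def parse_key_enctypes(get_principal_output):
    """Return [(kvno, enctype), ...] for every key line in kadmin output."""
    keys = []
    for line in get_principal_output.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), canonical(m.group(2))))
    return keys


def classify(enctype):
    """One verdict per enctype, following the thread's compatibility notes."""
    enctype = canonical(enctype)
    if enctype in ANY_WINDOWS:
        return "ok: any Windows version (2000 .. 2008 R2)"
    if enctype in WINDOWS_2008_PLUS:
        return "ok: Vista/Win7 and Server 2008 (R2) only"
    if enctype in SINGLE_DES:
        return "insecure: single DES, disabled by default on Windows and MIT"
    if enctype in NO_WINDOWS_SUPPORT:
        return "unsupported: Windows has no 3DES"
    return "unknown: not covered by the thread"


def report(get_principal_output):
    """Map each enctype found on the principal to its verdict."""
    return {enc: classify(enc) for _, enc in parse_key_enctypes(get_principal_output)}


def usable_enctypes(get_principal_output, windows_generation="2003"):
    """Enctypes on the principal the given Windows side can use, in order of
    appearance, duplicates (several kvnos) dropped. windows_generation is
    "2003" (also XP and older) or "2008" (Vista/Win7, Server 2008 and R2).
    DES is left out as disabled by default, 3DES because Windows lacks it."""
    allowed = set(ANY_WINDOWS)
    if windows_generation == "2008":
        allowed |= WINDOWS_2008_PLUS
    seen, out = set(), []
    for _, enc in parse_key_enctypes(get_principal_output):
        if enc in allowed and enc not in seen:
            seen.add(enc)
            out.append(enc)
    return out


# Constructed sample: a principal created with 3DES, RC4 and single DES keys.
SAMPLE_MIXED = """\
Principal: krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM
Number of keys: 3
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des-cbc-crc, no salt
Attributes: REQUIRES_PRE_AUTH
"""

# Constructed sample: the AES + RC4 principal the thread recommends.
SAMPLE_AES_RC4 = """\
Principal: krbtgt/MYDOMAIN.COM@AD.MYDOMAIN.COM
Number of keys: 3
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
Key: vno 2, rc4-hmac, no salt
Attributes: REQUIRES_PRE_AUTH
"""

if __name__ == "__main__":
    for label, sample in (("mixed", SAMPLE_MIXED), ("aes+rc4", SAMPLE_AES_RC4)):
        print(f"== {label} ==")
        for enc, verdict in report(sample).items():
            print(f"  {enc:26s} {verdict}")
        print("  usable with Server 2003/XP  :", usable_enctypes(sample, "2003"))
        print("  usable with Server 2008/Win7:", usable_enctypes(sample, "2008"))
```

To check a real principal, feed the text of `kadmin.local -q "get_principal krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM"` to `report()`: a principal whose only keys come back as "unsupported" or "insecure" for the Windows generation you run is the situation the thread describes, and the fix is the explicit `-e` list on `addprinc`.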