Is it possible to authenticate Windows clients against MIT Kerberos (no AD)?
Cosimo La Torre
latorrecosimo80 at gmail.com
Fri Apr 1 08:21:41 EDT 2011
Hi folks,
I have been trying to configure a WinXP client to authenticate against MIT
Kerberos V with no success (linux clients all work fine)...
I would be very grateful if anyone can help me. I have used ksetup.exe on
the windows clients to configure REALM, KDC and so on.
This is what I have configured so far:
========================== kdc.conf ===============================
[root at centos]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
database_name = /var/kerberos/krb5kdc/principal
master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/krb5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
default_principal_flags = -preauth
}
=========================
[root at centos]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: listprincs
K/M@EXAMPLE.COM
user@EXAMPLE.COM
host/winxp.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
root/admin@EXAMPLE.COM
============================ named.conf =============================
centos IN A 172.24.16.97
winxp IN A 172.24.16.135
_ldap._tcp. IN SRV 0 0 389 centos
_ldap._tcp.dc._msdcs IN SRV 0 0 389 centos
_kerberos._tcp IN SRV 0 0 88 centos
_kerberos._tcp.dc._msdcs IN SRV 0 0 88 centos
_kerberos._udp IN SRV 0 0 88 centos
_kerberos._udp.dc._msdcs IN SRV 0 0 88 centos
kerberos IN CNAME centos
******FORWARD AND REVERSE LOOKUP WORK FINE*******
======================= ksetup (WindowsXP) =======================
C:\Documents and Settings\Administrator>hostname
winxp
C:\Documents and Settings\Administrator>ksetup
default realm = EXAMPLE.COM (external)
EXAMPLE.COM:
kdc = centos.example.com
Realm Flags = 0xf SendAddress TcpSupported Delegate NcSupported
Mapping user@EXAMPLE.COM to guest.
======================= FAILED WINDOWS LOGIN ==========================
Apr 01 13:16:33 laptop61a krb5kdc[6812](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.24.16.136: ISSUE: authtime 1301660193, etypes {rep=23 tkt=16 ses=23}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Apr 01 13:16:33 laptop61a krb5kdc[6812](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.24.16.136: ISSUE: authtime 1301660193, etypes {rep=23 tkt=16 ses=23}, user@EXAMPLE.COM for host/winxp.example.com@EXAMPLE.COM
No logs found in MS Event Viewer
========================== LINUX CLIENT IS FINE ==============================
user@linuxclient:~$ kinit user
Password for user@EXAMPLE.COM:
user@linuxclient:~$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM
Valid starting       Expires              Service principal
04/01/11 13:10:45    04/02/11 13:10:45    krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 04/01/11 13:10:45, Flags: FPRI
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
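A check worth running over the krb5kdc lines quoted in the post, added here as an example and not part of the original message: parse the ISSUE entries, recover the enctypes the client offered and the ones the KDC used, and flag host/ service tickets whose ticket enctype the requesting workstation never offered (a workstation must decrypt its own host/ ticket at logon). The two log lines are embedded as a constructed sample (joined onto single lines, with "@" restored); enctype names follow RFC 3961/4120, and negative numbers are Windows vendor-private values.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two KDC log lines from the post, joined onto single
# lines, with '@' restored where the list archive printed " at ".
SAMPLE_LOG = """\
Apr 01 13:16:33 laptop61a krb5kdc[6812](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.24.16.136: ISSUE: authtime 1301660193, etypes {rep=23 tkt=16 ses=23}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Apr 01 13:16:33 laptop61a krb5kdc[6812](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.24.16.136: ISSUE: authtime 1301660193, etypes {rep=23 tkt=16 ses=23}, user@EXAMPLE.COM for host/winxp.example.com@EXAMPLE.COM
"""

# RFC 3961/4120 enctype numbers; negative values are vendor-private (Windows).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "arcfour-hmac", 24: "arcfour-hmac-exp"}

# Shape of an MIT krb5kdc ISSUE line as shown in the post.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[-\d ]+)\}\) (?P<addr>[\d.]+): ISSUE: "
    r"authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\}, (?P<client>\S+) for (?P<service>\S+)"
)

@dataclass
class Issue:
    kind: str            # AS_REQ or TGS_REQ
    client: str          # requesting principal
    service: str         # principal the ticket was issued for
    offered: tuple       # enctypes the client listed in its request
    rep: int             # enctype of the reply (client's key)
    tkt: int             # enctype of the ticket (service's key)
    ses: int             # session key enctype

def parse_kdc_log(text):
    """Return one Issue per ISSUE line; other lines are ignored."""
    issues = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            offered = tuple(int(x) for x in m["offered"].split())
            issues.append(Issue(m["kind"], m["client"], m["service"], offered,
                                int(m["rep"]), int(m["tkt"]), int(m["ses"])))
    return issues

def etype_name(n):
    return ETYPE_NAMES.get(n, "vendor-private" if n < 0 else "unknown")

def find_undecryptable_host_tickets(issues):
    """host/ service tickets whose ticket enctype the requester never offered.
    The KDC picks tkt from the service's keys, so an ordinary service ticket may
    legitimately use an enctype the client lacks; a workstation's own host/
    ticket is the case where the client itself must be able to decrypt it."""
    return [(i.service, i.tkt, etype_name(i.tkt)) for i in issues
            if i.kind == "TGS_REQ" and i.service.startswith("host/")
            and i.tkt not in i.offered]
```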