Kerberos cross-realm with AD
Jean-Yves Avenard
jyavenard at gmail.com
Mon Feb 7 00:15:43 EST 2011
Hi there.
Providing more information in the hope that someone will be able to help:
This is the process I've followed.
In Windows 2008 (MEL.DOMAIN.COM domain):
Started Active Directory Domains and Trusts.
Right-click on the domain name -> Properties. Select Trusts -> New Trust.
Entered M.DOMAIN.COM; made it two-way; non-transitive; typed the
password. Validated.
On the MIT KDC machine (M.DOMAIN.COM realm), in kadmin.local:
kadmin.local: ank +requires_preauth krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM
WARNING: no policy specified for krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM;
defaulting to no policy
Enter password for principal "krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM":
Re-enter password for principal "krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM":
Principal "krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM" created.
kadmin.local: ank +requires_preauth krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM
WARNING: no policy specified for krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM;
defaulting to no policy
Enter password for principal "krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM":
Re-enter password for principal "krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM":
Principal "krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM" created.
In the above, I used the same password (32 random characters) as I
used on the Windows 2008 server.
Edited /etc/krb5.conf on the KDC as follows:
[libdefaults]
    default_realm = M.DOMAIN.COM

[realms]
    M.DOMAIN.COM = {
        admin_server = m.domain.com
        kdc = m.domain.com
    }
    MEL.DOMAIN.COM = {
        admin_server = ad.domain.com
        kdc = ad.domain.com
    }

[domain_realm]
    domain.com = M.DOMAIN.COM
    .domain.com = M.DOMAIN.COM
    .m.domain.com = M.DOMAIN.COM
    .mel.domain.com = MEL.DOMAIN.COM

[capaths]
    # direct trust in both directions ("." = no intermediate realm)
    MEL.DOMAIN.COM = {
        M.DOMAIN.COM = .
    }
    M.DOMAIN.COM = {
        MEL.DOMAIN.COM = .
    }
---
On the web server using mod_auth_kerb:
I set /etc/krb5.conf as above.
People with a M.DOMAIN.COM ticket can connect fine, as that's what it
is configured for.
On my PC, I then got a ticket as jean-yves.avenard@MEL.DOMAIN.COM
and tried to connect to the web server; it fails, prompting me for a
username/password (it's set up to accept any user with the Kerberos
authtype).
On the KDC, in the log I see:
Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0, <unknown client> for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, Decrypt integrity check failed
Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0, <unknown client> for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, Decrypt integrity check failed
Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0, <unknown client> for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, Decrypt integrity check failed
Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0, <unknown client> for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, Decrypt integrity check failed
Which leads me to believe that there's an incorrect password set
somewhere... but which one?
I'm a tad puzzled about what's going on.
If someone could shed some light on it, it would be greatly appreciated.
Thank you,
Jean-Yves
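The following is an added example, not code from the post or from MIT Kerberos: a small lint for the cross-realm parts of a krb5.conf like the one above. It parses the [realms], [domain_realm] and [capaths] stanzas, reports realm names that are referenced but never defined (a misspelled realm in [capaths] is a common reason a trust that was set up correctly on both KDCs still does not work), checks that a direct ("." ) path in one direction has a direct path back, and lists the krbtgt principals that every KDC on both sides of a direct two-way trust must hold with matching keys. The sample config is constructed for this example, in the shape of the posted one, with a deliberately misspelled client realm in [capaths]; the parser assumes the plain profile syntax shown (no include directives).

```python
"""Lint the cross-realm parts of a krb5.conf.  Added example; not from the
original post or from the MIT krb5 project."""
import re
from collections import defaultdict

# Constructed sample in the shape of the posted config, with a deliberately
# misspelled client realm in [capaths] (MEL.DOMAIN.COM.COM).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = M.DOMAIN.COM
[realms]
    M.DOMAIN.COM = {
        admin_server = m.domain.com
        kdc = m.domain.com
    }
    MEL.DOMAIN.COM = {
        admin_server = ad.domain.com
        kdc = ad.domain.com
    }
[domain_realm]
    domain.com = M.DOMAIN.COM
    .domain.com = M.DOMAIN.COM
    .m.domain.com = M.DOMAIN.COM
    .mel.domain.com = MEL.DOMAIN.COM
[capaths]
    MEL.DOMAIN.COM.COM = {
        M.DOMAIN.COM = .
    }
    M.DOMAIN.COM = {
        MEL.DOMAIN.COM = .
    }
"""


def parse_krb5_conf(text):
    """Minimal parser for the profile syntax: [section], key = value,
    key = { ... } nesting and '#' comments.  No 'include' support (assumption)."""
    sections = defaultdict(dict)
    stack = []  # innermost open dict is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [sections[m.group(1)]]
            continue
        if not stack:
            continue  # text before the first section header
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip()
    return sections


def check_cross_realm(conf):
    """Return human-readable findings; an empty list means consistent."""
    findings = []
    realms = set(conf.get("realms", {}))
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] {domain} -> {realm}: realm not defined in [realms]")
    capaths = conf.get("capaths", {})
    for client_realm, paths in capaths.items():
        if not isinstance(paths, dict):
            continue
        if client_realm not in realms:
            findings.append(f"[capaths] client realm {client_realm}: not defined in [realms] (misspelled?)")
        for server_realm, hop in paths.items():
            if server_realm not in realms:
                findings.append(f"[capaths] {client_realm} -> {server_realm}: server realm not defined in [realms]")
            # A direct path one way with no direct path back is the usual
            # sign that one of the two stanzas carries a typo.
            if hop == "." and capaths.get(server_realm, {}).get(client_realm) != ".":
                findings.append(f"[capaths] {client_realm} -> {server_realm} is direct but "
                                f"{server_realm} -> {client_realm} is not")
    return findings


def direct_trust_principals(conf):
    """krbtgt principals implied by each direct [capaths] entry: a client in
    CLIENT_REALM presents krbtgt/SERVER_REALM@CLIENT_REALM to the server-realm
    KDC, so both KDCs must hold that principal with the same key."""
    principals = set()
    for client_realm, paths in conf.get("capaths", {}).items():
        if isinstance(paths, dict):
            for server_realm, hop in paths.items():
                if hop == ".":
                    principals.add(f"krbtgt/{server_realm}@{client_realm}")
    return principals


if __name__ == "__main__":
    fixed_text = SAMPLE_KRB5_CONF.replace("MEL.DOMAIN.COM.COM", "MEL.DOMAIN.COM")
    for label, text in (("misspelled", SAMPLE_KRB5_CONF), ("corrected", fixed_text)):
        conf = parse_krb5_conf(text)
        print(f"== {label}")
        for finding in check_cross_realm(conf) or ["no findings"]:
            print("  ", finding)
        print("   principals both KDCs need:", sorted(direct_trust_principals(conf)))
```

Run it against a real /etc/krb5.conf with `parse_krb5_conf(open("/etc/krb5.conf").read())`; an empty findings list only says the names are consistent, not that the keys match, so the next step on a "Decrypt integrity check failed" is still to compare kvno and enctypes of the listed krbtgt principals on both KDCs.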