Kerberos cross-realm with AD

Jean-Yves Avenard jyavenard at gmail.com
Mon Feb 7 00:15:43 EST 2011


Hi there.

Providing more information in the hope that someone will be able to help:

This is the process I've followed.

In Windows 2008 (MEL.DOMAIN.COM domain):

Started Active Directory Domain and Trusts
Right click on the domain name -> Properties. Select Trusts -> New Trusts
Entered M.DOMAIN.COM; made it two-way; non-transitive; typed the
password. Validate.

On MIT kdc machine (M.DOMAIN.COM realm)

kadmin.local:
kadmin.local:  ank +requires_preauth krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM
WARNING: no policy specified for krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM;
defaulting to no policy
Enter password for principal "krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM":
Re-enter password for principal "krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM":
Principal "krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM" created.
kadmin.local:  ank +requires_preauth krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM
WARNING: no policy specified for krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM;
defaulting to no policy
Enter password for principal "krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM":
Re-enter password for principal "krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM":
Principal "krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM" created.

In the above, I used the same password (32 random characters) as I
used in Windows 2008 server.

Edited /etc/krb5.conf on the kdc as follows:
[libdefaults]
        default_realm = M.DOMAIN.COM
[realms]
        M.DOMAIN.COM = {
                admin_server = m.domain.com
                kdc = m.domain.com
        }
        MEL.DOMAIN.COM = {
                admin_server = ad.domain.com
                kdc = ad.domain.com
        }
[domain_realm]
        domain.com = M.DOMAIN.COM
        .domain.com = M.DOMAIN.COM
        .m.domain.com = M.DOMAIN.COM
        .mel.domain.com = MEL.DOMAIN.COM

[capaths]
    MEL.DOMAIN.COM.COM = {
        M.DOMAIN.COM = .
    }

    M.DOMAIN.COM = {
         MEL.DOMAIN.COM = .
    }

---

On the web server using mod_auth_kerb:
I set the /etc/krb5.conf as above...

People with an M.DOMAIN.COM ticket can connect fine, as that's what it
is configured for.

On my PC, I then got a ticket as jean-yves.avenard@MEL.DOMAIN.COM
and tried to connect to the web server; it fails, prompting me for a
username/password (it's set up to accept any user with Kerberos
authtype).

On the KDC; in the log I see:
Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,  <unknown client> for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, Decrypt integrity check failed
Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,  <unknown client> for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, Decrypt integrity check failed
Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,  <unknown client> for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, Decrypt integrity check failed
Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,  <unknown client> for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, Decrypt integrity check failed

Which leads me to believe that there's an incorrect password set
somewhere... but which one?

I'm a tad puzzled about what's going on.
If someone could shed some light on this it would be greatly appreciated.

Thank you
Jean-Yves
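As an added example (not part of the original post, and not MIT or Microsoft code), the following Python script encodes the checks a practitioner would run against a setup like the one described: it parses a krb5.conf-style text, verifies that every realm named in [capaths] has a matching [realms] entry and a reverse path, lists the cross-realm krbtgt principals the local KDC must hold for each direct hop, and groups krb5kdc TGS requests that failed with "Decrypt integrity check failed" on an `<unknown client>` (the KDC could not decrypt the ticket presented in the request, so with a cross-realm TGT that means the key it holds for that krbtgt principal does not match the one the other realm used). The KRB5_CONF and KDC_LOG inputs are constructed to mirror the post (the [capaths] block is reproduced with its `MEL.DOMAIN.COM.COM` realm name, which the checker flags); the ISSUE log line and the `alice` principal are made up.

```python
"""Consistency checks for a two-realm MIT <-> AD cross-realm setup.

Added example, not code from the original post. Parses a krb5.conf-style
text, checks [capaths] against [realms], lists the krbtgt principals the
local KDC needs, and scans krb5kdc log lines for TGS requests whose ticket
could not be decrypted. All inputs below are constructed.
"""
import re
from collections import defaultdict

# Constructed input mirroring the posted krb5.conf, including the
# [capaths] realm name that does not match any [realms] entry.
KRB5_CONF = """
[libdefaults]
        default_realm = M.DOMAIN.COM
[realms]
        M.DOMAIN.COM = {
                admin_server = m.domain.com
                kdc = m.domain.com
        }
        MEL.DOMAIN.COM = {
                admin_server = ad.domain.com
                kdc = ad.domain.com
        }
[domain_realm]
        .m.domain.com = M.DOMAIN.COM
        .mel.domain.com = MEL.DOMAIN.COM
[capaths]
    MEL.DOMAIN.COM.COM = {
        M.DOMAIN.COM = .
    }
    M.DOMAIN.COM = {
         MEL.DOMAIN.COM = .
    }
"""

# Constructed krb5kdc log lines in the format quoted in the post; the third
# line (a successful ISSUE for a made-up user 'alice') is there to show that
# only decryption failures are reported.
KDC_LOG = """\
Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,  <unknown client> for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, Decrypt integrity check failed
Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,  <unknown client> for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, Decrypt integrity check failed
Feb 07 16:10:55 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: ISSUE: authtime 1297062650, etypes {rep=18 tkt=18 ses=18}, alice@M.DOMAIN.COM for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM
"""


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used here: [sections] holding
    'key = value' lines and one level of 'key = { ... }' groups.
    Returns {section: {key: value-or-dict}}; repeated keys keep the last."""
    conf = defaultdict(dict)
    section, group = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, group = m.group(1), None
            continue
        if line == "}":
            group = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            group = key
            conf[section][group] = {}
        elif group is not None:
            conf[section][group][key] = value
        else:
            conf[section][key] = value
    return dict(conf)


def check_capaths(conf):
    """Return problems: [capaths] realms with no [realms] entry, and direct
    ('.') hops whose reverse direction is not configured."""
    realms = set(conf.get("realms", {}))
    capaths = conf.get("capaths", {})
    problems = []
    for client_realm, hops in capaths.items():
        if client_realm not in realms:
            problems.append(f"[capaths] client realm {client_realm} is not defined in [realms]")
        for server_realm, via in hops.items():
            if server_realm not in realms:
                problems.append(f"[capaths] server realm {server_realm} is not defined in [realms]")
            if via == "." and capaths.get(server_realm, {}).get(client_realm) != ".":
                problems.append(f"direct path {client_realm} -> {server_realm} has no reverse entry")
    return problems


def required_cross_realm_principals(conf, local_realm):
    """For a direct hop client -> server, both KDCs share krbtgt/server@client
    (the client realm issues with it, the server realm decrypts with it), so
    the local KDC must hold that principal whenever it plays either role."""
    needed = set()
    for client_realm, hops in conf.get("capaths", {}).items():
        for server_realm, via in hops.items():
            if via == "." and local_realm in (client_realm, server_realm):
                needed.add(f"krbtgt/{server_realm}@{client_realm}")
    return sorted(needed)


# Matches TGS_REQ lines where the KDC never identified the client because the
# presented ticket could not be decrypted.
TGS_FAIL = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:]{8}) \S+ krb5kdc\[\d+\]\(\w+\): TGS_REQ .*? "
    r"(?P<src>[\d.]+): PROCESS_TGS: authtime \d+,\s+<unknown client> for "
    r"(?P<service>\S+?), (?P<error>.+)$")


def tgs_decrypt_failures(log_text):
    """Count 'Decrypt integrity check failed' TGS requests per (source IP,
    requested service). A burst of these for a service in the local realm
    from clients holding a foreign TGT is the signature of a cross-realm
    krbtgt key mismatch."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = TGS_FAIL.match(line)
        if m and "Decrypt integrity check failed" in m.group("error"):
            counts[(m.group("src"), m.group("service"))] += 1
    return dict(counts)


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for problem in check_capaths(conf):
        print("config:", problem)
    print("local KDC must hold:", required_cross_realm_principals(conf, "M.DOMAIN.COM"))
    for (src, svc), n in tgs_decrypt_failures(KDC_LOG).items():
        print(f"kdc log: {n} TGS_REQ from {src} for {svc} failed ticket decryption")
```

Run against the constructed input, the config check reports the `MEL.DOMAIN.COM.COM` realm as undefined and both direct paths as lacking a reverse entry, which is exactly how a one-character mismatch between [capaths] and [realms] surfaces before any ticket is exchanged. The log scan is independent of [capaths]: two failed TGS requests from 192.168.0.108 for the HTTP service in M.DOMAIN.COM, with no client identified, point at the key of the cross-realm krbtgt principal on the MIT side not matching what the AD side used to encrypt the TGT, so that key (password, enctype and salt) is the thing to compare.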
