Kerberos cross-realm with AD

Douglas E. Engert deengert at anl.gov
Mon Feb 7 15:45:24 EST 2011



On 2/6/2011 11:15 PM, Jean-Yves Avenard wrote:
> Hi there.
>
> Providing more information in the hope that someone will be able to help:
>
> This is the process I've followed.
>
> In Windows 2008 (MEL.DOMAIN.COM domain):
>
> Started Active Directory Domain and Trusts
> Right click on the domain name ->  Properties. Select Trusts ->  New Trusts
> Entered M.DOMAIN.COM ; made it two ways ; non-transitive ; typed the
> password. Validate..
>
> On MIT kdc machine (M.DOMAIN.COM realm)
>
> kadmin.local:
> kadmin.local:  ank +requires_preauth krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM
> WARNING: no policy specified for krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM;
> defaulting to no policy
> Enter password for principal "krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM":
> Re-enter password for principal "krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM":
> Principal "krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM" created.
> kadmin.local:  ank +requires_preauth krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM
> WARNING: no policy specified for krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM;
> defaulting to no policy
> Enter password for principal "krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM":
> Re-enter password for principal "krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM":
> Principal "krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM" created.
>
> In the above, I used the same password (32 random characters) as I
> used in Windows 2008 server.
>
> Edited /etc/krb5.conf on the kdc as follow:
> [libdefaults]
>          default_realm = M.DOMAIN.COM
> [realms]
>          M.DOMAIN.COM = {
>                  admin_server = m.domain.com
>                  kdc = m.domain.com
>          }
>          MEL.DOMAIN.COM = {
>                  admin_server = ad.domain.com
>                  kdc = ad.domain.com
>          }
> [domain_realm]
>          domain.com = M.DOMAIN.COM
>          .domain.com = M.DOMAIN.COM
>          .m.domain.com = M.DOMAIN.COM
>          .mel.domain.com = MEL.DOMAIN.COM
>
> [capaths]
>      MEL.DOMAIN.COM.COM = {
>          M.DOMAIN.COM = .
>      }
>
>      M.DOMAIN.COM = {
>           MEL.DOMAIN.COM = .
>      }
>
> ---
>
> On the web server using mod_auth_kerb:
> I set the /etc/krb5.conf as above...
>
> People with a M.DOMAIN.COM ticket, can connect fine as that's what it
> is configured for.
>
> On my PC ; I then got a ticket as jean-yves.avenard at MEL.DOMAIN.COM ;

Is your PC Windows? Is it in a domain? If so, which domain?
Did you get the ticket using the Windows Kerberos, or some other Kerberos?

Is the browser IE or some other browser using non-windows Kerberos?

(Windows built-in Kerberos does not use the krb5.conf, and so does
cross-realm a little differently.)

> and try to connect to the web server ; and it fails prompting me for a
> username/password (it's setup to accept any user with kerberos
> authtype)
>
> On the KDC; in the log I see:
> Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18
> 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,<unknown
> client>  for HTTP/server4-2.mel.domain.com at M.DOMAIN.COM, Decrypt
> integrity check failed

This looks strange, as the server4-2.mel.domain.com should be in the
MEL.DOMAIN.COM realm and the client should not be sending a request
to the M.DOMAIN.COM realm.


But the "Decrypt integrity check failed" would also imply that it
found a key to use, but the decryption did not work. This may be
a salt issue. If you set up cross-realm to use RC4, it does not
use a salt, and that might take one factor out of the loop.

A wireshark trace run on the client could help see what is going on.


> Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18
> 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,<unknown
> client>  for HTTP/server4-2.mel.domain.com at M.DOMAIN.COM, Decrypt
> integrity check failed
> Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18
> 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,<unknown
> client>  for HTTP/server4-2.mel.domain.com at M.DOMAIN.COM, Decrypt
> integrity check failed
> Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18
> 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,<unknown
> client>  for HTTP/server4-2.mel.domain.com at M.DOMAIN.COM, Decrypt
> integrity check failed
>
> Which lead me to believe that there's an incorrect password set
> somewhere... but which one ?
>
> I'm a tad puzzled about what's going on..
> If someone could shed some lights it would be greatly appreciated.
>
> Thank you
> Jean-Yves
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
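Douglas's two observations above, that server4-2.mel.domain.com maps to MEL.DOMAIN.COM under the posted [domain_realm] section and that "Decrypt integrity check failed" means a key was found but did not decrypt, can be checked mechanically against the KDC log. The Python below is an added example, not code from this thread; it embeds the posted [domain_realm] mapping, the quoted log entry (rejoined, with the archive's " at " restored to "@") and a constructed successful ISSUE entry, and applies only to clients that read krb5.conf, not to Windows built-in Kerberos.

```python
import re
# [domain_realm] section copied from the posted krb5.conf
DOMAIN_REALM = {
    "domain.com": "M.DOMAIN.COM",
    ".domain.com": "M.DOMAIN.COM",
    ".m.domain.com": "M.DOMAIN.COM",
    ".mel.domain.com": "MEL.DOMAIN.COM",
}
# Constructed samples: the posted failing entry (wrapped line rejoined, the
# archive's " at " restored to "@") and a hypothetical successful ISSUE entry.
FAILED_LINE = ("Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes "
               "{18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,<unknown "
               "client>  for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, "
               "Decrypt integrity check failed")
OK_LINE = ("Feb 07 16:12:01 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes "
           "{18 17 16 23 1 3 2}) 192.168.0.108: ISSUE: authtime 1297069854, etypes "
           "{rep=18 tkt=18 ses=18}, jya@M.DOMAIN.COM for HTTP/www.m.domain.com@M.DOMAIN.COM")
LOG_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) .*? "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+): (?P<stage>\w+): .*?for "
    r"(?P<server>[^@\s]+)@(?P<srealm>[A-Z0-9.\-]+)(?:, (?P<result>.*))?$")

def host_to_realm(host, mapping=DOMAIN_REALM):
    """MIT [domain_realm] lookup: exact host first, then nearest dotted parent domain."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None

def check_tgs_line(line, mapping=DOMAIN_REALM):
    """Return findings for one krb5kdc TGS_REQ line (empty list = nothing odd)."""
    m = LOG_RE.search(line)
    if not m:
        return ["unrecognised krb5kdc line"]
    server, srealm = m.group("server"), m.group("srealm")
    host = server.split("/", 1)[1] if "/" in server else None
    expected = host_to_realm(host, mapping) if host else None
    findings = []
    if expected and expected != srealm:
        findings.append(f"realm mismatch: {host} maps to {expected} but the request named "
                        f"{server}@{srealm}; the client should have asked the {expected} KDC")
    if "Decrypt integrity check failed" in (m.group("result") or ""):
        findings.append(f"key for {server}@{srealm} was found but did not decrypt: "
                        "compare password, salt and enctype of that principal on both KDCs")
    return findings
```

Run it over `krb5kdc.log` line by line to separate "wrong realm asked" from "right realm, wrong key" before reaching for a packet capture.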


