Kerberos cross-realm with AD
Douglas E. Engert
deengert at anl.gov
Mon Feb 7 15:45:24 EST 2011
On 2/6/2011 11:15 PM, Jean-Yves Avenard wrote:
> Hi there.
>
> Providing more information in the hope that someone will be able to help:
>
> This is the process I've followed.
>
> In Windows 2008 (MEL.DOMAIN.COM domain):
>
> Started Active Directory Domain and Trusts
> Right click on the domain name -> Properties. Select Trusts -> New Trusts
> Entered M.DOMAIN.COM ; made it two ways ; non-transitive ; typed the
> password. Validate..
>
> On MIT kdc machine (M.DOMAIN.COM realm)
>
> kadmin.local:
> kadmin.local: ank +requires_preauth krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM
> WARNING: no policy specified for krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM;
> defaulting to no policy
> Enter password for principal "krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM":
> Re-enter password for principal "krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM":
> Principal "krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM" created.
> kadmin.local: ank +requires_preauth krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM
> WARNING: no policy specified for krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM;
> defaulting to no policy
> Enter password for principal "krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM":
> Re-enter password for principal "krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM":
> Principal "krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM" created.
>
> In the above, I used the same password (32 random characters) as I
> used in Windows 2008 server.
>
> Edited /etc/krb5.conf on the kdc as follow:
> [libdefaults]
> default_realm = M.DOMAIN.COM
> [realms]
> M.DOMAIN.COM = {
> admin_server = m.domain.com
> kdc = m.domain.com
> }
> MEL.DOMAIN.COM = {
> admin_server = ad.domain.com
> kdc = ad.domain.com
> }
> [domain_realm]
> domain.com = M.DOMAIN.COM
> .domain.com = M.DOMAIN.COM
> .m.domain.com = M.DOMAIN.COM
> .mel.domain.com = MEL.DOMAIN.COM
>
> [capaths]
> MEL.DOMAIN.COM.COM = {
> M.DOMAIN.COM = .
> }
>
> M.DOMAIN.COM = {
> MEL.DOMAIN.COM = .
> }
>
> ---
>
> On the web server using mod_auth_kerb:
> I set the /etc/krb5.conf as above...
>
> People with a M.DOMAIN.COM ticket, can connect fine as that's what it
> is configured for.
>
> On my PC ; I then got a ticket as jean-yves.avenard at MEL.DOMAIN.COM ;
Is your PC Windows? Is it in a domain? If so, which domain?
Did you get the ticket using the Windows Kerberos, or some other Kerberos?
Is the browser IE or some other browser using non-windows Kerberos?
(Windows builtin Kerberos does not use the krb5.conf, and so does
cross realm a little differently.)
> and try to connect to the web server ; and it fails prompting me for a
> username/password (it's setup to accept any user with kerberos
> authtype)
>
> On the KDC; in the log I see:
> Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18
> 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,<unknown
> client> for HTTP/server4-2.mel.domain.com at M.DOMAIN.COM, Decrypt
> integrity check failed
This looks strange, as the server4-2.mel.domain.com should be in the
MEL.DOMAIN.COM realm and the client should not be sending a request
to the M.DOMAIN.COM realm.
But the Decrypt integrity check failed would also imply that it
found a key to use, but the decryption did not work. This may be
a salt issue. If you set up cross-realm to use RC4, it does not
use a salt and that might take one factor out of the loop.
A wireshark trace run on the client could help see what is going on.
> Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18
> 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,<unknown
> client> for HTTP/server4-2.mel.domain.com at M.DOMAIN.COM, Decrypt
> integrity check failed
> Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18
> 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,<unknown
> client> for HTTP/server4-2.mel.domain.com at M.DOMAIN.COM, Decrypt
> integrity check failed
> Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18
> 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,<unknown
> client> for HTTP/server4-2.mel.domain.com at M.DOMAIN.COM, Decrypt
> integrity check failed
>
> Which led me to believe that there's an incorrect password set
> somewhere... but which one?
>
> I'm a tad puzzled about what's going on..
> If someone could shed some light it would be greatly appreciated.
>
> Thank you
> Jean-Yves
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
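The reply above turns on two things a reader can check from the krb5.conf alone: which realm the [domain_realm] section maps the web server's hostname to (Douglas's point that a request for HTTP/server4-2.mel.domain.com should never have been sent to M.DOMAIN.COM), and whether every realm named in [capaths] is actually declared under [realms]. The following script is an added example for this archive page, not code from either poster or from MIT Kerberos. It embeds a constructed krb5.conf that mirrors the shape of the one quoted in the thread, resolves a hostname the way the MIT [domain_realm] lookup does (exact hostname first, then each parent domain with a leading dot, longest first; the DNS and referral fallbacks that libkrb5 also has are not modelled, so an unmapped host returns None), and flags [capaths] entries that reference an undeclared realm or lack a reverse entry for a two-way trust. The function names, the sample log principal (written with a literal "@" rather than the archive's "at") and the check logic are all this example's own.

```python
import re
from collections import defaultdict

# Constructed krb5.conf for this example, shaped like the one in the thread.
# It deliberately keeps a [capaths] realm name that is not declared under [realms].
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = M.DOMAIN.COM
[realms]
M.DOMAIN.COM = {
admin_server = m.domain.com
kdc = m.domain.com
}
MEL.DOMAIN.COM = {
admin_server = ad.domain.com
kdc = ad.domain.com
}
[domain_realm]
domain.com = M.DOMAIN.COM
.domain.com = M.DOMAIN.COM
.m.domain.com = M.DOMAIN.COM
.mel.domain.com = MEL.DOMAIN.COM
[capaths]
MEL.DOMAIN.COM.COM = {
M.DOMAIN.COM = .
}
M.DOMAIN.COM = {
MEL.DOMAIN.COM = .
}
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value or {subkey: value}}}.
    Handles one level of `name = { ... }` nesting, enough for [realms] and [capaths]."""
    conf = defaultdict(dict)
    section = None
    block = None  # (name, dict) while inside a "name = { ... }" group
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r'^\[([A-Za-z_]+)\]$', line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            raise ValueError("relation outside any section: %r" % raw)
        if line == '}':
            if block is None:
                raise ValueError("unmatched '}' in section %s" % section)
            conf[section][block[0]] = block[1]
            block = None
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':
            block = (key, {})
        elif block is not None:
            block[1][key] = value
        else:
            conf[section][key] = value
    if block is not None:
        raise ValueError("unterminated '{' for %s" % block[0])
    return dict(conf)


def host_to_realm(conf, hostname):
    """Map a hostname to a realm via [domain_realm]: exact host first, then
    parent domains with a leading dot, longest first. None if nothing matches
    (libkrb5's DNS/referral fallbacks are intentionally not modelled here)."""
    mapping = conf.get('domain_realm', {})
    host = hostname.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        candidate = '.' + '.'.join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def realm_mismatch(conf, service_principal):
    """For a service principal seen in a KDC log, return the realm this config
    maps the service host to alongside the realm the request actually named."""
    name, _, requested = service_principal.rpartition('@')
    _, _, host = name.partition('/')
    return host_to_realm(conf, host), requested


def check_capaths(conf):
    """Flag [capaths] client or target realms missing from [realms], and missing
    reverse entries (expected when the trust was created two-way, as in the thread)."""
    realms = set(conf.get('realms', {}))
    capaths = conf.get('capaths', {})
    findings = []
    for client_realm, targets in capaths.items():
        if client_realm not in realms:
            findings.append("capaths client realm %s is not declared in [realms]" % client_realm)
        for server_realm in targets:
            if server_realm not in realms:
                findings.append("capaths target realm %s is not declared in [realms]" % server_realm)
            if capaths.get(server_realm, {}).get(client_realm) is None:
                findings.append("no reverse capaths entry from %s to %s" % (server_realm, client_realm))
    return findings


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    # Constructed log principal in the shape of the TGS_REQ lines quoted above.
    expected, requested = realm_mismatch(conf, 'HTTP/server4-2.mel.domain.com@M.DOMAIN.COM')
    print("service host maps to %s, request named %s" % (expected, requested))
    for finding in check_capaths(conf):
        print("capaths:", finding)
```

Run against the embedded config, the script reports that the service host maps to MEL.DOMAIN.COM while the logged request named M.DOMAIN.COM, which is the inconsistency Douglas points at, and it flags the [capaths] client realm that has no matching [realms] entry. Pointing it at the client's actual krb5.conf (when the client is a non-Windows Kerberos that reads one) shows which mapping that host is really using.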