cross-realm with windows 2k3 ad
Mark Davies
mark at ecs.vuw.ac.nz
Wed Jun 15 21:07:51 EDT 2011
We have previously successfully set up cross-realm between our heimdal
realm and a windows server 2008 r2 based AD domain, but I'm now trying
to set up cross-realm to a 2k3 based AD domain and having problems.
On the windows side, they have entered our realm in lowercase which
may cause some issues at some point but I don't think I'm getting far
enough to strike that yet.
If I kinit a user principle from the windows domain then try to ssh
into one of our machines it fails with "KDC has no support for
encryption type"
icon% kinit daviesma at STAFF.VUW.AC.NZ
daviesma at STAFF.VUW.AC.NZ's Password:
icon% klist -v
Credentials cache: FILE:/tmp/krb5cc_XXX
Principal: daviesma at STAFF.VUW.AC.NZ
Cache version: 4
Server: krbtgt/STAFF.VUW.AC.NZ at STAFF.VUW.AC.NZ
Client: daviesma at STAFF.VUW.AC.NZ
Ticket etype: arcfour-hmac-md5, kvno 2
Ticket length: 1192
Auth time: Jun 16 12:37:55 2011
End time: Jun 16 22:37:55 2011
Renew till: Jun 23 12:37:55 2011
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless
icon% ssh -v debretts
[...]
debug1: Miscellaneous failure (see text)
KDC has no support for encryption type
[...]
wireshark shows me that its sending a TGS-REQ to the AD KDC
for the cross realm tgt krbtgt/ECS.VUW.AC.NZ at STAFF.VUW.AC.NZ
with encryption types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
des3-cdc-sha rc4-hmac
and that the KDC is returning KRB5KDC_ERR_ETYPE_NOSUPP
surely the rc4-hmac type should be supported?
What is going on here?
cheers
mark
More information about the Kerberos
mailing list