cross-realm with windows 2k3 ad

Mark Davies mark at ecs.vuw.ac.nz
Wed Jun 15 21:07:51 EDT 2011


We have previously successfully set up cross-realm between our heimdal 
realm and a windows server 2008 r2 based AD domain, but I'm now trying 
to set up cross-realm to a 2k3 based AD domain and having problems.

On the windows side, they have entered our realm in lowercase which 
may cause some issues at some point but I don't think I'm getting far 
enough to strike that yet.

If I kinit a user principal from the Windows domain then try to ssh 
into one of our machines it fails with "KDC has no support for 
encryption type"

icon% kinit daviesma@STAFF.VUW.AC.NZ
daviesma@STAFF.VUW.AC.NZ's Password: 
icon% klist -v
Credentials cache: FILE:/tmp/krb5cc_XXX
        Principal: daviesma@STAFF.VUW.AC.NZ
    Cache version: 4

Server: krbtgt/STAFF.VUW.AC.NZ@STAFF.VUW.AC.NZ
Client: daviesma@STAFF.VUW.AC.NZ
Ticket etype: arcfour-hmac-md5, kvno 2
Ticket length: 1192
Auth time:  Jun 16 12:37:55 2011
End time:   Jun 16 22:37:55 2011
Renew till: Jun 23 12:37:55 2011
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless

icon% ssh -v debretts
     [...]
debug1:  Miscellaneous failure (see text)
KDC has no support for encryption type
     [...]


Wireshark shows me that it's sending a TGS-REQ to the AD KDC
for the cross-realm TGT krbtgt/ECS.VUW.AC.NZ@STAFF.VUW.AC.NZ
with encryption types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 
des3-cbc-sha1 rc4-hmac
and that the KDC is returning KRB5KDC_ERR_ETYPE_NOSUPP

surely the rc4-hmac type should be supported?
What is going on here?

cheers
mark

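Added illustration, not part of Mark's post or of any Heimdal or Microsoft code: a small Python model of how a KDC arrives at KRB5KDC_ERR_ETYPE_NOSUPP (error code 14) for a TGS-REQ like the one in the capture above. Per RFC 4120 section 3.3.3 the KDC walks the client's etype list in the client's order and uses the first type that its policy permits and for which the requested server principal actually has a key; if none qualifies, the answer is ETYPE_NOSUPP regardless of what else was offered. The one-line request summary is constructed to mirror the post; the key and policy sets are assumptions chosen to show both outcomes, not a claim about what the STAFF.VUW.AC.NZ KDC holds.

```python
"""Etype negotiation as a KDC performs it for a TGS-REQ (RFC 4120 sec. 3.3.3).

Pick the first etype in the client's list that KDC policy permits AND for
which the requested server principal has a key.  If none qualifies the KDC
answers KRB-ERROR with error code 14, KRB5KDC_ERR_ETYPE_NOSUPP.  The sample
request line and the key/policy sets below are constructed for illustration.
"""

import re

# Encryption type numbers from the IANA Kerberos registry (RFC 3961/3962/4757).
ETYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
# Other spellings Heimdal and Wireshark print for the same numbers.
ALIASES = {"rc4-hmac": 23, "arcfour-hmac": 23}
KRB5KDC_ERR_ETYPE_NOSUPP = 14


def etype_number(name):
    """Map an etype name (either spelling) to its number; ValueError if unknown."""
    for num, canonical in ETYPES.items():
        if canonical == name:
            return num
    if name in ALIASES:
        return ALIASES[name]
    raise ValueError("unknown etype name: %s" % name)


def parse_tgs_req_etypes(line):
    """Extract the client's etype list, in order, from a one-line summary of a
    TGS-REQ of the form 'TGS-REQ <sname> etypes: <name> <name> ...'."""
    m = re.search(r"etypes:\s*(.*)$", line)
    if not m:
        raise ValueError("no etype list in: %r" % line)
    return [etype_number(tok) for tok in m.group(1).split()]


def select_etype(requested, server_key_etypes, kdc_permitted):
    """Return (chosen_etype, None) on success or (None, 14) when no offered
    etype is both permitted and backed by a server key.  Client order wins."""
    for et in requested:
        if et in kdc_permitted and et in server_key_etypes:
            return et, None
    return None, KRB5KDC_ERR_ETYPE_NOSUPP


def diagnose(requested, server_key_etypes, kdc_permitted):
    """Explain, per offered etype, why the KDC could or could not use it."""
    reasons = {}
    for et in requested:
        name = ETYPES.get(et, str(et))
        if et not in kdc_permitted:
            reasons[name] = "not permitted by KDC policy"
        elif et not in server_key_etypes:
            reasons[name] = "server principal has no key of this type"
        else:
            reasons[name] = "usable"
    return reasons


# Constructed summary line mirroring the request seen in the post.
SAMPLE_TGS_REQ = ("TGS-REQ krbtgt/ECS.VUW.AC.NZ@STAFF.VUW.AC.NZ etypes: "
                  "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 "
                  "des3-cbc-sha1 rc4-hmac")

if __name__ == "__main__":
    offered = parse_tgs_req_etypes(SAMPLE_TGS_REQ)
    # Assumed for illustration only: the cross-realm krbtgt key exists only
    # as single DES, while the KDC permits every type it knows.
    keys = {1, 3}
    permitted = set(ETYPES)
    chosen, err = select_etype(offered, keys, permitted)
    print("chosen etype:", chosen, " error code:", err)
    for name, why in diagnose(offered, keys, permitted).items():
        print("  %-26s %s" % (name, why))
```

The point of `diagnose` is that the two paths to error 14 look identical on the wire: an offered etype is useless either when the KDC's policy excludes it or when the target principal (here the cross-realm krbtgt) simply has no key of that type, so a capture showing rc4-hmac in the request does not by itself tell you which side to fix.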

