cross-realm with windows 2k3 ad

Douglas E. Engert deengert at anl.gov
Fri Jun 17 14:08:33 EDT 2011
On 6/15/2011 8:07 PM, Mark Davies wrote:
> We have previously successfully set up cross-realm between our heimdal
> realm and a windows server 2008 r2 based AD domain, but I'm now trying
> to set up cross-realm to a 2k3 based AD domain and having problems.
>
> On the windows side, they have entered our realm in lowercase which
> may cause some issues at some point but I don't think I'm getting far
> enough to strike that yet.
>
> If I kinit a user principal from the windows domain then try to ssh
> into one of our machines it fails with "KDC has no support for
> encryption type"
>
> icon% kinit daviesma at STAFF.VUW.AC.NZ
> daviesma at STAFF.VUW.AC.NZ's Password:
> icon% klist -v
> Credentials cache: FILE:/tmp/krb5cc_XXX
>          Principal: daviesma at STAFF.VUW.AC.NZ
>      Cache version: 4
>
> Server: krbtgt/STAFF.VUW.AC.NZ at STAFF.VUW.AC.NZ
> Client: daviesma at STAFF.VUW.AC.NZ
> Ticket etype: arcfour-hmac-md5, kvno 2
> Ticket length: 1192
> Auth time:  Jun 16 12:37:55 2011
> End time:   Jun 16 22:37:55 2011
> Renew till: Jun 23 12:37:55 2011
> Ticket flags: pre-authent, initial, renewable, forwardable
> Addresses: addressless
>
> icon% ssh -v debretts
>       [...]
> debug1:  Miscellaneous failure (see text)
> KDC has no support for encryption type
>       [...]
>
>
> wireshark shows me that it's sending a TGS-REQ to the AD KDC
> for the cross realm tgt krbtgt/ECS.VUW.AC.NZ at STAFF.VUW.AC.NZ
> with encryption types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> des3-cdc-sha rc4-hmac
> and that the KDC is returning KRB5KDC_ERR_ETYPE_NOSUPP
>
> surely the rc4-hmac type should be supported?

Yes it should be. But when you set up the cross-realm trust,
did W2K3 assume the MIT realm could only do DES?
Is the des-only bit on in the TGT account in AD?

DES is off by default in most Kerberos and W2008.

> What is going on here?
>
> cheers
> mark
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
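An added diagnostic model of the hypothesis in this reply, not code from the thread or from Heimdal or Windows: if the AD trust account for the Heimdal realm carries the "Use DES encryption types" bit, the W2K3 KDC can only issue the cross-realm TGT with a single-DES etype, which the client never requested, so the TGS-REQ fails with KRB5KDC_ERR_ETYPE_NOSUPP. It assumes a W2K3 KDC etype set of RC4 plus single DES (no AES), and the userAccountControl value is a constructed sample rather than one read from the domain.

```python
# userAccountControl bits as documented by Microsoft (ADS_USER_FLAG_ENUM).
UF_ACCOUNTDISABLE = 0x0002
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UF_USE_DES_KEY_ONLY = 0x200000
UF_DONT_REQUIRE_PREAUTH = 0x400000

UAC_FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_INTERDOMAIN_TRUST_ACCOUNT: "INTERDOMAIN_TRUST_ACCOUNT",
    UF_USE_DES_KEY_ONLY: "USE_DES_KEY_ONLY",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

DES_ETYPES = frozenset({"des-cbc-crc", "des-cbc-md5"})
# Assumption: a W2K3 KDC offers RC4 and single DES only, no AES.
W2K3_KDC_ETYPES = frozenset({"rc4-hmac"}) | DES_ETYPES


def decode_uac(uac):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAG_NAMES.items() if uac & bit]


def kdc_etypes_for_account(uac, kdc_etypes=W2K3_KDC_ETYPES):
    """Etypes the KDC may use for a ticket to this (trust) account."""
    return kdc_etypes & DES_ETYPES if uac & UF_USE_DES_KEY_ONLY else kdc_etypes


def parse_etype_list(text):
    """Split a whitespace-separated etype list as shown in the thread."""
    return text.split()


def predict_tgs_rep(requested, uac, kdc_etypes=W2K3_KDC_ETYPES):
    """Return ("TGS-REP", etype) or ("KRB5KDC_ERR_ETYPE_NOSUPP", None)."""
    usable = kdc_etypes_for_account(uac, kdc_etypes)
    for etype in requested:  # first requested etype the KDC can honour wins
        if etype in usable:
            return ("TGS-REP", etype)
    return ("KRB5KDC_ERR_ETYPE_NOSUPP", None)


# Etypes from the TGS-REQ in the thread (des3-cdc-sha kept as printed there).
REQUESTED = parse_etype_list(
    "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cdc-sha rc4-hmac")
# Constructed sample: trust account with the DES-only bit set.
TRUST_ACCOUNT_UAC = UF_INTERDOMAIN_TRUST_ACCOUNT | UF_USE_DES_KEY_ONLY

if __name__ == "__main__":
    print(decode_uac(TRUST_ACCOUNT_UAC))
    print(predict_tgs_rep(REQUESTED, TRUST_ACCOUNT_UAC))
    print(predict_tgs_rep(REQUESTED, TRUST_ACCOUNT_UAC & ~UF_USE_DES_KEY_ONLY))
```

Clearing the bit in the model is what makes the same request succeed with rc4-hmac, which is the check to make on the real trust account before looking elsewhere.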
