Kerberos Authentication with Windows AD

Ranjith Murugan muruganr at vmware.com
Thu Sep 1 07:33:27 EDT 2011


Hi All,

I am a newbie in Kerberos authentication, currently trying to set up a
Kerberos server to authenticate against a Windows AD.


Environment: 
Ubuntu 10.10 (Kerberos Server)
Windows 2003 R2 (Active Directory)

For explanation: Kerberos server (s1.int), Windows AD (s2.int)

The server seems to be working individually. I have created a trust
relationship between S1.int and S2.int. I also created a user in S2.int and
mapped the user to a user on S1.int. Now when I try to log in to a machine
with the Kerberos user, I get an error "NEEDED_PREAUTH". Could someone let
me know the reason for this error? Note: Checked clock sync. DNS server
working fine.

Error Msg from the Log file:
Aug 22 15:09:32 lhr-qa12 krb5kdc[3482](info): AS_REQ (7 etypes {23 -133
-128 3 1 24 -135}) <IP address>: NEEDED_PREAUTH: admin at S1.INT for
krbtgt/S1.INT at S2.INT, Additional pre-authentication required
Aug 22 15:09:32 lhr-qa12 krb5kdc[3482](info): AS_REQ (2 etypes {3 1})
10.20.221.180: ISSUE: authtime 1314022172, etypes {rep=3 tkt=1 ses=1},
admin at S1.INT for krbtgt/S1.INT at S1.INT
Aug 22 15:09:32 lhr-qa12 krb5kdc[3482](info): TGS_REQ (7 etypes {23 -133
-128 3 1 24 -135}) <IP address>: ISSUE: authtime 1314022172, etypes {rep=1
tkt=1 ses=1}, admin at S1.INT for krbtgt/S2.INT at S1.INT
Aug 22 15:09:32 lhr-qa12 krb5kdc[3482](info): TGS_REQ (7 etypes {23 -133
-128 3 1 24 -135}) <IP address>: ISSUE: authtime 1314022172, etypes {rep=1
tkt=16 ses=1}, admin at S1.INT for host/test.S2.int at S1.INT


I have used allow_weak_crypto = true in /etc/krb5.conf. If this is
removed from the conf file, I get an error in kinit as well.

Error Message: 
kinit: KDC has no support for encryption type while getting initial
credential

Regards,
Ranjith.
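
Added example (not part of the original post): the ISSUE lines in the log above record tickets issued with enctypes 1 and 3 (single DES), which MIT krb5 only permits when allow_weak_crypto = true. The Python script below flags such issuances in krb5kdc logs so they can be tracked down before the flag is turned off. The sample lines are constructed from the log format shown in the post (hypothetical host name kdc1, documentation addresses), and the weak set (1, 2, 3, 24) is an assumption based on the single-DES and export-RC4 enctypes MIT krb5 documents as weak.

```python
import re

# Enctype numbers from the IANA Kerberos registry.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
# Assumption: single DES plus export RC4, the set gated by allow_weak_crypto.
WEAK = {1, 2, 3, 24}

# Matches krb5kdc "ISSUE" events in the format shown in the post.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<addr>\S+): ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)")

# Constructed sample lines (unwrapped, "@" restored), not real log data.
P = "Aug 22 15:09:32 kdc1 krb5kdc[3482](info): "
SAMPLE = [
    P + "AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.10: NEEDED_PREAUTH: "
        "admin@S1.INT for krbtgt/S1.INT@S1.INT, Additional pre-authentication required",
    P + "AS_REQ (2 etypes {3 1}) 192.0.2.10: ISSUE: authtime 1314022172, "
        "etypes {rep=3 tkt=1 ses=1}, admin@S1.INT for krbtgt/S1.INT@S1.INT",
    P + "TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.10: ISSUE: authtime "
        "1314022172, etypes {rep=1 tkt=16 ses=1}, admin@S1.INT for host/test.S2.int@S1.INT",
    P + "AS_REQ (3 etypes {18 17 23}) 192.0.2.11: ISSUE: authtime 1314022201, "
        "etypes {rep=18 tkt=18 ses=18}, user2@S1.INT for krbtgt/S1.INT@S1.INT",
]

def weak_issues(lines):
    """Return one finding per ISSUE event whose reply, ticket or session key is weak."""
    findings = []
    for line in lines:
        m = ISSUE_RE.search(line)
        if not m:
            continue  # NEEDED_PREAUTH and other non-ISSUE events carry no used etypes
        used = {k: int(m[k]) for k in ("rep", "tkt", "ses")}
        weak = {k: ETYPE_NAMES[v] for k, v in used.items() if v in WEAK}
        if weak:
            offered = {int(e) for e in m["offered"].split()}
            findings.append({"request": m["req"], "client": m["client"],
                             "service": m["service"], "weak": weak,
                             # True when the client offered nothing but weak enctypes
                             "only_weak_offered": offered <= WEAK})
    return findings

if __name__ == "__main__":
    for f in weak_issues(SAMPLE):
        print(f)
```

A finding with only_weak_offered set to True points at a client configuration that offers no stronger enctype; False means stronger types were offered but the key selected by the KDC was still weak, which points at the principal's stored keys.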


