
Re: Interoperating with Win2K



Mark Davies <mark@MCS.VUW.AC.NZ> writes:
> OK, making progress :-)

I can't say progress is always very fast when trying to figure out how
to make a w2k box do what you want it to...

> Machine "a" in the w2k realm POC.VUW.AC.NZ (same machine as in my previous tests).
> Machine "b" in a purely heimdal based realm MCS.VUW.AC.NZ
> Cross-realm principals "krbtgt/MCS.VUW.AC.NZ@POC.VUW.AC.NZ" and 
> "krbtgt/POC.VUW.AC.NZ@MCS.VUW.AC.NZ" set up in both realms' KDCs.

You need to make sure that you have added both of these principals to
your KDC database with v5 salt, since the w2k has no way of knowing
what particular salt you're using.  If you have `[kadmin]use_v4_salt'
or something related to that in your configuration, that might cause
you to lose.

(I got the impression from the MS document that it had to be the same
password in both directions so that's what I tried, but it's not clear
if it has to be.)

> telneting from "a" to "b" gives this error:
> 
>   Kerberos V5: mk_req failed (Decrypt integrity check failed)

I think this implies that you do not have identical keys between your
Heimdal and your w2k KDC.

> telneting from "b" to "a" without adding the default_etypes entries to "b"s
> krb5.conf gives this error:
> 
>   Kerberos V5: mk_req failed (KDC has no support for encryption type)

right

> telneting from "b" to "a" with adding the default_etypes entries to "b"s
> krb5.conf gives this error:
> 
>   Kerberos V5: mk_req failed (Message stream modified)

I got this when I had the wrong key for the cross-realm principals, so
I think this means that the keys are not identical.

> and do you really have to make that change to krb5.conf files for machines 
> that aren't directly in a w2k managed realm?

You would need the `default_etypes'-stuff for machines that are going
to act as clients to a w2k KDC.  There should of course be some more
automatic way of detecting and doing this, but I haven't stumbled on
it yet...

> So what still needs to be done?

As I said above, the only thing that you might have wrong, I think,
is that the keys are not identical.  It's hard to verify this since I
know of no way of examining the keys on the Windows side (there's
pwdump2 - but I'm unclear if it helps).  If it still does not work for
you, please send me your entire krb5.conf or make it available.

/assar
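The two configuration pitfalls Assar points at (a v4 salt on the Heimdal KDC side, and a Heimdal client talking to a w2k KDC without `default_etypes`) are easy to check mechanically. The script below is an added example for this thread, not code from Heimdal or from either poster: it parses the krb5.conf profile format (sections, `key = value`, nested `{ }` blocks) and lints it for those two settings plus a kdc entry for each w2k realm. Assumptions, not facts from the thread: that the "default_etypes entries" Mark added list `des-cbc-crc des-cbc-md5`, that no DNS lookup of KDCs is configured, and the KDC hostnames in the two constructed sample configs, which are invented.

```python
"""Lint a Heimdal krb5.conf for the Win2K cross-realm pitfalls discussed
in the thread: v4 salt on the KDC side, and missing default_etypes on
clients that talk to a Win2K KDC.  Added example; not Heimdal code."""
import re

# Assumption: these are the DES enctypes a Windows 2000 KDC accepted and
# the ones the thread's "default_etypes entries" are taken to list.
W2K_ETYPES = ("des-cbc-crc", "des-cbc-md5")

_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into nested dicts.

    Sections are ``[name]``; entries are ``key = value``; a value of ``{``
    opens a block that ends with ``}`` on its own line.  Every key maps to
    a list, because the format allows repeated keys (e.g. several kdc lines).
    """
    root = {}
    stack = []  # innermost dict last; empty until the first section header
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("entry before any [section]: %r" % raw)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            stack[-1].setdefault(key, []).append(block)
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    return root


def check_w2k_interop(conf, w2k_realms):
    """Return a list of findings; empty when the config looks right."""
    findings = []

    # 1. Cross-realm krbtgt keys must be stored with the v5 salt; with a v4
    #    salt the w2k KDC derives a different key from the same password.
    for v in conf.get("kadmin", {}).get("use_v4_salt", []):
        if v.lower() in ("yes", "true", "1"):
            findings.append("[kadmin] use_v4_salt is enabled; cross-realm "
                            "krbtgt keys must be created with the v5 salt")

    # 2. A client of a w2k KDC needs default_etypes naming enctypes the KDC
    #    supports, or it fails with "KDC has no support for encryption type".
    etypes = set()
    for v in conf.get("libdefaults", {}).get("default_etypes", []):
        etypes.update(v.split())
    missing = [e for e in W2K_ETYPES if e not in etypes]
    if missing:
        findings.append("[libdefaults] default_etypes lacks %s"
                        % ", ".join(missing))

    # 3. Each w2k realm needs a kdc entry (assumption: no DNS SRV lookup).
    realms = conf.get("realms", {})
    for realm in w2k_realms:
        kdcs = [k for block in realms.get(realm, [])
                if isinstance(block, dict) for k in block.get("kdc", [])]
        if not kdcs:
            findings.append("[realms] has no kdc for w2k realm %s" % realm)
    return findings


# Constructed sample configs for the Heimdal side ("b"); hostnames invented.
BROKEN_CONF = """\
[libdefaults]
    default_realm = MCS.VUW.AC.NZ
[realms]
    MCS.VUW.AC.NZ = {
        kdc = kerberos.mcs.vuw.ac.nz
    }
[kadmin]
    use_v4_salt = yes
"""

FIXED_CONF = """\
[libdefaults]
    default_realm = MCS.VUW.AC.NZ
    default_etypes = des-cbc-crc des-cbc-md5
[realms]
    MCS.VUW.AC.NZ = {
        kdc = kerberos.mcs.vuw.ac.nz
    }
    POC.VUW.AC.NZ = {
        kdc = w2kdc.poc.vuw.ac.nz
    }
[kadmin]
    use_v4_salt = no
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_w2k_interop(parse_krb5_conf(text), ["POC.VUW.AC.NZ"]))
```

Run it against the real file with `parse_krb5_conf(open("/etc/krb5.conf").read())`. Note what it cannot check: whether the two `krbtgt/...` keys are actually identical on the Heimdal and w2k KDCs, which is the remaining suspect in the thread and has to be verified by re-entering the same password on both sides.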