
cross realm authentication (Kerberos Realm & Win2K)


I have a question about cross-realm
authentication (Kerberos Realm & Win2K).

My scenario is as follows:
a user has successfully authenticated himself to a
Kerberos Realm (Heimdal-0.6) using a Win2K
machine. This user then wants to remotely access
another computer which is located in a Win2K domain.
I believe this is possible by configuring a
trust relationship between the Kerberos Realm and the
Win2K domain, as described in the following articles:
- Heimdal and Windows2000 Kerberos -- how to get them
play together
- Step by step Guide to Kerberos 5 (krb5 1.0)
- Windows 2000 Compatibility in Heimdal documentation

However, when the user (using a w2k prof machine named
testw2k8) sends a TGS-REQ to its KDC in the Kerberos
Realm (LARA_HMD) for accessing the computer (named
test_w2kserver) in a Win2K domain trusted by the KDC
Realm, the following error is generated in the event
Event Type:     Error
Event Source:   Kerberos
Event Category: None
Event ID:       594
Date:           3/30/2004
Time:           11:29:25 AM
User:           N/A
Computer:       TESTW2K8
A Kerberos Error Message was received:
         on logon session InitializeSecurityContext
 Client Time: 3:28:5.0000 3/30/2004
 Server Time: (null)
 Error Code: 0x7
 Client Realm: LARA_HMD.COM
 Client Name: lara
 Server Realm: LARA_HMD.COM
 Server Name: HOST/Test_w2kserver
 Target Name: HOST/Test_w2kserver@LARA_HMD.COM
 Error Text:
 Error Data is in record data.

While in the KDC log file, the KDC said that it can't
find test_w2kserver in its database:
2004-03-30T20:23:42 TGS-REQ lara@LARA_HMD.COM from IPv4: for HOST/Test_w2kserver@LARA_HMD.COM [renewable_ok, canonicalize, renewable, forwardable]
2004-03-30T20:23:42 Server not found in database: HOST/Test_w2kserver@LARA_HMD.COM: No such entry in the

So, my questions are:
1. An excerpt from
draft-ietf-krb-wg-kerberos-referrals-00.txt says:
   "Once a user has a TGT, they would like to be able to access services
   in any trusted Kerberos realm. To do this requires that the client
   be able to determine what realm the target service's host is in
   before making the TGS request. Current implementations of Kerberos
   typically have a table that maps DNS host names to Kerberos realms.
   In order for this to work on the client, each application
   canonicalizes the host name of the service by doing a DNS lookup
   followed by a reverse lookup using the returned IP address. The
   returned primary host name is then used in the construction of the
   principal name for the target service. In order for the correct
   realm to be added for the target host, the mapping table
   [domain_to_realm] is consulted for the realm corresponding to the
   DNS host name. The corresponding realm is then used to complete the
   target service principal name"

Hence in my case, is it correct if the client sends a
request with target name
HOST/Test_w2kserver@LARA_HMD.COM, or
should it resolve the correct domain for
test_w2kserver (which is LARA_W2K) and send the
request to
HOST/Test_w2kserver@LARA_W2K.COM?

2. After sniffing the packet using ethereal (the
contents of the packets are attached in this mail), 
I noticed that the client sent a TGS_REQ with the
canonicalize bit (bit 15) not set. Based on my
from the 'Generating KDC Referrals to locate Kerberos
realms' draft, the client should send a TGS_REQ with
canonicalize bit set so that the KDC can return a
out that bit 15 is currently unused and reserved for
So in this case, should the client send a TGS_REQ
with bit 15 set?
3. After adding the inter-realm keys:
%shell kadmin add krbtgt/LARA_W2K.COM@LARA_HMD.COM
%shell kadmin add krbtgt/LARA_HMD.COM@LARA_W2K.COM
should I execute kinit for both of them?

4. a ksetup on my client machine (test2k8) reveals the
following info:
default realm = LARA_HMD.COM (external realm)
	kdc = kerberos.lara_hmd.com
Failed to create kerberos key: 5 (0x5)

What does 'Failed to create kerberos key: 5' mean?
When I check in regedit, the mapping is correct:
lara@LARA_HMD.COM mapped to lara

Thanks for any ideas, hints or comments.
I've been stuck with this problem for 2 days :-(


Life, you see, is never as good nor as bad as one thinks
                                                                        - Guy de Maupassant -
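The draft excerpt in question 1 describes the client-side mapping table ([domain_realm] in krb5.conf) that decides which realm ends up in the target principal, and question 3 concerns the krbtgt/SERVER@CLIENT inter-realm principal the client must obtain on the way to a foreign realm. The following added example (not code from the original mail, from Heimdal, or from Windows) models that lookup in Python; the krb5.conf fragment and host names are constructed, and the lookup order (exact host name first, then the longest dotted domain suffix, then default_realm) is assumed to follow the behaviour documented for MIT and Heimdal. It shows that a name which matches no [domain_realm] entry silently falls back to the default realm, producing exactly the kind of HOST/...@LARA_HMD.COM principal seen in the KDC log above; whether that is the cause in this particular setup depends on the client's real configuration and on how Windows performs the lookup.

```python
"""Model of the client-side [domain_realm] lookup described in the referrals draft.

Added example; not from the original post, Heimdal, or Windows.  The
configuration text below is constructed and the lookup order is an
assumption modelled on the documented MIT/Heimdal behaviour.
"""

# Constructed krb5.conf fragment.  Realm names follow the poster's naming;
# the individual [domain_realm] entries are assumptions.
KRB5_CONF = """
[libdefaults]
    default_realm = LARA_HMD.COM

[domain_realm]
    .lara_hmd.com = LARA_HMD.COM
    lara_hmd.com = LARA_HMD.COM
    .lara_w2k.com = LARA_W2K.COM
    lara_w2k.com = LARA_W2K.COM
"""


def parse_krb5_conf(text):
    """Minimal INI-style parser for the flat sections used here.

    Returns {section: {key: value}}; keys are lower-cased because DNS names
    and krb5.conf keywords are case-insensitive, values keep their case
    because realm names are case-sensitive.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def realm_for_host(hostname, conf):
    """Map a (canonical) host name to a realm via [domain_realm].

    Lookup order (assumed): exact host entry, then each dotted parent
    domain from most to least specific, then libdefaults/default_realm.
    The final fallback is the interesting case: an unqualified short name
    such as "Test_w2kserver" matches nothing and inherits the client's own
    realm, which is what the TGS-REQ in the poster's KDC log shows.
    """
    host = hostname.rstrip(".").lower()
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get("libdefaults", {}).get("default_realm")


def host_principal(hostname, conf, service="host"):
    """Build the service principal the client would put in its TGS-REQ."""
    return f"{service}/{hostname.rstrip('.').lower()}@{realm_for_host(hostname, conf)}"


def cross_realm_tgt(client_realm, server_realm):
    """Name of the inter-realm TGT the client's KDC must issue first.

    When the service lives in another realm the client asks its own KDC for
    krbtgt/SERVER_REALM@CLIENT_REALM and presents that to the server's KDC.
    This is the principal the poster created with
    "kadmin add krbtgt/LARA_W2K.COM@LARA_HMD.COM".  Same realm: no hop needed.
    """
    if client_realm == server_realm:
        return None
    return f"krbtgt/{server_realm}@{client_realm}"


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for name in ("test_w2kserver.lara_w2k.com", "Test_w2kserver"):
        print(name, "->", host_principal(name, conf))
    print(cross_realm_tgt("LARA_HMD.COM", "LARA_W2K.COM"))
```

Running the block prints the fully qualified name mapped into LARA_W2K.COM and the bare short name mapped into LARA_HMD.COM; the practical check, when a KDC reports "Server not found in database" for a host that lives in a trusted realm, is to confirm that the name the client canonicalizes to actually hits a [domain_realm] entry (or a DNS-based realm lookup) for that realm rather than the default.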
