
Re: Can Heimdal KDC issue cross-realm referral ?

Thanks for your reply.

I have set win2k_compatible = yes, and I used
des_cbc_crc as the default for e_types and e_types_des
but the problem persists.

The event viewer logs the following error:
Event Type:     Error
Event Source:   Kerberos
Event Category: None
Event ID:       594
Date:           3/30/2004
Time:           11:29:25 AM
User:           N/A
Computer:       TESTW2K8
A Kerberos Error Message was received:
         on logon session InitializeSecurityContext
 Client Time:
 Server Time:
 Error Code: 3:28:5.0000 3/30/2004 (null) 0x7
 Client Realm: LARA_HMD.COM
 Client Name: lara
 Server Realm: LARA_HMD.COM
 Server Name: HOST/Test_w2kserver
 Target Name: HOST/Test_w2kserver at LARA_HMD.COM
 Error Text:
 Error Data is in record data.

testw2k8 is the client machine
test_w2kserver is the computer in w2k domain that
client wants to access
LARA_HMD.COM is the Kerberos realm
LARA_W2K.COM is the W2K domain realm

So, client sends TGS_REQ to KDC in LARA_HMD.COM for
host/test_w2kserver@LARA_HMD.COM, but actually
host/test_w2kserver is in LARA_W2K.COM !!

How does the KDC look up the actual realm of
host/test_w2kserver? Checking kdc.conf or krb5.conf?
Or through DNS lookup?

and the log file says:
2004-03-31T17:50:32 TGS-REQ lara@LARA_HMD.COM from IPv4: for HOST/test_w2kserver@LARA_HMD.COM [renewable_ok, canonicalize, renewable, forwardable
2004-03-31T17:50:32 Server not found in database: OM: No such entry in the database


--- Prágai_Róbert <pragai@rubin.hu> wrote:
> Hi,
>     as I recall the [libdefaults] section should contain
> win2k_compatible = yes, and some encryption types should not be used (I
> used des_cbc_crc and des_cbc_md5).
> I've managed to authenticate via a Win2K client to a Heimdal realm and
> then to a Win2K server, but I think the client asked for a cross-realm
> TGT first from the Heimdal KDC and then asked the Win2K KDC to give the
> right service ticket to her. Have you set the correct realms and KDCs
> in the Win2K machine with ksetup?
> Robert
> >Hello,
> >
> >In section 4.7 Referrals of Heimdal and Windows 2000 Kerberos --how to
> >get them to play together paper, it is stated:
> >"We have added functionality for referrals to the HeimdalKDC that is
> >sufficient for Windows clients"
> >
> >What configurations need to be done on a Heimdal KDC to provide the
> >support ?
> >I need a cross-realm referral support in the following scenario:
> >a win2k client authenticates to a heimdal kdc. The client then wants to
> >access a computer in another realm (a win2k domain). Hence the win2k
> >client sends a TGS_REQ to heimdal kdc with target name of the service in
> >its own realm (I've just known that Microsoft changed the mechanism !).
> >Hence the client makes an assumption that the service is in its own
> >realm until the KDC replies with a TGS_REP telling him that the service
> >is in fact in another realm (hence giving a cross-realm referral).
> >
> >Cheers,
> >Lara
> >
> >Life, you see, is never as good nor as bad as one thinks
> >                    - Guy de Maupassant -
> >

Life, you see, is never as good nor as bad as one thinks
                                                                        - Guy de Maupassant -
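
The referral exchange discussed in this thread, as an added example that is not part of the original messages and is not Heimdal code: a toy KDC answers an unknown service either with error 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN, the 0x7 in the event log above) or, when the canonicalize flag is set and it knows the owning realm, with a cross-realm TGT that the client follows. `ToyKDC`, `get_service_ticket` and the static service-to-realm table are assumptions made for illustration; how a real KDC decides the target realm is not modeled.

```python
# Toy model of a TGS exchange with referrals (RFC 6806 semantics); not Heimdal code.
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7  # RFC 4120 error code; the 0x7 in the event log


class ToyKDC:
    def __init__(self, realm, services, referral_map=None):
        self.realm = realm
        self.services = set(services)            # principals in the local database
        # Hypothetical static table: service name -> realm that really holds it.
        self.referral_map = dict(referral_map or {})

    def tgs_req(self, sname, canonicalize):
        """Return ("ticket", sname_in_ticket) or ("error", code)."""
        if sname in self.services:
            return ("ticket", sname)
        target = self.referral_map.get(sname)
        if canonicalize and target:
            # Referral: answer with a cross-realm TGT instead of an error.
            return ("ticket", f"krbtgt/{target}")
        return ("error", KDC_ERR_S_PRINCIPAL_UNKNOWN)


def get_service_ticket(kdcs, home_realm, sname, max_hops=5):
    """Client side: ask the home KDC first, then follow referrals hop by hop."""
    realm, path = home_realm, []
    for _ in range(max_hops):                    # bound the chase to stop loops
        if realm not in kdcs:
            return {"ok": False, "error": f"no KDC known for {realm}", "path": path}
        path.append(realm)
        kind, value = kdcs[realm].tgs_req(sname, canonicalize=True)
        if kind == "error":
            return {"ok": False, "error": value, "path": path}
        if value.startswith("krbtgt/"):
            realm = value.split("/", 1)[1]       # retry at the referred realm
            continue
        return {"ok": True, "ticket": f"{value}@{realm}", "path": path}
    return {"ok": False, "error": "too many referrals", "path": path}


# Realm and service names are taken from the message above.
SERVICE = "HOST/Test_w2kserver"
W2K = ToyKDC("LARA_W2K.COM", [SERVICE])
NO_REFERRAL = {"LARA_HMD.COM": ToyKDC("LARA_HMD.COM", []), "LARA_W2K.COM": W2K}
WITH_REFERRAL = {
    "LARA_HMD.COM": ToyKDC("LARA_HMD.COM", [], {SERVICE: "LARA_W2K.COM"}),
    "LARA_W2K.COM": W2K,
}

if __name__ == "__main__":
    print(get_service_ticket(NO_REFERRAL, "LARA_HMD.COM", SERVICE))
    print(get_service_ticket(WITH_REFERRAL, "LARA_HMD.COM", SERVICE))
```

The first call reproduces the failure in the logs (error 7 from the home realm); the second shows the two-hop path a referral produces.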
