[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Windows 2003 Interoperability


I hope that someone can help me. I'm having some issues with a Windows
2003/Heimdal cross-realm trust.

Here is my scenario. I have set up a one way outgoing trust from
ADS.UCRAD.UCR.EDU (Windows 2003 Domain) to our campus Heimdal kerberos
server (UCR.EDU). I also set up a principal in UCR.EDU called
krbtgt/ADS.UCRAD.UCR.EDU@UCR.EDU with the same trust password.

Here is my /etc/krb5.conf:

        default_realm = UCR.EDU
        default_etypes = des-cbc-crc
        default_etypes_des = des-cbc-crc

        UCR.EDU = {
                kdc = edam.ucr.edu
                admin_server = edam.ucr.edu

        .ucr.edu = UCR.EDU

        default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt

        kdc = 0-/FILE:/var/heimdal/kdc.log

I have also done the required ksetup on the domain controller for

When I attempt to log into the Windows DC or any workstation in the
domain using my UCR.EDU credentials I get an error in event log that says
the encryption type isn't supported. All the principals in Heimdal db have
des-cbc-crc and arcfour-hmac-md5 keys only.

            Principal: mikek@UCR.EDU
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 day
   Max renewable life: 1 week
                 Kvno: 0
                Mkvno: 0
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2006-03-30 15:46:17 UTC
             Modifier: mikek/admin@UCR.EDU
             Keytypes: des-cbc-crc(pw-salt), arcfour-hmac-md5(pw-salt)

In kdc.log I see this:

2006-03-30T07:48:51 AS-REQ mikek@UCR.EDU from IPv4: for krbtgt/UCR.EDU@UCR.EDU
2006-03-30T07:48:51 Using arcfour-hmac-md5/arcfour-hmac-md5
2006-03-30T07:48:51 Requested flags: renewable_ok, renewable, forwardable
2006-03-30T07:48:51 sending 543 bytes to IPv4:
2006-03-30T07:48:51 TGS-REQ mikek@UCR.EDU from IPv4: for krbtgt/ADS.UCRAD.UCR.EDU@UCR.EDU [renewable, forwardable]
2006-03-30T07:48:51 sending 572 bytes to IPv4: is the Windows DC I'm attempting to log in to.

Please help, this has been driving me crazy. :)



Mike Kennedy
Computing Infrastructure and Security Group
Computing and Communications