
Re: Windows 2003 Interoperability
Hi Brian,

Following your suggestion, I changed my krb5.conf file to what you see
below, to no avail. I suppose it's still confusing to me as to what encryption
types Windows 2003 actually supports.

[libdefaults]
        default_realm = UCR.EDU
        default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
        default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
        default_etypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
        default_etypes_des = des-cbc-crc

[realms]
        UCR.EDU = {
                kdc = edam.ucr.edu
                admin_server = edam.ucr.edu
        }

[domain_realm]
        .ucr.edu = UCR.EDU

[kadmin]
        default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt

[logging]
        kdc = 0-/FILE:/var/heimdal/kdc.log

I'm still getting this message in the event log on the Windows DC when
the login fails.

A Kerberos Error Message was received:
         on logon session
 Client Time:
 Server Time: 23:4:51.0000 3/30/2006 Z
 Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
 Extended Error:
 Client Realm:
 Client Name:
 Server Realm: ADS.UCRAD.UCR.EDU
 Server Name: host/schnell.ads.ucrad.ucr.edu
 Target Name: host/schnell.ads.ucrad.ucr.edu@ADS.UCRAD.UCR.EDU
 Error Text:
 File: 9
 Line: ae0
 Error Data is in record data.


--
Mike Kennedy
Computing Infrastructure and Security Group
Computing and Communications
mikek@ucr.edu
951.827.5922


On Thu, 30 Mar 2006 brian.joh@comcast.net wrote:

> Try putting this in the libdefaults section of your krb5.conf:
>
>         default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
>         default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
>         default_etypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
>         default_etypes_des = des-cbc-crc
>
> If that doesn't work, upgrade your version of heimdal and take out the
> default_types and default_enctypes lines.
>
> -Brian Joh
> -------------- Original message --------------
> From: Mike Kennedy <mikek@ucr.edu>
>
> >
> > Hello,
> >
> > I hope that someone can help me. I'm having some issues with a Windows
> > 2003/Heimdal cross-realm trust.
> >
> > Here is my scenario. I have set up a one way outgoing trust from
> > ADS.UCRAD.UCR.EDU (Windows 2003 Domain) to our campus Heimdal kerberos
> > server (UCR.EDU). I also set up a principal in UCR.EDU called
> > krbtgt/ADS.UCRAD.UCR.EDU@UCR.EDU with the same trust password.
> >
> > Here is my /etc/krb5.conf:
> >
> > [libdefaults]
> > default_realm = UCR.EDU
> > default_etypes = des-cbc-crc
> > default_etypes_des = des-cbc-crc
> >
> > [realms]
> > UCR.EDU = {
> > kdc = edam.ucr.edu
> > admin_server = edam.ucr.edu
> > }
> >
> > [domain_realm]
> > .ucr.edu = UCR.EDU
> >
> > [kadmin]
> > default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt
> >
> > [logging]
> > kdc = 0-/FILE:/var/heimdal/kdc.log
> >
> > I have also done the required ksetup on the domain controller for
> > ADS.UCRAD.UCR.EDU.
> >
> > When I attempt to log into the Windows DC or any workstation in the
> > domain using my UCR.EDU credentials, I get an error in the event log that says
> > the encryption type isn't supported. All the principals in the Heimdal db have
> > des-cbc-crc and arcfour-hmac-md5 keys only.
> >
> > Principal: mikek@UCR.EDU
> > Principal expires: never
> > Password expires: never
> > Last password change: never
> > Max ticket life: 1 day
> > Max renewable life: 1 week
> > Kvno: 0
> > Mkvno: 0
> > Last successful login: never
> > Last failed login: never
> > Failed login count: 0
> > Last modified: 2006-03-30 15:46:17 UTC
> > Modifier: mikek/admin@UCR.EDU
> > Attributes:
> > Keytypes: des-cbc-crc(pw-salt), arcfour-hmac-md5(pw-salt)
> >
> > In kdc.log I see this:
> >
> > 2006-03-30T07:48:51 AS-REQ mikek@UCR.EDU from IPv4:138.23.222.52 for
> > krbtgt/UCR.EDU@UCR.EDU
> > 2006-03-30T07:48:51 Using arcfour-hmac-md5/arcfour-hmac-md5
> > 2006-03-30T07:48:51 Requested flags: renewable_ok, renewable, forwardable
> > 2006-03-30T07:48:51 sending 543 bytes to IPv4:138.23.222.52
> > 2006-03-30T07:48:51 TGS-REQ mikek@UCR.EDU from IPv4:138.23.222.52 for
> > krbtgt/ADS.UCRAD.UCR.EDU@UCR.EDU [renewable, forwardable]
> > 2006-03-30T07:48:51 sending 572 bytes to IPv4:138.23.222.52
> >
> > 138.23.222.52 is the Windows DC I'm attempting to log in to.
> >
> > Please help, this has been driving me crazy. :)
> >
> > Thanks,
> >
> > Mike
> >
> > --
> > Mike Kennedy
> > Computing Infrastructure and Security Group
> > Computing and Communications
> > mikek@ucr.edu
> > 951.827.5922
> >
> >
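The thread above turns on whether the enctypes a Heimdal client offers overlap with the keys a principal actually holds and with what the Windows side will accept; when that intersection is empty the KDC answers with KDC_ERR_ETYPE_NOTSUPP (0xe), the error shown in the event log. The following is an added example, not code from the thread or from Heimdal: a small Python checker that parses the [libdefaults] enctype lists from a krb5.conf fragment and the "Keytypes:" line from kadmin's principal output, computes the usable overlap per setting, optionally intersects it with a set of enctypes the service side supports, and flags enctypes that are deprecated today (DES per RFC 6649, RC4 per RFC 8429). The krb5.conf text and the Keytypes line embedded below are constructed from the thread; the `service_supported` parameter and the `WEAK_ENCTYPES` set are this example's own assumptions.

```python
"""Predict Kerberos enctype mismatches (KDC_ERR_ETYPE_NOTSUPP) from config and key data."""
import re

# Constructed sample: the [libdefaults] and [realms] sections as posted in the thread.
KRB5_CONF = """\
[libdefaults]
        default_realm = UCR.EDU
        default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
        default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
        default_etypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
        default_etypes_des = des-cbc-crc

[realms]
        UCR.EDU = {
                kdc = edam.ucr.edu
                admin_server = edam.ucr.edu
        }
"""

# Constructed sample: the "Keytypes:" line in the format kadmin's get command prints.
KADMIN_GET = "Keytypes: des-cbc-crc(pw-salt), arcfour-hmac-md5(pw-salt)"

# Assumed list of enctypes a defender should flag: DES is deprecated by RFC 6649,
# RC4 (arcfour-hmac-md5) by RFC 8429.  Extend as policy requires.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "arcfour-hmac-md5"}


def parse_libdefaults_enctypes(conf_text):
    """Return {setting: [enctype, ...]} for every enctype-list setting in [libdefaults]."""
    result = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        # Both the *_enctypes spellings and Heimdal's default_etypes* spellings count.
        if key.endswith("enctypes") or key.startswith("default_etypes"):
            result[key] = value.split()
    return result


def parse_keytypes(kadmin_line):
    """Return the set of enctypes named on a kadmin 'Keytypes:' line, dropping salt info."""
    _, _, rest = kadmin_line.partition(":")
    return {re.sub(r"\(.*?\)", "", item).strip() for item in rest.split(",") if item.strip()}


def check_enctype_overlap(conf_text, kadmin_line, service_supported=None):
    """For each enctype list, compute the offered enctypes the principal has keys for.

    If service_supported (a set of enctype names) is given, the usable list is further
    restricted to it.  An empty usable list predicts KDC_ERR_ETYPE_NOTSUPP for that path.
    """
    keytypes = parse_keytypes(kadmin_line)
    report = {}
    for setting, offered in parse_libdefaults_enctypes(conf_text).items():
        usable = [e for e in offered if e in keytypes]
        if service_supported is not None:
            usable = [e for e in usable if e in service_supported]
        report[setting] = {
            "offered": offered,
            "usable": usable,
            "weak": sorted(set(usable) & WEAK_ENCTYPES),
            "etype_notsupp_risk": not usable,
        }
    return report


def format_report(report):
    """Render the report as one line per setting for an operator to read."""
    lines = []
    for setting, info in report.items():
        status = "RISK: no usable enctype" if info["etype_notsupp_risk"] else "ok"
        lines.append(f"{setting}: usable={info['usable']} weak={info['weak']} -> {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_enctype_overlap(KRB5_CONF, KADMIN_GET)))
    # Same check, assuming (hypothetically) a service that only accepts AES.
    print(format_report(check_enctype_overlap(
        KRB5_CONF, KADMIN_GET, service_supported={"aes256-cts-hmac-sha1-96"})))
```

Run against the thread's data the first report shows every setting has a usable enctype but that all of them are weak; passing a `service_supported` set that has no member in common with the principal's keys reproduces the empty-intersection condition behind KDC_ERR_ETYPE_NOTSUPP, which is the case to test for before changing a cross-realm trust.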