
Re: heimdal 0.7.2 with Windows 2003 KDC



Hello,

I tried the domainname in capital letters like you suggested (LVS-C.COM)
and it worked! So, I can get a ticket at the moment.

Thank you and greetings,

Michel

>
> Looking at the trace you sent, it looks like the client requested a
> ticket for realm LVSC which may be the domain common name, but the realm
> is actually LVS-C.COM. Windows can handle this but Heimdal and MIT
> expect the realm names to be used in all cases.
>
> Also note the salt returned LVS-C.COM.
>
> So in your krb5.conf and anywhere you need a realm name,
> try using the actual realm name of LVS-C.COM.
>
>
>
>
>
> michel.brabants@euphonynet.be wrote:
>
>> Hello,
>>
>> you can find the ethereal-dump of my kerberos-login in the attachment.
>> The kdc is located on a Windows 2003 SP1-machine. This trace is done with
>> the des-cbc-md5-cypher, but I also can't login with the rc4-hmac-cypher
>> and it looks to be the same case on first sight.
>>
>> Greetings and thank you,
>>
>> Michel
>>
>>
>>>Send it to me and I can have a quick look.
>>>
>>>
>>>
>>>michel.brabants@euphonynet.be wrote:
>>>
>>>
>>>>Hello all,
>>>>
>>>>I have a network-trace of the kerberos-part. However, I don't want to
>>>>send this file to a public list (if it is possible anyway). It seems
>>>>that I get a ticket (It seems so), but kinit still says password
>>>>incorrect.
>>>>
>>>>Just tell me if you want to have a look at the ethereal-dump and where
>>>>to send it.
>>>>
>>>>Greetings,
>>>>
>>>>Michel
>>>>
>>>>
>>>>
>>>>>michel.brabants@euphonynet.be wrote:
>>>>>
>>>>>
>>>>>
>>>>>>Hello,
>>>>>>
>>>>>>some more information: when I type in a wrong password, I get
>>>>>>"pre-authentication failed". When I type in the correct password, I
>>>>>>get password incorrect.
>>>>>
>>>>>Have you looked at a network trace? Ethereal can decode the KRB5
>>>>>packets.
>>>>>http://www.ethereal.com
>>>>>
>>>>>Note that Windows treats the user as case insensitive, but the salt
>>>>>is case sensitive. So to Windows User@REALM is the same as
>>>>>user@REALM.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Thank you and greetings,
>>>>>>
>>>>>>Michel
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>Hello,
>>>>>>>
>>>>>>>I found the following interesting page -
>>>>>>>http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1014058,00.html
>>>>>>>, which describes encryption-capabilities of windows 2000 and
>>>>>>>windows 2003 with regard to kerberos. It also contains other
>>>>>>>information regarding their kerberos-implementations. I hope this is
>>>>>>>useful to people.
>>>>>>>
>>>>>>>Greetings,
>>>>>>>
>>>>>>>Michel
>>>>>>>
>>>>>>>P.S: My questions are still open, but I'm looking how to detect if
>>>>>>>pre-authentication is enabled or not.
>>>>>
>>>>>Ethereal would show this.
>>>>>
>>>>>
>>>>>
>>>>>>>>Hello,
>>>>>>>>
>>>>>>>>I'm trying to authenticate to a Windows 2003 KDC using kinit from
>>>>>>>>heimdal 0.7.2 on linux. My loginname is recognized, but I continuously
>>>>>>>>get password incorrect, while I'm 99% sure that it is ok. I read that I
>>>>>>>>should force DES, which didn't help. The samba docs said that with
>>>>>>>>heimdal >0.6, you shouldn't force DES, which also didn't help.
>>>>>>>>
>>>>>>>>Is there an incompatibility at the moment? I had the impression that
>>>>>>>>heimdal 0.6.x worked, but I can't compile heimdal 0.6.6 with gcc 4.0.3.
>>>>>>>>
>>>>>>>>Any idea, if there is already a fix for this or if this is a known
>>>>>>>>issue?
>>>>>>>>
>>>>>>>>Thank you,
>>>>>>>>
>>>>>>>>Michel
>>>>>>>>
>>>>>>>>P.s.: Is there a way to enable logging for kinit?
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>--
>>>>>
>>>>> Douglas E. Engert  <DEEngert@anl.gov>
>>>>> Argonne National Laboratory
>>>>> 9700 South Cass Avenue
>>>>> Argonne, Illinois  60439
>>>>> (630) 252-5444
>>>>>
>>>>
>>>>
>>>>
>>>--
>>>
>>>  Douglas E. Engert  <DEEngert@anl.gov>
>>>  Argonne National Laboratory
>>>  9700 South Cass Avenue
>>>  Argonne, Illinois  60439
>>>  (630) 252-5444
>>>
>
> --
>
>   Douglas E. Engert  <DEEngert@anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
>
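
Added example, not part of the original thread and not Heimdal or MIT code: a small Python check that lists every realm name in a krb5.conf that differs, byte for byte, from the realm the KDC reports (LVS-C.COM in this thread). The sample file and the host name kdc.example.invalid are constructed, and realm_names and lint are hypothetical helper names.

```python
import re

# Constructed sample: a krb5.conf that uses the short domain name LVSC and a
# lowercase realm, the kind of mismatch discussed in the thread above.
SAMPLE_BAD = """\
[libdefaults]
    default_realm = LVSC

[realms]
    LVSC = {
        kdc = kdc.example.invalid
    }

[domain_realm]
    .lvs-c.com = lvs-c.com
"""
# The same file with the realm written exactly as the KDC reports it.
SAMPLE_GOOD = SAMPLE_BAD.replace("LVSC", "LVS-C.COM").replace("= lvs-c.com", "= LVS-C.COM")

def realm_names(conf_text):
    """Return (where, realm) pairs for every realm name used in a krb5.conf."""
    found, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                       # section header such as [realms]
            section = m.group(1)
            continue
        if "=" not in line:         # closing brace or other non-assignment line
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if section == "libdefaults" and key == "default_realm":
            found.append(("default_realm", value))
        elif section == "realms" and value.startswith("{"):
            found.append(("[realms]", key))
        elif section == "domain_realm":
            found.append(("[domain_realm] " + key, value))
    return found

def lint(conf_text, kdc_realm):
    """List realm names that are not exactly the realm the KDC reports."""
    return [f"{where}: {realm!r} should be {kdc_realm!r}"
            for where, realm in realm_names(conf_text) if realm != kdc_realm]
```

The comparison is deliberately case sensitive, so lvs-c.com is flagged as well as LVSC.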