Re: Windows 2003 SP1, cross-domain trust
Chris Stromsoe wrote:
> I'm trying to set up a cross-domain trust from a W2K3 SP1 AD domain
> controller to a heimdal 0.7.2 KDC ("pass-thru authentication").
> I can authenticate stand-alone workstations fine. kerbtray shows all of
> the proper tickets showing up.
> After setting up the trust on the DC, I get KDC_ERR_ETYPE_NOTSUPP on the
> DC when I try to authenticate with credentials from the heimdal realm.
Sounds like you may have gotten a 3DES key from the heimdal realm. AD does
not support 3DES, only RC4 and DES. This may be trying to get the cross realm
Best way to test this is to use some network trace program, like
Wireshark on the client, to see the K5 packets between the client and the KDCs.
On Windows, rather than trying to use login for testing, use the Windows
runas /netonly /user:user@REALM cmd.exe
to run a cmd window as the other user. It will get Kerberos tickets.
> I am in the same position as this thread (same configuration elements,
> try to do the same thing), which did not seem to ever get resolved:
His krb5.conf only has one realm listed. It has to have both the
Heimdal realm and the AD realm. The AD domain and the Kerberos realm
have to have different realm names. AD is a real Kerberos realm.
> I've read plenty of reports of people claiming to have working Win 2000
> cross-realm trust relationships (generally with MIT), but haven't found
> any that claim success with W2K3.
> Can anybody confirm that they have a W2K3 SP1 domain controller that has
> an outgoing trust to a heimdal KDC, and that pass-thru authentication
> actually works?
Sorry, I can claim that, just responding to your note, as it looks
like a 3des vs rc4 problem.
> If you do have a working trust, did you have to do anything not
> mentioned in the documentation on the windows side? Are you using rc4
> or des keytypes? What do your principles look like in the KDC?
Even if the user has a principal in the Heimdal, they need an AD account,
and the account has to say they can authenticate using the Heimdal
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
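The reply above makes two configuration points: the client's krb5.conf must list both the Heimdal realm and the AD realm (with different realm names), and the cross-realm keys must use an enctype AD accepts (RC4 or DES, not 3DES). The following krb5.conf is an added example written for this thread, not a file posted by either participant; the realm names HEIMDAL.EXAMPLE.ORG and AD.EXAMPLE.ORG, the KDC host names and the DNS domains are placeholders to be replaced with your own.

```ini
# Added example krb5.conf (not from the thread). Placeholders:
#   HEIMDAL.EXAMPLE.ORG  - the Heimdal realm (trusted side)
#   AD.EXAMPLE.ORG       - the AD domain's Kerberos realm (trusting side)
#   kdc.example.org / dc1.ad.example.org - the respective KDC hosts

[libdefaults]
    default_realm = HEIMDAL.EXAMPLE.ORG
    # Restrict the enctypes the client requests so the cross-realm
    # ticket is never issued with 3DES, which the reply says AD rejects
    # with KDC_ERR_ETYPE_NOTSUPP. RC4 is listed first; the DES types are
    # only there for compatibility with very old AD configurations.
    default_etypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    default_etypes_des = des-cbc-md5 des-cbc-crc

[realms]
    # Both realms must be present: the Heimdal realm ...
    HEIMDAL.EXAMPLE.ORG = {
        kdc = kdc.example.org
        admin_server = kdc.example.org
    }
    # ... and the AD domain, which is a real Kerberos realm in its own right.
    AD.EXAMPLE.ORG = {
        kdc = dc1.ad.example.org
        admin_server = dc1.ad.example.org
    }

[domain_realm]
    # Map host names to realms so service tickets go to the right KDC.
    .example.org    = HEIMDAL.EXAMPLE.ORG
    example.org     = HEIMDAL.EXAMPLE.ORG
    .ad.example.org = AD.EXAMPLE.ORG
    ad.example.org  = AD.EXAMPLE.ORG

[capaths]
    # Direct trust in each direction: a Heimdal user reaching AD services
    # and an AD user reaching Heimdal services, with no intermediate realm.
    HEIMDAL.EXAMPLE.ORG = {
        AD.EXAMPLE.ORG = .
    }
    AD.EXAMPLE.ORG = {
        HEIMDAL.EXAMPLE.ORG = .
    }
```

With this in place, the Wireshark check the reply suggests should show the TGS-REQ for krbtgt/AD.EXAMPLE.ORG@HEIMDAL.EXAMPLE.ORG carrying only RC4 and DES in its etype list; if the cross-realm krbtgt principals in the Heimdal KDC still hold a 3DES key, the AD side will keep returning KDC_ERR_ETYPE_NOTSUPP regardless of the client settings, so the keys for those principals need to be regenerated with the same RC4 or DES enctypes.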