[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Windows 2003 SP1, cross-domain trust

On Thu, 29 Mar 2007, Douglas E. Engert wrote:
> Chris Stromsoe wrote:

> Sounds like you may have gotten a 3DES key from the heimdal realm. AD 
> does not support 3DES, only RC4 and DES. This may be trying to get the 
> cross realm TGT.

None of the principals have 3DES keys.  I had des-cbc-des and 
arcfour-hmac-md5 configured as keytypes for the cross-realm principal.  I 
removed rc4 and that fixed everything.  My problem was getting the DC to 
use RC4 keys for the principal.  Updating the Support Tools on the DC 
fixed that.

>> I am in the same position as this thread (same configuration elements, 
>> try to do the same thing), which did not seem to ever get resolved:
>> http://www.stacken.kth.se/lists/heimdal-discuss/2006-03/msg00050.html
> His krb5.conf only has one realm listed. It has to have both the Heimdal 
> realm and the AD realm. The AD domain and the Kerberos realm have to 
> have different realm names. AD is a real Kerberos realm.

Do you need both listed for a one-way trust (users in the Heimdal KDC, 
services in the AD KDC) ?  I only have the heimdal realm in krb5.conf, but 
am not having any problems logging in to the windows domain using heimdal