[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Windows 2003 SP1, cross-domain trust

Chris Stromsoe wrote:
> On Thu, 29 Mar 2007, Douglas E. Engert wrote:
>> Chris Stromsoe wrote:
>> Sounds like you may have gotten a 3DES key from the heimdal realm. AD 
>> does not support 3DES, only RC4 and DES. This may be trying to get the 
>> cross realm TGT.
> None of the principals have 3DES keys.  I had des-cbc-des and 
> arcfour-hmac-md5 configured as keytypes for the cross-realm principal.  
> I removed rc4 and that fixed everything.  My problem was getting the DC 
> to use RC4 keys for the principal.  Updating the Support Tools on the DC 
> fixed that.
>>> I am in the same position as this thread (same configuration 
>>> elements, try to do the same thing), which did not seem to ever get 
>>> resolved:
>>> http://www.stacken.kth.se/lists/heimdal-discuss/2006-03/msg00050.html
>> His krb5.conf only has one realm listed. It has to have both the 
>> Heimdal realm and the AD realm. The AD domain and the Kerberos realm 
>> have to have different realm names. AD is a real Kerberos realm.
> Do you need both listed for a one-way trust (users in the Heimdal KDC, 
> services in the AD KDC) ?  I only have the heimdal realm in krb5.conf, 
> but am not having any problems logging in to the windows domain using 
> heimdal principals.

Forgot that AD will publish DNS SRV records and Heimdal can locate
the KDC using DNS, i.e the dns_lookup_kdc option.  Sorry about that.

set type=ANY

I see from here that you have two kdc, black and white.

> -Chris


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444