Re: Windows 2003 SP1, cross-domain trust
Chris Stromsoe wrote:
> On Thu, 29 Mar 2007, Douglas E. Engert wrote:
>> Chris Stromsoe wrote:
>
>> Sounds like you may have gotten a 3DES key from the heimdal realm. AD
>> does not support 3DES, only RC4 and DES. This may be trying to get the
>> cross realm TGT.
>
> None of the principals have 3DES keys. I had des-cbc-des and
> arcfour-hmac-md5 configured as keytypes for the cross-realm principal.
> I removed rc4 and that fixed everything. My problem was getting the DC
> to use RC4 keys for the principal. Updating the Support Tools on the DC
> fixed that.
>
>>> I am in the same position as this thread (same configuration
>>> elements, try to do the same thing), which did not seem to ever get
>>> resolved:
>>>
>>> http://www.stacken.kth.se/lists/heimdal-discuss/2006-03/msg00050.html
>>
>> His krb5.conf only has one realm listed. It has to have both the
>> Heimdal realm and the AD realm. The AD domain and the Kerberos realm
>> have to have different realm names. AD is a real Kerberos realm.
>
> Do you need both listed for a one-way trust (users in the Heimdal KDC,
> services in the AD KDC) ? I only have the heimdal realm in krb5.conf,
> but am not having any problems logging in to the windows domain using
> heimdal principals.
>
Forgot that AD will publish DNS SRV records and Heimdal can locate
the KDC using DNS, i.e. the dns_lookup_kdc option. Sorry about that.
nslookup
set type=ANY
_kerberos._udp.realmname
_kerberos._tcp.realmname
I see from here that you have two KDCs, black and white.
>
> -Chris
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
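The SRV lookup described in the reply above, worked through as an added example (not Heimdal's code and not part of this thread): it parses constructed dig-style SRV answers for `_kerberos._udp.<realm>` and orders the KDCs by priority and weight the way an RFC 2782 client does. The realm, hostnames and record values are placeholders; only the names "black" and "white" are borrowed from the thread.

```python
"""Locate Kerberos KDCs from DNS SRV records (dns_lookup_kdc behaviour).

Constructed example: the SRV answer below is made up, and the hostnames
are placeholders, not records from any real zone.
"""
import random
import re
from collections import defaultdict

# Constructed answer for `dig _kerberos._udp.example.org SRV`, two equal-weight
# KDCs at priority 0 and one backup KDC at priority 10.
SRV_ANSWER = """\
_kerberos._udp.example.org. 600 IN SRV 0 50 88 black.example.org.
_kerberos._udp.example.org. 600 IN SRV 0 50 88 white.example.org.
_kerberos._udp.example.org. 600 IN SRV 10 0 88 backup.example.org.
"""

SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(answer, realm, proto="udp"):
    """Return (priority, weight, port, host) for records owned by
    _kerberos._<proto>.<realm>. The owner name is compared case-insensitively:
    DNS folds case, while Kerberos realm names are usually upper-case."""
    owner = f"_kerberos._{proto}.{realm}.".lower()
    records = []
    for line in answer.splitlines():
        m = SRV_RE.match(line.strip())
        if m and m.group(1).lower() == owner:
            prio, weight, port, host = m.group(2, 3, 4, 5)
            records.append((int(prio), int(weight), int(port), host.rstrip(".")))
    return records


def order_kdcs(records, seed=0):
    """RFC 2782 ordering: lowest priority first; within one priority, pick
    KDCs by weighted random selection so equal-weight KDCs share the load.
    `seed` makes the weighted choice reproducible for testing."""
    rng = random.Random(seed)
    by_prio = defaultdict(list)
    for rec in records:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.uniform(0, total) if total else 0
            acc = 0
            for r in pool:  # first record whose cumulative weight reaches pick
                acc += r[1]
                if pick <= acc:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return [(host, port) for _, _, port, host in ordered]
```

Note that an SRV answer only tells the client where to send the AS/TGS request; without DNSSEC it is unauthenticated, so a client still relies on the realm's keys, not on DNS, to trust the KDC it reaches.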