Re: Windows 2003 Interoperability

[brian.joh@comcast.net]

Try putting this in the libdefaults section of your krb5.conf:

 

        default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
        default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
        default_etypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
        default_etypes_des = des-cbc-crc

If that doesn't work, upgrade your version of heimdal and take out the

default_types and default_enctypes lines.

 

-Brian Joh

> -------------- Original message -------------- 
> From: Mike Kennedy <mikek@ucr.edu> 
>
> > 
> > Hello, 
> > 
> > I hope that someone can help me. I'm having some issues with a Windows 
> > 2003/Heimdal cross-realm trust. 
> > 
> > Here is my scenario. I have set up a one way outgoing trust from 
> > ADS.UCRAD.UCR.EDU (Windows 2003 Domain) to our campus Heimdal kerberos 
> > server (UCR.EDU). I also set up a principal in UCR.EDU called 
> > krbtgt/ADS.UCRAD.UCR.EDU@UCR.EDU with the same trust password. 
> > 
> > Here is my /etc/krb5.conf: 
> > 
> > [libdefaults] 
> > default_realm = UCR.EDU 
> > default_etypes = des-cbc-crc 
> > default_etypes_des = des-cbc-crc 
> > 
> > [realms] 
> > UCR.EDU = { 
> > kdc = edam.ucr.edu 
> > admin_server = edam.ucr.edu 
> > } 
> > 
> > [domain_real!
>  m] 
> > .ucr.edu = UCR.EDU 
> > 
> > [kadmin] 
> > default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt 
> > 
> > [logging] 
> > kdc = 0-/FILE:/var/heimdal/kdc.log 
> > 
> > I have also done the required ksetup on the domain controller for 
> > ADS.UCRAD.UCR.EDU. 
> > 
> > When I attempt to log into the Windows DC or any workstation in the 
> > domain using my UCR.EDU credentials I get an error in event log that says 
> > the encryption type isn't supported. All the principals in Heimdal db have 
> > des-cbc-crc and arcfour-hmac-md5 keys only. 
> > 
> > Principal: mikek@UCR.EDU 
> > Principal expires: never 
> > Password expires: never 
> > Last password change: never 
> > Max ticket life: 1 day 
> > Max renewable life: 1 week 
> > Kvno: 0 
> > Mkvno: 0 
> > Last successful login: never 
> > Last failed login: never 
> > Failed login count: 0 
> > Last modi!
>  fied: 2006-03-30 15:46:17 UTC 
> > Modifier: mikek/admin@UCR.EDU <
> BR>> Attributes: 
> > Keytypes: des-cbc-crc(pw-salt), arcfour-hmac-md5(pw-salt) 
> > 
> > In kdc.log I see this: 
> > 
> > 2006-03-30T07:48:51 AS-REQ mikek@UCR.EDU from IPv4:138.23.222.52 for 
> > krbtgt/UCR.EDU@UCR.EDU 
> > 2006-03-30T07:48:51 Using arcfour-hmac-md5/arcfour-hmac-md5 
> > 2006-03-30T07:48:51 Requested flags: renewable_ok, renewable, forwardable 
> > 2006-03-30T07:48:51 sending 543 bytes to IPv4:138.23.222.52 
> > 2006-03-30T07:48:51 TGS-REQ mikek@UCR.EDU from IPv4:138.23.222.52 for 
> > krbtgt/ADS.UCRAD.UCR.EDU@UCR.EDU [renewable, forwardable] 
> > 2006-03-30T07:48:51 sending 572 bytes to IPv4:138.23.222.52 
> > 
> > 138.23.222.52 is the Windows DC I'm attempting to log in to. 
> > 
> > Please help, this has been driving me crazy. :) 
> > 
> > Thanks, 
> > 
> > Mike 
> > 
> > -- 
> > Mike Kennedy 
> > Computing Infrastructure and Security Group 
> > Computi!
>  ng and Communications 
> > mikek@ucr.edu 
> > 951.827.5922 
> > 
> >