[29888] in Kerberos
Re: Problems with authenticating to a Win domain controller
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed May 28 11:48:12 2008
Message-ID: <483D7E8A.7010102@anl.gov>
Date: Wed, 28 May 2008 10:47:22 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: radaczynski@gmail.com
In-Reply-To: <39b71f23-4227-4c63-b500-1801705cad9c@k37g2000hsf.googlegroups.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
radaczynski@gmail.com wrote:
> Hi,
>
> I've recently encountered a strange error when trying to get a ticket
> from a W2k domain controller. My setup is like this:
>
> 1. krb5.conf:
> [libdefaults]
> default_realm = DOMAIN1.COM
> forwardable = true
> proxiable = true
> dns_lookup_realm = false
> dsn_lookup_kdc = false
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
>
> [realms]
> DOMAIN1.COM = {
> kdc = aaa.domain1.com:88
> }
>
> [domain_realm]
> .domain1.com = DOMAIN1.COM
> domain1.com = DOMAIN1.COM
> .domain2.com = DOMAIN2.COM
> domain2.com = DOMAIN2.COM
>
>
> [appdefaults]
> pam = {
> debug=false
> forwardable=true
> krb4_convert=false
> }
>
> DOMAIN2 is a trusted domain of DOMAIN1
>
> Now, when I do this:
> kinit myuser@DOMAIN2.COM
> Password for myuser@DOMAIN2.COM:
>
> and I get a TGT: renew until 05/29/08 08:55:12, Etype (skey, tkt):
> ArcFour with HMAC/md5, ArcFour with HMAC/md5, the principal is: krbtgt/
> DOMAIN2.COM@DOMAIN2.COM
>
> then I try:
> kvno HTTP/test.domain1.com@DOMAIN1.COM
> and get:
> Server not found in Kerberos database while getting credentials
This might be some cross realm issue. To get a ticket from
DOMAIN1.COM requires you to first get a krbtgt/DOMAIN1.COM@DOMAIN2.COM
from DOMAIN2.COM.
You set the dns_lookup_kdc = false, and did not define DOMAIN1.COM in
[realms], so your client cannot find the KDCs for DOMAIN1.COM.
It might be an issue that the cross realm trust is not set up as you
think it is.
To verify all of these for sure, use a trace program like Wireshark
that can format the Kerberos packets.
>
> when I try:
> kvno HTTP/test.domain1.com@DOMAIN2.COM
> I get:
> KDC reply did not match expectations while getting credentials
W2K may have returned a referral saying look in DOMAIN1.COM.
But the Kerberos lib does not handle that today.
>
> Any help would be greatly appreciated.
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
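An added check for the configuration quoted in this thread (example code written for this page, not from the poster or from MIT krb5): a small krb5.conf parser plus two checks, one that flags [libdefaults] keys missing from a partial, assumed list of known names (which catches the `dsn_lookup_kdc` spelling), and one that, when dns_lookup_kdc is false, requires every realm named in [domain_realm] to have a kdc under [realms]. Assumed: MIT krb5's default of dns_lookup_kdc = true when the key is absent.

```python
# Constructed sample: the poster's [libdefaults], [realms] and [domain_realm], trimmed.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = DOMAIN1.COM
dns_lookup_realm = false
dsn_lookup_kdc = false
[realms]
DOMAIN1.COM = {
kdc = aaa.domain1.com:88
}
[domain_realm]
.domain1.com = DOMAIN1.COM
.domain2.com = DOMAIN2.COM
"""
# Partial list of valid [libdefaults] keys (assumed; enough to catch transposed names).
KNOWN_LIBDEFAULTS = {"default_realm", "forwardable", "proxiable", "dns_lookup_realm",
                     "dns_lookup_kdc", "v4_instance_resolve", "v4_name_convert"}

def parse_krb5_conf(text):
    """Parse krb5.conf-style text into nested dicts; 'key = {' opens a subsection."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]  # new top-level section
        elif line == "}":
            stack.pop()                                 # close a subsection
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def check_krb5_conf(text):
    """Return findings: mistyped libdefaults keys, then realms the client cannot locate."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    findings = [f"unknown libdefaults key {k!r}"
                for k in libdefaults if k not in KNOWN_LIBDEFAULTS]
    # MIT krb5 defaults dns_lookup_kdc to true, so a mistyped key silently re-enables DNS.
    if libdefaults.get("dns_lookup_kdc", "true").lower() == "false":
        for realm in sorted(set(conf.get("domain_realm", {}).values())):
            if "kdc" not in conf.get("realms", {}).get(realm, {}):  # must be explicit
                findings.append(f"no kdc configured for {realm} while dns_lookup_kdc is false")
    return findings
```

Run it on the sample as posted and it reports only the mistyped key; run it again with the key spelled correctly and it reports that DOMAIN2.COM has no kdc entry, which is the realm the kinit above actually talks to.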