[29899] in Kerberos


Re: Problems with authenticating to a Win domain controller

daemon@ATHENA.MIT.EDU (radaczynski@gmail.com)
Thu May 29 09:22:07 2008

From: radaczynski@gmail.com
Date: Wed, 28 May 2008 23:30:09 -0700 (PDT)
Message-ID: <f9c3b910-e901-46ca-8558-a42df1350298@l64g2000hse.googlegroups.com>
To: kerberos@mit.edu

On May 28, 5:47 pm, "Douglas E. Engert" <deeng...@anl.gov> wrote:
> radaczyn...@gmail.com wrote:
> > Hi,
>
> > I've recently encountered a strange error when trying to get a ticket
> > from a W2k domain controller. My setup is like this:
>
> > 1. krb5.conf:
> > [libdefaults]
> >         default_realm = DOMAIN1.COM
> >         forwardable = true
> >         proxiable = true
> >         dns_lookup_realm = false
> >         dsn_lookup_kdc = false
> >         v4_instance_resolve = false
> >         v4_name_convert = {
> >                 host = {
> >                         rcmd = host
> >                         ftp = ftp
> >                 }
> >                 plain = {
> >                         something = something-else
> >                 }
> >         }
>
> > [realms]
> >         DOMAIN1.COM = {
> >                 kdc = aaa.domain1.com:88
> >         }
>
> > [domain_realm]
> >         .domain1.com = DOMAIN1.COM
> >         domain1.com = DOMAIN1.COM
> >         .domain2.com = DOMAIN2.COM
> >         domain2.com = DOMAIN2.COM
>
> > [appdefaults]
> >         pam = {
> >             debug=false
> >             forwardable=true
> >             krb4_convert=false
> >         }
>
> > DOMAIN2 is a trusted domain of DOMAIN1
>
> > Now, when I do this:
> > kinit myu...@DOMAIN2.COM
> > Password for myu...@DOMAIN2.COM:
>
> > and i get a TGT:  renew until 05/29/08 08:55:12, Etype (skey, tkt):
> > ArcFour with HMAC/md5, ArcFour with HMAC/md5, the principal is: krbtgt/
> > DOMAIN2....@DOMAIN2.COM
>
> > then I try:
> > kvno HTTP/test.domain1....@DOMAIN1.COM
> > and get:
> > Server not found in Kerberos database while getting credentials
>
> This might be some cross realm issue. To get a ticket from
> DOMAIN1.COM requires you to first get a krbtgt/DOMAIN1....@DOMAIN2.COM
> from DOMAIN2.COM.

Can you please tell me how to do it with command line utilities from
MIT kerberos?

> You set the dns_lookup_kdc = false, and did not define DOMAIN1.COM in
> [realms] so your client cannot find the KDCs for DOMAIN1.COM.

Actually, I did. I did not define DOMAIN2.COM, for which I do obtain
TGTs.

>
> It might be an issue that the cross realm trust is not set up as you
> think it is.

Doesn't the above prove that the cross realm trust is set up?

>
> To verify all of these for sure, use a trace program like Wireshark,
> that can format the Kerberos packets.

I will do that and report back the results. Any hints for running it?


> > when I try:
> > kvno HTTP/test.domain1....@DOMAIN2.COM
> > I get:
> > KDC reply did not match expectations while getting credentials
>
> W2K may have returned a referral saying look in DOMAIN1.COM.
> But the Kerberos lib does not handle that today.

That's probably it -> I should look in DOMAIN1.COM, since the service
principal is in DOMAIN1.COM.

Thanks for the reply and any further hints anyone could give me.
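As an added, runnable example (not from this thread and not MIT krb5 code), a small Python checker for the two diagnostic points raised above: which cross-realm TGT the client's KDC must issue first, and whether [realms] lists a KDC for every realm on that path once DNS lookup is switched off. The krb5.conf parser, the sample file (modelled on the quoted one, including its misspelt key) and the realm names are constructed for the example.

```python
import re
# Constructed krb5.conf modelled on the one quoted in this thread (not the
# poster's file verbatim); the misspelt "dsn_lookup_kdc" is carried over.
SAMPLE_KRB5_CONF = """
[libdefaults]
        default_realm = DOMAIN1.COM
        dsn_lookup_kdc = false
[realms]
        DOMAIN1.COM = {
                kdc = aaa.domain1.com:88
        }
[domain_realm]
        .domain1.com = DOMAIN1.COM
        .domain2.com = DOMAIN2.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value-or-nested-dict}}."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":  # nested block such as a realm's settings
                stack.append(stack[-1].setdefault(key, {}))
            else:  # repeated keys (e.g. several kdc lines) keep the last one
                stack[-1][key] = value
    return sections

def cross_realm_tgt(client_realm, service_realm):
    """TGT the client's KDC must issue before a service ticket in service_realm."""
    return f"krbtgt/{service_realm}@{client_realm}"

def lint_cross_realm(conf, client_realm, service_realm):
    """Findings that would stop the client from reaching both KDCs."""
    lib, realms, findings = conf.get("libdefaults", {}), conf.get("realms", {}), []
    if "dns_lookup_kdc" not in lib:
        findings.append("dns_lookup_kdc is not set (misspelt?); library default applies")
    elif lib["dns_lookup_kdc"].lower() == "false":
        for realm in sorted({client_realm, service_realm}):
            if "kdc" not in realms.get(realm, {}):
                findings.append(f"{realm}: no kdc in [realms] and DNS lookup is off")
    return findings
```

Running the lint on the sample with the key spelt correctly reports that DOMAIN2.COM, the realm the user's TGT comes from, has no KDC entry while DNS lookup is off.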
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
