
Re: Windows login failing, with no errors?

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon Apr 5 09:42:53 2010

Message-ID: <4BB9E8D1.1070006@anl.gov>
Date: Mon, 05 Apr 2010 08:42:41 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Tom Medhurst <tom.medhurst@googlemail.com>
In-Reply-To: <i2i8da9fa8d1004021213q9a8f9c81u4b4dcd8227d4c074@mail.gmail.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Tom Medhurst wrote:
> Hi Guys,
> I'm trying to get 2 Windows Clients (1x Windows XP Pro SP3, 1x Windows
> 7 Enterprise) configured so they logon via Kerberos 5-1.8 (Arch Linux
> Server, Kerberos 5 build from source), and I'm soooo close I can smell
> it! but...
> 
> When I login I get the error message:
> 
> "The username or password is incorrect" on the Windows client.
> 
> The log file krb5kdc.log shows the following for each attempt:
> 
> "dc1 krb5kdc[5372](info): AS_REQ (6 etypes {18 17 23 24 - 135 3})
> 10.0.0.3: ISSUE: authtime 1270166763, etypes {rep=23 tkt=16 ses=23},
> tom@TNET.LOC for krbtgt/TNET.LOC@TNET.LOC
> dc1 krb5kdc[5372](info): TGS_REQ (5 etypes {18 17 23 24 - 135})
> 10.0.0.3: ISSUE: authtime 1270166763, etypes {rep=23 tkt16 ses23},
> tom@TNET.LOC for host/wdesk3.tnet.loc@TNET.LOC"
> 
> Is there an error hidden somewhere in this krb5kdc.log output? Or
> should I be looking elsewhere?
> I have done the following:
> Synced the time with a ntp server (on the same box) using w32tm /config ...

> Added this machine to the list of hosts (via /usr/local/sbin/kadmin.local):
> kadmin.local> ank -e rc4-hmac:normal -policy host/wdesk3.tnet.loc
> kadmin.local> ktadd -k /usr/local/var/krb5kdc/kadm5.keytab

These last two do not look correct. I think you just added the client's
host principal (with a random password) to the keytab used by the KDC.

You need to add the host to the KDC with a known password, then use the
ksetup /setcomputerpassword command with that known password, in effect creating
the Microsoft equivalent of a keytab on the client.

> Added the Windows machine to the realm, added the kdc server, and
> mapped the users:
>> ksetup /addkdc TNET.LOC dc1.tnet.loc
>> ksetup /addkpasswd TNET.LOC dc1.tnet.loc
>> ksetup /setrealm TNET.LOC

> REBOOT WINDOWS
>> ksetup /mapuser * *
> I know that the Windows box is trying as everytime I attempt to login
> I get the same messages in the server's krb5kdc.log file.
> Can anybody help me figure out what I've missed?
> 
> Many Thanks,
> Tom
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
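The procedure Douglas describes, written up as an added example (this is not code from either message in the thread): the host principal is created on the MIT KDC with a known password rather than a random key, and the very same password is then handed to ksetup /setcomputerpassword on the Windows client. The realm, hostnames and kadmin.local path are taken from Tom's post; the password generation, the --run switch and the KADMIN variable are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: create the Windows client's host
# principal on the MIT KDC with a KNOWN password and emit the matching
# ksetup commands for the client. Realm, hostnames and the kadmin.local
# path come from Tom's post; the password is generated here.
set -eu

REALM="TNET.LOC"
CLIENT_HOST="wdesk3.tnet.loc"
KDC_HOST="dc1.tnet.loc"
KADMIN="${KADMIN:-/usr/local/sbin/kadmin.local}"   # assumed default path

# 128 bits from /dev/urandom as 32 hex characters. A machine password is
# never typed by a person, so it can be long and fully random.
gen_password() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# KDC side. -pw derives the key from a known password instead of -randkey,
# and -e restricts the key to an enctype the XP/7 clients implement.
# Nothing is ktadd'ed: kadm5.keytab belongs to kadmind, not to client hosts.
kdc_command() {
    pw="$1"
    printf '%s -q "addprinc -e rc4-hmac:normal -pw %s host/%s@%s"\n' \
        "$KADMIN" "$pw" "$CLIENT_HOST" "$REALM"
}

# Windows side, in an elevated cmd.exe, followed by a reboot. The password
# installed with /setcomputerpassword is the client's equivalent of a host
# keytab and must be byte-for-byte what the KDC stored.
client_commands() {
    pw="$1"
    cat <<EOF
ksetup /addkdc $REALM $KDC_HOST
ksetup /addkpasswd $REALM $KDC_HOST
ksetup /setrealm $REALM
ksetup /setcomputerpassword $pw
ksetup /mapuser * *
EOF
}

# With --run, execute the kadmin.local command on the KDC; otherwise print
# both halves for review. The password appears on kadmin.local's command
# line (visible in ps) and in shell history; clear it afterwards.
main() {
    pw="$(gen_password)"
    if [ "${1:-}" = "--run" ]; then
        eval "$(kdc_command "$pw")"
    else
        echo "# On the KDC:"; kdc_command "$pw"
    fi
    echo "# On $CLIENT_HOST (then reboot):"; client_commands "$pw"
}
main "$@"
```

Two points worth keeping in mind when adapting this. First, -e rc4-hmac:normal matters for these clients: Windows XP and 7 do not implement des3-cbc-sha1 (etype 16), so a host key left at the KDC's default enctype list can produce a service ticket the client cannot use. Second, the client has to be rebooted after /setcomputerpassword before the new machine key is used for logon.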
