[32601] in Kerberos


Re: problem with the cross-realm, any help?

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Aug 25 10:22:43 2010

Message-ID: <4C752729.1060307@anl.gov>
Date: Wed, 25 Aug 2010 09:22:33 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <AANLkTim1ReyKGXPsLu0et4XS0FZtPy8m11R5HkD97HVJ@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



On 8/25/2010 4:46 AM, c f wrote:
> Hi Ross,
>
> On Tue, Aug 24, 2010 at 5:39 PM, Wilper, Ross A <rwilper@stanford.edu> wrote:
>
>> You mention allowing the DES enctypes on the Windows 7 box? Is that the
>> only common enctype available between the MIT realm and Windows? (AES256,
>> AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC)
>>
>> I have all these enctypes enabled in fact.
>
>
>> If so, you will need to have DES enabled on the domain controller also.
>> This is most easily done (for all machines) using a group policy
>>
>
>> "Network Security: Configure Encryption types allowed for Kerberos"
>>
>
> I have not found this group policy in Windows Server 2008.
>
>
>
>> Outbound trust should be the correct direction
>> It appears that you have altSecurityIdentities set on the domain user
>> account
>> Check the time on the DCs too.
>>
>
> Yes, I linked every AD user to an MIT Kerberos principal manually, by the
> "name mapping" settings in AD. I think that's what you mean by
> altSecurityIdentities. (I'm still new in this domain.)
>
> I have an NTP server, and I've checked the time on all the servers and
> clients.
>
> Nothing works so far.
> With Wireshark on the Windows 7 box, I've got some traffic:
> source: windows 7 box,  destination: mit kdc, info : as-req
> source: mit kdc,  destination: windows 7 box, info : as-rep
> source: windows 7 box,  destination: mit kdc, info : tgs-req
> source: mit kdc,  destination: windows 7 box, info : tgs-rep

Can you look at the Wireshark tgs-req and tgs-rep and see what service
principal the workstation is requesting?

If it's for host/<w7 workstation>@<mit realm>, the W7 workstation thinks
it is a member of the MIT realm, and not joined to the AD domain.

If it's for krbtgt/<ad domain>@<mit realm>, then it's a cross-realm
ticket, and there is something else going on.

With the cross realm, the W7 workstation needs to be joined to the AD
domain, and the user is in the MIT realm.

When you try to login, do you specify user@<mit realm>?

What is the output of ksetup /dumpstate? With all your testing it
might be in a strange state.



>
> I don't see any traffic between my Windows 7 box and the Active Directory.
> That seems not so normal.
>
> Thanks.
>
> Claudia
>
>
>>
>> -Ross
>>
>> -----Original Message-----
>> From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf
>> Of c f
>> Sent: Tuesday, August 24, 2010 3:06 AM
>> To: kerberos@mit.edu
>> Subject: problem with the cross-realm, any help?
>>
>> Hello,
>>
>> I need some help with the cross-realm.
>>
>> I have an MIT KDC, an Active Directory on Windows Server 2008 Enterprise, and
>> a Windows 7 (in the Windows domain) as a client for test.
>> What I want to do is: to log onto Windows 7 with the MIT Kerberos accounts.
>>
>> I've created and configured:
>> -- on the MIT KDC, adding the "krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM" and
>> "krbtgt/MYDOMAIN.COM@AD.MYDOMAIN.COM" principals;
>> -- on Windows 2008, creating the trust relationship with the MIT KDC (Direct
>> Outbound);
>> -- on both Windows 7 and Windows Server 2008, using "ksetup /addRealm
>> ......" to add the MIT Kerberos realm;
>> -- on Windows 7, enabling the DES encryption, but not on the 2008 server,
>> as I could not find a way to do that;
>> -- on Windows Server 2008, creating the same users as in the MIT KDC, and
>> mapping them to MIT Kerberos principals;
>>
>> The problem is, I cannot log onto Windows 7 by using the MIT Kerberos
>> username and password.
>> I've got these 2 types of error messages: sometimes "user name and password
>> is incorrect", and sometimes "the trust relationship between this workstation
>> and the primary domain failed".
>> On the MIT KDC's log file, there is the message
>> "mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3
>> 1 24 -135}) ...: ISSUE: authtime 1282578442, etypes {rep=23 tkt=16 ses=23},
>> userfotest@MYDOMAIN.COM for krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM".
>> And in Active Directory, I see nothing wrong, neither on the Windows 7.
>>
>> However, if I don't add my Windows 7 into Active Directory, but into the MIT
>> Kerberos domain, everything works. I can authenticate the standalone
>> workstation (Windows 7) against MIT Kerberos without problem (by activating
>> the guest account on Windows 7, and mapping * to the guest account).
>>
>> I've been blocked for weeks on this. Does anyone have any ideas to help me?
>>
>> Thank you!
>>
>> Claudia
>> ________________________________________________
>> Kerberos mailing list           Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
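As an added example (not part of this thread or of MIT krb5), here is a small Python parser for the krb5kdc "ISSUE:" log line quoted above that applies Doug's two-case test to the requested service principal and decodes the numeric etypes by their RFC 3961 registry names, flagging tickets issued with single DES or RC4. The realm names come from the thread; the second, host/ sample line and the w7box host name are constructed.

```python
import re
# Encryption type numbers from the RFC 3961 / IANA registry; negative values are private use
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK_ETYPES = {1, 3, 23, 24}  # single DES and RC4: flag tickets issued with these

# Matches the "ISSUE:" line format of the MIT krb5kdc log quoted in the thread
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\).*?ISSUE: "
    r"authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\}, (?P<client>\S+) for (?P<service>\S+)")

def etype_name(n):
    return ETYPE_NAMES.get(n, "private-use" if n < 0 else "etype-%d" % n)

def classify_service(service, mit_realm, ad_realm):
    """Doug's test: which service principal is the workstation asking for?"""
    name, _, realm = service.rpartition("@")
    if realm != mit_realm:
        return "service outside the MIT realm"
    if name == "krbtgt/" + ad_realm:
        return "cross-realm TGT for the AD domain"
    if name.startswith("host/"):
        return "host ticket in the MIT realm: workstation acts as an MIT member, not AD-joined"
    return "other MIT-realm service"

def parse_issue(line, mit_realm, ad_realm):
    """Describe one ISSUE log line as a dict, or return None for any other line."""
    m = ISSUE_RE.search(line)
    if m is None:
        return None
    tkt = int(m["tkt"])
    return {"request": m["req"], "client": m["client"], "service": m["service"],
            "diagnosis": classify_service(m["service"], mit_realm, ad_realm),
            "offered": [etype_name(int(e)) for e in m["offered"].split()],
            "ticket_etype": etype_name(tkt), "weak_ticket": tkt in WEAK_ETYPES}

# Sample input: the line Claudia quoted (spaces restored) plus a constructed host/ request
SAMPLE_LOG = [
    "mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) "
    "...: ISSUE: authtime 1282578442, etypes {rep=23 tkt=16 ses=23}, "
    "userfotest@MYDOMAIN.COM for krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM",
    "mitkdc.mydomain.com krb5kdc[6735](info): TGS_REQ (4 etypes {18 17 23 3}) "
    "...: ISSUE: authtime 1282578442, etypes {rep=23 tkt=1 ses=23}, "
    "userfotest@MYDOMAIN.COM for host/w7box.mydomain.com@MYDOMAIN.COM",
]
```

Running parse_issue over the quoted line shows the workstation did obtain a cross-realm TGT, so per Doug's reasoning the next place to look is the Wireshark TGS exchange rather than the AS exchange.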