
Re: Kerberos cross-realm with AD

daemon@ATHENA.MIT.EDU (Jean-Yves Avenard)
Mon Feb 7 00:15:59 2011

In-Reply-To: <AANLkTikxxiJsm9PgrGhX0eAJVXaqcW4rhykyBENPNTVR@mail.gmail.com>
Date: Mon, 7 Feb 2011 16:15:43 +1100
Message-ID: <AANLkTim3QrN+WHa6NCqX--QAfGxtL9s64nNkrMQ6qFik@mail.gmail.com>
From: Jean-Yves Avenard <jyavenard@gmail.com>
To: kerberos@mit.edu

Hi there.

Providing more information in the hope that someone will be able to help:

This is the process I've followed.

In Windows 2008 (MEL.DOMAIN.COM domain):

Started Active Directory Domain and Trusts
Right click on the domain name -> Properties. Select Trusts -> New Trusts
Entered M.DOMAIN.COM; made it two-way; non-transitive; typed the
password. Validated.

On MIT kdc machine (M.DOMAIN.COM realm)

kadmin.local:
kadmin.local:  ank +requires_preauth krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM
WARNING: no policy specified for krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM;
defaulting to no policy
Enter password for principal "krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM":
Re-enter password for principal "krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM":
Principal "krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM" created.
kadmin.local:  ank +requires_preauth krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM
WARNING: no policy specified for krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM;
defaulting to no policy
Enter password for principal "krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM":
Re-enter password for principal "krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM":
Principal "krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM" created.

In the above, I used the same password (32 random characters) as I
used in Windows 2008 server.

Edited /etc/krb5.conf on the KDC as follows:
[libdefaults]
        default_realm = M.DOMAIN.COM
[realms]
        M.DOMAIN.COM = {
                admin_server = m.domain.com
                kdc = m.domain.com
        }
        MEL.DOMAIN.COM = {
                admin_server = ad.domain.com
                kdc = ad.domain.com
        }
[domain_realm]
        domain.com = M.DOMAIN.COM
        .domain.com = M.DOMAIN.COM
        .m.domain.com = M.DOMAIN.COM
        .mel.domain.com = MEL.DOMAIN.COM

[capaths]
    MEL.DOMAIN.COM.COM = {
        M.DOMAIN.COM = .
    }

    M.DOMAIN.COM = {
         MEL.DOMAIN.COM = .
    }

---

On the web server using mod_auth_kerb:
I set the /etc/krb5.conf as above...

People with an M.DOMAIN.COM ticket can connect fine, as that's what it
is configured for.

On my PC, I then got a ticket as jean-yves.avenard@MEL.DOMAIN.COM
and tried to connect to the web server; it fails, prompting me for a
username/password (it's set up to accept any user with Kerberos
authtype).

On the KDC, in the log I see:
Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18
17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,  <unknown
client> for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, Decrypt
integrity check failed
Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18
17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,  <unknown
client> for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, Decrypt
integrity check failed
Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18
17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,  <unknown
client> for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, Decrypt
integrity check failed
Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18
17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0,  <unknown
client> for HTTP/server4-2.mel.domain.com@M.DOMAIN.COM, Decrypt
integrity check failed

Which leads me to believe that there's an incorrect password set
somewhere... but which one?

I'm a tad puzzled about what's going on.
If someone could shed some light on it, it would be greatly appreciated.

Thank you
Jean-Yves
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
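A worked check for the "incorrect password somewhere" suspicion, added here as an example and not part of the post above. "Decrypt integrity check failed" on the TGS_REQ means the M.DOMAIN.COM KDC could not decrypt the cross-realm TGT the AD side issued, i.e. the two KDCs do not hold the same key for krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM. Typing the same password on both sides does not guarantee the same key: for the AES enctypes the client offers (18 and 17 in the log) the key is RFC 3962 string-to-key, which salts the password with a string derived from the principal name, and each KDC chooses that salt on its own; only rc4-hmac (etype 23) is salt-free. The code below implements RFC 3962 string-to-key from the Go standard library, reproduces the MIT default salt, and shows that one password under two salts yields two unrelated keys. The password value and the second ("other") salt are placeholders chosen for illustration; what Active Directory actually salts a trust key with is not established by the post.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 2898 section 5.2), written out so the
// example needs nothing outside the Go standard library.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iterations; i++ {
			mac = hmac.New(sha1.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// nfoldKerberos128 is the 128-bit n-fold of the string "kerberos", the DK()
// constant of RFC 3962 string-to-key. The value is the one listed in the
// RFC 3961 Appendix A.1 test vectors; n-fold itself is not implemented here.
var nfoldKerberos128 = []byte{
	0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93,
}

// aesStringToKey implements RFC 3962 section 4 for aes128-cts-hmac-sha1-96
// (keyLen 16, etype 17) and aes256-cts-hmac-sha1-96 (keyLen 32, etype 18):
//   tkey = PBKDF2-HMAC-SHA1(password, salt, iterations, keyLen)
//   key  = DK(tkey, "kerberos")
// DK encrypts nfold("kerberos") under tkey with a zero IV and, for a 256-bit
// key, feeds the 16-byte output back once more; one block under CBC/CTS with
// a zero IV is a single AES block encryption.
func aesStringToKey(password, salt string, iterations, keyLen int) ([]byte, error) {
	if keyLen != 16 && keyLen != 32 {
		return nil, fmt.Errorf("unsupported AES key length %d", keyLen)
	}
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iterations, keyLen)
	c, err := aes.NewCipher(tkey)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 0, keyLen)
	in := nfoldKerberos128
	for len(key) < keyLen {
		out := make([]byte, aes.BlockSize)
		c.Encrypt(out, in)
		key = append(key, out...)
		in = out
	}
	return key, nil
}

// mitDefaultSalt is the salt MIT krb5 uses when no salt type is configured:
// the realm name followed by the principal's name components, no separators
// (raeburn@ATHENA.MIT.EDU -> "ATHENA.MIT.EDUraeburn").
func mitDefaultSalt(realm string, components ...string) string {
	return realm + strings.Join(components, "")
}

// sameKey reports whether two KDCs that share a password but salt it
// differently end up with the same AES key (RFC 3962 default: 4096 rounds).
func sameKey(password, saltA, saltB string, keyLen int) (bool, error) {
	a, err := aesStringToKey(password, saltA, 4096, keyLen)
	if err != nil {
		return false, err
	}
	b, err := aesStringToKey(password, saltB, 4096, keyLen)
	if err != nil {
		return false, err
	}
	return bytes.Equal(a, b), nil
}

func main() {
	const password = "placeholder-trust-password" // stands in for the shared 32-character secret
	// Salt the MIT KDC derives for krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM, the
	// principal that must decrypt the cross-realm TGT issued by the AD side.
	mitSalt := mitDefaultSalt("MEL.DOMAIN.COM", "krbtgt", "M.DOMAIN.COM")
	// Hypothetical salt for the other KDC (same components, other realm first);
	// any other choice gives an equally unrelated key.
	otherSalt := mitDefaultSalt("M.DOMAIN.COM", "krbtgt", "MEL.DOMAIN.COM")
	for _, s := range []string{mitSalt, otherSalt} {
		k, _ := aesStringToKey(password, s, 4096, 32)
		fmt.Printf("salt %-34q -> aes256 key %s\n", s, hex.EncodeToString(k))
	}
	eq, _ := sameKey(password, mitSalt, otherSalt, 32)
	fmt.Println("keys agree:", eq) // false
}
```

The practical consequence: after a cross-realm "Decrypt integrity check failed", compare the enctypes, kvno and salt type of the two krbtgt principals on the MIT side (kadmin.local getprinc shows them) with what the AD trust actually holds, rather than re-typing the password; a trust that only shares an rc4-hmac key, or an MIT principal created with an AES key under the default salt, will reproduce exactly this failure even with identical passwords.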