Re: Can Heimdal KDC issue cross-realm referral ?
Thanks for your reply.
I have set win2k_compatible = yes, and I used
des_cbc_crc as the default for e_types and e_types_des
but the problem persists.
The event viewer logs the following error:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 3/30/2004
Time: 11:29:25 AM
User: N/A
Computer: TESTW2K8
Description:
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 3:28:5.0000 3/30/2004 (null) 0x7
Extended Error: KDC_ERR_S_PRINCIPAL_UNKNOWN
Client Realm: LARA_HMD.COM
Client Name: lara
Server Realm: LARA_HMD.COM
Server Name: HOST/Test_w2kserver
Target Name: HOST/Test_w2kserver at LARA_HMD.COM
Error Text:
File:
Line:
Error Data is in record data.
testw2k8 is the client machine
test_w2kserver is the computer in w2k domain that
client wants to access
LARA_HMD.COM is the Kerberos realm
LARA_W2K.COM is the W2K domain realm
So, client sends TGS_REQ to KDC in LARA_HMD.COM for
host/test_w2kserver@LARA_HMD.COM, but actually
host/test_w2kserver is in LARA_W2K.COM !!
How does the KDC look up the actual realm of
host/test_w2kserver? By checking kdc.conf or krb5.conf,
or through a DNS lookup?
Currently my KDC returns KDC_ERR_S_PRINCIPAL_UNKNOWN
and the log file says:
2004-03-31T17:50:32 TGS-REQ lara@LARA_HMD.COM from IPv4:192.168.168.105 for HOST/test_w2kserver@LARA_HMD.COM [renewable_ok, canonicalize, renewable, forwardable]
2004-03-31T17:50:32 Server not found in database: HOST/test_w2kserver@LARA_HMD.COM: No such entry in the database
lara
--- Prágai_Róbert <pragai@rubin.hu> wrote:
> Hi,
>
> as I recall the [libdefaults] section should
> contain
> win2k_compatible = yes, and some encryption types
> should not be used (I
> used des_cbc_crc and des_cbc_md5).
> I've managed to authenticate via a Win2K client to a
> Heimdal realm and
> then to a Win2K server, but I think the client asked
> for a cross-realm
> TGT first from the
> Heimdal KDC and then asked the Win2K KDC to give the
> right service
> ticket to her. Have you set the correct realms and
> KDCs in the Win2K
> machine with
> ksetup?
>
> Robert
>
> >Hello,
> >
> >In section 4.7 Referrals of Heimdal and Windows
> 2000 Kerberos --how to get them to play together
> paper, it is stated:
> >"We have added functionality for referrals to the
> HeimdalKDC that is sufficient for Windows clients"
> >
> >What configurations need to be done on a Heimdal
> KDC to provide the support ?
> >I need a cross-realm referral support in the
> following scenario:
> >a win2k client authenticates to a heimdal kdc. The
> client then wants to access a computer in another
> realm (a win2k domain). Hence the win2k client sends
> a TGS_REQ to heimdal kdc with target name of the
> service in its own realm (I've just known that
> microsoft changed the mechanism !). Hence the client
> makes an assumption that the service is in its own
> realm until the KDC replies with a TGS_REP telling
> him that the service is in fact in another realm
> (hence giving a cross-realm referral).
> >
> >Cheers,
> >Lara
> >
> >
> >
>
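As an added illustration (not from this thread and not Heimdal's own documentation), here is a krb5.conf sketch of the pieces the exchange touches on: the win2k_compatible setting Robert mentions, a [realms] entry for each of the two realms named above, and a [domain_realm] mapping for the Windows host. The KDC host names are placeholders, and the assumption that the Heimdal KDC consults [domain_realm] (or DNS) to decide which realm HOST/test_w2kserver belongs to before answering a canonicalize TGS-REQ with a referral should be checked against the Heimdal version in use.

```ini
# Added example: krb5.conf sketch for the two realms in this thread.
# Host names below are placeholders, not real machines.
[libdefaults]
        default_realm = LARA_HMD.COM
        # Setting named in Robert's reply; needed for Win2K clients.
        win2k_compatible = yes

[realms]
        LARA_HMD.COM = {
                # placeholder: the Heimdal KDC
                kdc = heimdal.hmd.example
        }
        LARA_W2K.COM = {
                # placeholder: a Windows 2000 domain controller
                kdc = dc.w2k.example
        }

[domain_realm]
        # Assumption: the KDC maps the host part of HOST/test_w2kserver
        # through this section (exact host first, then domain suffixes).
        # With a match in a different realm it can answer the client's
        # canonicalize TGS-REQ with a referral, i.e. a cross-realm TGT
        # for krbtgt/LARA_W2K.COM@LARA_HMD.COM, instead of
        # KDC_ERR_S_PRINCIPAL_UNKNOWN as in the log above.
        test_w2kserver = LARA_W2K.COM
        .w2k.example = LARA_W2K.COM
```

The referral still requires the cross-realm principal krbtgt/LARA_W2K.COM@LARA_HMD.COM to exist with the same key in the Heimdal database and as a trust on the Windows side, and the Windows client must know both realms (the ksetup step Robert mentions); this fragment configures none of that.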