Windows 2003 Interoperability
Hello,
I hope that someone can help me. I'm having some issues with a Windows
2003/Heimdal cross-realm trust.
Here is my scenario. I have set up a one-way outgoing trust from
ADS.UCRAD.UCR.EDU (Windows 2003 Domain) to our campus Heimdal Kerberos
server (UCR.EDU). I also set up a principal in UCR.EDU called
krbtgt/ADS.UCRAD.UCR.EDU@UCR.EDU with the same trust password.
Here is my /etc/krb5.conf:
[libdefaults]
    default_realm = UCR.EDU
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc

[realms]
    UCR.EDU = {
        kdc = edam.ucr.edu
        admin_server = edam.ucr.edu
    }

[domain_realm]
    .ucr.edu = UCR.EDU

[kadmin]
    default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt

[logging]
    kdc = 0-/FILE:/var/heimdal/kdc.log
I have also done the required ksetup on the domain controller for
ADS.UCRAD.UCR.EDU.
When I attempt to log into the Windows DC or any workstation in the
domain using my UCR.EDU credentials, I get an error in the event log that says
the encryption type isn't supported. All the principals in the Heimdal db have
des-cbc-crc and arcfour-hmac-md5 keys only.
Principal: mikek@UCR.EDU
Principal expires: never
Password expires: never
Last password change: never
Max ticket life: 1 day
Max renewable life: 1 week
Kvno: 0
Mkvno: 0
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2006-03-30 15:46:17 UTC
Modifier: mikek/admin@UCR.EDU
Attributes:
Keytypes: des-cbc-crc(pw-salt), arcfour-hmac-md5(pw-salt)
In kdc.log I see this:
2006-03-30T07:48:51 AS-REQ mikek@UCR.EDU from IPv4:138.23.222.52 for krbtgt/UCR.EDU@UCR.EDU
2006-03-30T07:48:51 Using arcfour-hmac-md5/arcfour-hmac-md5
2006-03-30T07:48:51 Requested flags: renewable_ok, renewable, forwardable
2006-03-30T07:48:51 sending 543 bytes to IPv4:138.23.222.52
2006-03-30T07:48:51 TGS-REQ mikek@UCR.EDU from IPv4:138.23.222.52 for krbtgt/ADS.UCRAD.UCR.EDU@UCR.EDU [renewable, forwardable]
2006-03-30T07:48:51 sending 572 bytes to IPv4:138.23.222.52
138.23.222.52 is the Windows DC I'm attempting to log in to.
Please help, this has been driving me crazy. :)
Thanks,
Mike
--
Mike Kennedy
Computing Infrastructure and Security Group
Computing and Communications
mikek@ucr.edu
951.827.5922
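
An added example, not part of the original message: a small Python parser for the kdc.log line shapes quoted above. It groups each request with the "Using" and "sending" lines that follow it and picks out requests for a cross-realm krbtgt principal. It assumes that a continuation line belongs to the most recent request line, which holds for the excerpt but may not on a busy KDC; the function and field names are made up for this example.

```python
import re

# kdc.log lines copied from the message above.
SAMPLE_LOG = """\
2006-03-30T07:48:51 AS-REQ mikek@UCR.EDU from IPv4:138.23.222.52 for krbtgt/UCR.EDU@UCR.EDU
2006-03-30T07:48:51 Using arcfour-hmac-md5/arcfour-hmac-md5
2006-03-30T07:48:51 Requested flags: renewable_ok, renewable, forwardable
2006-03-30T07:48:51 sending 543 bytes to IPv4:138.23.222.52
2006-03-30T07:48:51 TGS-REQ mikek@UCR.EDU from IPv4:138.23.222.52 for krbtgt/ADS.UCRAD.UCR.EDU@UCR.EDU [renewable, forwardable]
2006-03-30T07:48:51 sending 572 bytes to IPv4:138.23.222.52
"""

REQ = re.compile(r"^(\S+) (AS-REQ|TGS-REQ) (\S+) from (\S+) for (\S+)")
USING = re.compile(r"^\S+ Using ([\w-]+)/([\w-]+)\s*$")
SENDING = re.compile(r"^\S+ sending (\d+) bytes to (\S+)")
KRBTGT = re.compile(r"^krbtgt/([^@]+)@(.+)$")

def parse_kdc_log(text):
    """Group request lines with the 'Using' and 'sending' lines that follow."""
    requests = []
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            ts, kind, client, source, service = m.groups()
            tgt = KRBTGT.match(service)
            requests.append({
                "time": ts, "type": kind, "client": client,
                "source": source, "service": service,
                # krbtgt/A@B with A != B names a cross-realm ticket-granting principal
                "cross_realm": bool(tgt and tgt.group(1) != tgt.group(2)),
                "etypes": None, "reply_bytes": None,
            })
            continue
        if not requests:
            continue  # continuation line with no request line before it
        cur = requests[-1]
        m = USING.match(line)
        if m:
            cur["etypes"] = m.groups()  # the etype pair exactly as logged
            continue
        m = SENDING.match(line)
        if m and m.group(2) == cur["source"] and cur["reply_bytes"] is None:
            cur["reply_bytes"] = int(m.group(1))
    return requests

def cross_realm_requests(requests):
    """Return the requests whose target is a cross-realm krbtgt principal."""
    return [r for r in requests if r["cross_realm"]]
```

On the excerpt, the TGS-REQ for krbtgt/ADS.UCRAD.UCR.EDU@UCR.EDU has no "Using" line, so its `etypes` field stays `None`; only the AS-REQ records an etype pair.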