Re: Windows 2003 Interoperability
Try putting this in the libdefaults section of your krb5.conf:
default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_etypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_etypes_des = des-cbc-crc
If that doesn't work, upgrade your version of Heimdal and take out the
default_types and default_enctypes lines.
-Brian Joh
-------------- Original message --------------
From: Mike Kennedy <mikek@ucr.edu>
>
> Hello,
>
> I hope that someone can help me. I'm having some issues with a Windows
> 2003/Heimdal cross-realm trust.
>
> Here is my scenario. I have set up a one way outgoing trust from
> ADS.UCRAD.UCR.EDU (Windows 2003 Domain) to our campus Heimdal Kerberos
> server (UCR.EDU). I also set up a principal in UCR.EDU called
> krbtgt/ADS.UCRAD.UCR.EDU@UCR.EDU with the same trust password.
>
> Here is my /etc/krb5.conf:
>
> [libdefaults]
> default_realm = UCR.EDU
> default_etypes = des-cbc-crc
> default_etypes_des = des-cbc-crc
>
> [realms]
> UCR.EDU = {
> kdc = edam.ucr.edu
> admin_server = edam.ucr.edu
> }
>
> [domain_realm]
> .ucr.edu = UCR.EDU
>
> [kadmin]
> default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt
>
> [logging]
> kdc = 0-/FILE:/var/heimdal/kdc.log
>
> I have also done the required ksetup on the domain controller for
> ADS.UCRAD.UCR.EDU.
>
> When I attempt to log into the Windows DC or any workstation in the
> domain using my UCR.EDU credentials I get an error in the event log that says
> the encryption type isn't supported. All the principals in the Heimdal db have
> des-cbc-crc and arcfour-hmac-md5 keys only.
>
> Principal: mikek@UCR.EDU
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 day
> Max renewable life: 1 week
> Kvno: 0
> Mkvno: 0
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2006-03-30 15:46:17 UTC
> Modifier: mikek/admin@UCR.EDU
> Attributes:
> Keytypes: des-cbc-crc(pw-salt), arcfour-hmac-md5(pw-salt)
>
> In kdc.log I see this:
>
> 2006-03-30T07:48:51 AS-REQ mikek@UCR.EDU from IPv4:138.23.222.52 for
> krbtgt/UCR.EDU@UCR.EDU
> 2006-03-30T07:48:51 Using arcfour-hmac-md5/arcfour-hmac-md5
> 2006-03-30T07:48:51 Requested flags: renewable_ok, renewable, forwardable
> 2006-03-30T07:48:51 sending 543 bytes to IPv4:138.23.222.52
> 2006-03-30T07:48:51 TGS-REQ mikek@UCR.EDU from IPv4:138.23.222.52 for
> krbtgt/ADS.UCRAD.UCR.EDU@UCR.EDU [renewable, forwardable]
> 2006-03-30T07:48:51 sending 572 bytes to IPv4:138.23.222.52
>
> 138.23.222.52 is the Windows DC I'm attempting to log in to.
>
> Please help, this has been driving me crazy. :)
>
> Thanks,
>
> Mike
>
> --
> Mike Kennedy
> Computing Infrastructure and Security Group
> Computing and Communications
> mikek@ucr.edu
> 951.827.5922
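As an added illustration of the exchange above (not code from either poster), here is a small check that reads the [libdefaults] enctype lists from a krb5.conf-style text, reports which entries a Windows 2003 DC can share (DES-CBC-CRC, DES-CBC-MD5 and RC4/arcfour-hmac-md5; no AES before Windows 2008), and flags lists that only share DES types. The two embedded configs are constructed from Mike's original and Brian's suggested lines.

```python
import re

# Constructed sample: Mike's original [libdefaults] as posted above.
ORIGINAL_CONF = """
[libdefaults]
    default_realm = UCR.EDU
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc
[realms]
    UCR.EDU = {
        kdc = edam.ucr.edu
    }
"""

# Constructed sample: the enctype lists Brian suggested adding.
FIXED_CONF = """
[libdefaults]
    default_realm = UCR.EDU
    default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
"""

# Enctypes a Windows 2003 domain controller can use (AES only arrived with 2008).
WIN2003_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5"}
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}  # single DES, long deprecated

def parse_libdefaults(text):
    """Return {key: [values]} for the [libdefaults] section; other sections are skipped."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.split()  # enctype lists are space separated
    return values

def check_trust_enctypes(conf_text, peer_enctypes=WIN2003_ENCTYPES):
    """For each enctype list present, show what the peer KDC shares and whether it is DES only."""
    lib, report = parse_libdefaults(conf_text), {}
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "default_etypes"):
        if key in lib:
            shared = [e for e in lib[key] if e in peer_enctypes]
            report[key] = {"shared_with_peer": shared,
                           "only_weak": bool(shared) and all(e in WEAK_ENCTYPES for e in shared)}
    return report
```

Running check_trust_enctypes on the original config shows only des-cbc-crc in common and flags it as DES only; on the suggested lines the RC4 type is shared as well, which is the sensible choice to keep while DES is phased out.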