Re: heimdal 0.7.2 with Windows 2003 KDC




Looking at the trace you sent, it looks like the client requested a
ticket for realm LVSC, which may be the domain common name, but the realm
is actually LVS-C.COM. Windows can handle this, but Heimdal and MIT
expect the realm names to be used in all cases.

Also note the salt returned LVS-C.COM.

So in your krb5.conf and anywhere you need a realm name,
try using the actual realm name of LVS-C.COM.





michel.brabants@euphonynet.be wrote:

> Hello,
> 
> you can find the ethereal-dump of my kerberos-login in the attachment. The
> kdc is located on a Windows 2003 SP1-machine. This trace is done with the
> des-cbc-md5-cypher, but I also can't login with the rc4-hmac-cypher and it
> looks to be the same case on first sight.
> 
> Greetings and thank you,
> 
> Michel
> 
> 
>>Send it to me and I can have a quick look.
>>
>>
>>
>>michel.brabants@euphonynet.be wrote:
>>
>>
>>>Hello all,
>>>
>>>I have a network-trace of the kerberos-part. However, I don't want to
>>>send this file to a public list (if it is possible anyway). It seems that
>>>I get a ticket (It seems so), but kinit still says password incorrect.
>>>
>>>Just tell me if you want to have a look at the ethereal-dump and where to
>>>send it.
>>>
>>>Greetings,
>>>
>>>Michel
>>>
>>>
>>>
>>>>michel.brabants@euphonynet.be wrote:
>>>>
>>>>
>>>>
>>>>>Hello,
>>>>>
>>>>>some more information: when I type in a wrong password, I get
>>>>>"pre-authentication failed". When I type in the correct password, I get
>>>>>password incorrect.
>>>>
>>>>Have you looked at a network trace? Ethereal can decode the KRB5
>>>>packets.
>>>>http://www.ethereal.com
>>>>
>>>>Note that Windows treats the user as case insensitive, but the salt
>>>>is case sensitive.   So to Windows User@REALM is the same as user@REALM.
>>>>
>>>>
>>>>
>>>>
>>>>>Thank you and greetings,
>>>>>
>>>>>Michel
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Hello,
>>>>>>
>>>>>>I found the following interesting page -
>>>>>>http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1014058,00.html
>>>>>>, which describes encryption-capabilities of windows 2000 and windows
>>>>>>2003 with regard to kerberos. It also contains other information regarding
>>>>>>their kerberos-implementations. I hope this is useful to people.
>>>>>>
>>>>>>Greetings,
>>>>>>
>>>>>>Michel
>>>>>>
>>>>>>P.S: My questions are still open, but I'm looking how to detect if
>>>>>>pre-authentication is enabled or not.
>>>>
>>>>Ethereal would show this.
>>>>
>>>>
>>>>
>>>>>>>Hello,
>>>>>>>
>>>>>>>I'm trying to authenticate to a Windows 2003 KDC using kinit from
>>>>>>>heimdal 0.7.2 on linux. My loginname is recognized, but I continuously get
>>>>>>>password incorrect, while I'm 99% sure that it is ok. I read that I
>>>>>>>should force DES, which didn't help. The samba docs said that with
>>>>>>>heimdal >0.6, you shouldn't force DES, which also didn't help.
>>>>>>>
>>>>>>>Is there an incompatibility at the moment? I had the impression that
>>>>>>>heimdal 0.6.x worked, but I can't compile heimdal 0.6.6 with gcc 4.0.3.
>>>>>>>
>>>>>>>Any idea, if there is already a fix for this or if this is a known
>>>>>>>issue?
>>>>>>>
>>>>>>>Thank you,
>>>>>>>
>>>>>>>Michel
>>>>>>>
>>>>>>>P.s.: Is there a way to enable logging for kinit?
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>--
>>>>
>>>> Douglas E. Engert  <DEEngert@anl.gov>
>>>> Argonne National Laboratory
>>>> 9700 South Cass Avenue
>>>> Argonne, Illinois  60439
>>>> (630) 252-5444
>>>>
>>>
>>>
>>>
>>--
>>
>>  Douglas E. Engert  <DEEngert@anl.gov>
>>  Argonne National Laboratory
>>  9700 South Cass Avenue
>>  Argonne, Illinois  60439
>>  (630) 252-5444
>>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
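
Added example, not part of the original message: a minimal krb5.conf that uses the real realm name seen in the trace instead of the domain common name. The KDC host name is a placeholder, and the [domain_realm] mapping assumes the DNS domain is lvs-c.com; neither appears in the thread.

```ini
[libdefaults]
    # Use the actual Kerberos realm name (upper case), not the
    # domain common name. "LVSC" here is what produced the failure
    # discussed above.
    default_realm = LVS-C.COM

[realms]
    # The section key must match the realm exactly as the KDC names it,
    # because the realm is part of the salt used to derive the DES key.
    LVS-C.COM = {
        # Placeholder: replace with the Windows 2003 domain controller.
        kdc = kdc.example.invalid
    }

[domain_realm]
    # Assumption: hosts live in the DNS domain lvs-c.com.
    .lvs-c.com = LVS-C.COM
    lvs-c.com = LVS-C.COM
```

With this in place, kinit requests the principal in realm LVS-C.COM rather than LVSC, so the realm in the request matches the realm in the salt the KDC returns.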