Re: Windows 2003 SP1, cross-domain trust



On Thu, 29 Mar 2007, Douglas E. Engert wrote:
> Chris Stromsoe wrote:

> Sounds like you may have gotten a 3DES key from the Heimdal realm. AD 
> does not support 3DES, only RC4 and DES. This may be trying to get the 
> cross realm TGT.

None of the principals have 3DES keys.  I had des-cbc-des and 
arcfour-hmac-md5 configured as keytypes for the cross-realm principal.  I 
removed rc4 and that fixed everything.  My problem was getting the DC to 
use RC4 keys for the principal.  Updating the Support Tools on the DC 
fixed that.

>> I am in the same position as this thread (same configuration elements, 
>> try to do the same thing), which did not seem to ever get resolved:
>> 
>> http://www.stacken.kth.se/lists/heimdal-discuss/2006-03/msg00050.html
>
> His krb5.conf only has one realm listed. It has to have both the Heimdal 
> realm and the AD realm. The AD domain and the Kerberos realm have to 
> have different realm names. AD is a real Kerberos realm.

Do you need both listed for a one-way trust (users in the Heimdal KDC, 
services in the AD KDC)?  I only have the Heimdal realm in krb5.conf, but 
am not having any problems logging in to the Windows domain using Heimdal 
principals.


-Chris