
W2K SSO authentication against MIT Kerberos (1.3.2) problem



Dear list,
We are currently in the process of setting up a centralized
authentication server for Linux, W2k, and Tru64. The central AS is a
MIT KDC on a Linux machine. Authentication from Linux and W2k (cross
realm trust with ADS) works fine, but so far I cannot get the Tru64
boxes to authenticate against the KDC.

Tru64 System: 5.1B + PK3 (=5.1B-1?)
	      W2KSSO installed

w2ksetup fails when invoking "creacct -h  `hostname` -u". So I tried a
simple kinit:

  Password for klaus@xxxxxxxxxxxxxxxxxxx: 
  kinit
  KDC reply did not match expectations

From a tcpdump I could see that the Tru64 kinit uses
pre-authentication. The pre-authentication seems to succeed on the
KDC. Here is the relevant part of the KDC's log file:

Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {5}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@xxxxxxxxxxxxxxxxxxx for krbtgt/PHYSIK.FU-BERLIN.DE@xxxxxxxxxxxxxxxxxxx, KDC has no support for encryption type
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {3}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@xxxxxxxxxxxxxxxxxxx for krbtgt/PHYSIK.FU-BERLIN.DE@xxxxxxxxxxxxxxxxxxx, KDC has no support for encryption type
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {1}) 160.45.33.151: ISSUE: authtime 1078920638, etypes {rep=1 tkt=16 ses=1}, klaus@xxxxxxxxxxxxxxxxxxx for krbtgt/PHYSIK.FU-BERLIN.DE@xxxxxxxxxxxxxxxxxxx

OK, our KDC currently has only etypes 1 and 16 for principals, but this
shouldn't be a problem.

What exactly is it, that Tru64's kinit is expecting from the kdc and
not getting?

If it helps here is the principal klaus@xxxxxxxxxxxxxxxxxxx

  kadmin:  getprinc klaus
  Principal: klaus@xxxxxxxxxxxxxxxxxxx
  Expiration date: [never]
  Last password change: Thu Mar 04 12:09:23 CET 2004
  Password expiration date: [none]
  Maximum ticket life: 1 day 00:00:00
  Maximum renewable life: 0 days 00:00:00
  Last modified: Thu Mar 04 12:09:23 CET 2004 (kadmind@xxxxxxxxxxxxxxxxxxx)
  Last successful authentication: [never]
  Last failed authentication: [never]
  Failed password attempts: 0
  Number of keys: 2
  Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
  Key: vno 2, DES cbc mode with CRC-32, no salt
  Attributes:
  Policy: [none]

And yes, I put the KDC's hostname and IP in /etc/hosts just to make
sure this is not the problem. Is this really needed?

TIA for any ideas!
-- 
Wolfram Klaus  (Wolfram.Klaus@xxxxxxxxxxxxxxxxxxx)        
Free University Berlin
Physics Department
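To make the etype negotiation in a krb5kdc log easier to read, here is an added example (not part of the original post, and not MIT Kerberos code) that parses AS_REQ log lines of the form quoted above, decodes the numeric etypes to their registry names, and flags single-DES keys. The embedded log lines are constructed, modelled on the three quoted in the post with the realm replaced by EXAMPLE.TEST; the etype numbers are the standard RFC 3961/3962/4757 assignments.

```python
"""Summarize etype negotiation from MIT krb5kdc AS_REQ log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Kerberos encryption-type registry values (RFC 3961/3962/4757).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    5: "des3-cbc-md5",
    7: "des3-cbc-sha1",
    16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}
WEAK_ETYPES = {1, 2, 3}  # single DES: 56-bit key, brute-forceable

# Constructed sample log, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {5}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, KDC has no support for encryption type
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {3}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, KDC has no support for encryption type
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {1}) 160.45.33.151: ISSUE: authtime 1078920638, etypes {rep=1 tkt=16 ses=1}, klaus@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

AS_REQ_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<offered>[\d ]+)\}\) (?P<client>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
ISSUE_RE = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}")
PRINC_RE = re.compile(r"(?P<cname>\S+@\S+) for (?P<sname>\S+)")


@dataclass
class AsReq:
    offered: List[int]          # etypes the client listed in this AS_REQ
    client_addr: str
    status: str                 # ISSUE, BAD_ENCRYPTION_TYPE, ...
    cname: str                  # requesting principal
    sname: str                  # requested service (normally krbtgt/REALM)
    rep: Optional[int] = None   # etype protecting the KDC reply (client's key)
    tkt: Optional[int] = None   # etype of the issued TGT (krbtgt key)
    ses: Optional[int] = None   # session-key etype handed to the client


def etype_name(n: Optional[int]) -> str:
    return ETYPE_NAMES.get(n, f"unknown({n})")


def parse_kdc_line(line: str) -> Optional[AsReq]:
    """Return an AsReq for an AS_REQ log line, None for anything else."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    p = PRINC_RE.search(rest)
    cname, sname = (p.group("cname"), p.group("sname").rstrip(",")) if p else ("?", "?")
    req = AsReq([int(x) for x in m.group("offered").split()],
                m.group("client"), m.group("status"), cname, sname)
    if req.status == "ISSUE":
        i = ISSUE_RE.search(rest)
        if i:
            req.rep, req.tkt, req.ses = (int(g) for g in i.groups())
    return req


def parse_kdc_log(text: str) -> List[AsReq]:
    return [r for r in (parse_kdc_line(ln) for ln in text.splitlines()) if r]


def summarize(reqs: List[AsReq]) -> dict:
    """Collapse a sequence of AS_REQs into what was rejected, accepted and issued."""
    issued = [r for r in reqs if r.status == "ISSUE"]
    return {
        "rejected": [e for r in reqs if r.status == "BAD_ENCRYPTION_TYPE" for e in r.offered],
        "accepted": [e for r in issued for e in r.offered],
        "issued": [(r.rep, r.tkt, r.ses) for r in issued],
        "weak_reply_key": any(r.rep in WEAK_ETYPES for r in issued),
        "weak_session_key": any(r.ses in WEAK_ETYPES for r in issued),
    }


def report(text: str) -> str:
    """Human-readable rendering of the negotiation, one line per AS_REQ."""
    reqs = parse_kdc_log(text)
    out = []
    for r in reqs:
        offered = ", ".join(etype_name(e) for e in r.offered)
        if r.status == "ISSUE":
            out.append(f"{r.cname}: offered [{offered}] -> ISSUE rep={etype_name(r.rep)} "
                       f"tkt={etype_name(r.tkt)} ses={etype_name(r.ses)}")
        else:
            out.append(f"{r.cname}: offered [{offered}] -> {r.status}")
    s = summarize(reqs)
    if s["weak_session_key"] or s["weak_reply_key"]:
        out.append("WARNING: single-DES reply or session key issued")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run on the lines quoted in the post, the report shows the Tru64 client trying des3-cbc-md5 (5), then des-cbc-md5 (3), then des-cbc-crc (1), one etype per AS_REQ; the KDC rejects the first two and on the third issues a TGT keyed with des3-cbc-sha1-kd (16) but a reply key and session key of single DES. The warning is the caveat a reviewer of such a log would want: whatever is making the client reject the reply, the one exchange that does succeed is protected only by 56-bit DES.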