W2K SSO authentication against MIT Kerberos (1.3.2) problem

From: Wolfram Klaus (klaus_at_physik.fu-berlin.de)
Date: 03/10/04

  • Next message: David.Knight_at_clubcorp.com: "(SUMMARY) Filesystem --- "ls -l" total reporting incorrect file sizes - ADVFS"
    Date: Wed, 10 Mar 2004 13:26:42 +0100 (CET)
    To: tru64-unix-managers@ornl.gov (tru64 list)
    Dear list,
    We are currently in the process of setting up a centralized
    authentication server for Linux, W2k, and Tru64. The central AS is a
    MIT KDC on a Linux machine. Authentication from Linux and W2k (cross
    realm trust with ADS) works fine, but so far I cannot get the Tru64
    boxes to authenticate against the KDC.

    Tru64 System: 5.1B + PK3 (=5.1B-1?)
                  W2KSSO installed

    w2ksetup fails when invoking "creacct -h `hostname` -u". So I tried a
    simple kinit:

      Password for klaus@PHYSIK.FU-BERLIN.DE:
      kinit: KDC reply did not match expectations

    From a tcpdump I could see that the Tru64 kinit uses
    pre-authentication. The pre-authentication seems to succeed on the
    KDC. Here is the relevant part of the KDC's log file:

    Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {5}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE, KDC has no support for encryption type
    Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {3}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE, KDC has no support for encryption type
    Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {1}) 160.45.33.151: ISSUE: authtime 1078920638, etypes {rep=1 tkt=16 ses=1}, klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE

    OK, our KDC currently has only etypes 1 and 16 for principals, but this
    shouldn't be a problem.

    What exactly is it that Tru64's kinit is expecting from the KDC and
    not getting?

    If it helps, here is the principal klaus@PHYSIK.FU-BERLIN.DE

      kadmin: getprinc klaus
      Principal: klaus@PHYSIK.FU-BERLIN.DE
      Expiration date: [never]
      Last password change: Thu Mar 04 12:09:23 CET 2004
      Password expiration date: [none]
      Maximum ticket life: 1 day 00:00:00
      Maximum renewable life: 0 days 00:00:00
      Last modified: Thu Mar 04 12:09:23 CET 2004 (kadmind@PHYSIK.FU-BERLIN.DE)
      Last successful authentication: [never]
      Last failed authentication: [never]
      Failed password attempts: 0
      Number of keys: 2
      Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
      Key: vno 2, DES cbc mode with CRC-32, no salt
      Attributes:
      Policy: [none]

    And yes, I put the KDC's hostname and IP in /etc/hosts just to make
    sure this is not the problem. Is this really needed?

    TIA for any ideas!

    -- 
    Wolfram Klaus  (Wolfram.Klaus@physik.fu-berlin.de)        
    Free University Berlin
    Physics Department  
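The negotiation recorded in the KDC log above can be read mechanically. The script below is an added example and is not code from the original post or from MIT Kerberos: it parses krb5kdc AS_REQ lines, names the encryption types by their RFC 3961/3962 numbers (1 = des-cbc-crc, 3 = des-cbc-md5, 5 = des3-cbc-md5, 16 = des3-cbc-sha1, 17/18 = AES, 23 = rc4-hmac), and flags a session in which the client's stronger offers were refused and the credentials finally issued use single DES. Run over the three lines from the post it reports exactly that: des3-cbc-md5 (5) and des-cbc-md5 (3) refused, then a reply and session key in des-cbc-crc (1) with the ticket under the krbtgt's des3-cbc-sha1 (16) key; note that the client's 3DES etype (5) and the KDC's 3DES etype (16) are different algorithms as far as Kerberos is concerned. The fourth log line, for a hypothetical client 192.0.2.10 and principal alice, is constructed to show a session with no fallback; the log format and the `krb5kdc` process name otherwise follow the lines quoted in the post.

```python
"""Summarise AS_REQ etype negotiation from MIT krb5kdc log lines.

Added example, not code from the original post or from MIT Kerberos.
Etype numbers follow RFC 3961/3962.
"""
import re
from collections import OrderedDict

ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    5: "des3-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
SINGLE_DES = {1, 2, 3}  # 56-bit keys; anything issued with these is weak

# Matches both the BAD_ENCRYPTION_TYPE and the ISSUE line shapes seen in the post.
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(\d+ etypes \{(?P<offered>[\d ]*)\}\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<princ>\S+) for (?P<service>[^\s,]+)"
)

# First three lines are quoted from the post; the fourth is constructed.
SAMPLE_LOG = [
    "Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {5}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE, KDC has no support for encryption type",
    "Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {3}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE, KDC has no support for encryption type",
    "Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {1}) 160.45.33.151: ISSUE: authtime 1078920638, etypes {rep=1 tkt=16 ses=1}, klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE",
    "Mar 10 13:12:01 z63 krb5kdc[14024](info): AS_REQ (4 etypes {18 17 16 1}) 192.0.2.10: ISSUE: authtime 1078920721, etypes {rep=16 tkt=16 ses=16}, alice@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE",
]


def etype_name(num):
    return ETYPES.get(num, "etype-%d" % num)


def parse_as_req(line):
    """Return a dict for one AS_REQ log line, or None for any other line."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    rec = {
        "client": m.group("client"),
        "principal": m.group("princ"),
        "service": m.group("service"),
        "status": m.group("status"),
        "offered": [int(x) for x in m.group("offered").split()],
        "issued": None,
    }
    if m.group("rep"):
        rec["issued"] = {k: int(m.group(k)) for k in ("rep", "tkt", "ses")}
    return rec


def analyze(lines):
    """Group AS_REQs by (client, principal); flag fallback to single DES."""
    sessions = OrderedDict()
    for line in lines:
        rec = parse_as_req(line)
        if rec is None:
            continue
        key = (rec["client"], rec["principal"])
        s = sessions.setdefault(key, {"attempts": [], "rejected": [], "issued": None})
        s["attempts"].append((rec["status"], rec["offered"]))
        if rec["status"] == "BAD_ENCRYPTION_TYPE":
            s["rejected"].extend(rec["offered"])
        elif rec["status"] == "ISSUE" and rec["issued"]:
            s["issued"] = rec["issued"]

    report = OrderedDict()
    for key, s in sessions.items():
        issued = s["issued"]
        # Downgrade = a non-single-DES offer was refused earlier in the
        # session and the reply or session key finally issued is single DES.
        stronger_refused = any(e not in SINGLE_DES for e in s["rejected"])
        weak_result = issued is not None and (
            issued["rep"] in SINGLE_DES or issued["ses"] in SINGLE_DES)
        report[key] = {
            "attempts": [(st, [etype_name(e) for e in off]) for st, off in s["attempts"]],
            "rejected": [etype_name(e) for e in s["rejected"]],
            "issued": {k: etype_name(v) for k, v in issued.items()} if issued else None,
            "downgraded_to_single_des": stronger_refused and weak_result,
        }
    return report


if __name__ == "__main__":
    for (client, princ), r in analyze(SAMPLE_LOG).items():
        print("%s %s" % (client, princ))
        for status, offered in r["attempts"]:
            print("  offered %-30s -> %s" % (" ".join(offered), status))
        if r["issued"]:
            print("  issued: reply=%(rep)s ticket=%(tkt)s session=%(ses)s" % r["issued"])
        if r["downgraded_to_single_des"]:
            print("  WARNING: fell back to single DES after stronger etypes were refused")
```

The same pattern applies to a live KDC: feed it `grep AS_REQ /var/log/krb5kdc.log` and any client that ends up with a single-DES reply after its stronger offers were refused stands out, which is the configuration mismatch to fix before worrying about the client-side error message.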
