W2K SSO authentication against MIT Kerberos (1.3.2) problem

From: Wolfram Klaus (klaus@physik.fu-berlin.de)
Date: Wed Mar 10 2004 - 07:26:42 EST


Dear list,
We are currently in the process of setting up a centralized
authentication server for Linux, W2k, and Tru64. The central AS is a
MIT KDC on a Linux machine. Authentication from Linux and W2k (cross
realm trust with ADS) works fine, but so far I cannot get the Tru64
boxes to authenticate against the KDC.

Tru64 System: 5.1B + PK3 (=5.1B-1?)
              W2KSSO installed

w2ksetup fails when invoking "creacct -h `hostname` -u". So I tried a
simple kinit:

  Password for klaus@PHYSIK.FU-BERLIN.DE:
  kinit
  KDC reply did not match expectations

From a tcpdump I could see that the Tru64 kinit uses
pre-authentication. The pre-authentication seems to succeed on the
KDC. Here is the relevant part of the KDC's log file:

Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {5}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE, KDC has no support for encryption type
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {3}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE, KDC has no support for encryption type
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {1}) 160.45.33.151: ISSUE: authtime 1078920638, etypes {rep=1 tkt=16 ses=1}, klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE

OK, our KDC currently has only etypes 1 and 16 for principals, but this
shouldn't be a problem.

What exactly is it that Tru64's kinit is expecting from the KDC and
not getting?

If it helps, here is the principal klaus@PHYSIK.FU-BERLIN.DE:

  kadmin: getprinc klaus
  Principal: klaus@PHYSIK.FU-BERLIN.DE
  Expiration date: [never]
  Last password change: Thu Mar 04 12:09:23 CET 2004
  Password expiration date: [none]
  Maximum ticket life: 1 day 00:00:00
  Maximum renewable life: 0 days 00:00:00
  Last modified: Thu Mar 04 12:09:23 CET 2004 (kadmind@PHYSIK.FU-BERLIN.DE)
  Last successful authentication: [never]
  Last failed authentication: [never]
  Failed password attempts: 0
  Number of keys: 2
  Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
  Key: vno 2, DES cbc mode with CRC-32, no salt
  Attributes:
  Policy: [none]

And yes, I put the KDC's hostname and IP in /etc/hosts just to make
sure this is not the problem. Is this really needed?

TIA for any ideas!

-- 
Wolfram Klaus  (Wolfram.Klaus@physik.fu-berlin.de)
Free University Berlin
Physics Department

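The KDC log quoted in the post shows the Tru64 client offering etype 5 (des3-cbc-md5) and then etype 3 (des-cbc-md5), both refused with BAD_ENCRYPTION_TYPE because the principal only has des3-cbc-sha1 (16) and des-cbc-crc (1) keys, and finally being issued a ticket whose session key is single DES (ses=1). The script below is an added example, not code from the post or from MIT Kerberos: it parses krb5kdc AS_REQ lines in exactly this layout, groups them per client principal and address, and flags negotiations that were rejected one or more times before landing on a single-DES session key, which is the case a defender reading this log would want surfaced. The etype number-to-name table is taken from the IANA Kerberos registry (RFC 3961); the sample input is the post's own three lines plus one constructed line (alice@PHYSIK.FU-BERLIN.DE from 160.45.33.200) showing a client that negotiates AES without any rejection.

```python
import re

# Encryption type numbers from the IANA Kerberos registry / RFC 3961.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    5: "des3-cbc-md5",
    7: "des3-cbc-sha1",
    16: "des3-cbc-sha1-kd",        # MIT's kadmin prints this as "Triple DES cbc mode with HMAC/sha1"
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Single-DES etypes: a session key from this set is the weak outcome we report.
SINGLE_DES = {1, 2, 3}

# Matches the AS_REQ lines MIT krb5kdc writes, in the layout quoted in the post.
LINE_RE = re.compile(
    r"AS_REQ \((?P<count>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)"
)

# Sample input: the three lines from the post, followed by one constructed line
# (alice@..., 160.45.33.200) for a client that gets AES on the first try.
SAMPLE_LOG = """\
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {5}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE, KDC has no support for encryption type
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {3}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE, KDC has no support for encryption type
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {1}) 160.45.33.151: ISSUE: authtime 1078920638, etypes {rep=1 tkt=16 ses=1}, klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE
Mar 10 13:12:05 z63 krb5kdc[14024](info): AS_REQ (2 etypes {18 17}) 160.45.33.200: ISSUE: authtime 1078920725, etypes {rep=18 tkt=18 ses=18}, alice@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE
"""


def describe(etype):
    """Render an etype number with its registry name, e.g. '1 (des-cbc-crc)'."""
    return f"{etype} ({ETYPE_NAMES.get(etype, 'unknown')})"


def parse_as_req(line):
    """Return a dict for one AS_REQ log line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {
        "addr": m.group("addr"),
        "status": m.group("status"),
        "requested": [int(e) for e in m.group("etypes").split()],
        "client": m.group("client"),
        "server": m.group("server"),
        "issued": None,
    }
    if m.group("rep") is not None:  # only ISSUE lines carry the rep/tkt/ses triple
        rec["issued"] = {k: int(m.group(k)) for k in ("rep", "tkt", "ses")}
    return rec


def analyze(log_text):
    """Group AS_REQ entries per (client principal, client address).

    For each pair, collect the etypes the KDC refused and the etypes of the
    ticket it finally issued, and note whether the session key is single DES.
    """
    reports = {}
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec is None:
            continue
        key = (rec["client"], rec["addr"])
        r = reports.setdefault(key, {"rejected": [], "issued": None, "weak_session_key": False})
        if rec["status"] == "BAD_ENCRYPTION_TYPE":
            r["rejected"].extend(rec["requested"])
        elif rec["status"] == "ISSUE":
            r["issued"] = rec["issued"]
            r["weak_session_key"] = rec["issued"]["ses"] in SINGLE_DES
    return reports


def findings(reports):
    """One line per client whose negotiation ended on a single-DES session key."""
    out = []
    for (client, addr), r in sorted(reports.items()):
        if not r["weak_session_key"]:
            continue
        rejected = ", ".join(describe(e) for e in r["rejected"]) or "none"
        out.append(
            f"{client} from {addr}: KDC refused etypes {rejected}; "
            f"ticket issued with session etype {describe(r['issued']['ses'])}, "
            f"ticket etype {describe(r['issued']['tkt'])}"
        )
    return out


if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_LOG)):
        print(line)
```

Run against a real krb5kdc.log by replacing SAMPLE_LOG with the file's contents; the parser ignores TGS_REQ and other line types, so feeding it the whole log is safe. The point of grouping by principal and address rather than counting BAD_ENCRYPTION_TYPE lines alone is that the refusals by themselves are harmless noise; what matters is which etype the negotiation settles on.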

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:49:53 EDT