SUMMARY: W2K SSO authentication against MIT Kerberos (1.3.2) problem

From: Wolfram Klaus (klaus@physik.fu-berlin.de)
Date: Thu Mar 11 2004 - 04:52:46 EST


Thanks to Dave Love, Paul Moore, Graham Allen and Rudolf Gabler (in
the order their messages arrived)!

The consensus is you cannot use the W2KSSO SIA module for
authentication against a normal KDC (Paul Moore from HP wrote: "The
SSO software for Tru64 is only supported when used with the Windows
2000 server acting as the KDC. What you are trying will not
work."). Fortunately there is an alternative KRB5 SIA module available
at

  http://www.cit.uws.edu.au/~luke/software/sia_kerberosv5/

that works for us. Thanks Dave and Graham for pointing me in that
direction. Dave warned me that "some Tru64 update broke things
using it in combination with LDAP". We will be using LDAP later
so we may run into problems then. So I might be back on the list
soon ;)

Thanks again, this list is great!

Wolfram
-----Original Message-----
Dear list,
We are currently in the process of setting up a centralized
authentication server for Linux, W2k, and Tru64. The central AS is a
MIT KDC on a Linux machine. Authentication from Linux and W2k (cross
realm trust with ADS) works fine, but so far I cannot get the Tru64
Boxes to authenticate against the KDC.

Tru64 System: 5.1B + PK3 (=5.1B-1?)
              W2KSSO installed

w2ksetup fails when invoking "creacct -h `hostname` -u". So I tried a
simple kinit:

  Password for klaus@PHYSIK.FU-BERLIN.DE:
  kinit
  KDC reply did not match expectations

From a tcpdump I could see, that the Tru64 kinit uses
Pre_authentication. The Pre_authentication seems to succeed on the
KDC. Here is the relevant part of the KDC's log file:

Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {5}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE, KDC has no support for encryption type
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {3}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PYSIK.FU-BERLIN.DE, KDC has no support for encryption type
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {1}) 160.45.33.151: ISSUE: authtime 1078920638, etypes {rep=1 tkt=16 ses=1}, klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE

OK, our KDC currently has only etypes 1 and 16 for principals, but this
shouldn't be a problem.

What exactly is it, that Tru64's kinit is expecting from the kdc and
not getting?

If it helps here is the principal klaus@PHYSIK.FU-BERLIN.DE

  kadmin: getprinc klaus
  Principal: klaus@PHYSIK.FU-BERLIN.DE
  Expiration date: [never]
  Last password change: Thu Mar 04 12:09:23 CET 2004
  Password expiration date: [none]
  Maximum ticket life: 1 day 00:00:00
  Maximum renewable life: 0 days 00:00:00
  Last modified: Thu Mar 04 12:09:23 CET 2004 (kadmind@PHYSIK.FU-BERLIN.DE)
  Last successful authentication: [never]
  Last failed authentication: [never]
  Failed password attempts: 0
  Number of keys: 2
  Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
  Key: vno 2, DES cbc mode with CRC-32, no salt
  Attributes:
  Policy: [none]

And yes, I put the KDC's hostname and IP in /etc/hosts just to make
sure this is not the problem. Is this really needed?

TIA for any ideas!
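The KDC log quoted above shows the Tru64 kinit retrying downwards: etype 5 (des3-cbc-md5) and 3 (des-cbc-md5) are refused, then a ticket is issued with reply and session key etype 1 (des-cbc-crc). The parser below, an added example that is not part of the original thread, turns krb5kdc AS_REQ lines into records and flags a client that was refused stronger etypes and then ended up with a single-DES key; the only input is the three lines from the post.

```python
import re
from collections import defaultdict
# One AS_REQ line from krb5kdc, in the format quoted in the post (time/host prefix skipped).
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
ISSUE_RE = re.compile(r"authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) "
                      r"ses=(?P<ses>\d+)\}, (?P<client>\S+) for (?P<server>\S+)$")
FAIL_RE = re.compile(r"(?P<client>\S+) for (?P<server>\S+), (?P<msg>.*)$")
SINGLE_DES = {1, 2, 3}  # des-cbc-crc, des-cbc-md4, des-cbc-md5 (RFC 3961 numbers)

# The three KDC log lines quoted in the post.
SAMPLE_LOG = [
    "Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {5}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE, KDC has no support for encryption type",
    "Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {3}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PYSIK.FU-BERLIN.DE, KDC has no support for encryption type",
    "Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {1}) 160.45.33.151: ISSUE: authtime 1078920638, etypes {rep=1 tkt=16 ses=1}, klaus@PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE@PHYSIK.FU-BERLIN.DE",
]

def parse_as_req(line):
    """Return a dict for one AS_REQ log line, or None for anything else."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    rec = {"ip": m["ip"], "status": m["status"],
           "requested": [int(e) for e in m["etypes"].split()]}
    body = (ISSUE_RE if rec["status"] == "ISSUE" else FAIL_RE).match(m["rest"])
    if body is None:
        return None
    rec.update(body.groupdict())
    rec.update({k: int(rec[k]) for k in ("rep", "tkt", "ses") if k in rec})
    return rec

def summarize(lines):
    """Per (client IP, principal): etypes the KDC refused, and etypes of the ticket finally issued."""
    out = defaultdict(lambda: {"rejected": [], "issued": None})
    for line in lines:
        rec = parse_as_req(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["client"])
        if rec["status"] == "BAD_ENCRYPTION_TYPE":
            out[key]["rejected"].extend(rec["requested"])
        elif rec["status"] == "ISSUE":
            out[key]["issued"] = {k: rec[k] for k in ("rep", "tkt", "ses")}
    return dict(out)

def fell_back_to_single_des(entry):
    """True when stronger etypes were refused and the reply or session key the client got is single DES."""
    issued = entry["issued"]
    return bool(entry["rejected"]) and issued is not None and (
        issued["rep"] in SINGLE_DES or issued["ses"] in SINGLE_DES)
```

Running `summarize(SAMPLE_LOG)` shows the single client at 160.45.33.151 with etypes 5 and 3 rejected and a ticket issued with rep=1, tkt=16, ses=1, which `fell_back_to_single_des` flags.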



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:49:53 EDT