>>>>> "Luke" == Luke Howard <[EMAIL PROTECTED]> writes:
Luke> The Windows "solution" is, as previously mentioned, to have
Luke> a local or Active Directory account for the user. That's
Luke> where the authorization information comes from (in an AD
Luke> domain it is included in the authorization data field of the
Luke> ticket). Note that enhancing a KDC to supply the necessary
Luke> authorization data is not sufficient to eliminate the need
Luke> for a local or Active Directory account. It is, as one
Luke> might expect, a significantly more involved problem.

'a local or AD account'. I don't have AD, but I _DO_ have a local account.

Luke> Did you set the machine password with ksetup and create a
Luke> machine principal on your KDC with the same password?

>> Yes. I first tried with a random passwd and added that to the
>> keytab. I then found the link to the step-by-step guide, so I
>> re-did it, this time without adding it to the keytab.

Luke> Which keytab? There is no keytab on a Windows 2000
Luke> workstation. You need to do ksetup /SetComputerPassword to
Luke> set the machine password in the LSA secret store. You can
Luke> verify this with lsadump2.

The keytab on the KDC. I got the error

----- s n i p -----
Sep 26 08:02:19 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): UNKNOWN_SERVER: authtime 1033020129, turbo@<MYREALM.TLD> for host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>, Server not found in Kerberos database
----- s n i p -----

Previously, I've solved this by adding the principal to the system
keytab (on the host). This was obviously wrong...

What are all those encryption types? Do I miss some?

----- s n i p -----
rmgztk:~# kadmin.local -q 'getprinc host/majorskan.<MYDOMAIN.TLD>'
[...]
Number of keys: 6
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, DES cbc mode with RSA-MD5, Version 4
Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 2, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
----- s n i p -----

Maybe I should remove the attributes? Would that help (I'll try,
but...).
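
An added example, not part of the original message or of MIT Kerberos: a small Python parser for the TGS_REQ line quoted above that names the requested encryption types and lists which of them the keys in the getprinc output cover. The function names are hypothetical, and the etype name table is an assumption supplied here (assigned Kerberos numbers plus Microsoft-private negative values), not something stated in the thread.

```python
import re

# Etype number -> name (assumption added here, not from the thread). Positive values
# are assigned Kerberos numbers; negative ones are Microsoft-private (ntsecapi.h names).
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
    -128: "KERB_ETYPE_RC4_MD4",
    -133: "KERB_ETYPE_RC4_HMAC_OLD",
    -135: "KERB_ETYPE_RC4_HMAC_OLD_EXP",
}
# getprinc key descriptions, as printed in the message -> etype number.
KEY_DESC_TO_ETYPE = {
    "Triple DES cbc mode with HMAC/sha1": 16,
    "DES cbc mode with CRC-32": 1,
    "DES cbc mode with RSA-MD5": 3,
}
TGS_RE = re.compile(
    r"TGS_REQ \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\).*?: (?P<status>[A-Z_]+): "
    r".*?, (?P<client>\S+) for (?P<server>\S+), (?P<text>.*)$"
)
# Log line and key lines copied from the message (its redaction placeholders kept).
LOG_LINE = ("Sep 26 08:02:19 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes "
            "{23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): "
            "UNKNOWN_SERVER: authtime 1033020129, turbo@<MYREALM.TLD> for "
            "host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>, "
            "Server not found in Kerberos database")
KEY_LINES = [
    "Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt",
    "Key: vno 2, DES cbc mode with CRC-32, no salt",
    "Key: vno 2, DES cbc mode with RSA-MD5, Version 4",
]

def parse_tgs_req(line):
    """Split a krb5kdc TGS_REQ log line into etypes, status, client, server, text."""
    m = TGS_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["etypes"] = [int(n) for n in fields["etypes"].split()]
    return fields

def etype_overlap(requested, key_lines):
    """Names of requested etypes for which the principal holds a key."""
    held = {KEY_DESC_TO_ETYPE.get(k.split(", ")[1]) for k in key_lines}
    return [ETYPE_NAMES.get(e, str(e)) for e in requested if e in held]

if __name__ == "__main__":
    req = parse_tgs_req(LOG_LINE)
    print(req["status"], [ETYPE_NAMES.get(e, str(e)) for e in req["etypes"]])
    print("covered by principal keys:", etype_overlap(req["etypes"], KEY_LINES))
```

The parser reports the logged status (UNKNOWN_SERVER) separately from the etype list, so the two can be checked independently.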