On Tue, 01 Oct 2002 05:44:05 +0000, Turbo Fredriksson wrote:

>>>>>> "Tony" == Tony Hoyle <[EMAIL PROTECTED]> writes:
>
>     Tony> Win2k still doesn't connect directly at all:
>
> Did you recreate the 'host/data.nodomain.org' principal (so that
> it only has ONE key)?
>

Yes. More details... (probably *way* too much but everything's firewalled ATM).

1. There are no V4 keys AFAIK (I wouldn't know how to create these anyway).
   I don't think V4 is installed/configured as leash32 doesn't work and
   that's V4 only. The /etc/krb.conf and /etc/krb.realms files don't exist.

2. The times are definitely in sync (since the MIT V5 client can connect).
   The KDC is also the local NTP server and the Win box is synced from it
   using the Windows time service.

3. 90% of the config is the default that debian installs (since I'm
   assuming the package maintainer knows better than me how to configure
   things). I think most of the realm stuff in /etc/krb5.conf is
   unnecessary.

These are the relevant keys:

Principal: [EMAIL PROTECTED]
Expiration date: [never]
Last password change: Sat Sep 28 19:20:58 BST 2002
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Sep 30 22:21:01 BST 2002 ([EMAIL PROTECTED])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Principal: [EMAIL PROTECTED]
Expiration date: [never]
Last password change: Sat Sep 28 02:45:44 BST 2002
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Sep 30 22:20:54 BST 2002 ([EMAIL PROTECTED])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Principal: [EMAIL PROTECTED]
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat Sep 28 02:44:26 BST 2002 ([EMAIL PROTECTED])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

My /etc/krb5.conf:

[libdefaults]
        default_realm = NODOMAIN.ORG

# The following krb5.conf variables are only for MIT Kerberos.
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }

[realms]
        NODOMAIN.ORG = {
                kdc = sisko.nodomain.org
                admin_server = sisko.nodomain.org
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                kdc = kerberos-3.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
                kdc = kerberos.media.mit.edu
                admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
                kdc = three-headed-dogcow.mit.edu:88
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }
        CYGNUS.COM = {
                kdc = KERBEROS.CYGNUS.COM
                kdc = KERBEROS-1.CYGNUS.COM
                admin_server = KERBEROS.CYGNUS.COM
        }
        GREY17.ORG = {
                kdc = kerberos.grey17.org
                admin_server = kerberos.grey17.org
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
                kdc = kerberos.gnu.org
                kdc = kerberos-2.gnu.org
                kdc = kerberos-3.gnu.org
                admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
                kdc = kerberos.gratuitous.org
                admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
                kdc = kerberos.doomcom.org
                admin_server = kerberos.doomcom.org
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu

[login]
        krb4_convert = true
        krb4_get_tickets = true

/etc/krb5kdc/kdc.conf:

[kdcdefaults]
        kdc_ports = 750,88

[realms]
        NODOMAIN.ORG = {
                database_name = /var/lib/krb5kdc/principal
                admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
                acl_file = /etc/krb5kdc/kadm5.acl
                key_stash_file = /etc/krb5kdc/stash
                kdc_ports = 750,88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                master_key_type = des3-hmac-sha1
                supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
                default_principal_flags = +preauth
        }

/etc/krb5.keytab on KDC:

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/28/02 02:46:26 [EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)
   3 09/28/02 02:46:26 [EMAIL PROTECTED] (DES cbc mode with CRC-32)
   3 09/28/02 02:46:44 [EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)
   3 09/28/02 02:46:44 [EMAIL PROTECTED] (DES cbc mode with CRC-32)
   3 09/30/02 12:37:58 [EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)
   3 09/30/02 12:37:58 [EMAIL PROTECTED] (DES cbc mode with CRC-32)

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
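The kadmin getprinc and klist -ke listings in the message above are what an admin compares by hand when a service principal will not authenticate. The following is an added example, not code from this thread, that does the comparison over constructed copies of those two listings: it flags key-version drift between the KDC entry and the keytab, enctypes the KDC holds but the keytab lacks, and one enctype keyed under several salts (several distinct keys where a single key is wanted). The full principal name host/data.nodomain.org@NODOMAIN.ORG is an assumption, combining the name Turbo quoted with the realm in krb5.conf.

```python
import re
# Constructed samples modelled on the getprinc and klist -ke listings in the thread; principal name assumed.
GETPRINC = """Principal: host/data.nodomain.org@NODOMAIN.ORG
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
"""
KLIST = """KVNO Timestamp         Principal
   3 09/28/02 02:46:26 host/data.nodomain.org@NODOMAIN.ORG (Triple DES cbc mode with HMAC/sha1)
   3 09/28/02 02:46:26 host/data.nodomain.org@NODOMAIN.ORG (DES cbc mode with CRC-32)
"""
KDC_KEY = re.compile(r"^Key: vno (\d+), ([^,]+), (.+)$")     # kvno, enctype, salt
KT_ENTRY = re.compile(r"^\s*(\d+) \S+ \S+ (\S+) \((.+)\)$")  # kvno, principal, enctype

def parse_getprinc(text):
    """Return (principal, [(kvno, enctype, salt), ...]) from getprinc output."""
    principal, keys = None, []
    for line in text.splitlines():
        if line.startswith("Principal: "):
            principal = line.split(": ", 1)[1].strip()
        elif m := KDC_KEY.match(line):
            keys.append((int(m.group(1)), m.group(2), m.group(3)))
    return principal, keys

def parse_keytab(text):
    """Return {principal: [(kvno, enctype), ...]} from klist -ke output."""
    entries = {}
    for m in filter(None, map(KT_ENTRY.match, text.splitlines())):
        entries.setdefault(m.group(2), []).append((int(m.group(1)), m.group(3)))
    return entries

def check_principal(getprinc_text, keytab_text):
    """Flag kvno drift, KDC enctypes the keytab lacks, and enctypes keyed under several salts."""
    principal, kdc_keys = parse_getprinc(getprinc_text)
    kt_keys = parse_keytab(keytab_text).get(principal, [])
    findings = []
    kdc_kvnos, kt_kvnos = {k for k, _, _ in kdc_keys}, {k for k, _ in kt_keys}
    if kdc_kvnos != kt_kvnos:  # service cannot decrypt tickets made with a kvno it lacks
        findings.append(f"kvno mismatch: KDC {sorted(kdc_kvnos)} vs keytab {sorted(kt_kvnos)}")
    for enctype in sorted({e for _, e, _ in kdc_keys} - {e for _, e in kt_keys}):
        findings.append(f"KDC holds {enctype} key absent from keytab")
    for enctype in sorted({e for _, e, _ in kdc_keys}):
        salts = sorted({s for _, e, s in kdc_keys if e == enctype})
        if len(salts) > 1:  # one enctype, several salts = several distinct keys
            findings.append(f"{enctype} has {len(salts)} salt variants: {salts}")
    return principal, findings
```

On real hosts, feed it the output of `kadmin -q "getprinc host/..."` and `klist -ke` for the service principal in question; an empty findings list means the KDC and the keytab agree on version and enctypes.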