I think I need to provide more information about my setup:
- I used UMICH patch for cross realm auth, I can see from the log file that the 
cross-realm ticket is issued by MIT Realm
- The krbtgt/[EMAIL PROTECTED] and krbtgt/[EMAIL PROTECTED] key is des-cbc-crc32
- the TGT in win client:

Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: lara
DomainName: ADIANTO.COM
TargetDomainName: ADIANTO.COM
AltTargetDomainName: ADIANTO.COM
TicketFlags: 0x40c00000
KeyExpirationTime: 1/1/1601 8:00:00
StartTime: 7/29/2004 19:32:15
EndTime: 7/30/2004 19:32:15
RenewUntil: 7/29/2004 19:32:15
TimeSkew: 1/1/1601 8:00:00
 
- the tickets:

Cached Tickets: (2)
   Server: krbtgt/[EMAIL PROTECTED]
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 7/30/2004 19:32:15
      Renew Time: 7/29/2004 19:32:15

   Server: host/[EMAIL PROTECTED]
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 7/30/2004 19:32:15
      Renew Time: 7/29/2004 19:32:15

regards,
lara
 

Lara Adianto <[EMAIL PROTECTED]> wrote:
Hi,
 
I have a strange problem with cross-realm authentication.
It's a windows 2000 machine authenticating to an MIT KDC, then it accesses a computer 
in a windows domain. This should be possible theoretically with ksetup, and all the 
necessary steps described in the step by step kerberos interoperability document.
 
However, this is what happens in my environment:
1. The user is able to login into windows 2000 machine with his credential in MIT KDC. 
The windows 2000 is configured to be a member of workgroup. However, when I examine 
the setting setup using ksetup, this is what I got:
ksetup:
default realm = ADIANTO.COM (external)
ADIANTO.COM:
 kdc = kerberos.adianto.com
Failed to create Kerberos key: 5 (0x5)
 
I'm not sure whether the last line is fatal.
 
2. When the user tried to access a computer in a windows domain (should be possible 
due to the cross realm setup), the following error occurred:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date:  7/29/2004
Time:  7:37:30 PM
User:  N/A
Computer: TEST
Description:
A Kerberos Error Message was received:
         on logon session InitializeSecurityContext
 Client Time: 
 Server Time: 
 Error Code: 11:36:30.0000 7/29/2004 (null) 0x29
 Extended Error: KRB_AP_ERR_MODIFIED
 Client Realm: 
 Client Name: 
 Server Realm: WINDOMAIN.COM
 Server Name: krbtgt/WINDOMAIN.COM
 Target Name: HOST/[EMAIL PROTECTED]
 Error Text: 
 File: 
 Line: 
 Error Data is in record data. 

Win2kServer is the computer that Test tried to access, belonged to WINDOMAIN, which is 
a windows domain.
 
My guess is that the Failed to generate key caused the KRB_AP_ERR_MODIFIED...
but I can't confirm it...
I'm not sure what caused it to fail to generate the key...
 
I've followed the steps in the step by step kerberos interoperability document 
carefully...
 
Any clue ?
 
regards,
lara


------------------------------------------------------------------------------------ 
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
- Guy de Maupassant -
------------------------------------------------------------------------------------

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos