Definitely remove the "REQUIRES_PRE_AUTH" flag from the principal for majorskan (which is your Windows 2000 machine, if I'm not mistaken). When the KDC is forcing the WIN2K client to generate PRE_AUTH data the client includes additional information (I think it's SID) in the Authorization_Data field of the ticket. One way or the other the Logon will fail because MIT's KDC does not support these Microsoft extensions. I can guarantee that preauth on a principal will make your login fail when that login is coming from a Win2K machine to an MIT KDC.
I didn't have much luck finding the specification of the extensions on MS's site, but here's a mirror I found off Google searching on "Microsoft Authorization Data Specification":

http://home.xnet.com/~catena/ms-kerberos.shtml

If you want to wade through that, feel free, but I would recommend just removing the REQUIRES_PRE_AUTH:

kadmin: modify_principal -requires_preauth host/majorskan.<MYDOMAIN.TLD>

HTH,
Steve Harper
University of Utah

On Thu, 26 Sep 2002, Turbo Fredriksson wrote:

> 'a local or AD account'. I don't have AD, but I _DO_ have a local
> account.
>
> The keytab on the KDC. I got the error
>
> ----- s n i p -----
> Sep 26 08:02:19 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24
> -135}) <IP_OF_FIREWALL_AT_HOME>(88): UNKNOWN_SERVER: authtime 1033020129,
> turbo@<MYREALM.TLD> for host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>, Server not found
> in Kerberos database
> ----- s n i p -----
>
> Previously, I've solved this by adding the principal to the system
> keytab (on the host). This was obviously wrong...
>
> What are all those encryption types? Do I miss some?
>
> ----- s n i p -----
> rmgztk:~# kadmin.local -q 'getprinc host/majorskan.<MYDOMAIN.TLD>'
> [...]
> Number of keys: 6
> Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 2, DES cbc mode with CRC-32, no salt
> Key: vno 2, DES cbc mode with RSA-MD5, Version 4
> Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - No Realm
> Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - Realm Only
> Key: vno 2, DES cbc mode with RSA-MD5, AFS version 3
> Attributes: REQUIRES_PRE_AUTH
> ----- s n i p -----
>
> Maybe I should remove the attributes? Would that help (I'll try, but...).
> --
> security Soviet subway 747 fissionable Qaddafi FBI Nazi Saddam Hussein
> Ft. Meade 767 Khaddafi arrangements BATF iodine
> [See http://www.aclu.org/echelonwatch/index.html for more about this]
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> http://mailman.mit.edu/mailman/listinfo/kerberos
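
As an added illustration (not part of either poster's message), this Python sketch parses the TGS_REQ log line quoted in the thread, names the etype numbers it lists, and intersects them with the key types shown in the getprinc output. The realm, host and IP values are constructed placeholders for the redacted fields, the function names are hypothetical, and the mapping of the getprinc key descriptions to etype numbers is an assumption.

```python
import re

# Etype numbers from the Kerberos encryption-type registry (RFC 3961, RFC 4757).
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 23: "rc4-hmac", 24: "rc4-hmac-exp"}

# Assumed mapping of the getprinc output: one Triple DES key (16), one
# DES/CRC-32 key (1) and four DES/RSA-MD5 keys that differ only in salt (3).
PRINCIPAL_KEY_ETYPES = {16, 1, 3}

# Constructed sample: the quoted log line with placeholder values
# (EXAMPLE.ORG, 192.0.2.10) in place of the redacted fields.
SAMPLE = ("Sep 26 08:02:19 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes "
          "{23 -133 -128 3 1 24 -135}) 192.0.2.10(88): UNKNOWN_SERVER: "
          "authtime 1033020129, turbo@EXAMPLE.ORG for "
          "host/majorskan.example.org@EXAMPLE.ORG, "
          "Server not found in Kerberos database")

LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) "
    r"\((?P<n>\d+) etypes \{(?P<etypes>[-\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): "
    r".*?(?P<client>\S+@\S+) for (?P<server>\S+@[^\s,]+)")

def etype_name(n):
    """Name an etype; negative numbers are reserved for local (vendor) use."""
    if n < 0:
        return "local-use(%d)" % n
    return ETYPE_NAMES.get(n, "unknown(%d)" % n)

def parse_kdc_line(line):
    """Return the request fields of a krb5kdc AS_REQ/TGS_REQ line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    etypes = [int(x) for x in m.group("etypes").split()]
    if len(etypes) != int(m.group("n")):
        raise ValueError("etype count does not match the listed etypes")
    return {"req": m.group("req"), "status": m.group("status"),
            "client": m.group("client"), "server": m.group("server"),
            "etypes": etypes, "names": [etype_name(e) for e in etypes]}

def common_etypes(requested, principal_keys):
    """Requested etypes the principal holds a key for, in client order."""
    return [e for e in requested if e in principal_keys]

if __name__ == "__main__":
    rec = parse_kdc_line(SAMPLE)
    print(rec["status"], rec["server"], rec["names"])
    print([etype_name(e) for e in common_etypes(rec["etypes"], PRINCIPAL_KEY_ETYPES)])
```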