Jeffrey Altman wrote:

> First off, the Windows Telnet service does not support Kerberos
> authentication therefore you cannot expect to use Telnet as a test
> protocol from the HP system to the Windows AD.

True, I was assuming that the telnet session was using pam_kerberos for
authentication on the hp-ux side (non-Kerberized telnet).

> As for Doug's problem with no support for RC4-HMAC in his version of
> MIT Kerberos I suggest that he upgrade his MIT Kerberos to 1.3.1

Ah..., if it was only that simple... :) I'm using the HP supplied Kerberos
client s/w (PAM_Kerberos and SIS) which is based on an older version of the
MIT Kerberos.

> in order to gain support for RC4-HMAC. What the "use DES ..." setting
> via the UI does is instruct Windows to use a DES session key not a DES
> ticket key.

Good to know..

> I believe that if you want to set an account to only use DES for the
> ticket encryption that you must do so using the /DesOnly switch when
> mapping a Service Principal Name to an account and producing a keytab
> file with ktpass.exe (from the W2K3 Support Tools found on the CD.)

According to the ktpass command-line help the default is "do" which I read
as DesOnly. I tried with the -DesOnly switch (along with -crypto DES-CBC-CRC
since the HP-UX Kerberos client does not support des-cbc-md5). The behavior
changed, ticket is now encrypted with des-cbc-md5 but this doesn't help
since it's not supported with the hp-ux kerberos s/w.

> If you are installing Kerberos for Windows on the Win2003 server
> you must set the registry key

Just using the standard Windows 2003/AD Enterprise Server.

>   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
>   AllowTGTSessionKey = 0x1 (DWORD)
>
> if you want to allow KfW to import Windows LSA credentials into the
> MIT ccache via either ms2mit or Leash.
>
> Jeffrey Altman
>
> Ryan Odgers wrote:
>
>> Hi Doug,
>>
>> still on win2000
>> I can authenticate and get tgt ticket with kinit
>> I can get service ticket with kinit -S
>> pamkrbval returns all PASSED
>> nsquery search against ldap returns values in AD
>> (I still seem to need a dummy entry in /etc/passwd for kerberos to create
>> credential cache)??
>>
>> Well, don't know what else to do
>>
>> Thanks
>>
>> "Doug Lamoureux" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]
>>
>>> Ryan,
>>> Are you running Windows 2003? I've just run into a problem with Win2k3
>>> encrypting the client tickets with rc4-hmac:
>>>
>>> # kinit -S host/myhost.acme.com dougl
>>> Password for [EMAIL PROTECTED]:
>>> # klist -e
>>> Ticket cache: /tmp/krb5cc_0
>>> Default principal: host/[EMAIL PROTECTED]
>>> Valid starting     Expires            Service principal
>>> 01/22/04 09:54:57  01/22/04 19:54:57  host/[EMAIL PROTECTED]
>>>         Etype (skey, tkt): DES cbc mode with CRC-32, etype 23
>>>
>>> etype 23 is RC4-HMAC
>>>
>>> (ethereal trace shows rc4-hmac)
>>>
>>> I've seen a number of suggestions to set the "Use DES encryption" flag on
>>> the users account and reset the password, but that has not resolved the
>>> problem.
>>>
>>> Checkout your syslog.log file for potential errors. You don't have to
>>> setup cross-realm authentication for ldap-ux/kerberos to work with AD on
>>> hp-ux (you will if you want to have multi-domain support). Make sure you
>>> can see the user defined in AD:
>>>
>>> # pwget -n dougl
>>> dougl:*:10001:20::/home/dougl:/usr/bin/ksh
>>> # /usr/contrib/bin/nsquery passwd dougl ldap
>>>
>>> Using "ldap" for the passwd policy.
>>>
>>> Searching ldap for dougl
>>> User name: dougl
>>> User Id: 10001
>>> Group Id: 20
>>> Gecos:
>>> Home Directory: /home/dougl
>>> Shell: /usr/bin/ksh
>>>
>>> Switch configuration: Terminates Search
>>>
>>> Then make sure you can use kinit to authenticate:
>>>
>>> # kinit dougl
>>> Password for [EMAIL PROTECTED]:
>>>
>>> You can also validate the Kerberos client configuration using pamkrbval:
>>>
>>> # /usr/sbin/pamkrbval
>>>
>>> Validating the pam configuration files
>>> ---------- --- --- ------------- -----
>>>
>>> Validating the /etc/pam.conf file
>>> [PASS] : The validation of config file: /etc/pam.conf passed
>>>
>>> [NOTICE] : The validation of config file: /etc/pam_user.conf is not done
>>> as libpam_updbe library is not configured
>>>
>>> Validating the kerberos config file
>>> ---------- --- -------- ------ -----
>>> [PASS] : Initialization of kerberos passed
>>>
>>> Connecting to default Realm
>>> ---------- -- ------- -----
>>> [PASS] : Default Realm is issuing tickets
>>>
>>> Validating the keytab entry for the host service principal
>>> ---------- --- ------ ----- --- --- ---- ------- ---------
>>> /usr/sbin/pamkrbval: Program lacks support for encryption type for this
>>> entry
>>> [FAIL] : The keytab validation Failed
>>>
>>> Cheers,
>>> Doug
>>>
>>> Ryan Odgers wrote:
>>>
>>>> (I apologize if this has already been posted, I am new to this list)
>>>>
>>>> Hi,
>>>>
>>>> What is the trick to getting services to work via kerberos?
>>>>
>>>> I have been playing around with trying to use kerberos as a SSO for our
>>>> environment, but am a bit confused.
>>>>
>>>> To date:
>>>> I have installed and configured MS SFU 3.5 (services for Unix) on our
>>>> AD, extended the schema.
>>>> I have an HP-UX 11.11 machine in which I have setup the LDAP client to
>>>> talk to the AD via kerberos. I can successfully search the AD and can
>>>> login with windows credentials via a keytab created for the host.
>>>>
>>>> The telnet service in HP-UX is kerberos aware, but after creating a
>>>> service instance and keytab file for the telnet service in AD, and
>>>> importing into the unix keytab file, I cannot telnet into unix via
>>>> kerberos. I have followed Microsoft's doc on inter-operability, but
>>>> cannot get the services side of kerberos to work.
>>>>
>>>> If the KDC is win2000 and the kerberos client is UNIX or MIT, does
>>>> cross-realm authentication still need to be set up?
>>>> It is the same kerberos realm, the unix machine points to the 2000 KDC
>>>> as its server.
>>>>
>>>> Any help is VERY appreciated
>>>> Ryan

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
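The diagnostic the thread turns on is reading the "Etype (skey, tkt)" line of `klist -e` and noticing that the ticket key (tkt) is an encryption type the old HP-UX client library has no support for, while the session key (skey) is fine. The script below is an added example written for this page, not code from any of the posters or from MIT/HP: it parses `klist -e` output, maps the display names (and the bare "etype N" form MIT prints for types it cannot name) to the numeric IDs from RFC 3961 / RFC 4757, and flags any ticket whose session-key or ticket-key etype falls outside an assumed client-supported set. The sample output, the ACME.COM realm, the ldap/ and krbtgt/ entries, and the HP-UX supported set (des-cbc-crc only, as the thread reports, with no des-cbc-md5 and no rc4-hmac) are all constructed assumptions for illustration.

```python
import re

# Numeric encryption-type IDs from RFC 3961 / RFC 4757.  MIT `klist -e` prints
# the bare number ("etype 23") when the local library has no name for a type,
# which is exactly what the thread above ran into.
ETYPE_IDS = {
    "des-cbc-crc": 1,
    "des-cbc-md4": 2,
    "des-cbc-md5": 3,
    "des3-cbc-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "rc4-hmac": 23,
    "rc4-hmac-exp": 24,
}

# Long display names MIT klist -e uses for the types it does know.
KLIST_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD4": "des-cbc-md4",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
    "ArcFour with HMAC/md5": "rc4-hmac",
}

ETYPE_LINE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")


def etype_id(name):
    """Map one etype as printed by klist -e to its numeric ID (None if unknown)."""
    name = name.strip()
    m = re.fullmatch(r"etype (\d+)", name)
    if m:
        return int(m.group(1))
    short = KLIST_NAMES.get(name, name.lower())
    return ETYPE_IDS.get(short)


def parse_klist(output):
    """Return (service_principal, skey_etype, tkt_etype) for each ticket.

    The etype line follows the ticket line, so the service principal is the
    last token of the most recent non-blank line that is not itself an
    etype line.
    """
    tickets = []
    last_princ = None
    for line in output.splitlines():
        m = ETYPE_LINE.match(line)
        if m:
            tickets.append((last_princ, etype_id(m.group(1)), etype_id(m.group(2))))
        elif line.strip():
            last_princ = line.split()[-1]
    return tickets


def check_tickets(output, client_etypes):
    """Report, per service principal, which etypes the client cannot use.

    The ticket key etype is chosen by the KDC from the keys it holds for the
    service principal (what ktpass -crypto / DesOnly influence); the session
    key etype is what the "Use DES" account flag influences.  A client that
    lacks either one still gets a ticket from kinit but fails when it tries
    to use it, as the pamkrbval "lacks support for encryption type" message
    in the thread shows.
    """
    findings = {}
    for princ, skey, tkt in parse_klist(output):
        problems = []
        if tkt not in client_etypes:
            problems.append("ticket key etype %s unsupported by client" % tkt)
        if skey not in client_etypes:
            problems.append("session key etype %s unsupported by client" % skey)
        findings[princ] = problems
    return findings


# Constructed sample modelled on the klist -e output quoted in the thread (not
# captured from a real system).  Realm and the krbtgt/ldap entries are assumed.
SAMPLE_KLIST = """\
Ticket cache: /tmp/krb5cc_0
Default principal: dougl@ACME.COM

Valid starting     Expires            Service principal
01/22/04 09:54:57  01/22/04 19:54:57  krbtgt/ACME.COM@ACME.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
01/22/04 09:54:57  01/22/04 19:54:57  host/myhost.acme.com@ACME.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, etype 23
01/22/04 09:55:10  01/22/04 19:54:57  ldap/dc1.acme.com@ACME.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
"""

# Assumed etype set for the old HP-UX PAM_Kerberos/SIS client described in the
# thread: des-cbc-crc only.  Replace with whatever your library really supports.
HPUX_CLIENT_ETYPES = {ETYPE_IDS["des-cbc-crc"]}

if __name__ == "__main__":
    for princ, problems in check_tickets(SAMPLE_KLIST, HPUX_CLIENT_ETYPES).items():
        print(princ, "OK" if not problems else "; ".join(problems))
```

Run against real output with `klist -e | python3 check_etypes.py` after swapping the sample for `sys.stdin.read()`; the point of keeping the supported set explicit is that the fix differs by column: an unsupported ticket key is a KDC-side key/ktpass problem for that service principal, an unsupported session key is an account-flag problem.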
