Hello,
I struggling with cross realm auth and I'd appreciate it if someone can
give me pointers.
The problem seems to be with enctypes. So I just asserted RC4 everywhere
and now I'm getting all the right tickets but ssh and smbclient still
aren't quite satisfied.
Info about the two domains and ssh / smbclient test results follows.
---- S.W.NET ----
MIT 1.3.4-46 on CentOS 4.4
I created KDC as usual but before creating the db I put the following
in my kdc.conf:
supported_enctypes = arcfour-hmac:normal
I created some principals and it confirmed the enctype was archfour-hmac:
kadmin.local: ktadd [EMAIL PROTECTED]
Entry for principal [EMAIL PROTECTED] with kvno 3, encryption type ArcFour
with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
krb5.conf is standard except I added W.NET to the [realms] and
[domain_realm] sections (not sure if that's necessary).
I created a host/[EMAIL PROTECTED] principal and exported it to the
/etc/krb5.keytab (for ssh).
---- W.NET ----
W2K3 standard
ktsetup /addkdc S.W.NET ls1.s.w.net
ktpass /MitRealmName S.W.NET /TrustEncryp RC4
Created two-way trust with AD Domains and Trusts.
Rebooted.
So with everything setup like above I tried ssh and smbclient.
-- Testing with SSH with W.NET TGT --
Ssh doesn't tell me much:
$ ssh -vvv [EMAIL PROTECTED]
...
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 192.168.2.20.
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
but I can see I have the right tickets:
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: [EMAIL PROTECTED]
Valid starting Expires Service principal
05/02/07 21:35:40 05/03/07 07:36:11 krbtgt/[EMAIL PROTECTED]
renew until 05/03/07 21:35:40
05/02/07 21:36:23 05/03/07 07:36:11 krbtgt/[EMAIL PROTECTED]
renew until 05/03/07 21:35:40
05/02/07 21:36:04 05/03/07 07:36:11 host/[EMAIL PROTECTED]
renew until 05/02/07 21:36:04
Ssh with an S.W.NET TGT to ls1.s.w.net works fine (no password).
-- Testing with smbclient with S.W.NET TGT --
$ smbclient -k //dc1.w.net/tmp
signing_good: BAD SIG: seq 1
SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!
again I have the right tickets:
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: [EMAIL PROTECTED]
Valid starting Expires Service principal
05/02/07 21:27:56 05/03/07 21:27:56 krbtgt/[EMAIL PROTECTED]
05/02/07 21:33:35 05/03/07 21:27:56 krbtgt/[EMAIL PROTECTED]
05/02/07 21:33:55 05/03/07 07:33:55 [EMAIL PROTECTED]
The signature in the SMB response packet is identical to the one
in the request packet (i.e. it was echo'd).
Any ideas?
Do I need to do anything special with DNS?
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
