How about the encryption types? Windows only supports 2 types of encryption. I didn't mention it before because I think one of them is the default for MIT Kerberos.
Let's see... DES-CBC-CRC and DES-CBC-MD5 according to the "step by step" guide. Can you try removing all other encryption types from your KDC and trying again?

I'm baffled by the inability to disable pre-authentication. Gotta see a packet trace to understand that.

ERX

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Turbo Fredriksson
>Sent: Thursday, September 26, 2002 1:51 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Win logon to a MIT Kerberos V KDC?
>
>
>>>>>> "Steve" == Steve Harper <[EMAIL PROTECTED]> writes:
>
>    Steve> Definitely remove the "REQUIRES_PRE_AUTH" flag from the
>    Steve> principal for majorskan (which is your windows 2000
>    Steve> machine, if I'm not mistaken).
>
>    Steve> kadmin: modify_principal -requires_preauth
>    Steve> host/majorskan.<MYDOMAIN.TLD>
>
>I've tried that, but it didn't help. I then thought of removing and
>then re-adding the principal again. No change.
>
>----- s n i p -----
>kadmin.local: delprinc host/majorskan.bayour.com
>kadmin.local: ank -pw <SECRET> -requires_preauth
>host/majorskan.<MYDOMAIN.TLD>
>kadmin.local: getprinc host/majorskan.<MYDOMAIN.TLD>
>Principal: host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>
>Number of keys: 6
>Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>Key: vno 1, DES cbc mode with CRC-32, no salt
>Key: vno 1, DES cbc mode with RSA-MD5, Version 4
>Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
>Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
>Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
>Attributes:
>Policy: [none]
>kadmin.local: q
>rmgztk:~# tail -f /var/log/kerberos/krb5kdc.log -n0
>Sep 26 19:28:21 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23
>-133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88):
>NEEDED_PREAUTH: turbo@<MYREALM.TLD> for
>krbtgt/<MYREALM.TLD>@<MYREALM.TLD>, Additional pre-authentication required
>Sep 26 19:28:21 rmgztk krb5kdc[1075](info): AS_REQ (2 etypes {3 1})
><IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033061301, etypes
>{rep=3 tkt=16 ses=1}, turbo@<MYREALM.TLD> for
>krbtgt/<MYREALM.TLD>@<MYREALM.TLD>
>Sep 26 19:28:21 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23
>-133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE:
>authtime 1033061301, etypes {rep=1 tkt=16 ses=1},
>turbo@<MYREALM.TLD> for host/majorskan.<MYREALM.TLD>@<MYREALM.TLD>
>----- s n i p -----
>
>It _STILL_ requires pre-auth! I even tried removing the
>
>    default_principal_flags = +preauth
>
>from the kdc.conf (and restarted the KDC)!!
>
>Oh, and I also removed pre-auth requirements from the 'krbtgt/<MYREALM.TLD>'
>and 'turbo' principals... Then it doesn't request/require pre-auth:
>
>----- s n i p -----
>rmgztk:~# tail -f /var/log/kerberos/krb5kdc.log -n0
>Sep 26 19:49:38 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23
>-133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE:
>authtime 1033062578, etypes {rep=3 tkt=16 ses=1},
>turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>
>Sep 26 19:49:43 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23
>-133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE:
>authtime 1033062578, etypes {rep=1 tkt=16 ses=1},
>turbo@<MYREALM.TLD> for host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>
>----- s n i p -----
>
>Closer. I don't get the pre-auth any more. But I'm still not logged in... :(
>
>    Steve> When the KDC is forcing the WIN2K client to generate
>    Steve> PRE_AUTH data the client includes additional information (I
>    Steve> think it's SID) in the Authorization_Data field of the
>    Steve> ticket. One way or the other the Logon will fail because
>    Steve> MIT's KDC does not support these microsoft extensions. I
>    Steve> can guarantee that preauth on a principal will make your
>    Steve> login fail when that login is coming from a Win2K machine
>    Steve> to an MIT KDC.
>
>Sounds reasonable (well, 'understanding' anyway :).
>
>
>So, re-cap. The principals 'krbtgt/<MYREALM.TLD>',
>'host/majorskan.<MYDOMAIN.TLD>'
>and 'turbo' all have been modified with '-requires_preauth'...
>
>Windows has been restarted after all this had been done... Naturally :)
>(and had 'ksetup /setcomputerpassword <SECRET>' done).
>
>    Steve> http://home.xnet.com/~catena/ms-kerberos.shtml
>    Steve> If you want to wade through that, feel free, but I would
>    Steve> recommend just removing the REQUIRES_PRE_AUTH:
>
>I'll read that when I have more time :)
>________________________________________________
>Kerberos mailing list [EMAIL PROTECTED]
>http://mailman.mit.edu/mailman/listinfo/kerberos
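As an added illustration (not code from anyone in this thread), here is a small Python parser for krb5kdc.log AS_REQ/TGS_REQ lines of the shape quoted above. It pulls out the etypes the client offered and the rep/tkt/ses etypes on ISSUE lines, then flags the two things the thread chases: a NEEDED_PREAUTH answer, and a session key or non-krbtgt service ticket whose etype falls outside the DES-CBC-CRC/DES-CBC-MD5 pair the thread says Windows 2000 supports. The log lines, realm, hostname and client address are constructed sample data.

```python
import re

# krb5kdc.log lines shaped like the ones quoted in the thread. Constructed
# sample data: realm, hostname and client address are placeholders.
SAMPLE_LOG = """\
Sep 26 19:28:21 kdc krb5kdc[1075](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.10(88): NEEDED_PREAUTH: turbo@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Sep 26 19:28:21 kdc krb5kdc[1075](info): AS_REQ (2 etypes {3 1}) 192.0.2.10(88): ISSUE: authtime 1033061301, etypes {rep=3 tkt=16 ses=1}, turbo@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Sep 26 19:28:21 kdc krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.10(88): ISSUE: authtime 1033061301, etypes {rep=1 tkt=16 ses=1}, turbo@EXAMPLE.COM for host/majorskan.example.com@EXAMPLE.COM
"""

# DES-CBC-CRC (1) and DES-CBC-MD5 (3): the two etypes the thread says Windows 2000
# supports. 16 is des3-cbc-sha1, 23 is rc4-hmac; negative numbers are private use.
WIN2K_ETYPES = {1, 3}

LINE_RE = re.compile(r"krb5kdc\[\d+\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ) "
                     r"\(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<client>\S+): "
                     r"(?P<status>[A-Z_]+): (?P<rest>.*)")
KEYS_RE = re.compile(r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}")
PRINC_RE = re.compile(r"(?P<who>\S+@\S+) for (?P<svc>[^,\s]+)")

def parse_kdc_log(text):
    """One dict per AS_REQ/TGS_REQ line: kind, status, client, offered etypes, who, svc, keys."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = {"kind": m["kind"], "status": m["status"], "client": m["client"],
              "offered": [int(x) for x in m["offered"].split()], "keys": {}}
        p = PRINC_RE.search(m["rest"])
        ev["who"], ev["svc"] = (p["who"], p["svc"]) if p else ("", "")
        k = KEYS_RE.search(m["rest"])  # rep/tkt/ses only appear on ISSUE lines
        if k:
            ev["keys"] = {n: int(k[n]) for n in ("rep", "tkt", "ses")}
        events.append(ev)
    return events

def assess(ev):
    """Findings an admin chasing the thread's symptom would want to see."""
    out = []
    who, keys = ev["who"], ev["keys"]
    if ev["status"] == "NEEDED_PREAUTH":
        out.append(f"{who}: KDC still demands pre-authentication")
    if keys and keys["ses"] not in WIN2K_ETYPES:
        out.append(f"{who}: session key etype {keys['ses']} is not DES")
    if keys and not ev["svc"].startswith("krbtgt/") and keys["tkt"] not in WIN2K_ETYPES:
        out.append(f"{ev['svc']}: service ticket etype {keys['tkt']} is not DES; "
                   "a DES-only Windows host cannot decrypt it")
    return out
```

Run over the three sample lines, only the first (NEEDED_PREAUTH) and the third (host ticket encrypted with etype 16, the Triple DES key listed first on the host principal) produce findings.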