If I change the encryption type on my OpenSuse kdc to DES only and do the mapping on the user in AD and not via ksetup I can login with markus from domain SUSE.HOME.
Does this mean there is still no trust with rc4-hmac possible ??

Thanks
Markus

"Markus Moeller" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Three further observations
>
> => 1) User WINDOWS2003\markus-a CAN NOT connect with putty from Win XP to
>       opensuse.suse.home (no port 88 traffic)
>       I can connect as user WINDOWS2003\markus-a with putty 0.58 with
>       GSSAPI (e.g. MIT libraries) from Win XP to opensuse.suse.home
> => 10) User [EMAIL PROTECTED] CAN NOT connect with Firefox from OpenSuse to
>       http://w2k3.windows2003.home. I get a KRB5KDC_ERR_ETYPE_NOSUPP
>       error (see below capture of AS-REQ, AS-REP, TGS-REQ, TGS-REP)
>       It works when I change the encryption types in krb5.conf to only
>       des on OpenSuse.
>
> and I CAN NOT login to the Win XP box as markus from domain SUSE.HOME. I
> tried ksetup /mapuser * * with no success.
>
> Any idea what I need to change ?
>
> Thank you
> Markus
>
> "Markus Moeller" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>> I searched a bit more and found some hints how to set it up. But I still
>> have a couple of problems. Does anybody have an idea why I get a
>> KRB5KDC_ERR_ETYPE_NOSUPP error when I try to access a webserver in the
>> WINDOWS domain from a MIT domain ?
>>
>> Thank you
>> Markus
>>
>> My sample setup:
>>
>> 1. OpenSuse with kdc opensuse.suse.home for SUSE.HOME realm for all
>>    systems in *.suse.home domain (which is based on MIT 1.4.1)
>> 2. Windows 2003 R2 kdc w2k3.windows2003.home for WINDOWS2003.HOME realm
>>    for all systems in *.windows2003.home domain
>> 3. Run Apache2 with mod_spnego on opensuse.suse.home allows all valid
>>    users (the same host as kdc for testing only)
>> 4. Run Apache2 with mod_spnego on w2k3.windows.home allows all valid
>>    users (the same host as the kdc for testing with kfw 3.0 installed too
>>    to build mod_spnego)
>> 5. Windows XP system winxp.windows2003.home in realm WINDOWS2003.HOME
>> 6. Run putty 0.57 from Vintela with SSPI support on Windows XP
>>
>> Both kdc's have a user markus. The Windows kdc has also a user markus-a
>> which does not exist in the OpenSuse kdc
>>
>> On OpenSuse markus had a .k5login file with:
>> [EMAIL PROTECTED]
>> [EMAIL PROTECTED]
>> [EMAIL PROTECTED]
>>
>> =======================================================================
>>
>> Setup of kdc on OpenSuse with Apache2 and mod_spnego
>>
>> #!/bin/ksh
>> DATE=`date +%Y%m%d.%H%M%S`
>> #
>> # OpenSuse binary locations
>> #
>> KDB5_UTIL=/usr/lib/mit/sbin/kdb5_util
>> KADMINLOCAL=/usr/lib/mit/sbin/kadmin.local
>> #
>> # Directories and Files
>> #
>> VARDIR=/var/lib/kerberos/krb5kdc
>> ETCDIR=/etc
>> APACHEDIR=/etc/apache2
>> KDC_CONF_DIR=${VARDIR}
>> KADM5ACL=${VARDIR}/kadm5.acl
>> #
>> # Realms
>> #
>> REALM=SUSE.HOME
>> REALM2=WINDOWS2003.HOME
>> KDC=opensuse.suse.home
>> KDC2=w2k3.windows2003.home
>> DOMAIN=suse.home
>> DOMAIN2=windows2003.home
>> #
>> PASS="UNIX000$"
>> #
>> # stop daemons
>> #
>> /etc/init.d/krb5kdc stop
>> /etc/init.d/kadmind stop
>> /etc/init.d/apache2 stop
>> #
>> # Save old configs
>> #
>> mkdir ${VARDIR}/version-${DATE}
>> mv ${KDC_CONF_DIR}/kdc.conf ${KDC_CONF_DIR}/kdc.conf-${DATE}
>> mv ${VARDIR}/principal* ${VARDIR}/version-${DATE}/
>> mv ${VARDIR}/kadm5* ${VARDIR}/version-${DATE}/
>> mv ${KADM5ACL} ${KADM5ACL}-${DATE}
>> mv ${VARDIR}/.k5.* ${VARDIR}/version-${DATE}/
>>
>> mv ${ETCDIR}/krb5.conf ${ETCDIR}/krb5.conf-${DATE}
>> mv ${ETCDIR}/krb5.keytab ${ETCDIR}/krb5.keytab-${DATE}
>>
>> mv ${APACHEDIR}/HTTP.keytab ${APACHEDIR}/HTTP.keytab-${DATE}
>> #
>> # Create kdc.conf
>> #
>> cat > ${KDC_CONF_DIR}/kdc.conf <<!
>> [kdcdefaults]
>>     kdc_ports = 750,88
>> [realms]
>>     ${REALM} = {
>>         database_name = ${VARDIR}/principal
>>         admin_keytab = FILE:${VARDIR}/kadm5.keytab
>>         acl_file = ${KADM5ACL}
>>         key_stash_file = ${VARDIR}/.k5.${REALM}
>>         kdc_ports = 750,88
>>         supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
>>         kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
>>         max_life = 10h 0m 0s
>>         max_renewable_life = 7d 0h 0m 0s
>>     }
>> [logging]
>>     kdc = FILE:/var/log/kdc.log
>>     admin_server = FILE:/var/log/kadmin.log
>> !
>> #
>> # Create krb5.conf
>> #
>> cat > ${ETCDIR}/krb5.conf <<!
>> [libdefaults]
>>     default_realm = ${REALM}
>>     dns_lookup_kdc = no
>>     dns_lookup_realm = no
>>     default_keytab_name = ${ETCDIR}/krb5.keytab
>>     default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>     default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>     permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>> [realms]
>>     ${REALM} = {
>>         kdc = ${KDC}
>>         admin_server = ${KDC}
>>     }
>>     ${REALM2} = {
>>         kdc = ${KDC2}
>>         admin_server = ${KDC2}
>>     }
>> [domain_realm]
>>     .${DOMAIN} = ${REALM}
>>     ${DOMAIN} = ${REALM}
>>     .${DOMAIN2} = ${REALM2}
>>     ${DOMAIN2} = ${REALM2}
>>
>> [logging]
>>     kdc = FILE:/var/log/krb5kdc.log
>>     admin_server = FILE:/var/log/kadmin.log
>>     default = FILE:/var/log/krb5lib.log
>> !
>> #
>> # Create database
>> #
>> ${KDB5_UTIL} create -r ${REALM} -s <<!
>> ${REALM}00$
>> ${REALM}00$
>> !
>> #
>> # Create ACL file
>> #
>> cat > ${KADM5ACL} <<!
>> ###############################################################################
>> #Kerberos_principal      permissions     [target_principal]      [restrictions]
>> ###############################################################################
>> #
>> #*/[EMAIL PROTECTED]    *
>> */[EMAIL PROTECTED]     *
>> !
>> #
>> # Create some principals
>> #
>> ${KADMINLOCAL} <<!
>> addprinc -pw "${PASS}" krbtgt/[EMAIL PROTECTED]
>> addprinc -pw "${PASS}" krbtgt/[EMAIL PROTECTED]
>> addprinc -randkey host/${KDC}
>> addprinc -pw "Root" root/admin
>> addprinc -pw "Markus" markus/admin
>> addprinc -pw "markus" markus
>> addprinc -randkey HTTP/${KDC}
>> ktadd -k ${VARDIR}/kadm5.keytab kadmin/admin kadmin/changepw
>> ktadd -k ${ETCDIR}/krb5.keytab host/${KDC}
>> ktadd -k ${APACHEDIR}/HTTP.keytab HTTP/${KDC}
>> !
>> #
>> # Start daemons
>> #
>> /etc/init.d/krb5kdc start
>> /etc/init.d/kadmind start
>> chgrp www ${APACHEDIR}/HTTP.keytab
>> chmod g+r ${APACHEDIR}/HTTP.keytab
>> /etc/init.d/apache2 start
>>
>> ======================================================================================
>>
>> Setup of Windows 2003 R2 KDC
>>
>> Raise AD to Windows 2003 server forest functional level from AD Directory
>> and Trust tool. Then run
>>
>> ksetup.exe /addkdc SUSE.HOME opensuse.suse.home
>> ksetup.exe /addrealmflags SUSE.HOME tcpsupported
>>
>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /add /realm /twoway /PasswordT:UNIX000$
>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /transitive:yes
>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /foresttransitive:yes
>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home
>>
>> create HTTP/w2k3.windows2003.home principal with msktutil.
>>
>> =======================================================================================
>>
>> Now what I got working and what not !!
>>
>>    1) User WINDOWS2003\markus can connect with putty from Win XP to
>>       opensuse.suse.home
>>    2) User WINDOWS2003\markus can connect with IE from Win XP to
>>       http://w2k3.windows2003.home
>>    3) User WINDOWS2003\markus can connect with IE from Win XP to
>>       http://opensuse.suse.home
>>
>> => 1) User WINDOWS2003\markus-a CAN NOT connect with putty from Win XP to
>>       opensuse.suse.home (no port 88 traffic)
>>    2) User WINDOWS2003\markus-a can connect with IE from Win XP to
>>       http://w2k3.windows2003.home
>>    3) User WINDOWS2003\markus-a can connect with IE from Win XP to
>>       http://opensuse.suse.home
>>
>>    4) User WINDOWS2003\markus can connect with putty from Windows 2003
>>       kdc to opensuse.suse.home
>>    5) User WINDOWS2003\markus can connect with IE from Windows 2003 kdc
>>       to http://opensuse.suse.home
>> => 6) User WINDOWS2003\markus CAN NOT connect with IE from Windows 2003
>>       kdc to http://w2k3.windows2003.home (no port 88 traffic)
>>
>>    7) User [EMAIL PROTECTED] can connect with Firefox from OpenSuse to
>>       http://opensuse.suse.home
>>    8) User [EMAIL PROTECTED] can connect with Firefox from
>>       OpenSuse to http://opensuse.suse.home
>>    9) User [EMAIL PROTECTED] can connect with Firefox from
>>       OpenSuse to http://w2k3.windows2003.home
>> => 10) User [EMAIL PROTECTED] CAN NOT connect with Firefox from OpenSuse
>>       to http://w2k3.windows2003.home. I get a
>>       KRB5KDC_ERR_ETYPE_NOSUPP error (see below capture of AS-REQ, AS-REP,
>>       TGS-REQ, TGS-REP)
>>
>> No.     Time          Source                 Destination            Protocol Info
>>    435  51218.688966  opensuse.suse.home     opensuse.suse.home     KRB5     AS-REQ
>>
>> Frame 435 (203 bytes on wire, 203 bytes captured)
>>     Arrival Time: May 1, 2006 13:51:23.964058000
>>     Time delta from previous packet: 217.931451000 seconds
>>     Time since reference or first frame: 51218.688966000 seconds
>>     Frame Number: 435
>>     Packet Length: 203 bytes
>>     Capture Length: 203 bytes
>>     Protocols in frame: sll:ip:udp:kerberos
>> Linux cooked capture
>>     Packet type: Unicast to us (0)
>>     Link-layer address type: 772
>>     Link-layer address length: 0
>>     Source: <MISSING>
>>     Protocol: IP (0x0800)
>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: opensuse.suse.home (192.168.1.7)
>>     Version: 4
>>     Header length: 20 bytes
>>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>         .... ..0. = ECN-Capable Transport (ECT): 0
>>         .... ...0 = ECN-CE: 0
>>     Total Length: 187
>>     Identification: 0x34ac (13484)
>>     Flags: 0x04 (Don't Fragment)
>>         0... = Reserved bit: Not set
>>         .1.. = Don't fragment: Set
>>         ..0. = More fragments: Not set
>>     Fragment offset: 0
>>     Time to live: 64
>>     Protocol: UDP (0x11)
>>     Header checksum: 0x8227 [correct]
>>         Good: True
>>         Bad : False
>>     Source: opensuse.suse.home (192.168.1.7)
>>     Destination: opensuse.suse.home (192.168.1.7)
>> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
>>     Source port: 32885 (32885)
>>     Destination port: kerberos (88)
>>     Length: 167
>>     Checksum: 0x8417 [incorrect, should be 0x1303]
>> Kerberos AS-REQ
>>     Pvno: 5
>>     MSG Type: AS-REQ (10)
>>     KDC_REQ_BODY
>>         Padding: 0
>>         KDCOptions: 00000010 (Renewable OK)
>>             .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
>>             ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
>>             ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use proxiable tickets
>>             .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
>>             .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
>>             .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
>>             .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
>>             .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
>>             .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
>>             .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
>>             .... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
>>             .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
>>             .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
>>             .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
>>         Client Name (Principal): markus
>>             Name-type: Principal (1)
>>             Name: markus
>>         Realm: SUSE.HOME
>>         Server Name (Unknown): krbtgt/SUSE.HOME
>>             Name-type: Unknown (0)
>>             Name: krbtgt
>>             Name: SUSE.HOME
>>         from: 2006-05-01 12:51:23 (Z)
>>         till: 2006-05-02 12:51:23 (Z)
>>         Nonce: 1146487883
>>         Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>             Encryption type: rc4-hmac (23)
>>             Encryption type: des3-cbc-sha1 (16)
>>             Encryption type: des-cbc-crc (1)
>>             Encryption type: des-cbc-md5 (3)
>>
>> No.     Time          Source                 Destination            Protocol Info
>>    436  51218.693811  opensuse.suse.home     opensuse.suse.home     KRB5     AS-REP
>>
>> Frame 436 (598 bytes on wire, 598 bytes captured)
>>     Arrival Time: May 1, 2006 13:51:23.968903000
>>     Time delta from previous packet: 0.004845000 seconds
>>     Time since reference or first frame: 51218.693811000 seconds
>>     Frame Number: 436
>>     Packet Length: 598 bytes
>>     Capture Length: 598 bytes
>>     Protocols in frame: sll:ip:udp:kerberos
>> Linux cooked capture
>>     Packet type: Unicast to us (0)
>>     Link-layer address type: 772
>>     Link-layer address length: 0
>>     Source: <MISSING>
>>     Protocol: IP (0x0800)
>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: opensuse.suse.home (192.168.1.7)
>>     Version: 4
>>     Header length: 20 bytes
>>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>         .... ..0. = ECN-Capable Transport (ECT): 0
>>         .... ...0 = ECN-CE: 0
>>     Total Length: 582
>>     Identification: 0x001e (30)
>>     Flags: 0x04 (Don't Fragment)
>>         0... = Reserved bit: Not set
>>         .1.. = Don't fragment: Set
>>         ..0. = More fragments: Not set
>>     Fragment offset: 0
>>     Time to live: 64
>>     Protocol: UDP (0x11)
>>     Header checksum: 0xb52a [correct]
>>         Good: True
>>         Bad : False
>>     Source: opensuse.suse.home (192.168.1.7)
>>     Destination: opensuse.suse.home (192.168.1.7)
>> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
>>     Source port: kerberos (88)
>>     Destination port: 32885 (32885)
>>     Length: 562
>>     Checksum: 0x85a2 [incorrect, should be 0x84dc]
>> Kerberos AS-REP
>>     Pvno: 5
>>     MSG Type: AS-REP (11)
>>     padata: Unknown:19
>>         Type: Unknown (19)
>>         Value: 30073005A003020117
>>     Client Realm: SUSE.HOME
>>     Client Name (Principal): markus
>>         Name-type: Principal (1)
>>         Name: markus
>>     Ticket
>>         Tkt-vno: 5
>>         Realm: SUSE.HOME
>>         Server Name (Unknown): krbtgt/SUSE.HOME
>>             Name-type: Unknown (0)
>>             Name: krbtgt
>>             Name: SUSE.HOME
>>         enc-part rc4-hmac
>>             Encryption type: rc4-hmac (23)
>>             Kvno: 1
>>             enc-part: 4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1...
>>     enc-part rc4-hmac
>>         Encryption type: rc4-hmac (23)
>>         enc-part: E0E5CF0DBFEF8C3326CE6F3CB5CFFD73A355696BCD0E95CB...
>>
>> No.     Time          Source                 Destination            Protocol Info
>>    443  51229.309113  opensuse.suse.home     opensuse.suse.home     KRB5     TGS-REQ
>>
>> Frame 443 (652 bytes on wire, 652 bytes captured)
>>     Arrival Time: May 1, 2006 13:51:34.584205000
>>     Time delta from previous packet: 10.615302000 seconds
>>     Time since reference or first frame: 51229.309113000 seconds
>>     Frame Number: 443
>>     Packet Length: 652 bytes
>>     Capture Length: 652 bytes
>>     Protocols in frame: sll:ip:udp:kerberos
>> Linux cooked capture
>>     Packet type: Unicast to us (0)
>>     Link-layer address type: 772
>>     Link-layer address length: 0
>>     Source: <MISSING>
>>     Protocol: IP (0x0800)
>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: opensuse.suse.home (192.168.1.7)
>>     Version: 4
>>     Header length: 20 bytes
>>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>         .... ..0. = ECN-Capable Transport (ECT): 0
>>         .... ...0 = ECN-CE: 0
>>     Total Length: 636
>>     Identification: 0x3f0b (16139)
>>     Flags: 0x04 (Don't Fragment)
>>         0... = Reserved bit: Not set
>>         .1.. = Don't fragment: Set
>>         ..0. = More fragments: Not set
>>     Fragment offset: 0
>>     Time to live: 64
>>     Protocol: UDP (0x11)
>>     Header checksum: 0x7607 [correct]
>>         Good: True
>>         Bad : False
>>     Source: opensuse.suse.home (192.168.1.7)
>>     Destination: opensuse.suse.home (192.168.1.7)
>> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
>>     Source port: 32885 (32885)
>>     Destination port: kerberos (88)
>>     Length: 616
>>     Checksum: 0x85d8 [incorrect, should be 0x7d06]
>> Kerberos TGS-REQ
>>     Pvno: 5
>>     MSG Type: TGS-REQ (12)
>>     padata: PA-TGS-REQ
>>         Type: PA-TGS-REQ (1)
>>         Value: 6E82019D30820199A003020105A10302010EA20703050000...
>>             AP-REQ
>>                 Pvno: 5
>>                 MSG Type: AP-REQ (14)
>>                 Padding: 0
>>                 APOptions: 00000000
>>                     .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
>>                     ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
>>                 Ticket
>>                     Tkt-vno: 5
>>                     Realm: SUSE.HOME
>>                     Server Name (Unknown): krbtgt/SUSE.HOME
>>                         Name-type: Unknown (0)
>>                         Name: krbtgt
>>                         Name: SUSE.HOME
>>                     enc-part rc4-hmac
>>                         Encryption type: rc4-hmac (23)
>>                         Kvno: 1
>>                         enc-part: 4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1...
>>                 Authenticator rc4-hmac
>>                     Encryption type: rc4-hmac (23)
>>                     Authenticator data: B7008BD37B307572105D0107E309A30F6E89F74B4663A474...
>>     KDC_REQ_BODY
>>         Padding: 0
>>         KDCOptions: 00800000 (Renewable)
>>             .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
>>             ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
>>             ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use proxiable tickets
>>             .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
>>             .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
>>             .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
>>             .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
>>             .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
>>             .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
>>             .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
>>             .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
>>             .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
>>             .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
>>             .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
>>         Realm: SUSE.HOME
>>         Server Name (Unknown): krbtgt/WINDOWS2003.HOME
>>             Name-type: Unknown (0)
>>             Name: krbtgt
>>             Name: WINDOWS2003.HOME
>>         from: 2006-05-01 12:51:23 (Z)
>>         till: 2006-05-01 22:51:23 (Z)
>>         rtime: 2006-05-02 12:51:23 (Z)
>>         Nonce: 1146487891
>>         Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>             Encryption type: rc4-hmac (23)
>>             Encryption type: des3-cbc-sha1 (16)
>>             Encryption type: des-cbc-crc (1)
>>             Encryption type: des-cbc-md5 (3)
>>
>> No.     Time          Source                 Destination            Protocol Info
>>    444  51229.328348  opensuse.suse.home     opensuse.suse.home     KRB5     TGS-REP
>>
>> Frame 444 (629 bytes on wire, 629 bytes captured)
>>     Arrival Time: May 1, 2006 13:51:34.603440000
>>     Time delta from previous packet: 0.019235000 seconds
>>     Time since reference or first frame: 51229.328348000 seconds
>>     Frame Number: 444
>>     Packet Length: 629 bytes
>>     Capture Length: 629 bytes
>>     Protocols in frame: sll:ip:udp:kerberos
>> Linux cooked capture
>>     Packet type: Unicast to us (0)
>>     Link-layer address type: 772
>>     Link-layer address length: 0
>>     Source: <MISSING>
>>     Protocol: IP (0x0800)
>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: opensuse.suse.home (192.168.1.7)
>>     Version: 4
>>     Header length: 20 bytes
>>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>         .... ..0. = ECN-Capable Transport (ECT): 0
>>         .... ...0 = ECN-CE: 0
>>     Total Length: 613
>>     Identification: 0x001f (31)
>>     Flags: 0x04 (Don't Fragment)
>>         0... = Reserved bit: Not set
>>         .1.. = Don't fragment: Set
>>         ..0. = More fragments: Not set
>>     Fragment offset: 0
>>     Time to live: 64
>>     Protocol: UDP (0x11)
>>     Header checksum: 0xb50a [correct]
>>         Good: True
>>         Bad : False
>>     Source: opensuse.suse.home (192.168.1.7)
>>     Destination: opensuse.suse.home (192.168.1.7)
>> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
>>     Source port: kerberos (88)
>>     Destination port: 32885 (32885)
>>     Length: 593
>>     Checksum: 0x85c1 [incorrect, should be 0x3f5c]
>> Kerberos TGS-REP
>>     Pvno: 5
>>     MSG Type: TGS-REP (13)
>>     Client Realm: SUSE.HOME
>>     Client Name (Principal): markus
>>         Name-type: Principal (1)
>>         Name: markus
>>     Ticket
>>         Tkt-vno: 5
>>         Realm: SUSE.HOME
>>         Server Name (Unknown): krbtgt/WINDOWS2003.HOME
>>             Name-type: Unknown (0)
>>             Name: krbtgt
>>             Name: WINDOWS2003.HOME
>>         enc-part rc4-hmac
>>             Encryption type: rc4-hmac (23)
>>             Kvno: 1
>>             enc-part: 46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE...
>>     enc-part rc4-hmac
>>         Encryption type: rc4-hmac (23)
>>         enc-part: 981F6F1C48DBB164CDAB8E7C4439D8C29B9DD584929E8580...
>>
>> No.     Time          Source                 Destination                   Protocol Info
>>    445  51229.329735  opensuse.suse.home     windows2003.windows2003.home  KRB5     TGS-REQ
>>
>> Frame 445 (651 bytes on wire, 651 bytes captured)
>>     Arrival Time: May 1, 2006 13:51:34.604827000
>>     Time delta from previous packet: 0.001387000 seconds
>>     Time since reference or first frame: 51229.329735000 seconds
>>     Frame Number: 445
>>     Packet Length: 651 bytes
>>     Capture Length: 651 bytes
>>     Protocols in frame: sll:ip:udp:kerberos
>> Linux cooked capture
>>     Packet type: Sent by us (4)
>>     Link-layer address type: 1
>>     Link-layer address length: 6
>>     Source: Vmware_02:d5:f5 (00:0c:29:02:d5:f5)
>>     Protocol: IP (0x0800)
>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: windows2003.windows2003.home (192.168.1.5)
>>     Version: 4
>>     Header length: 20 bytes
>>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>         .... ..0. = ECN-Capable Transport (ECT): 0
>>         .... ...0 = ECN-CE: 0
>>     Total Length: 635
>>     Identification: 0x3f10 (16144)
>>     Flags: 0x04 (Don't Fragment)
>>         0... = Reserved bit: Not set
>>         .1.. = Don't fragment: Set
>>         ..0. = More fragments: Not set
>>     Fragment offset: 0
>>     Time to live: 64
>>     Protocol: UDP (0x11)
>>     Header checksum: 0x7605 [correct]
>>         Good: True
>>         Bad : False
>>     Source: opensuse.suse.home (192.168.1.7)
>>     Destination: windows2003.windows2003.home (192.168.1.5)
>> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
>>     Source port: 32885 (32885)
>>     Destination port: kerberos (88)
>>     Length: 615
>>     Checksum: 0x9902 [correct]
>> Kerberos TGS-REQ
>>     Pvno: 5
>>     MSG Type: TGS-REQ (12)
>>     padata: PA-TGS-REQ
>>         Type: PA-TGS-REQ (1)
>>         Value: 6E8201BA308201B6A003020105A10302010EA20703050000...
>>             AP-REQ
>>                 Pvno: 5
>>                 MSG Type: AP-REQ (14)
>>                 Padding: 0
>>                 APOptions: 00000000
>>                     .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
>>                     ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
>>                 Ticket
>>                     Tkt-vno: 5
>>                     Realm: SUSE.HOME
>>                     Server Name (Unknown): krbtgt/WINDOWS2003.HOME
>>                         Name-type: Unknown (0)
>>                         Name: krbtgt
>>                         Name: WINDOWS2003.HOME
>>                     enc-part rc4-hmac
>>                         Encryption type: rc4-hmac (23)
>>                         Kvno: 1
>>                         enc-part: 46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE...
>>                 Authenticator rc4-hmac
>>                     Encryption type: rc4-hmac (23)
>>                     Authenticator data: FE71BE32F2BFF609F021A368F6DAF66CC42C00C7508FB8E2...
>>     KDC_REQ_BODY
>>         Padding: 0
>>         KDCOptions: 00800000 (Renewable)
>>             .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
>>             ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
>>             ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use proxiable tickets
>>             .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
>>             .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
>>             .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
>>             .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
>>             .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
>>             .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
>>             .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
>>             .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
>>             .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
>>             .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
>>             .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
>>         Realm: WINDOWS2003.HOME
>>         Server Name (Service and Host): HTTP/w2k3.windows2003.home
>>             Name-type: Service and Host (3)
>>             Name: HTTP
>>             Name: w2k3.windows2003.home
>>         till: 2006-05-01 22:51:23 (Z)
>>         Nonce: 1146487891
>>         Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>             Encryption type: rc4-hmac (23)
>>             Encryption type: des3-cbc-sha1 (16)
>>             Encryption type: des-cbc-crc (1)
>>             Encryption type: des-cbc-md5 (3)
>>
>> No.     Time          Source                        Destination            Protocol Info
>>    446  51229.334347  windows2003.windows2003.home  opensuse.suse.home     KRB5     KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP
>>
>> Frame 446 (151 bytes on wire, 151 bytes captured)
>>     Arrival Time: May 1, 2006 13:51:34.609439000
>>     Time delta from previous packet: 0.004612000 seconds
>>     Time since reference or first frame: 51229.334347000 seconds
>>     Frame Number: 446
>>     Packet Length: 151 bytes
>>     Capture Length: 151 bytes
>>     Protocols in frame: sll:ip:udp:kerberos
>> Linux cooked capture
>>     Packet type: Unicast to us (0)
>>     Link-layer address type: 1
>>     Link-layer address length: 6
>>     Source: Vmware_71:05:9f (00:0c:29:71:05:9f)
>>     Protocol: IP (0x0800)
>> Internet Protocol, Src: windows2003.windows2003.home (192.168.1.5), Dst: opensuse.suse.home (192.168.1.7)
>>     Version: 4
>>     Header length: 20 bytes
>>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>         .... ..0. = ECN-Capable Transport (ECT): 0
>>         .... ...0 = ECN-CE: 0
>>     Total Length: 135
>>     Identification: 0xdebe (57022)
>>     Flags: 0x00
>>         0... = Reserved bit: Not set
>>         .0.. = Don't fragment: Not set
>>         ..0. = More fragments: Not set
>>     Fragment offset: 0
>>     Time to live: 128
>>     Protocol: UDP (0x11)
>>     Header checksum: 0xd84a [correct]
>>         Good: True
>>         Bad : False
>>     Source: windows2003.windows2003.home (192.168.1.5)
>>     Destination: opensuse.suse.home (192.168.1.7)
>> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
>>     Source port: kerberos (88)
>>     Destination port: 32885 (32885)
>>     Length: 115
>>     Checksum: 0xb7f8 [correct]
>> Kerberos KRB-ERROR
>>     Pvno: 5
>>     MSG Type: KRB-ERROR (30)
>>     stime: 2006-05-01 12:51:33 (Z)
>>     susec: 907050
>>     error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
>>     Realm: WINDOWS2003.HOME
>>     Server Name (Service and Host): HTTP/w2k3.windows2003.home
>>         Name-type: Service and Host (3)
>>         Name: HTTP
>>         Name: w2k3.windows2003.home
>>
>> "Markus Moeller" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]
>>> Is there anywhere a howto for setting up a oneway or even twoway trust
>>> between a Windows 2003 SP1/R2 server and a MIT kdc with rc4-hmac
>>> encryption ?
>>>
>>> Thank you
>>> Markus
>>>
>>
>

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
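The capture in the thread ends with the Windows KDC answering the TGS-REQ for HTTP/w2k3.windows2003.home with KRB5KDC_ERR_ETYPE_NOSUPP (14), while the same client succeeds once krb5.conf is narrowed to DES. The following is an added example, not code from the thread, from MIT Kerberos or from Microsoft: a small Python model of how a KDC chooses an enctype on a TGS exchange and when it has nothing to choose. It parses enctype lists in the kdc.conf/krb5.conf syntax the script above uses and the `Encryption type:` lines of a Wireshark text dump, then walks the two TGS hops the capture shows (MIT KDC issues the cross-realm TGT, the AD KDC is asked for the service ticket with it). The key tables for the AD side are assumptions, since the thread does not say which enctypes the trust key or the HTTP key actually hold; the model's rule that a missing krbtgt or service key of the required enctype yields error 14 is a simplification of the KDC logic, chosen so the two scenarios reproduce the thread's symptom.

```python
"""Model of KDC enctype selection across a cross-realm TGS walk (added example).

Assumptions of the model (constructed, not stated in the thread):
  * a KDC can only decrypt a presented TGT if it holds the krbtgt key in
    that ticket's enctype, and can only issue a service ticket in an
    enctype for which the target principal has a key;
  * when either key is missing it answers KRB5KDC_ERR_ETYPE_NOSUPP (14).
"""
import re

# RFC 3961 / RFC 4757 enctype numbers, spelled as krb5.conf and Wireshark spell them.
ETYPE_IDS = {"des-cbc-crc": 1, "des-cbc-md5": 3, "des3-cbc-sha1": 16, "rc4-hmac": 23}
KRB5KDC_ERR_ETYPE_NOSUPP = 14

# Same list the thread's kdc.conf sets for supported_enctypes.
KDC_CONF_ENCTYPES = "rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal"


def parse_enctype_list(value):
    """Parse a kdc.conf/krb5.conf enctype list, keeping the client's preference order.

    kdc.conf entries carry a ':salt' suffix ('rc4-hmac:normal'); krb5.conf ones do not.
    """
    names = []
    for tok in value.split():
        name = tok.split(":", 1)[0].lower()
        if name not in ETYPE_IDS:
            raise ValueError("unknown enctype %r" % name)
        names.append(name)
    return names


def parse_capture_etypes(dump):
    """Pull the 'Encryption type: rc4-hmac (23)' lines out of a Wireshark text dump, in order."""
    return [m.group(1).lower()
            for m in re.finditer(r"Encryption type:\s*([\w-]+)\s*\(\d+\)", dump)]


def select_etype(requested, key_etypes):
    """First client-preferred enctype the KDC holds a key for, else None."""
    available = set(key_etypes)
    for et in requested:
        if et in available:
            return et
    return None


def handle_tgs_req(requested, tgt_etype, tgt_key_etypes, service_key_etypes):
    """Model one TGS exchange: returns ('TGS-REP', etype) or ('KRB-ERROR', 14, reason)."""
    if tgt_etype not in tgt_key_etypes:
        return ("KRB-ERROR", KRB5KDC_ERR_ETYPE_NOSUPP,
                "no krbtgt key of enctype %s to decrypt the presented TGT" % tgt_etype)
    chosen = select_etype(requested, service_key_etypes)
    if chosen is None:
        return ("KRB-ERROR", KRB5KDC_ERR_ETYPE_NOSUPP,
                "no service key matches requested %s" % ",".join(requested))
    return ("TGS-REP", chosen)


def cross_realm_walk(requested, tgt_etype, mit_keys, ad_keys):
    """Hop 1 at the MIT KDC (cross-realm TGT), hop 2 at the AD KDC (service ticket).

    Returns (which KDC answered last, its answer).
    """
    hop1 = handle_tgs_req(requested, tgt_etype,
                          mit_keys["krbtgt/SUSE.HOME@SUSE.HOME"],
                          mit_keys["krbtgt/WINDOWS2003.HOME@SUSE.HOME"])
    if hop1[0] != "TGS-REP":
        return ("MIT", hop1)
    hop2 = handle_tgs_req(requested, hop1[1],
                          ad_keys["krbtgt/WINDOWS2003.HOME@SUSE.HOME"],
                          ad_keys["HTTP/w2k3.windows2003.home@WINDOWS2003.HOME"])
    return ("AD", hop2)


# Constructed key tables. The MIT side holds every enctype its kdc.conf lists;
# for the AD side we ASSUME the inter-realm key exists only in DES, one
# configuration under which rc4 fails and a DES-only client succeeds.
MIT_KEYS = {
    "krbtgt/SUSE.HOME@SUSE.HOME": parse_enctype_list(KDC_CONF_ENCTYPES),
    "krbtgt/WINDOWS2003.HOME@SUSE.HOME": parse_enctype_list(KDC_CONF_ENCTYPES),
}
AD_KEYS = {
    "krbtgt/WINDOWS2003.HOME@SUSE.HOME": ["des-cbc-md5", "des-cbc-crc"],
    "HTTP/w2k3.windows2003.home@WINDOWS2003.HOME": ["rc4-hmac", "des-cbc-md5", "des-cbc-crc"],
}

# Constructed excerpt in the layout of the thread's TGS-REQ dump.
CAPTURED_TGS_REQ = """\
        Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
            Encryption type: rc4-hmac (23)
            Encryption type: des3-cbc-sha1 (16)
            Encryption type: des-cbc-crc (1)
            Encryption type: des-cbc-md5 (3)
"""


def run_scenarios():
    """Captured request (rc4 TGT) versus the DES-only client the thread reports as working."""
    return {
        "as captured": cross_realm_walk(parse_capture_etypes(CAPTURED_TGS_REQ),
                                        "rc4-hmac", MIT_KEYS, AD_KEYS),
        "des only": cross_realm_walk(parse_enctype_list("des-cbc-crc des-cbc-md5"),
                                     "des-cbc-crc", MIT_KEYS, AD_KEYS),
    }


if __name__ == "__main__":
    for name, (kdc, outcome) in run_scenarios().items():
        print("%-12s -> %s KDC: %s" % (name, kdc, outcome))
```

Run it as-is to see the two outcomes; to test a different hypothesis about the AD side, change only `AD_KEYS`. The point the model makes is that the enctype list in the TGS-REQ body is only half of the negotiation: the enctype of the ticket presented in PA-TGS-REQ must also match a key the answering KDC has, which is why narrowing the client's `default_tgs_enctypes` can change the answer of a KDC whose own service key would have accepted rc4-hmac.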
