I should have researched better in the old archives. With ktpass /MITRealmName SUSE.HOME /trustencryp rc4 run on the Windows kdc I now get a trust with RC4 encryption.
Markus

"Markus Moeller" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> If I change the encryption type on my OpenSuse kdc to DES only and do the
> mapping on the user in AD and not via ksetup I can login with markus from
> domain SUSE.HOME.
>
> Does this mean there is still no trust with rc4-hmac possible ??
>
> Thanks
> Markus
>
> "Markus Moeller" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>> Three further observations
>>
>> => 1) User WINDOWS2003\markus-a CAN NOT connect with putty from Win XP to
>>    opensuse.suse.home (no port 88 traffic)
>>    I can connect as user WINDOWS2003\markus-a with putty 0.58 with
>>    GSSAPI (e.g. MIT libraries) from Win XP to opensuse.suse.home
>> => 10) User [EMAIL PROTECTED] CAN NOT connect with Firefox from OpenSuse to
>>    http://w2k3.windows2003.home. I get a KRB5KDC_ERR_ETYPE_NOSUPP
>>    error (see below capture of AS-REQ, AS-REP, TGS-REQ, TGS-REP)
>>    It works when I change the encryption types in krb5.conf to only
>>    des on OpenSuse.
>>
>> and I CAN NOT login to the Win XP box as markus from domain SUSE.HOME. I
>> tried ksetup /mapuser * * with no success.
>>
>> Any idea what I need to change ?
>>
>> Thank you
>> Markus
>>
>> "Markus Moeller" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]
>>> I searched a bit more and found some hints how to set it up. But I still
>>> have a couple of problems. Does anybody have an idea why I get a
>>> KRB5KDC_ERR_ETYPE_NOSUPP error when I try to access a webserver in the
>>> WINDOWS domain from a MIT domain ?
>>>
>>> Thank you
>>> Markus
>>>
>>> My sample setup:
>>>
>>> 1. OpenSuse with kdc opensuse.suse.home for SUSE.HOME realm for all
>>>    systems in *.suse.home domain (which is based on MIT 1.4.1)
>>> 2. Windows 2003 R2 kdc w2k3.windows2003.home for WINDOWS2003.HOME realm
>>>    for all systems in *.windows2003.home domain
>>> 3. Run Apache2 with mod_spnego on opensuse.suse.home allows all valid
>>>    users (the same host as kdc for testing only)
>>> 4. Run Apache2 with mod_spnego on w2k3.windows.home allows all valid
>>>    users (the same host as the kdc for testing with kfw 3.0 installed too
>>>    to build mod_spnego)
>>> 5. Windows XP system winxp.windows2003.home in realm WINDOWS2003.HOME
>>> 6. Run putty 0.57 from Vintela with SSPI support on Windows XP
>>>
>>> Both kdc's have a user markus. The Windows kdc has also a user markus-a
>>> which does not exist in the OpenSuse kdc
>>>
>>> On OpenSuse markus had a .k5login file with:
>>> [EMAIL PROTECTED]
>>> [EMAIL PROTECTED]
>>> [EMAIL PROTECTED]
>>>
>>> =======================================================================
>>>
>>> Setup of kdc on OpenSuse with Apache2 and mod_spnego
>>>
>>> #!/bin/ksh
>>> DATE=`date +%Y%m%d.%H%M%S`
>>> #
>>> # OpenSuse binary locations
>>> #
>>> KDB5_UTIL=/usr/lib/mit/sbin/kdb5_util
>>> KADMINLOCAL=/usr/lib/mit/sbin/kadmin.local
>>> #
>>> # Directories and Files
>>> #
>>> VARDIR=/var/lib/kerberos/krb5kdc
>>> ETCDIR=/etc
>>> APACHEDIR=/etc/apache2
>>> KDC_CONF_DIR=${VARDIR}
>>> KADM5ACL=${VARDIR}/kadm5.acl
>>> #
>>> # Realms
>>> #
>>> REALM=SUSE.HOME
>>> REALM2=WINDOWS2003.HOME
>>> KDC=opensuse.suse.home
>>> KDC2=w2k3.windows2003.home
>>> DOMAIN=suse.home
>>> DOMAIN2=windows2003.home
>>> #
>>> PASS="UNIX000$"
>>> #
>>> # stop daemons
>>> #
>>> /etc/init.d/krb5kdc stop
>>> /etc/init.d/kadmind stop
>>> /etc/init.d/apache2 stop
>>> #
>>> # Save old configs
>>> #
>>> mkdir ${VARDIR}/version-${DATE}
>>> mv ${KDC_CONF_DIR}/kdc.conf ${KDC_CONF_DIR}/kdc.conf-${DATE}
>>> mv ${VARDIR}/principal* ${VARDIR}/version-${DATE}/
>>> mv ${VARDIR}/kadm5* ${VARDIR}/version-${DATE}/
>>> mv ${KADM5ACL} ${KADM5ACL}-${DATE}
>>> mv ${VARDIR}/.k5.* ${VARDIR}/version-${DATE}/
>>>
>>> mv ${ETCDIR}/krb5.conf ${ETCDIR}/krb5.conf-${DATE}
>>> mv ${ETCDIR}/krb5.keytab ${ETCDIR}/krb5.keytab-${DATE}
>>>
>>> mv ${APACHEDIR}/HTTP.keytab ${APACHEDIR}/HTTP.keytab-${DATE}
>>> #
>>> # Create kdc.conf
>>> #
>>> cat > ${KDC_CONF_DIR}/kdc.conf <<!
>>> [kdcdefaults]
>>>     kdc_ports = 750,88
>>> [realms]
>>>     ${REALM} = {
>>>         database_name = ${VARDIR}/principal
>>>         admin_keytab = FILE:${VARDIR}/kadm5.keytab
>>>         acl_file = ${KADM5ACL}
>>>         key_stash_file = ${VARDIR}/.k5.${REALM}
>>>         kdc_ports = 750,88
>>>         supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
>>>         kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
>>>         max_life = 10h 0m 0s
>>>         max_renewable_life = 7d 0h 0m 0s
>>>     }
>>> [logging]
>>>     kdc = FILE:/var/log/kdc.log
>>>     admin_server = FILE:/var/log/kadmin.log
>>> !
>>> #
>>> # Create krb5.conf
>>> #
>>> cat > ${ETCDIR}/krb5.conf <<!
>>> [libdefaults]
>>>     default_realm = ${REALM}
>>>     dns_lookup_kdc = no
>>>     dns_lookup_realm = no
>>>     default_keytab_name = ${ETCDIR}/krb5.keytab
>>>     default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>>     default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>>     permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>> [realms]
>>>     ${REALM} = {
>>>         kdc = ${KDC}
>>>         admin_server = ${KDC}
>>>     }
>>>     ${REALM2} = {
>>>         kdc = ${KDC2}
>>>         admin_server = ${KDC2}
>>>     }
>>> [domain_realm]
>>>     .${DOMAIN} = ${REALM}
>>>     ${DOMAIN} = ${REALM}
>>>     .${DOMAIN2} = ${REALM2}
>>>     ${DOMAIN2} = ${REALM2}
>>>
>>> [logging]
>>>     kdc = FILE:/var/log/krb5kdc.log
>>>     admin_server = FILE:/var/log/kadmin.log
>>>     default = FILE:/var/log/krb5lib.log
>>> !
>>> #
>>> # Create database
>>> #
>>> ${KDB5_UTIL} create -r ${REALM} -s <<!
>>> ${REALM}00$
>>> ${REALM}00$
>>> !
>>> #
>>> # Create ACL file
>>> #
>>> cat > ${KADM5ACL} <<!
>>> ###############################################################################
>>> #Kerberos_principal permissions [target_principal] [restrictions]
>>> ###############################################################################
>>> #
>>> #*/[EMAIL PROTECTED] *
>>> */[EMAIL PROTECTED] *
>>> !
>>> #
>>> # Create some principals
>>> #
>>> ${KADMINLOCAL} <<!
>>> addprinc -pw "${PASS}" krbtgt/[EMAIL PROTECTED]
>>> addprinc -pw "${PASS}" krbtgt/[EMAIL PROTECTED]
>>> addprinc -randkey host/${KDC}
>>> addprinc -pw "Root" root/admin
>>> addprinc -pw "Markus" markus/admin
>>> addprinc -pw "markus" markus
>>> addprinc -randkey HTTP/${KDC}
>>> ktadd -k ${VARDIR}/kadm5.keytab kadmin/admin kadmin/changepw
>>> ktadd -k ${ETCDIR}/krb5.keytab host/${KDC}
>>> ktadd -k ${APACHEDIR}/HTTP.keytab HTTP/${KDC}
>>> !
>>> #
>>> # Start daemons
>>> #
>>> /etc/init.d/krb5kdc start
>>> /etc/init.d/kadmind start
>>> chgrp www ${APACHEDIR}/HTTP.keytab
>>> chmod g+r ${APACHEDIR}/HTTP.keytab
>>> /etc/init.d/apache2 start
>>>
>>> ======================================================================================
>>>
>>> Setup of Windows 2003 R2 KDC
>>>
>>> Raise AD to Windows 2003 server forest functional level from AD
>>> Directory and Trust tool. Then run
>>>
>>> ksetup.exe /addkdc SUSE.HOME opensuse.suse.home
>>> ksetup.exe /addrealmflags SUSE.HOME tcpsupported
>>>
>>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /add /realm /twoway /PasswordT:UNIX000$
>>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /transitive:yes
>>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /foresttransitive:yes
>>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home
>>>
>>> create HTTP/w2k3.windows2003.home principal with msktutil.
>>>
>>> =======================================================================================
>>>
>>> Now what I got working and what not !!
>>>
>>> 1) User WINDOWS2003\markus can connect with putty from Win XP to
>>>    opensuse.suse.home
>>> 2) User WINDOWS2003\markus can connect with IE from Win XP to
>>>    http://w2k3.windows2003.home
>>> 3) User WINDOWS2003\markus can connect with IE from Win XP to
>>>    http://opensuse.suse.home
>>>
>>> => 1) User WINDOWS2003\markus-a CAN NOT connect with putty from Win XP
>>>    to opensuse.suse.home (no port 88 traffic)
>>> 2) User WINDOWS2003\markus-a can connect with IE from Win XP to
>>>    http://w2k3.windows2003.home
>>> 3) User WINDOWS2003\markus-a can connect with IE from Win XP to
>>>    http://opensuse.suse.home
>>>
>>> 4) User WINDOWS2003\markus can connect with putty from Windows 2003
>>>    kdc to opensuse.suse.home
>>> 5) User WINDOWS2003\markus can connect with IE from Windows 2003 kdc
>>>    to http://opensuse.suse.home
>>> => 6) User WINDOWS2003\markus CAN NOT connect with IE from Windows 2003
>>>    kdc to http://w2k3.windows2003.home (no port 88 traffic)
>>>
>>> 7) User [EMAIL PROTECTED] can connect with Firefox from OpenSuse to
>>>    http://opensuse.suse.home
>>> 8) User [EMAIL PROTECTED] can connect with Firefox from
>>>    OpenSuse to http://opensuse.suse.home
>>> 9) User [EMAIL PROTECTED] can connect with Firefox from
>>>    OpenSuse to http://w2k3.windows2003.home
>>> => 10) User [EMAIL PROTECTED] CAN NOT connect with Firefox from OpenSuse
>>>    to http://w2k3.windows2003.home. I get a
>>>    KRB5KDC_ERR_ETYPE_NOSUPP error (see below capture of AS-REQ, AS-REP,
>>>    TGS-REQ, TGS-REP)
>>>
>>> No.  Time          Source              Destination         Protocol Info
>>> 435  51218.688966  opensuse.suse.home  opensuse.suse.home  KRB5     AS-REQ
>>>
>>> Frame 435 (203 bytes on wire, 203 bytes captured)
>>>     Arrival Time: May 1, 2006 13:51:23.964058000
>>>     Time delta from previous packet: 217.931451000 seconds
>>>     Time since reference or first frame: 51218.688966000 seconds
>>>     Frame Number: 435
>>>     Packet Length: 203 bytes
>>>     Capture Length: 203 bytes
>>>     Protocols in frame: sll:ip:udp:kerberos
>>> Linux cooked capture
>>>     Packet type: Unicast to us (0)
>>>     Link-layer address type: 772
>>>     Link-layer address length: 0
>>>     Source: <MISSING>
>>>     Protocol: IP (0x0800)
>>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: opensuse.suse.home (192.168.1.7)
>>>     Version: 4
>>>     Header length: 20 bytes
>>>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>>         .... ..0. = ECN-Capable Transport (ECT): 0
>>>         .... ...0 = ECN-CE: 0
>>>     Total Length: 187
>>>     Identification: 0x34ac (13484)
>>>     Flags: 0x04 (Don't Fragment)
>>>         0... = Reserved bit: Not set
>>>         .1.. = Don't fragment: Set
>>>         ..0. = More fragments: Not set
>>>     Fragment offset: 0
>>>     Time to live: 64
>>>     Protocol: UDP (0x11)
>>>     Header checksum: 0x8227 [correct]
>>>         Good: True
>>>         Bad : False
>>>     Source: opensuse.suse.home (192.168.1.7)
>>>     Destination: opensuse.suse.home (192.168.1.7)
>>> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
>>>     Source port: 32885 (32885)
>>>     Destination port: kerberos (88)
>>>     Length: 167
>>>     Checksum: 0x8417 [incorrect, should be 0x1303]
>>> Kerberos AS-REQ
>>>     Pvno: 5
>>>     MSG Type: AS-REQ (10)
>>>     KDC_REQ_BODY
>>>         Padding: 0
>>>         KDCOptions: 00000010 (Renewable OK)
>>>             .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
>>>             ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
>>>             ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use proxiable tickets
>>>             .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
>>>             .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
>>>             .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
>>>             .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
>>>             .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
>>>             .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
>>>             .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
>>>             .... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
>>>             .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
>>>             .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
>>>             .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
>>>         Client Name (Principal): markus
>>>             Name-type: Principal (1)
>>>             Name: markus
>>>         Realm: SUSE.HOME
>>>         Server Name (Unknown): krbtgt/SUSE.HOME
>>>             Name-type: Unknown (0)
>>>             Name: krbtgt
>>>             Name: SUSE.HOME
>>>         from: 2006-05-01 12:51:23 (Z)
>>>         till: 2006-05-02 12:51:23 (Z)
>>>         Nonce: 1146487883
>>>         Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>>             Encryption type: rc4-hmac (23)
>>>             Encryption type: des3-cbc-sha1 (16)
>>>             Encryption type: des-cbc-crc (1)
>>>             Encryption type: des-cbc-md5 (3)
>>>
>>> No.  Time          Source              Destination         Protocol Info
>>> 436  51218.693811  opensuse.suse.home  opensuse.suse.home  KRB5     AS-REP
>>>
>>> Frame 436 (598 bytes on wire, 598 bytes captured)
>>>     Arrival Time: May 1, 2006 13:51:23.968903000
>>>     Time delta from previous packet: 0.004845000 seconds
>>>     Time since reference or first frame: 51218.693811000 seconds
>>>     Frame Number: 436
>>>     Packet Length: 598 bytes
>>>     Capture Length: 598 bytes
>>>     Protocols in frame: sll:ip:udp:kerberos
>>> Linux cooked capture
>>>     Packet type: Unicast to us (0)
>>>     Link-layer address type: 772
>>>     Link-layer address length: 0
>>>     Source: <MISSING>
>>>     Protocol: IP (0x0800)
>>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: opensuse.suse.home (192.168.1.7)
>>>     Version: 4
>>>     Header length: 20 bytes
>>>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>>         .... ..0. = ECN-Capable Transport (ECT): 0
>>>         .... ...0 = ECN-CE: 0
>>>     Total Length: 582
>>>     Identification: 0x001e (30)
>>>     Flags: 0x04 (Don't Fragment)
>>>         0... = Reserved bit: Not set
>>>         .1.. = Don't fragment: Set
>>>         ..0. = More fragments: Not set
>>>     Fragment offset: 0
>>>     Time to live: 64
>>>     Protocol: UDP (0x11)
>>>     Header checksum: 0xb52a [correct]
>>>         Good: True
>>>         Bad : False
>>>     Source: opensuse.suse.home (192.168.1.7)
>>>     Destination: opensuse.suse.home (192.168.1.7)
>>> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
>>>     Source port: kerberos (88)
>>>     Destination port: 32885 (32885)
>>>     Length: 562
>>>     Checksum: 0x85a2 [incorrect, should be 0x84dc]
>>> Kerberos AS-REP
>>>     Pvno: 5
>>>     MSG Type: AS-REP (11)
>>>     padata: Unknown:19
>>>         Type: Unknown (19)
>>>         Value: 30073005A003020117
>>>     Client Realm: SUSE.HOME
>>>     Client Name (Principal): markus
>>>         Name-type: Principal (1)
>>>         Name: markus
>>>     Ticket
>>>         Tkt-vno: 5
>>>         Realm: SUSE.HOME
>>>         Server Name (Unknown): krbtgt/SUSE.HOME
>>>             Name-type: Unknown (0)
>>>             Name: krbtgt
>>>             Name: SUSE.HOME
>>>         enc-part rc4-hmac
>>>             Encryption type: rc4-hmac (23)
>>>             Kvno: 1
>>>             enc-part: 4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1...
>>>     enc-part rc4-hmac
>>>         Encryption type: rc4-hmac (23)
>>>         enc-part: E0E5CF0DBFEF8C3326CE6F3CB5CFFD73A355696BCD0E95CB...
>>>
>>> No.  Time          Source              Destination         Protocol Info
>>> 443  51229.309113  opensuse.suse.home  opensuse.suse.home  KRB5     TGS-REQ
>>>
>>> Frame 443 (652 bytes on wire, 652 bytes captured)
>>>     Arrival Time: May 1, 2006 13:51:34.584205000
>>>     Time delta from previous packet: 10.615302000 seconds
>>>     Time since reference or first frame: 51229.309113000 seconds
>>>     Frame Number: 443
>>>     Packet Length: 652 bytes
>>>     Capture Length: 652 bytes
>>>     Protocols in frame: sll:ip:udp:kerberos
>>> Linux cooked capture
>>>     Packet type: Unicast to us (0)
>>>     Link-layer address type: 772
>>>     Link-layer address length: 0
>>>     Source: <MISSING>
>>>     Protocol: IP (0x0800)
>>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: opensuse.suse.home (192.168.1.7)
>>>     Version: 4
>>>     Header length: 20 bytes
>>>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>>         .... ..0. = ECN-Capable Transport (ECT): 0
>>>         .... ...0 = ECN-CE: 0
>>>     Total Length: 636
>>>     Identification: 0x3f0b (16139)
>>>     Flags: 0x04 (Don't Fragment)
>>>         0... = Reserved bit: Not set
>>>         .1.. = Don't fragment: Set
>>>         ..0. = More fragments: Not set
>>>     Fragment offset: 0
>>>     Time to live: 64
>>>     Protocol: UDP (0x11)
>>>     Header checksum: 0x7607 [correct]
>>>         Good: True
>>>         Bad : False
>>>     Source: opensuse.suse.home (192.168.1.7)
>>>     Destination: opensuse.suse.home (192.168.1.7)
>>> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
>>>     Source port: 32885 (32885)
>>>     Destination port: kerberos (88)
>>>     Length: 616
>>>     Checksum: 0x85d8 [incorrect, should be 0x7d06]
>>> Kerberos TGS-REQ
>>>     Pvno: 5
>>>     MSG Type: TGS-REQ (12)
>>>     padata: PA-TGS-REQ
>>>         Type: PA-TGS-REQ (1)
>>>         Value: 6E82019D30820199A003020105A10302010EA20703050000...
>>>         AP-REQ
>>>             Pvno: 5
>>>             MSG Type: AP-REQ (14)
>>>             Padding: 0
>>>             APOptions: 00000000
>>>                 .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
>>>                 ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
>>>             Ticket
>>>                 Tkt-vno: 5
>>>                 Realm: SUSE.HOME
>>>                 Server Name (Unknown): krbtgt/SUSE.HOME
>>>                     Name-type: Unknown (0)
>>>                     Name: krbtgt
>>>                     Name: SUSE.HOME
>>>                 enc-part rc4-hmac
>>>                     Encryption type: rc4-hmac (23)
>>>                     Kvno: 1
>>>                     enc-part: 4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1...
>>>             Authenticator rc4-hmac
>>>                 Encryption type: rc4-hmac (23)
>>>                 Authenticator data: B7008BD37B307572105D0107E309A30F6E89F74B4663A474...
>>>     KDC_REQ_BODY
>>>         Padding: 0
>>>         KDCOptions: 00800000 (Renewable)
>>>             .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
>>>             ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
>>>             ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use proxiable tickets
>>>             .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
>>>             .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
>>>             .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
>>>             .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
>>>             .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
>>>             .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
>>>             .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
>>>             .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
>>>             .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
>>>             .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
>>>             .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
>>>         Realm: SUSE.HOME
>>>         Server Name (Unknown): krbtgt/WINDOWS2003.HOME
>>>             Name-type: Unknown (0)
>>>             Name: krbtgt
>>>             Name: WINDOWS2003.HOME
>>>         from: 2006-05-01 12:51:23 (Z)
>>>         till: 2006-05-01 22:51:23 (Z)
>>>         rtime: 2006-05-02 12:51:23 (Z)
>>>         Nonce: 1146487891
>>>         Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>>             Encryption type: rc4-hmac (23)
>>>             Encryption type: des3-cbc-sha1 (16)
>>>             Encryption type: des-cbc-crc (1)
>>>             Encryption type: des-cbc-md5 (3)
>>>
>>> No.  Time          Source              Destination         Protocol Info
>>> 444  51229.328348  opensuse.suse.home  opensuse.suse.home  KRB5     TGS-REP
>>>
>>> Frame 444 (629 bytes on wire, 629 bytes captured)
>>>     Arrival Time: May 1, 2006 13:51:34.603440000
>>>     Time delta from previous packet: 0.019235000 seconds
>>>     Time since reference or first frame: 51229.328348000 seconds
>>>     Frame Number: 444
>>>     Packet Length: 629 bytes
>>>     Capture Length: 629 bytes
>>>     Protocols in frame: sll:ip:udp:kerberos
>>> Linux cooked capture
>>>     Packet type: Unicast to us (0)
>>>     Link-layer address type: 772
>>>     Link-layer address length: 0
>>>     Source: <MISSING>
>>>     Protocol: IP (0x0800)
>>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: opensuse.suse.home (192.168.1.7)
>>>     Version: 4
>>>     Header length: 20 bytes
>>>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>>         .... ..0. = ECN-Capable Transport (ECT): 0
>>>         .... ...0 = ECN-CE: 0
>>>     Total Length: 613
>>>     Identification: 0x001f (31)
>>>     Flags: 0x04 (Don't Fragment)
>>>         0... = Reserved bit: Not set
>>>         .1.. = Don't fragment: Set
>>>         ..0. = More fragments: Not set
>>>     Fragment offset: 0
>>>     Time to live: 64
>>>     Protocol: UDP (0x11)
>>>     Header checksum: 0xb50a [correct]
>>>         Good: True
>>>         Bad : False
>>>     Source: opensuse.suse.home (192.168.1.7)
>>>     Destination: opensuse.suse.home (192.168.1.7)
>>> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
>>>     Source port: kerberos (88)
>>>     Destination port: 32885 (32885)
>>>     Length: 593
>>>     Checksum: 0x85c1 [incorrect, should be 0x3f5c]
>>> Kerberos TGS-REP
>>>     Pvno: 5
>>>     MSG Type: TGS-REP (13)
>>>     Client Realm: SUSE.HOME
>>>     Client Name (Principal): markus
>>>         Name-type: Principal (1)
>>>         Name: markus
>>>     Ticket
>>>         Tkt-vno: 5
>>>         Realm: SUSE.HOME
>>>         Server Name (Unknown): krbtgt/WINDOWS2003.HOME
>>>             Name-type: Unknown (0)
>>>             Name: krbtgt
>>>             Name: WINDOWS2003.HOME
>>>         enc-part rc4-hmac
>>>             Encryption type: rc4-hmac (23)
>>>             Kvno: 1
>>>             enc-part: 46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE...
>>>     enc-part rc4-hmac
>>>         Encryption type: rc4-hmac (23)
>>>         enc-part: 981F6F1C48DBB164CDAB8E7C4439D8C29B9DD584929E8580...
>>>
>>> No.  Time          Source              Destination                   Protocol Info
>>> 445  51229.329735  opensuse.suse.home  windows2003.windows2003.home  KRB5     TGS-REQ
>>>
>>> Frame 445 (651 bytes on wire, 651 bytes captured)
>>>     Arrival Time: May 1, 2006 13:51:34.604827000
>>>     Time delta from previous packet: 0.001387000 seconds
>>>     Time since reference or first frame: 51229.329735000 seconds
>>>     Frame Number: 445
>>>     Packet Length: 651 bytes
>>>     Capture Length: 651 bytes
>>>     Protocols in frame: sll:ip:udp:kerberos
>>> Linux cooked capture
>>>     Packet type: Sent by us (4)
>>>     Link-layer address type: 1
>>>     Link-layer address length: 6
>>>     Source: Vmware_02:d5:f5 (00:0c:29:02:d5:f5)
>>>     Protocol: IP (0x0800)
>>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: windows2003.windows2003.home (192.168.1.5)
>>>     Version: 4
>>>     Header length: 20 bytes
>>>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>>         .... ..0. = ECN-Capable Transport (ECT): 0
>>>         .... ...0 = ECN-CE: 0
>>>     Total Length: 635
>>>     Identification: 0x3f10 (16144)
>>>     Flags: 0x04 (Don't Fragment)
>>>         0... = Reserved bit: Not set
>>>         .1.. = Don't fragment: Set
>>>         ..0. = More fragments: Not set
>>>     Fragment offset: 0
>>>     Time to live: 64
>>>     Protocol: UDP (0x11)
>>>     Header checksum: 0x7605 [correct]
>>>         Good: True
>>>         Bad : False
>>>     Source: opensuse.suse.home (192.168.1.7)
>>>     Destination: windows2003.windows2003.home (192.168.1.5)
>>> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
>>>     Source port: 32885 (32885)
>>>     Destination port: kerberos (88)
>>>     Length: 615
>>>     Checksum: 0x9902 [correct]
>>> Kerberos TGS-REQ
>>>     Pvno: 5
>>>     MSG Type: TGS-REQ (12)
>>>     padata: PA-TGS-REQ
>>>         Type: PA-TGS-REQ (1)
>>>         Value: 6E8201BA308201B6A003020105A10302010EA20703050000...
>>>         AP-REQ
>>>             Pvno: 5
>>>             MSG Type: AP-REQ (14)
>>>             Padding: 0
>>>             APOptions: 00000000
>>>                 .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
>>>                 ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
>>>             Ticket
>>>                 Tkt-vno: 5
>>>                 Realm: SUSE.HOME
>>>                 Server Name (Unknown): krbtgt/WINDOWS2003.HOME
>>>                     Name-type: Unknown (0)
>>>                     Name: krbtgt
>>>                     Name: WINDOWS2003.HOME
>>>                 enc-part rc4-hmac
>>>                     Encryption type: rc4-hmac (23)
>>>                     Kvno: 1
>>>                     enc-part: 46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE...
>>>             Authenticator rc4-hmac
>>>                 Encryption type: rc4-hmac (23)
>>>                 Authenticator data: FE71BE32F2BFF609F021A368F6DAF66CC42C00C7508FB8E2...
>>>     KDC_REQ_BODY
>>>         Padding: 0
>>>         KDCOptions: 00800000 (Renewable)
>>>             .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
>>>             ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
>>>             ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use proxiable tickets
>>>             .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
>>>             .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
>>>             .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
>>>             .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
>>>             .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
>>>             .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
>>>             .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
>>>             .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
>>>             .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
>>>             .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
>>>             .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
>>>         Realm: WINDOWS2003.HOME
>>>         Server Name (Service and Host): HTTP/w2k3.windows2003.home
>>>             Name-type: Service and Host (3)
>>>             Name: HTTP
>>>             Name: w2k3.windows2003.home
>>>         till: 2006-05-01 22:51:23 (Z)
>>>         Nonce: 1146487891
>>>         Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>>             Encryption type: rc4-hmac (23)
>>>             Encryption type: des3-cbc-sha1 (16)
>>>             Encryption type: des-cbc-crc (1)
>>>             Encryption type: des-cbc-md5 (3)
>>>
>>> No.  Time          Source                        Destination         Protocol Info
>>> 446  51229.334347  windows2003.windows2003.home  opensuse.suse.home  KRB5     KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP
>>>
>>> Frame 446 (151 bytes on wire, 151 bytes captured)
>>>     Arrival Time: May 1, 2006 13:51:34.609439000
>>>     Time delta from previous packet: 0.004612000 seconds
>>>     Time since reference or first frame: 51229.334347000 seconds
>>>     Frame Number: 446
>>>     Packet Length: 151 bytes
>>>     Capture Length: 151 bytes
>>>     Protocols in frame: sll:ip:udp:kerberos
>>> Linux cooked capture
>>>     Packet type: Unicast to us (0)
>>>     Link-layer address type: 1
>>>     Link-layer address length: 6
>>>     Source: Vmware_71:05:9f (00:0c:29:71:05:9f)
>>>     Protocol: IP (0x0800)
>>> Internet Protocol, Src: windows2003.windows2003.home (192.168.1.5), Dst: opensuse.suse.home (192.168.1.7)
>>>     Version: 4
>>>     Header length: 20 bytes
>>>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>>>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>>>         .... ..0. = ECN-Capable Transport (ECT): 0
>>>         .... ...0 = ECN-CE: 0
>>>     Total Length: 135
>>>     Identification: 0xdebe (57022)
>>>     Flags: 0x00
>>>         0... = Reserved bit: Not set
>>>         .0.. = Don't fragment: Not set
>>>         ..0. = More fragments: Not set
>>>     Fragment offset: 0
>>>     Time to live: 128
>>>     Protocol: UDP (0x11)
>>>     Header checksum: 0xd84a [correct]
>>>         Good: True
>>>         Bad : False
>>>     Source: windows2003.windows2003.home (192.168.1.5)
>>>     Destination: opensuse.suse.home (192.168.1.7)
>>> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
>>>     Source port: kerberos (88)
>>>     Destination port: 32885 (32885)
>>>     Length: 115
>>>     Checksum: 0xb7f8 [correct]
>>> Kerberos KRB-ERROR
>>>     Pvno: 5
>>>     MSG Type: KRB-ERROR (30)
>>>     stime: 2006-05-01 12:51:33 (Z)
>>>     susec: 907050
>>>     error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
>>>     Realm: WINDOWS2003.HOME
>>>     Server Name (Service and Host): HTTP/w2k3.windows2003.home
>>>         Name-type: Service and Host (3)
>>>         Name: HTTP
>>>         Name: w2k3.windows2003.home
>>>
>>> "Markus Moeller" <[EMAIL PROTECTED]> wrote in message
>>> news:[EMAIL PROTECTED]
>>>> Is there anywhere a howto for setting up a oneway or even twoway trust
>>>> between a Windows 2003 SP1/R2 server and a MIT kdc with rc4-hmac
>>>> encryption ?
>>>>
>>>> Thank you
>>>> Markus
>>>>
>>>
>>
>

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
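Added example, not part of the thread: a small Python triage script that pulls the Kerberos fields out of a Wireshark text dissection like the one quoted above and, given an inventory of the enctypes the answering KDC holds for the inbound trust key and for the service key, reports which key cannot serve the request. The sample dissection and both key inventories are constructed here to mirror frames 445/446 and the ktpass /trustencryp rc4 fix in the reply; the point is to locate the mismatched key before weakening a realm to DES.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class KrbMsg:
    msg_type: str                                    # AS-REQ, AS-REP, TGS-REQ, TGS-REP, KRB-ERROR
    ticket_realm: str = ""                           # realm of the ticket presented (first Realm seen)
    req_realm: str = ""                              # realm of the requested server (last Realm seen)
    sname: str = ""                                  # requested server principal (last Server Name seen)
    req_etypes: List[str] = field(default_factory=list)      # enctypes the client offered
    encpart_etypes: List[str] = field(default_factory=list)  # enctypes of enc-parts in the frame
    error: Optional[str] = None


_MSG_RE = re.compile(r"Kerberos (AS-REQ|AS-REP|TGS-REQ|TGS-REP|KRB-ERROR)$")
_ENC_RE = re.compile(r"(?:enc-part|Authenticator) ([a-z0-9-]+)$")   # "enc-part rc4-hmac", not "enc-part: 4057..."


def parse_dissection(text: str) -> List[KrbMsg]:
    """Extract the Kerberos-relevant fields from a Wireshark text dissection (mail quoting tolerated)."""
    msgs: List[KrbMsg] = []
    for raw in text.splitlines():
        s = raw.strip().lstrip("> ").strip()         # drop '>>>' quoting and indentation
        m = _MSG_RE.match(s)
        if m:
            msgs.append(KrbMsg(m.group(1)))
            continue
        if not msgs:
            continue
        cur = msgs[-1]
        enc = _ENC_RE.match(s)
        if s.startswith("Server Name"):
            cur.sname = s.split(":", 1)[1].strip()
        elif s.startswith("Realm:"):
            realm = s.split(":", 1)[1].strip()
            if not cur.ticket_realm:
                cur.ticket_realm = realm             # in a TGS-REQ the Ticket's Realm comes first
            cur.req_realm = realm                    # the KDC_REQ_BODY's Realm comes last
        elif s.startswith("Encryption Types:"):
            cur.req_etypes = s.split(":", 1)[1].split()
        elif enc:
            cur.encpart_etypes.append(enc.group(1))
        elif s.startswith("error_code:"):
            cur.error = s.split(":", 1)[1].split()[0]
    return msgs


def pick_etype(offered: List[str], supported: List[str]) -> Optional[str]:
    """A KDC uses the first enctype in the client's offered list for which it holds a key."""
    return next((e for e in offered if e in supported), None)


def diagnose(msgs: List[KrbMsg], kdc_keys: Dict[str, List[str]]) -> List[str]:
    """Explain an ETYPE_NOSUPP answer to a cross-realm TGS-REQ.

    kdc_keys maps principals held by the answering KDC to the enctypes of their keys:
    the inbound trust key krbtgt/<local realm>@<client realm> and the service key.
    """
    findings: List[str] = []
    for i, m in enumerate(msgs):
        if m.msg_type != "KRB-ERROR" or m.error != "KRB5KDC_ERR_ETYPE_NOSUPP":
            continue
        req = next((p for p in reversed(msgs[:i]) if p.msg_type == "TGS-REQ"), None)
        if req is None:
            continue
        # 1) The KDC needs a key of the presented TGT's enctype just to open it.
        trust = f"krbtgt/{req.req_realm}@{req.ticket_realm}"
        tgt_etype = req.encpart_etypes[0] if req.encpart_etypes else "?"
        if tgt_etype not in kdc_keys.get(trust, []):
            findings.append(f"{trust}: no {tgt_etype} key for the presented cross-realm TGT")
        # 2) It also needs an enctype common to the client's offer and the service key.
        if pick_etype(req.req_etypes, kdc_keys.get(req.sname, [])) is None:
            findings.append(f"{req.sname}: no key matching offered {' '.join(req.req_etypes)}")
    return findings


# Constructed, abridged dissection modelled on frames 445/446 of the thread.
SAMPLE = """\
Kerberos TGS-REQ
    padata: PA-TGS-REQ
        AP-REQ
            Ticket
                Realm: SUSE.HOME
                Server Name (Unknown): krbtgt/WINDOWS2003.HOME
                enc-part rc4-hmac
            Authenticator rc4-hmac
    KDC_REQ_BODY
        Realm: WINDOWS2003.HOME
        Server Name (Service and Host): HTTP/w2k3.windows2003.home
        Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
Kerberos KRB-ERROR
    error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
    Realm: WINDOWS2003.HOME
    Server Name (Service and Host): HTTP/w2k3.windows2003.home
"""

# Constructed key inventories for the Windows KDC: a DES-only trust key, then the RC4 trust key.
KEYS_BEFORE = {"krbtgt/WINDOWS2003.HOME@SUSE.HOME": ["des-cbc-md5", "des-cbc-crc"],
               "HTTP/w2k3.windows2003.home": ["rc4-hmac"]}
KEYS_AFTER = {"krbtgt/WINDOWS2003.HOME@SUSE.HOME": ["rc4-hmac"],
              "HTTP/w2k3.windows2003.home": ["rc4-hmac"]}


def demo():
    msgs = parse_dissection(SAMPLE)
    return diagnose(msgs, KEYS_BEFORE), diagnose(msgs, KEYS_AFTER)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```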
