Dear Claudia, we have just tested a similar environment.
As Douglas points out, the encryption types might be the problem. To solve this you should try the following:

Windows only supports these enctypes:
  aes256-cts-hmac-sha1-96:normal
  aes128-cts-hmac-sha1-96:normal
  rc4-hmac:normal
  des-cbc-crc:normal
  des-cbc-md5:normal
(all written in krb5.conf/MIT nomenclature <http://dict.leo.org/ende?lp=ende&p=wLMDfwkAA&search=nomenclature&trestr=0x8001>)

-> the des-cbc-XXX types are insecure and disabled in Server 2008 (R2) and MIT Kerberos by default
-> the aes types are only supported by Server 2008, Server 2008 R2, Vista and Win7, not in Server 2003/XP or older
=> for testing, rc4-hmac:normal is the easiest solution, as it is supported in all versions from Win2000 to Win2008R2

In our testing environment we use:
-> kdc.conf:
     supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal rc4-hmac:normal
   but as Douglas pointed out, that might be unnecessary
-> krb5.conf:
     default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
     default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
-> Server 2008 R2 as DC and Domain/Forest functional level
-> WinXP and Win7 clients

When you need 3des types for some reason (Unix-based services where you have no choice) or don't know how to get it out of MIT Kerberos without starting from the beginning, you have to be careful what you do when creating the cross-realm principal in MIT.

It helps best to tell kadmin.local exactly what to use when creating the cross-realm principals:

  kadmin.local: addprinc -requires_preauth -e "rc4-hmac:normal" krbtgt/[email protected]

gives you only the rc4-hmac principal, which should work with any Windows AD functional level or server version.

  kadmin.local: addprinc -requires_preauth -e "aes256-cts-hmac-sha1-96:normal" krbtgt/[email protected]

is best if you never plan to use any DC older than Windows 2008.

If MIT needs to trust AD (which means any MIT-based UNIX service needs to be accessible by an AD user using his AD password; for normal pass-thru authentication this is not necessary):

  kadmin.local: addprinc -requires_preauth -e "aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal rc4-hmac:normal" krbtgt/[email protected]

(here I use all enctypes Server 2008 might think are a good idea to use for tickets used by the MIT TGT)

To see what you have done up to now (maybe the non-working 3des in the principal), try this:

  kadmin.local: get_principal krbtgt/[email protected]

It shows you everything concerning the principal, especially the enctypes used.

The rest of the story:
- On the Windows machine, on both Windows 7 and Windows Server 2008, using "ksetup /addRealm ......" is the right thing to do...
- Be careful with DNS names (especially reverse lookup) and "hosttorealm" mappings, which can help you causing or solving problems -- it cost us some days to figure that out in the end ;-)

After being able to log in as [email protected] on an AD.MYDOMAIN.COM-integrated workstation, using services on a second computer (a simple SMB file share, for example) is the next step...

++Robert

On 27.08.2010 17:50, Douglas E. Engert wrote:
>
>> It seems to me that there are still problems with the encryption type.
> Based on the error message, AD does not like one or both of these either
> because it does not support it (3DES) or it thinks the W7 does not support it.
>
> The main difference is Windows has no support for 3DES, and both newer
> MIT and Windows turn off DES by default.
>
>> However, I've followed the suggestions of Ross to enable aes. And I think
>> most parts of the enctypes are already enabled by default.
>>
>> In the kdc.conf on mit kdc, I've set:
>> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
>> des-cbc-crc:afs3 rc4-mac:normal aes256-cts:normal
> You should not need to use the supported_enctypes.
>
>> Do I need to set "default_enctypes; default_tkt_enctypes;
>> default_tgt_enctypes; permitted_enctypes" in the "krb5.conf" file? When I
>> check some documents online, not all of them have this configuration.
> I would try without these.
>

--
Dr. Robert Wehn                 [email protected]
Rechenzentrum                   www.rz.uni-augsburg.de
Universitätsstraße 8            Tel: +49 821 598-2047
86159 Augsburg, Germany         Fax: +49 821 598-2028
________________________________________________
Kerberos mailing list  [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
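An added check, not part of this thread or of MIT krb5, that applies the compatibility rules Robert lists (AES and RC4 usable with AD, 3DES not supported by Windows, single DES disabled by default) to enctype lists such as the quoted supported_enctypes line or the "Key:" lines of get_principal output; the alias table is an assumption about MIT's accepted names, and the sample strings are constructed:

```python
"""Added check: classify Kerberos enctype lists for an MIT <-> AD cross-realm trust."""
import re

# Aliases MIT accepts in krb5.conf/kdc.conf, mapped to the canonical name (assumed list).
ALIASES = {
    "arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac",
    "aes256-cts": "aes256-cts-hmac-sha1-96", "aes128-cts": "aes128-cts-hmac-sha1-96",
    "des3-hmac-sha1": "des3-cbc-sha1", "des3-cbc-sha1-kd": "des3-cbc-sha1",
}

# Verdict per enctype family for a Windows AD peer, as summarised in the mail above.
VERDICTS = [
    (re.compile(r"^aes(128|256)-cts-hmac-sha1-96$"), "ok (Server 2008/Vista/Win7 or newer)"),
    (re.compile(r"^rc4-hmac$"), "ok (Win2000 .. Win2008R2)"),
    (re.compile(r"^des3-"), "unsupported by Windows"),
    (re.compile(r"^des-"), "disabled by default in Server 2008 and MIT"),
]

def normalize(entry):
    """'des3-hmac-sha1:normal' -> 'des3-cbc-sha1': drop the salt type, resolve aliases."""
    name = entry.split(":", 1)[0].strip().lower()
    return ALIASES.get(name, name)

def classify(enctypes):
    """Map each canonical enctype in the list to its verdict for an AD peer."""
    result = {}
    for entry in enctypes:
        name = normalize(entry)
        verdict = next((v for pat, v in VERDICTS if pat.match(name)),
                       "unknown enctype (typo?)")
        result[name] = verdict
    return result

def ad_usable(enctypes):
    """Enctypes an AD DC would actually negotiate: AES and RC4 only."""
    return sorted(n for n, v in classify(enctypes).items() if v.startswith("ok"))

def keys_from_get_principal(text):
    """Pull enctype names out of get_principal output. Assumes the short-name
    form 'Key: vno 1, des3-cbc-sha1'; older kadmin prints descriptive names."""
    return re.findall(r"^Key: vno \d+, ([\w-]+)", text, re.M)

if __name__ == "__main__":
    # Constructed sample: the supported_enctypes line quoted in the thread.
    quoted = ("des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal "
              "des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 "
              "des-cbc-crc:afs3 rc4-mac:normal aes256-cts:normal").split()
    for name, verdict in classify(quoted).items():
        print(f"{name:26} {verdict}")
```

The misspelt "rc4-mac" in the quoted config is reported as unknown rather than silently matched, which is the kind of slip get_principal output would otherwise reveal only after the trust fails.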
