Hi there. Providing more information in the hope that someone will be able to help:
This is the process I've followed.

In Windows 2008 (MEL.DOMAIN.COM domain):
  Started Active Directory Domains and Trusts.
  Right click on the domain name -> Properties.
  Select Trusts -> New Trust.
  Entered M.DOMAIN.COM; made it two-way; non-transitive; typed the password. Validate.

On the MIT KDC machine (M.DOMAIN.COM realm), in kadmin.local:

  kadmin.local:  ank +requires_preauth krbtgt/[email protected]
  WARNING: no policy specified for krbtgt/[email protected]; defaulting to no policy
  Enter password for principal "krbtgt/[email protected]":
  Re-enter password for principal "krbtgt/[email protected]":
  Principal "krbtgt/[email protected]" created.
  kadmin.local:  ank +requires_preauth krbtgt/[email protected]
  WARNING: no policy specified for krbtgt/[email protected]; defaulting to no policy
  Enter password for principal "krbtgt/[email protected]":
  Re-enter password for principal "krbtgt/[email protected]":
  Principal "krbtgt/[email protected]" created.

In the above, I used the same password (32 random characters) as I used on the Windows 2008 server.

Edited /etc/krb5.conf on the KDC as follows:

  [libdefaults]
   default_realm = M.DOMAIN.COM

  [realms]
   M.DOMAIN.COM = {
    admin_server = m.domain.com
    kdc = m.domain.com
   }
   MEL.DOMAIN.COM = {
    admin_server = ad.domain.com
    kdc = ad.domain.com
   }

  [domain_realm]
   domain.com = M.DOMAIN.COM
   .domain.com = M.DOMAIN.COM
   .m.domain.com = M.DOMAIN.COM
   .mel.domain.com = MEL.DOMAIN.COM

  [capaths]
   MEL.DOMAIN.COM.COM = {
    M.DOMAIN.COM = .
   }
   M.DOMAIN.COM = {
    MEL.DOMAIN.COM = .
   }

---

On the web server using mod_auth_kerb: I set /etc/krb5.conf as above... People with a M.DOMAIN.COM ticket can connect fine, as that's what it is configured for.

On my PC, I then got a ticket as [email protected] and tried to connect to the web server, and it fails, prompting me for a username/password (it's set up to accept any user with Kerberos authtype).

On the KDC, in the log I see:

  Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0, <unknown client> for HTTP/[email protected], Decrypt integrity check failed
  Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0, <unknown client> for HTTP/[email protected], Decrypt integrity check failed
  Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0, <unknown client> for HTTP/[email protected], Decrypt integrity check failed
  Feb 07 16:10:54 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.108: PROCESS_TGS: authtime 0, <unknown client> for HTTP/[email protected], Decrypt integrity check failed

Which leads me to believe that there's an incorrect password set somewhere... but which one? I'm a tad puzzled about what's going on. If someone could shed some light it would be greatly appreciated.

Thank you
Jean-Yves
________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
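An added example, not part of the post above: a small consistency checker for the cross-realm sections of a krb5.conf. It parses the subset of krb5.conf syntax the post uses ([sections], key = value, and nested "realm = { ... }" blocks) and reports realm names in [capaths], [domain_realm] or default_realm that have no matching [realms] entry, plus [capaths] entries missing the reverse path a two-way trust needs. The configuration texts embedded below are constructed from the post (the [capaths] key MEL.DOMAIN.COM.COM is copied as written); the function and constant names are my own.

```python
"""Added example: cross-realm consistency checks for krb5.conf (not from the post)."""
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^\[(\w+)\]$")
ASSIGN_RE = re.compile(r"^([^=\s][^=]*?)\s*=\s*(.*)$")

# krb5.conf constructed from the post; the [capaths] key MEL.DOMAIN.COM.COM is verbatim.
POSTED_CONF = """
[libdefaults]
 default_realm = M.DOMAIN.COM
[realms]
 M.DOMAIN.COM = {
  admin_server = m.domain.com
  kdc = m.domain.com
 }
 MEL.DOMAIN.COM = {
  admin_server = ad.domain.com
  kdc = ad.domain.com
 }
[domain_realm]
 domain.com = M.DOMAIN.COM
 .domain.com = M.DOMAIN.COM
 .m.domain.com = M.DOMAIN.COM
 .mel.domain.com = MEL.DOMAIN.COM
[capaths]
 MEL.DOMAIN.COM.COM = {
  M.DOMAIN.COM = .
 }
 M.DOMAIN.COM = {
  MEL.DOMAIN.COM = .
 }
"""

# Same text with the [capaths] realm name matching its [realms] entry (constructed).
CORRECTED_CONF = POSTED_CONF.replace("MEL.DOMAIN.COM.COM", "MEL.DOMAIN.COM")


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse [sections], 'key = value' lines and nested 'key = { ... }' blocks.

    Returns {section: {key: value_or_nested_dict}}. Lines after '#' are comments.
    """
    sections: Dict[str, dict] = {}
    stack: List[dict] = []  # innermost open dict is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if not stack:
            raise ValueError(f"assignment outside any section: {raw!r}")
        m = ASSIGN_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = m.group(1).strip(), m.group(2).strip()
        if value == "{":
            block: dict = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    return sections


def check_cross_realm(conf: Dict[str, dict]) -> List[str]:
    """Return a list of human-readable findings; an empty list means consistent."""
    findings: List[str] = []
    realms = set(conf.get("realms", {}))
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm and default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] entry")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] {domain} maps to unknown realm {realm}")
    capaths = conf.get("capaths", {})
    for client, targets in capaths.items():
        if client not in realms:
            findings.append(f"[capaths] client realm {client} has no [realms] entry")
        if not isinstance(targets, dict):
            continue
        for server in targets:
            if server not in realms:
                findings.append(f"[capaths] server realm {server} has no [realms] entry")
            # A two-way trust needs the path in both directions.
            if client not in capaths.get(server, {}):
                findings.append(f"[capaths] no reverse path {server} -> {client}")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("corrected", CORRECTED_CONF)):
        print(f"{label}: {check_cross_realm(parse_krb5_conf(text)) or 'OK'}")
```

Run it against a real /etc/krb5.conf by reading the file into parse_krb5_conf. A checker like this only catches naming and path mismatches in the configuration; a "Decrypt integrity check failed" on a cross-realm TGS_REQ means the KDC could not decrypt the presented cross-realm TGT with its own copy of the krbtgt key, which points at the two KDCs holding different keys for the shared krbtgt principals (password, salt or enctype), something no config parse can see.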
