We have previously successfully set up cross-realm between our Heimdal realm and a Windows Server 2008 R2 based AD domain, but I'm now trying to set up cross-realm to a 2k3 based AD domain and having problems.
On the Windows side, they have entered our realm in lowercase, which may cause some issues at some point, but I don't think I'm getting far enough to strike that yet.

If I kinit a user principal from the Windows domain then try to ssh into one of our machines, it fails with "KDC has no support for encryption type":

icon% kinit [email protected]
[email protected]'s Password:
icon% klist -v
Credentials cache: FILE:/tmp/krb5cc_XXX
Principal: [email protected]
Cache version: 4
Server: krbtgt/[email protected]
Client: [email protected]
Ticket etype: arcfour-hmac-md5, kvno 2
Ticket length: 1192
Auth time: Jun 16 12:37:55 2011
End time: Jun 16 22:37:55 2011
Renew till: Jun 23 12:37:55 2011
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless
icon% ssh -v debretts
[...]
debug1: Miscellaneous failure (see text)
KDC has no support for encryption type
[...]

Wireshark shows me that it's sending a TGS-REQ to the AD KDC for the cross-realm TGT krbtgt/[email protected] with encryption types:

aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96
des3-cdc-sha
rc4-hmac

and that the KDC is returning KRB5KDC_ERR_ETYPE_NOSUPP.

Surely the rc4-hmac type should be supported? What is going on here?

cheers
mark

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
