On 6/15/2011 8:07 PM, Mark Davies wrote:
> We have previously successfully set up cross-realm between our heimdal
> realm and a windows server 2008 r2 based AD domain, but I'm now trying
> to set up cross-realm to a 2k3 based AD domain and having problems.
>
> On the windows side, they have entered our realm in lowercase which
> may cause some issues at some point but I don't think I'm getting far
> enough to strike that yet.
>
> If I kinit a user principal from the windows domain then try to ssh
> into one of our machines it fails with "KDC has no support for
> encryption type"
>
> icon% kinit [email protected]
> [email protected]'s Password:
> icon% klist -v
> Credentials cache: FILE:/tmp/krb5cc_XXX
> Principal: [email protected]
> Cache version: 4
>
> Server: krbtgt/[email protected]
> Client: [email protected]
> Ticket etype: arcfour-hmac-md5, kvno 2
> Ticket length: 1192
> Auth time: Jun 16 12:37:55 2011
> End time: Jun 16 22:37:55 2011
> Renew till: Jun 23 12:37:55 2011
> Ticket flags: pre-authent, initial, renewable, forwardable
> Addresses: addressless
>
> icon% ssh -v debretts
> [...]
> debug1: Miscellaneous failure (see text)
> KDC has no support for encryption type
> [...]
>
> wireshark shows me that it's sending a TGS-REQ to the AD KDC
> for the cross realm tgt krbtgt/[email protected]
> with encryption types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> des3-cdc-sha rc4-hmac
> and that the KDC is returning KRB5KDC_ERR_ETYPE_NOSUPP
>
> surely the rc4-hmac type should be supported?
Yes it should be. But when you set up the cross realm trust, did W2K3
assume the MIT realm could only do DES? Is the des-only bit on in the
TGT account in AD? DES is off by default in most Kerberos and W2008.

> What is going on here?
>
> cheers
> mark
> ________________________________________________
> Kerberos mailing list
> [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
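The negotiation the two messages describe, modelled as an added example (not code from the thread, from Heimdal, or from Windows): the client's TGS-REQ carries an etype list, the KDC can only answer in an etype it holds a key for on the target account, and an empty intersection is reported as KRB5KDC_ERR_ETYPE_NOSUPP. The constants are the documented values (etype numbers from RFC 3961/3962/4757, the `UF_USE_DES_KEY_ONLY` userAccountControl bit, the `msDS-SupportedEncryptionTypes` bits from MS-KILE). The KDC selection rule in `server_etypes` and `choose_etype` is a deliberate simplification and is an assumption, as are the realm names used in comments; the client etype list is constructed from the wireshark output quoted above.

```python
# Added example: simplified model of the TGS-REQ etype negotiation behind
# KRB5KDC_ERR_ETYPE_NOSUPP in the thread above. Not Heimdal or Windows code.
# Flag constants are the documented values; the KDC selection rule below is
# a simplification and an assumption.

# Kerberos etype numbers (RFC 3961, RFC 3962, RFC 4757).
DES_CBC_CRC = 1
DES_CBC_MD5 = 3
DES3_CBC_SHA1 = 16
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
RC4_HMAC = 23

ETYPE_NAMES = {
    DES_CBC_CRC: "des-cbc-crc",
    DES_CBC_MD5: "des-cbc-md5",
    DES3_CBC_SHA1: "des3-cbc-sha1",
    AES128_CTS_HMAC_SHA1_96: "aes128-cts-hmac-sha1-96",
    AES256_CTS_HMAC_SHA1_96: "aes256-cts-hmac-sha1-96",
    RC4_HMAC: "rc4-hmac",
}

KRB5KDC_ERR_ETYPE_NOSUPP = 14  # "KDC has no support for encryption type"

# userAccountControl bit "Use DES key only" (MS-ADTS / MS-SAMR). This is the
# "des-only bit" the reply above asks about.
UF_USE_DES_KEY_ONLY = 0x200000

# msDS-SupportedEncryptionTypes bits (MS-KILE 2.2.7). The attribute exists on
# Windows Server 2008 and later; a Server 2003 DC does not have it.
KERB_ENCTYPE_DES_CBC_CRC = 0x01
KERB_ENCTYPE_DES_CBC_MD5 = 0x02
KERB_ENCTYPE_RC4_HMAC_MD5 = 0x04
KERB_ENCTYPE_AES128 = 0x08
KERB_ENCTYPE_AES256 = 0x10

_SET_BITS = [
    (KERB_ENCTYPE_DES_CBC_CRC, DES_CBC_CRC),
    (KERB_ENCTYPE_DES_CBC_MD5, DES_CBC_MD5),
    (KERB_ENCTYPE_RC4_HMAC_MD5, RC4_HMAC),
    (KERB_ENCTYPE_AES128, AES128_CTS_HMAC_SHA1_96),
    (KERB_ENCTYPE_AES256, AES256_CTS_HMAC_SHA1_96),
]


def server_etypes(user_account_control, supported_enc_types=None):
    """Etypes the KDC can issue a ticket in for one service/trust account.

    Simplifying assumptions: the DES-only UAC bit overrides everything else;
    an account with no msDS-SupportedEncryptionTypes (the Server 2003 case)
    is treated as RC4 + DES capable.
    """
    if user_account_control & UF_USE_DES_KEY_ONLY:
        return {DES_CBC_CRC, DES_CBC_MD5}
    if supported_enc_types is None:
        return {RC4_HMAC, DES_CBC_CRC, DES_CBC_MD5}
    return {et for bit, et in _SET_BITS if supported_enc_types & bit}


def choose_etype(client_etypes, server):
    """First etype in the client's TGS-REQ list the server has a key for.
    Returns (etype, None) on success or (None, error_code) on failure."""
    for et in client_etypes:
        if et in server:
            return et, None
    return None, KRB5KDC_ERR_ETYPE_NOSUPP


# Constructed from the wireshark output quoted above: the etypes Heimdal put
# in the TGS-REQ, in that order. No DES types, DES being off by default.
HEIMDAL_TGS_REQ_ETYPES = [
    AES256_CTS_HMAC_SHA1_96,
    AES128_CTS_HMAC_SHA1_96,
    DES3_CBC_SHA1,
    RC4_HMAC,
]


def diagnose_trust(user_account_control, supported_enc_types=None,
                   client_etypes=HEIMDAL_TGS_REQ_ETYPES):
    """Run the negotiation for the cross-realm krbtgt (hypothetical
    krbtgt/HEIMDAL.REALM@AD.REALM) given the AD trust account's attributes.
    Returns (etype, error_code)."""
    server = server_etypes(user_account_control, supported_enc_types)
    return choose_etype(client_etypes, server)


if __name__ == "__main__":
    for label, uac in (("des-only bit set  ", UF_USE_DES_KEY_ONLY),
                       ("des-only bit clear", 0)):
        et, err = diagnose_trust(uac)
        outcome = ETYPE_NAMES[et] if et else f"KRB-ERROR {err} (ETYPE_NOSUPP)"
        print(f"{label} -> {outcome}")
```

In this model the des-only bit alone turns the capture in the question (client offers aes256, aes128, des3, rc4; nothing DES) into error 14, and clearing it yields the rc4-hmac ticket the poster expected. The practical check is therefore the `userAccountControl` attribute of the trust account for the Heimdal realm on the 2003 DC: if `0x200000` is set, clearing it is the fix. Making the Heimdal client offer DES types would also make the model succeed, but only by negotiating the cross-realm ticket down to DES, which is the weaker outcome.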
