Dear list,
We are currently in the process of setting up a centralized
authentication server for Linux, W2k, and Tru64. The central AS is a
MIT KDC on a Linux machine. Authentication from Linux and W2k (cross
realm trust with ADS) works fine, but so far I cannot get the Tru64
Boxes to authenticate against the KDC.
Tru64 System: 5.1B + PK3 (=5.1B-1?)
W2KSSO installed
w2ksetup fails when invoking "creacct -h `hostname` -u". So I tried a
simple kinit:
Password for klaus_at_PHYSIK.FU-BERLIN.DE:
kinit
KDC reply did not match expectations
From a tcpdump I could see that the Tru64 kinit uses
Pre_authentication. The Pre_authentication seems to succeed on the
KDC. Here is the relevant part of the KDC's log file:
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {5}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus_at_PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE_at_PHYSIK.FU-BERLIN.DE, KDC has no support for encryption type
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {3}) 160.45.33.151: BAD_ENCRYPTION_TYPE: klaus_at_PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE_at_PHYSIK.FU-BERLIN.DE, KDC has no support for encryption type
Mar 10 13:10:38 z63 krb5kdc[14024](info): AS_REQ (1 etypes {1}) 160.45.33.151: ISSUE: authtime 1078920638, etypes {rep=1 tkt=16 ses=1}, klaus_at_PHYSIK.FU-BERLIN.DE for krbtgt/PHYSIK.FU-BERLIN.DE_at_PHYSIK.FU-BERLIN.DE
OK, our KDC currently has only etypes 1 and 16 for principals, but this
shouldn't be a problem.
What exactly is it that Tru64's kinit is expecting from the KDC and
not getting?
If it helps, here is the principal klaus_at_PHYSIK.FU-BERLIN.DE:
kadmin: getprinc klaus
Principal: klaus_at_PHYSIK.FU-BERLIN.DE
Expiration date: [never]
Last password change: Thu Mar 04 12:09:23 CET 2004
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Thu Mar 04 12:09:23 CET 2004 (kadmind_at_PHYSIK.FU-BERLIN.DE)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
And yes, I put the KDC's hostname and IP in /etc/hosts just to make
sure this is not the problem. Is this really needed?
TIA for any ideas!
--
Wolfram Klaus (Wolfram.Klaus_at_physik.fu-berlin.de)
Free University Berlin
Physics Department
Received on Wed Mar 10 2004 - 12:29:51 NZDT
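
Added example, not part of the original post: a small decoder for krb5kdc AS_REQ log lines like the ones quoted above, mapping the numeric etypes to their IANA names and listing which requested etypes have no key on the principal. The sample lines, the client address and the principal name are constructed; the key set {1, 16} follows the post's statement about the KDC.

```python
import re

# Kerberos etype numbers from the IANA registry (RFC 3961 and later); subset only.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    5: "des3-cbc-md5", 16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# "AS_REQ (N etypes {a b c}) <client address>: <STATUS>:"
AS_REQ = re.compile(r"AS_REQ \(\d+ etypes \{([\d ]+)\}\) (\S+): ([A-Z_]+):")
# On ISSUE lines: etype of the encrypted reply, of the ticket, of the session key.
ISSUED = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}")

def name(etype):
    return ETYPE_NAMES.get(etype, f"unknown({etype})")

def parse_as_req(line, principal_etypes):
    """Decode one krb5kdc AS_REQ log line; return None if it is not one."""
    m = AS_REQ.search(line)
    if m is None:
        return None
    requested = [int(e) for e in m.group(1).split()]
    rec = {
        "client": m.group(2),
        "status": m.group(3),
        "requested": [name(e) for e in requested],
        # Requested etypes for which the principal holds no long-term key.
        "no_key_for": [name(e) for e in requested if e not in principal_etypes],
    }
    issued = ISSUED.search(line)
    if issued:
        rep, tkt, ses = (int(g) for g in issued.groups())
        rec["issued"] = {"reply": name(rep), "ticket": name(tkt), "session": name(ses)}
    return rec

# Constructed sample lines in the same format as the log excerpt in the post.
SAMPLE_LOG = [
    "krb5kdc[100](info): AS_REQ (1 etypes {5}) 192.0.2.10: BAD_ENCRYPTION_TYPE: user@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, KDC has no support for encryption type",
    "krb5kdc[100](info): AS_REQ (1 etypes {1}) 192.0.2.10: ISSUE: authtime 1078920638, etypes {rep=1 tkt=16 ses=1}, user@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG",
]
PRINCIPAL_ETYPES = {1, 16}  # per the post: the KDC only has etypes 1 and 16

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_as_req(line, PRINCIPAL_ETYPES))
```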