I am trying to authenticate Windows XP clients to an MIT Kerberos server.
The server is on a Linux machine and I have both Windows and Linux clients
on my network. I have followed the steps below, but with no success.
I have configured the Kerberos server, and Linux clients are authenticating
properly, but no success on Windows clients. On the Kerberos server I have
created a host principal using the following command:
# kadmin -q "ank host/bmdata01.testing.com"    (I tried kadmin -q "ank host/bmdata01" also)
On the Windows XP client (bmdata01):
C:> ksetup /setrealm TESTING.COM
C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
C:> ksetup /setmachpassword <password>
C:> ksetup /mapuser ad...@TESTING.COM guest
C:> ksetup /mapuser * *
After the reboot Windows shows TESTING.COM as a Kerberos realm on the
login screen, but when I try to log in using a Kerberos user it throws
the following error:
*"The system could not log you on. Make sure your user name and domain are
correct, and then type your password again. Letters in passwords must be
typed using the correct case."*
But the Kerberos server is issuing the tickets; the log shows:
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: ad...@TESTING.COM for krbtgt/TESTI...@TESTING.COM, Additional pre-authentication required
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, ad...@TESTING.COM for krbtgt/TESTI...@TESTING.COM
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, ad...@TESTING.COM for host/bmdata01.testing.com@TESTING.COM
I found an article on the Microsoft website saying this is a bug and to
apply the latest service pack (SP3). I tried that too, but no success.
http://support.microsoft.com/kb/825081
Similar thread:
http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html
c:> ksetup.exe
default realm = TESTING.COM (external)
TESTING.COM:
kdc = viji.testing.com
Realm Flags = 0x0 none
Mapping all users (*) to guest.
Mapping admin to guest.
# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTING.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 TESTING.COM = {
  kdc = viji.testing.com:88
  admin_server = viji.testing.com:749
  default_domain = testing.com
 }

[domain_realm]
 .testing.com = TESTING.COM
 testing.com = TESTING.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

[dbmodules]
 TESTING.COM = {
  db_library = kldap
  ldap_servers = ldap://127.0.0.1/
  ldap_kerberos_container_dn = cn=kerberos,dc=testing,dc=com
  ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=testing,dc=com
  ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=testing,dc=com
  ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
 }
Any help on this will be greatly appreciated.
Thanks & Regards
Viji
VVN> Hi, I am trying to authenticate Windows XP clients to an MIT
VVN> Kerberos server. The server is on a Linux machine and I have
VVN> both Windows and Linux clients on my network. I have followed the
VVN> steps below, but with no success.
VVN> I have configured the Kerberos server, and Linux clients are
VVN> authenticating properly, but no success on Windows clients. On
VVN> the Kerberos server I have created a host principal using the
VVN> following command:
VVN> # kadmin -q "ank host/bmdata01.testing.com"    (I tried kadmin -q "ank host/bmdata01" also)
VVN> On the Windows XP client (bmdata01):
VVN> C:> ksetup /setrealm TESTING.COM
VVN> C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
VVN> C:> ksetup /setmachpassword <password>
VVN> C:> ksetup /mapuser ad...@TESTING.COM guest
VVN> C:> ksetup /mapuser * *
VVN> After the reboot Windows shows TESTING.COM as a Kerberos
VVN> realm on the login screen, but when I try to log in using a
VVN> Kerberos user it throws the following error:
VVN> *"The system could not log you on. Make sure your user name and
VVN> domain are correct, and then type your password again. Letters in
VVN> passwords must be typed using the correct case."*
VVN> But the Kerberos server is issuing the tickets; the log shows:
VVN> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: ad...@TESTING.COM for krbtgt/TESTI...@TESTING.COM, Additional pre-authentication required
VVN> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, ad...@TESTING.COM for krbtgt/TESTI...@TESTING.COM
VVN> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, ad...@TESTING.COM for host/bmdata01.testing.com@TESTING.COM
Make sure both the machine and user principals on the KDC only have RC4 or
DES keys. The session key here is RC4 (23), but the ticket is AES (18).
VVN> I found an article on the Microsoft website saying this is a bug
VVN> and to apply the latest service pack (SP3). I tried that too,
VVN> but no success.
VVN> http://support.microsoft.com/kb/825081
VVN> Similar thread:
VVN> http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html
VVN> c:> ksetup.exe
VVN> default realm = TESTING.COM (external)
VVN> TESTING.COM:
VVN> kdc = viji.testing.com
VVN> Realm Flags = 0x0 none
VVN> Mapping all users (*) to guest.
VVN> Mapping admin to guest.
VVN> # cat /etc/krb5.conf
VVN> [logging]
VVN>  default = FILE:/var/log/krb5libs.log
VVN>  kdc = FILE:/var/log/krb5kdc.log
VVN>  admin_server = FILE:/var/log/kadmind.log
VVN>
VVN> [libdefaults]
VVN>  default_realm = TESTING.COM
VVN>  dns_lookup_realm = true
VVN>  dns_lookup_kdc = true
VVN>  ticket_lifetime = 24h
VVN>  forwardable = yes
VVN>
VVN> [realms]
VVN>  TESTING.COM = {
VVN>   kdc = viji.testing.com:88
VVN>   admin_server = viji.testing.com:749
VVN>   default_domain = testing.com
VVN>  }
VVN>
VVN> [domain_realm]
VVN>  .testing.com = TESTING.COM
VVN>  testing.com = TESTING.COM
VVN>
VVN> [appdefaults]
VVN>  pam = {
VVN>   debug = false
VVN>   ticket_lifetime = 36000
VVN>   renew_lifetime = 36000
VVN>   forwardable = true
VVN>   krb4_convert = false
VVN>  }
VVN>
VVN> [dbmodules]
VVN>  TESTING.COM = {
VVN>   db_library = kldap
VVN>   ldap_servers = ldap://127.0.0.1/
VVN>   ldap_kerberos_container_dn = cn=kerberos,dc=testing,dc=com
VVN>   ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=testing,dc=com
VVN>   ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=testing,dc=com
VVN>   ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
VVN>  }
VVN> Any help on this will be greatly appreciated.
VVN> Thanks & Regards Viji
--
Richard Silverman
r...@qoxp.net
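The enctype mismatch Richard points out can be read straight off the krb5kdc log that Viji posted: the XP client offers only RC4, DES and some Microsoft-private enctypes in its requests, yet the host/bmdata01 service ticket comes back with tkt=18 (AES256). Below is an added Python check, not code from the thread or from MIT Kerberos, that parses the three quoted log lines and reports exactly that mismatch. It treats a TGT's ticket enctype as irrelevant to the client (only the KDC ever decrypts a TGT) and flags a host/ service ticket only when its enctype is outside the requesting client's offered set, which is the logon case here because the workstation itself must decrypt that ticket. The regex, the record layout and the sample log string are assumptions of this example; the enctype numbers are the standard IANA/RFC 3961, 3962 and 4757 assignments.

```python
import re

# Enctype numbers from RFC 3961/3962/4757. The negative values the XP client offers
# are Microsoft-private identifiers and are deliberately left unnamed here.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    24: "arcfour-hmac-exp",
}

# Constructed sample: the three krb5kdc lines from the thread, unwrapped onto one
# line each. The list archive abbreviates principal names with "..."; kept as shown.
SAMPLE_LOG = """\
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: ad...@TESTING.COM for krbtgt/TESTI...@TESTING.COM, Additional pre-authentication required
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, ad...@TESTING.COM for krbtgt/TESTI...@TESTING.COM
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, ad...@TESTING.COM for host/bmdata01.testing.com@TESTING.COM
"""

# Assumed shape of an MIT krb5kdc ISSUE line (matches the lines quoted in the thread).
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<addr>\S+): "
    r"ISSUE: authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)


def etype_name(num):
    """Human-readable enctype name, falling back to the raw number."""
    return ETYPE_NAMES.get(num, f"etype {num}")


def parse_issue_lines(log_text):
    """Return one record per ISSUE line: request type, client address, the enctypes the
    client offered, and the rep/tkt/ses enctypes the KDC actually used."""
    records = []
    for line in log_text.splitlines():
        m = ISSUE_RE.search(line)
        if not m:
            continue  # NEEDED_PREAUTH and other non-ISSUE lines carry no ticket enctypes
        records.append({
            "req": m["req"],
            "addr": m["addr"],
            "offered": {int(x) for x in m["offered"].split()},
            "rep": int(m["rep"]),
            "tkt": int(m["tkt"]),
            "ses": int(m["ses"]),
            "client": m["client"],
            "service": m["service"],
        })
    return records


def find_etype_mismatches(records):
    """Return (service, field, etype, name) tuples for enctypes the requesting client
    cannot use.

    rep and ses keys are handled by the client directly, so they must be in its offered
    set. tkt is encrypted in the *service* key and its enctype is chosen from the service
    principal's key list, never from the client's offer. For krbtgt/ that is harmless:
    only the KDC decrypts a TGT. For a host/ ticket the workstation that owns that
    principal decrypts it at logon, and in this thread that workstation is the requesting
    client, so a tkt enctype it never offered means the logon cannot complete even
    though the KDC logged ISSUE."""
    findings = []
    for r in records:
        for field in ("rep", "ses"):
            if r[field] not in r["offered"]:
                findings.append((r["service"], field, r[field], etype_name(r[field])))
        if (r["req"] == "TGS_REQ" and r["service"].startswith("host/")
                and r["tkt"] not in r["offered"]):
            findings.append((r["service"], "tkt", r["tkt"], etype_name(r["tkt"])))
    return findings


def analyze(log_text):
    """Convenience wrapper: parse a krb5kdc log excerpt and return its mismatches."""
    return find_etype_mismatches(parse_issue_lines(log_text))


if __name__ == "__main__":
    for service, field, num, name in analyze(SAMPLE_LOG):
        print(f"{service}: {field}={num} ({name}) not among enctypes the client offered")
```

Run against the thread's log this reports only the host/bmdata01.testing.com@TESTING.COM ticket (tkt=18, aes256-cts-hmac-sha1-96); the TGT's tkt=18 is ignored and rep/ses=23 pass. The fix Richard describes is on the KDC side: regenerate the machine (and, for safety, user) principal keys with only RC4/DES enctypes, which with MIT kadmin is done through the -e key-salt list on cpw or ank, so that the KDC has no AES key to pick for that principal. A harmless-looking ISSUE line is therefore not proof that a client can use a ticket; the tkt enctype has to be one the ticket's consumer actually holds a key for.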