Re: How to setup trust between 2003 SP1/R2 and MIT 1.4.3 ?
- From: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
- Date: Mon, 1 May 2006 15:55:32 +0100
I searched a bit more and found some hints on how to set it up. But I still
have a couple of problems. Does anybody have an idea why I get a
KRB5KDC_ERR_ETYPE_NOSUPP error when I try to access a webserver in the
WINDOWS domain from a MIT domain?
Thank you
Markus
My sample setup:
1. OpenSuse with KDC opensuse.suse.home for the SUSE.HOME realm, for all systems
in the *.suse.home domain (based on MIT 1.4.1)
2. Windows 2003 R2 KDC w2k3.windows2003.home for the WINDOWS2003.HOME realm, for
all systems in the *.windows2003.home domain
3. Apache2 with mod_spnego on opensuse.suse.home, allowing all valid users
(the same host as the KDC, for testing only)
4. Apache2 with mod_spnego on w2k3.windows.home, allowing all valid users
(the same host as the KDC, for testing; kfw 3.0 is installed too, to build
mod_spnego)
5. Windows XP system winxp.windows2003.home in realm WINDOWS2003.HOME
6. putty 0.57 from Vintela with SSPI support on Windows XP
Both KDCs have a user markus. The Windows KDC also has a user markus-a,
which does not exist in the OpenSuse KDC.
On OpenSuse markus had a .k5login file with:
markus@xxxxxxxxx
markus@xxxxxxxxxxxxxxxx
markus-a@xxxxxxxxxxxxxxxx
=======================================================================
Setup of kdc on OpenSuse with Apache2 and mod_spnego
#!/bin/ksh
DATE=`date +%Y%m%d.%H%M%S`
#
# OpenSuse binary locations
#
KDB5_UTIL=/usr/lib/mit/sbin/kdb5_util
KADMINLOCAL=/usr/lib/mit/sbin/kadmin.local
#
# Directories and Files
#
VARDIR=/var/lib/kerberos/krb5kdc
ETCDIR=/etc
APACHEDIR=/etc/apache2
KDC_CONF_DIR=${VARDIR}
KADM5ACL=${VARDIR}/kadm5.acl
#
# Realms
#
REALM=SUSE.HOME
REALM2=WINDOWS2003.HOME
KDC=opensuse.suse.home
KDC2=w2k3.windows2003.home
DOMAIN=suse.home
DOMAIN2=windows2003.home
#
PASS="UNIX000$"
#
# stop daemons
#
/etc/init.d/krb5kdc stop
/etc/init.d/kadmind stop
/etc/init.d/apache2 stop
#
# Save old configs
#
mkdir ${VARDIR}/version-${DATE}
mv ${KDC_CONF_DIR}/kdc.conf ${KDC_CONF_DIR}/kdc.conf-${DATE}
mv ${VARDIR}/principal* ${VARDIR}/version-${DATE}/
mv ${VARDIR}/kadm5* ${VARDIR}/version-${DATE}/
mv ${KADM5ACL} ${KADM5ACL}-${DATE}
mv ${VARDIR}/.k5.* ${VARDIR}/version-${DATE}/
mv ${ETCDIR}/krb5.conf ${ETCDIR}/krb5.conf-${DATE}
mv ${ETCDIR}/krb5.keytab ${ETCDIR}/krb5.keytab-${DATE}
mv ${APACHEDIR}/HTTP.keytab ${APACHEDIR}/HTTP.keytab-${DATE}
#
# Create kdc.conf
#
cat > ${KDC_CONF_DIR}/kdc.conf <<!
[kdcdefaults]
kdc_ports = 750,88
[realms]
${REALM} = {
database_name = ${VARDIR}/principal
admin_keytab = FILE:${VARDIR}/kadm5.keytab
acl_file = ${KADM5ACL}
key_stash_file = ${VARDIR}/.k5.${REALM}
kdc_ports = 750,88
supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
!
#
# Create krb5.conf
#
cat > ${ETCDIR}/krb5.conf <<!
[libdefaults]
default_realm = ${REALM}
dns_lookup_kdc = no
dns_lookup_realm = no
default_keytab_name = ${ETCDIR}/krb5.keytab
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
${REALM} = {
kdc = ${KDC}
admin_server = ${KDC}
}
${REALM2} = {
kdc = ${KDC2}
admin_server = ${KDC2}
}
[domain_realm]
.${DOMAIN} = ${REALM}
${DOMAIN} = ${REALM}
.${DOMAIN2} = ${REALM2}
${DOMAIN2} = ${REALM2}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
!
#
# Create database
#
${KDB5_UTIL} create -r ${REALM} -s <<!
${REALM}00$
${REALM}00$
!
#
# Create ACL file
#
cat > ${KADM5ACL} <<!
###############################################################################
#Kerberos_principal permissions [target_principal] [restrictions]
###############################################################################
#
#*/admin@xxxxxxxxxxx *
*/admin@${REALM} *
!
#
# Create some principals
#
${KADMINLOCAL} <<!
addprinc -pw "${PASS}" krbtgt/${REALM}@${REALM2}
addprinc -pw "${PASS}" krbtgt/${REALM2}@${REALM}
addprinc -randkey host/${KDC}
addprinc -pw "Root" root/admin
addprinc -pw "Markus" markus/admin
addprinc -pw "markus" markus
addprinc -randkey HTTP/${KDC}
ktadd -k ${VARDIR}/kadm5.keytab kadmin/admin kadmin/changepw
ktadd -k ${ETCDIR}/krb5.keytab host/${KDC}
ktadd -k ${APACHEDIR}/HTTP.keytab HTTP/${KDC}
!
#
# Start daemons
#
/etc/init.d/krb5kdc start
/etc/init.d/kadmind start
chgrp www ${APACHEDIR}/HTTP.keytab
chmod g+r ${APACHEDIR}/HTTP.keytab
/etc/init.d/apache2 start
======================================================================================
Setup of Windows 2003 R2 KDC
Raise AD to Windows 2003 server forest functional level from AD Directory
and Trust tool. Then run
ksetup.exe /addkdc SUSE.HOME opensuse.suse.home
ksetup.exe /addrealmflags SUSE.HOME tcpsupported
netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /add /realm /twoway /PasswordT:UNIX000$
netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /transitive:yes
netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /foresttransitive:yes
netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home
Create the HTTP/w2k3.windows2003.home principal with msktutil.
=======================================================================================
Now, what I got working and what did not:
1) User WINDOWS2003\markus can connect with putty from Win XP to
opensuse.suse.home
2) User WINDOWS2003\markus can connect with IE from Win XP to
http://w2k3.windows2003.home
3) User WINDOWS2003\markus can connect with IE from Win XP to
http://opensuse.suse.home
=> 1) User WINDOWS2003\markus-a CAN NOT connect with putty from Win XP to
opensuse.suse.home (no port 88 traffic)
2) User WINDOWS2003\markus-a can connect with IE from Win XP to
http://w2k3.windows2003.home
3) User WINDOWS2003\markus-a can connect with IE from Win XP to
http://opensuse.suse.home
4) User WINDOWS2003\markus can connect with putty from Windows 2003 kdc
to opensuse.suse.home
5) User WINDOWS2003\markus can connect with IE from Windows 2003 kdc to
http://opensuse.suse.home
=> 6) User WINDOWS2003\markus CAN NOT connect with IE from Windows 2003 kdc
to http://w2k3.windows2003.home (no port 88 traffic)
7) User markus@xxxxxxxxx can connect with Firefox from OpenSuse to
http://opensuse.suse.home
8) User markus@xxxxxxxxxxxxxxxx can connect with Firefox from OpenSuse
to http://opensuse.suse.home
9) User markus@xxxxxxxxxxxxxxxx can connect with Firefox from OpenSuse
to http://w2k3.windows2003.home
=> 10) User markus@xxxxxxxxx CAN NOT connect with Firefox from OpenSuse to
http://w2k3.windows2003.home. I get a
KRB5KDC_ERR_ETYPE_NOSUPP error (see the capture of AS-REQ, AS-REP,
TGS-REQ and TGS-REP below)
No.  Time          Source              Destination         Protocol  Info
435  51218.688966  opensuse.suse.home  opensuse.suse.home  KRB5      AS-REQ
Frame 435 (203 bytes on wire, 203 bytes captured)
Arrival Time: May 1, 2006 13:51:23.964058000
Time delta from previous packet: 217.931451000 seconds
Time since reference or first frame: 51218.688966000 seconds
Frame Number: 435
Packet Length: 203 bytes
Capture Length: 203 bytes
Protocols in frame: sll:ip:udp:kerberos
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 772
Link-layer address length: 0
Source: <MISSING>
Protocol: IP (0x0800)
Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
opensuse.suse.home (192.168.1.7)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 187
Identification: 0x34ac (13484)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x8227 [correct]
Good: True
Bad : False
Source: opensuse.suse.home (192.168.1.7)
Destination: opensuse.suse.home (192.168.1.7)
User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
Source port: 32885 (32885)
Destination port: kerberos (88)
Length: 167
Checksum: 0x8417 [incorrect, should be 0x1303]
Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
KDC_REQ_BODY
Padding: 0
KDCOptions: 00000010 (Renewable OK)
.0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
use forwardable tickets
..0. .... .... .... .... .... .... .... = Forwarded: This is NOT
a forwarded ticket
...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use
proxiable tickets
.... 0... .... .... .... .... .... .... = Proxy: This ticket has
NOT been proxied
.... .0.. .... .... .... .... .... .... = Allow Postdate: We do
NOT allow the ticket to be postdated
.... ..0. .... .... .... .... .... .... = Postdated: This ticket
is NOT postdated
.... .... 0... .... .... .... .... .... = Renewable: This ticket
is NOT renewable
.... .... ...0 .... .... .... .... .... = Opt HW Auth: False
.... .... .... ...0 .... .... .... .... = Canonicalize: This is
NOT a canonicalized ticket request
.... .... .... .... .... .... ..0. .... = Disable Transited
Check: Transited checking is NOT disabled
.... .... .... .... .... .... ...1 .... = Renewable OK: We
accept RENEWED tickets
.... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
NOT encrypt the tkt inside the skey
.... .... .... .... .... .... .... ..0. = Renew: This is NOT a
request to renew a ticket
.... .... .... .... .... .... .... ...0 = Validate: This is NOT
a request to validate a postdated ticket
Client Name (Principal): markus
Name-type: Principal (1)
Name: markus
Realm: SUSE.HOME
Server Name (Unknown): krbtgt/SUSE.HOME
Name-type: Unknown (0)
Name: krbtgt
Name: SUSE.HOME
from: 2006-05-01 12:51:23 (Z)
till: 2006-05-02 12:51:23 (Z)
Nonce: 1146487883
Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
Encryption type: rc4-hmac (23)
Encryption type: des3-cbc-sha1 (16)
Encryption type: des-cbc-crc (1)
Encryption type: des-cbc-md5 (3)
No.  Time          Source              Destination         Protocol  Info
436  51218.693811  opensuse.suse.home  opensuse.suse.home  KRB5      AS-REP
Frame 436 (598 bytes on wire, 598 bytes captured)
Arrival Time: May 1, 2006 13:51:23.968903000
Time delta from previous packet: 0.004845000 seconds
Time since reference or first frame: 51218.693811000 seconds
Frame Number: 436
Packet Length: 598 bytes
Capture Length: 598 bytes
Protocols in frame: sll:ip:udp:kerberos
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 772
Link-layer address length: 0
Source: <MISSING>
Protocol: IP (0x0800)
Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
opensuse.suse.home (192.168.1.7)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 582
Identification: 0x001e (30)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0xb52a [correct]
Good: True
Bad : False
Source: opensuse.suse.home (192.168.1.7)
Destination: opensuse.suse.home (192.168.1.7)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
Source port: kerberos (88)
Destination port: 32885 (32885)
Length: 562
Checksum: 0x85a2 [incorrect, should be 0x84dc]
Kerberos AS-REP
Pvno: 5
MSG Type: AS-REP (11)
padata: Unknown:19
Type: Unknown (19)
Value: 30073005A003020117
Client Realm: SUSE.HOME
Client Name (Principal): markus
Name-type: Principal (1)
Name: markus
Ticket
Tkt-vno: 5
Realm: SUSE.HOME
Server Name (Unknown): krbtgt/SUSE.HOME
Name-type: Unknown (0)
Name: krbtgt
Name: SUSE.HOME
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 1
enc-part: 4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1...
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
enc-part: E0E5CF0DBFEF8C3326CE6F3CB5CFFD73A355696BCD0E95CB...
No.  Time          Source              Destination         Protocol  Info
443  51229.309113  opensuse.suse.home  opensuse.suse.home  KRB5      TGS-REQ
Frame 443 (652 bytes on wire, 652 bytes captured)
Arrival Time: May 1, 2006 13:51:34.584205000
Time delta from previous packet: 10.615302000 seconds
Time since reference or first frame: 51229.309113000 seconds
Frame Number: 443
Packet Length: 652 bytes
Capture Length: 652 bytes
Protocols in frame: sll:ip:udp:kerberos
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 772
Link-layer address length: 0
Source: <MISSING>
Protocol: IP (0x0800)
Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
opensuse.suse.home (192.168.1.7)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 636
Identification: 0x3f0b (16139)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x7607 [correct]
Good: True
Bad : False
Source: opensuse.suse.home (192.168.1.7)
Destination: opensuse.suse.home (192.168.1.7)
User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
Source port: 32885 (32885)
Destination port: kerberos (88)
Length: 616
Checksum: 0x85d8 [incorrect, should be 0x7d06]
Kerberos TGS-REQ
Pvno: 5
MSG Type: TGS-REQ (12)
padata: PA-TGS-REQ
Type: PA-TGS-REQ (1)
Value: 6E82019D30820199A003020105A10302010EA20703050000...
AP-REQ
Pvno: 5
MSG Type: AP-REQ (14)
Padding: 0
APOptions: 00000000
.0.. .... .... .... .... .... .... .... = Use Session
Key: Do NOT use the session key to encrypt the ticket
..0. .... .... .... .... .... .... .... = Mutual
required: Mutual authentication is NOT required
Ticket
Tkt-vno: 5
Realm: SUSE.HOME
Server Name (Unknown): krbtgt/SUSE.HOME
Name-type: Unknown (0)
Name: krbtgt
Name: SUSE.HOME
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 1
enc-part:
4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1...
Authenticator rc4-hmac
Encryption type: rc4-hmac (23)
Authenticator data:
B7008BD37B307572105D0107E309A30F6E89F74B4663A474...
KDC_REQ_BODY
Padding: 0
KDCOptions: 00800000 (Renewable)
.0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
use forwardable tickets
..0. .... .... .... .... .... .... .... = Forwarded: This is NOT
a forwarded ticket
...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use
proxiable tickets
.... 0... .... .... .... .... .... .... = Proxy: This ticket has
NOT been proxied
.... .0.. .... .... .... .... .... .... = Allow Postdate: We do
NOT allow the ticket to be postdated
.... ..0. .... .... .... .... .... .... = Postdated: This ticket
is NOT postdated
.... .... 1... .... .... .... .... .... = Renewable: This ticket
is RENEWABLE
.... .... ...0 .... .... .... .... .... = Opt HW Auth: False
.... .... .... ...0 .... .... .... .... = Canonicalize: This is
NOT a canonicalized ticket request
.... .... .... .... .... .... ..0. .... = Disable Transited
Check: Transited checking is NOT disabled
.... .... .... .... .... .... ...0 .... = Renewable OK: We do
NOT accept renewed tickets
.... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
NOT encrypt the tkt inside the skey
.... .... .... .... .... .... .... ..0. = Renew: This is NOT a
request to renew a ticket
.... .... .... .... .... .... .... ...0 = Validate: This is NOT
a request to validate a postdated ticket
Realm: SUSE.HOME
Server Name (Unknown): krbtgt/WINDOWS2003.HOME
Name-type: Unknown (0)
Name: krbtgt
Name: WINDOWS2003.HOME
from: 2006-05-01 12:51:23 (Z)
till: 2006-05-01 22:51:23 (Z)
rtime: 2006-05-02 12:51:23 (Z)
Nonce: 1146487891
Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
Encryption type: rc4-hmac (23)
Encryption type: des3-cbc-sha1 (16)
Encryption type: des-cbc-crc (1)
Encryption type: des-cbc-md5 (3)
No.  Time          Source              Destination         Protocol  Info
444  51229.328348  opensuse.suse.home  opensuse.suse.home  KRB5      TGS-REP
Frame 444 (629 bytes on wire, 629 bytes captured)
Arrival Time: May 1, 2006 13:51:34.603440000
Time delta from previous packet: 0.019235000 seconds
Time since reference or first frame: 51229.328348000 seconds
Frame Number: 444
Packet Length: 629 bytes
Capture Length: 629 bytes
Protocols in frame: sll:ip:udp:kerberos
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 772
Link-layer address length: 0
Source: <MISSING>
Protocol: IP (0x0800)
Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
opensuse.suse.home (192.168.1.7)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 613
Identification: 0x001f (31)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0xb50a [correct]
Good: True
Bad : False
Source: opensuse.suse.home (192.168.1.7)
Destination: opensuse.suse.home (192.168.1.7)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
Source port: kerberos (88)
Destination port: 32885 (32885)
Length: 593
Checksum: 0x85c1 [incorrect, should be 0x3f5c]
Kerberos TGS-REP
Pvno: 5
MSG Type: TGS-REP (13)
Client Realm: SUSE.HOME
Client Name (Principal): markus
Name-type: Principal (1)
Name: markus
Ticket
Tkt-vno: 5
Realm: SUSE.HOME
Server Name (Unknown): krbtgt/WINDOWS2003.HOME
Name-type: Unknown (0)
Name: krbtgt
Name: WINDOWS2003.HOME
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 1
enc-part: 46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE...
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
enc-part: 981F6F1C48DBB164CDAB8E7C4439D8C29B9DD584929E8580...
No.  Time          Source              Destination                   Protocol  Info
445  51229.329735  opensuse.suse.home  windows2003.windows2003.home  KRB5      TGS-REQ
Frame 445 (651 bytes on wire, 651 bytes captured)
Arrival Time: May 1, 2006 13:51:34.604827000
Time delta from previous packet: 0.001387000 seconds
Time since reference or first frame: 51229.329735000 seconds
Frame Number: 445
Packet Length: 651 bytes
Capture Length: 651 bytes
Protocols in frame: sll:ip:udp:kerberos
Linux cooked capture
Packet type: Sent by us (4)
Link-layer address type: 1
Link-layer address length: 6
Source: Vmware_02:d5:f5 (00:0c:29:02:d5:f5)
Protocol: IP (0x0800)
Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
windows2003.windows2003.home (192.168.1.5)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 635
Identification: 0x3f10 (16144)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x7605 [correct]
Good: True
Bad : False
Source: opensuse.suse.home (192.168.1.7)
Destination: windows2003.windows2003.home (192.168.1.5)
User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
Source port: 32885 (32885)
Destination port: kerberos (88)
Length: 615
Checksum: 0x9902 [correct]
Kerberos TGS-REQ
Pvno: 5
MSG Type: TGS-REQ (12)
padata: PA-TGS-REQ
Type: PA-TGS-REQ (1)
Value: 6E8201BA308201B6A003020105A10302010EA20703050000...
AP-REQ
Pvno: 5
MSG Type: AP-REQ (14)
Padding: 0
APOptions: 00000000
.0.. .... .... .... .... .... .... .... = Use Session
Key: Do NOT use the session key to encrypt the ticket
..0. .... .... .... .... .... .... .... = Mutual
required: Mutual authentication is NOT required
Ticket
Tkt-vno: 5
Realm: SUSE.HOME
Server Name (Unknown): krbtgt/WINDOWS2003.HOME
Name-type: Unknown (0)
Name: krbtgt
Name: WINDOWS2003.HOME
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 1
enc-part:
46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE...
Authenticator rc4-hmac
Encryption type: rc4-hmac (23)
Authenticator data:
FE71BE32F2BFF609F021A368F6DAF66CC42C00C7508FB8E2...
KDC_REQ_BODY
Padding: 0
KDCOptions: 00800000 (Renewable)
.0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
use forwardable tickets
..0. .... .... .... .... .... .... .... = Forwarded: This is NOT
a forwarded ticket
...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use
proxiable tickets
.... 0... .... .... .... .... .... .... = Proxy: This ticket has
NOT been proxied
.... .0.. .... .... .... .... .... .... = Allow Postdate: We do
NOT allow the ticket to be postdated
.... ..0. .... .... .... .... .... .... = Postdated: This ticket
is NOT postdated
.... .... 1... .... .... .... .... .... = Renewable: This ticket
is RENEWABLE
.... .... ...0 .... .... .... .... .... = Opt HW Auth: False
.... .... .... ...0 .... .... .... .... = Canonicalize: This is
NOT a canonicalized ticket request
.... .... .... .... .... .... ..0. .... = Disable Transited
Check: Transited checking is NOT disabled
.... .... .... .... .... .... ...0 .... = Renewable OK: We do
NOT accept renewed tickets
.... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
NOT encrypt the tkt inside the skey
.... .... .... .... .... .... .... ..0. = Renew: This is NOT a
request to renew a ticket
.... .... .... .... .... .... .... ...0 = Validate: This is NOT
a request to validate a postdated ticket
Realm: WINDOWS2003.HOME
Server Name (Service and Host): HTTP/w2k3.windows2003.home
Name-type: Service and Host (3)
Name: HTTP
Name: w2k3.windows2003.home
till: 2006-05-01 22:51:23 (Z)
Nonce: 1146487891
Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
Encryption type: rc4-hmac (23)
Encryption type: des3-cbc-sha1 (16)
Encryption type: des-cbc-crc (1)
Encryption type: des-cbc-md5 (3)
No.  Time          Source                        Destination         Protocol  Info
446  51229.334347  windows2003.windows2003.home  opensuse.suse.home  KRB5      KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP
Frame 446 (151 bytes on wire, 151 bytes captured)
Arrival Time: May 1, 2006 13:51:34.609439000
Time delta from previous packet: 0.004612000 seconds
Time since reference or first frame: 51229.334347000 seconds
Frame Number: 446
Packet Length: 151 bytes
Capture Length: 151 bytes
Protocols in frame: sll:ip:udp:kerberos
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 1
Link-layer address length: 6
Source: Vmware_71:05:9f (00:0c:29:71:05:9f)
Protocol: IP (0x0800)
Internet Protocol, Src: windows2003.windows2003.home (192.168.1.5), Dst:
opensuse.suse.home (192.168.1.7)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 135
Identification: 0xdebe (57022)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0xd84a [correct]
Good: True
Bad : False
Source: windows2003.windows2003.home (192.168.1.5)
Destination: opensuse.suse.home (192.168.1.7)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
Source port: kerberos (88)
Destination port: 32885 (32885)
Length: 115
Checksum: 0xb7f8 [correct]
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2006-05-01 12:51:33 (Z)
susec: 907050
error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
Realm: WINDOWS2003.HOME
Server Name (Service and Host): HTTP/w2k3.windows2003.home
Name-type: Service and Host (3)
Name: HTTP
Name: w2k3.windows2003.home
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
news:444bcbd2$0$23157$ed2e19e4@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Is there anywhere a howto for setting up a one-way or even two-way trust
between a Windows 2003 SP1/R2 server and a MIT KDC with rc4-hmac
encryption?
Thank you
Markus
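Added example (not part of the original post or of the MIT or Microsoft tools it uses): a small Python parser that reads a Wireshark text dump like the one quoted above, pairs the KRB-ERROR with the TGS-REQ it answers, and checks an offered enctype list against a kdc.conf supported_enctypes line. The sample dump is a constructed excerpt of the capture above; KRB5KDC_ERR_ETYPE_NOSUPP (14) is defined in RFC 4120 as "KDC has no support for encryption type", i.e. none of the enctypes the client offered can be used for the requested service.

```python
import re

# Constructed excerpt of the Wireshark text dump quoted in the post: only the
# lines the parser reads, in the order they occur in the real capture (the
# AP-REQ ticket's Server Name precedes the KDC_REQ_BODY target).
SAMPLE_DUMP = """\
Kerberos TGS-REQ
    AP-REQ
        Server Name (Unknown): krbtgt/SUSE.HOME
    KDC_REQ_BODY
        Realm: SUSE.HOME
        Server Name (Unknown): krbtgt/WINDOWS2003.HOME
        Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
Kerberos TGS-REP
    Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    enc-part rc4-hmac
        Encryption type: rc4-hmac (23)
Kerberos TGS-REQ
    AP-REQ
        Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    KDC_REQ_BODY
        Realm: WINDOWS2003.HOME
        Server Name (Service and Host): HTTP/w2k3.windows2003.home
        Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
Kerberos KRB-ERROR
    error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
    Realm: WINDOWS2003.HOME
    Server Name (Service and Host): HTTP/w2k3.windows2003.home
"""

MSG_RE = re.compile(r"^Kerberos (AS-REQ|AS-REP|TGS-REQ|TGS-REP|KRB-ERROR)$")


def parse_messages(dump):
    """One dict per Kerberos message.  The last 'Server Name' in a request is
    the KDC_REQ_BODY target; 'Encryption Types:' is the client's offered list;
    'Encryption type:' in a reply is the enctype the KDC actually used."""
    msgs = []
    for raw in dump.splitlines():
        line = raw.strip()
        m = MSG_RE.match(line)
        if m:
            msgs.append({"type": m.group(1), "realm": None, "sname": None,
                         "offered": [], "used": [], "error": None})
            continue
        if not msgs:
            continue  # frame/IP/UDP header lines before the first message
        cur = msgs[-1]
        if line.startswith("Realm:"):
            cur["realm"] = line.split(":", 1)[1].strip()
        elif line.startswith("Server Name"):
            cur["sname"] = line.split(":", 1)[1].strip()
        elif line.startswith("Encryption Types:"):
            cur["offered"] = line.split(":", 1)[1].split()
        elif line.startswith("Encryption type:") and cur["type"].endswith("REP"):
            cur["used"].append(line.split(":", 1)[1].split()[0])
        elif line.startswith("error_code:"):
            cur["error"] = line.split(":", 1)[1].split()[0]
    return msgs


def diagnose(msgs):
    """Pair every KRB-ERROR with the request it answers: which principal in
    which realm was asked for, and which enctypes the client offered."""
    return [{"error": m["error"], "realm": m["realm"], "sname": m["sname"],
             "offered": msgs[i - 1]["offered"]}
            for i, m in enumerate(msgs) if m["type"] == "KRB-ERROR" and i > 0]


def parse_supported_enctypes(conf_line):
    """'supported_enctypes = rc4-hmac:normal ...' (kdc.conf) -> enctype names."""
    return [tok.split(":")[0] for tok in conf_line.split("=", 1)[1].split()]


def enctype_overlap(offered, supported):
    """Enctypes both sides share, in the client's preference order; an empty
    result for the service's keys is what ETYPE_NOSUPP reports."""
    return [e for e in offered if e in supported]
```

Run over the full dump, diagnose() shows the failing hop is the TGS-REQ for HTTP/w2k3.windows2003.home in WINDOWS2003.HOME, so the enctypes to compare are the ones the client offered there against the keys that service principal holds on the Windows side.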