[28034] in Kerberos


Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Thu Jul 12 18:49:07 2007

From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: kerberos@mit.edu
Date: Thu, 12 Jul 2007 11:19:12 +0200
Message-Id: <1184231952.3026.34.camel@tux.lib.cbs.dk>
Mime-Version: 1.0
Reply-To: mikkel@linet.dk
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Everyone
What I want to do is to be able to authenticate (Negotiate) from Firefox and IE7 on Windows and Linux.
What I have is an MS Active Directory 2003 (but running in 2000 mode) with realm "HHK.DK"; then I have a Linux Kerberos server (RHEL5 64bit) with realm "CBS.DK". I have made a two-way trust between them (http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EVCAC).
That seems to work because:
On Linux: (using user in Linux Kerberos)
---
kinit mkj.lib@CBS.DK
klist -e -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@CBS.DK

Valid starting     Expires            Service principal
07/09/07 12:09:43  07/10/07 12:09:43  krbtgt/CBS.DK@CBS.DK
        Flags: FI, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
---
Going to my test server it works, phpinfo() gives me:
---
_SERVER["REMOTE_USER"] mkj.lib@CBS.DK
_SERVER["AUTH_TYPE"] Negotiate
---
klist -e -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@CBS.DK

Valid starting     Expires            Service principal
07/09/07 12:09:43  07/10/07 12:09:43  krbtgt/CBS.DK@CBS.DK
        Flags: FI, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
07/09/07 12:10:40  07/10/07 12:09:43  HTTP/sugi.cbs.dk@CBS.DK
        Flags: FT, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, ArcFour with HMAC/md5
---
Still on Linux (using user in AD)
---
kinit mkj.lib@HHK.DK
Password for mkj.lib@HHK.DK:
[mkj@tux ~]$ klist -e -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
07/09/07 12:12:02  07/09/07 22:12:08  krbtgt/HHK.DK@HHK.DK
        renew until 07/10/07 12:12:02, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
----
Web page says:
----
_SERVER["REMOTE_USER"] mkj.lib@HHK.DK
_SERVER["AUTH_TYPE"] Negotiate
----
klist -e -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
07/09/07 12:12:02  07/09/07 22:12:08  krbtgt/HHK.DK@HHK.DK
        renew until 07/10/07 12:12:02, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
07/09/07 12:12:40  07/09/07 22:12:08  krbtgt/CBS.DK@HHK.DK
        renew until 07/10/07 12:12:02, Flags: FRAO
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
07/09/07 12:12:41  07/09/07 22:12:08  HTTP/sugi.cbs.dk@CBS.DK
        renew until 07/09/07 12:12:41, Flags: FRAT
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, ArcFour with HMAC/md5
----

Now on Windows joined to HHK.DK and logged in as "mkj.lib"
----
C:\Program Files\Resource Kit>klist tickets

Cached Tickets: (11)

   Server: krbtgt/HHK.DK@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55

   Server: krbtgt/HHK.DK@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55

   Server: cifs/etrust.hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55

   Server: cifs/HHK-02@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55

   Server: cifs/ITS-AMO.hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55

   Server: cifs/ns1.hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55

   Server: cifs/HHK-02.hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55

   Server: cifs/NS2.hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55

   Server: ldap/NS2.hhk.dk/hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55

   Server: LDAP/NS2.hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55

   Server: host/tuxwin.hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55
-----
But entering the web page:
---
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
----
Apache error log:
----
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1432): [client 130.226.36.172] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1432): [client 130.226.36.172] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1147): [client 130.226.36.172] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1266): [client 130.226.36.172] Verifying client data using KRB5 GSS-API
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1282): [client 130.226.36.172] Verification returned code 589824
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1309): [client 130.226.36.172] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Mon Jul 09 12:16:21 2007] [error] [client 130.226.36.172] gss_accept_sec_context() failed: Invalid token was supplied (No error)
----
I have followed all the instructions, "Integrated logon is on", my site is in Local Sites and proxy is turned off. The same error is using Firefox; I have set the trusted-uris and delegation-uris in about:config to "cbs.dk,hhk.dk". (Did the same under Linux and it works.)
Any help is appreciated


.htaccess:
---
AuthType Kerberos
AuthName "CBS Login"
KrbAuthRealms CBS.DK HHK.DK
KrbServiceName HTTP/sugi.cbs.dk@CBS.DK
Krb5Keytab /etc/httpd/conf/httpd.keytab
KrbSaveCredentials on
KrbMethodNegotiate on
KrbMethodK5Passwd off
require valid-user
----
Have tried without KrbServiceName set and with "KrbServiceName HTTP" and still no luck.

krb5.conf
----
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CBS.DK
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
 noaddresses = no

[realms]
 CBS.DK = {
  kdc = kerberos.cbs.dk:88
  admin_server = kerberos.cbs.dk:749
  default_domain = cbs.dk
 }
 HHK.DK = {
  kdc = ns1.hhk.dk:88
  admin_server = ns1.hhk.dk:749
  default_domain = hhk.dk
 }

[domain_realm]
 .cbs.dk = CBS.DK
 cbs.dk = CBS.DK
 .hhk.dk = HHK.DK
 hhk.dk = HHK.DK

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
----
kdc.conf
----
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
 CBS.DK = {
  #master_key_type = des3-hmac-sha1
  supported_enctypes = rc4-hmac:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
---
Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N
Tlf: +45 2128 7793
email: mikkel@linet.dk
www: http://www.linet.dk
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
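The mod_auth_kerb warning in the log above ("received token seems to be NTLM") comes from looking at the first bytes of the decoded Authorization header. The following is an added diagnostic example, not code from the post or from mod_auth_kerb: it classifies a Negotiate header value as NTLM, SPNEGO or raw Kerberos so that a browser falling back to NTLM (which is what the log shows for the Windows client) can be told apart from a genuine Kerberos token; the sample headers are constructed, and the assumed deployment is that the header is available, for example captured via an Apache LogFormat.

```python
import base64

# Leading bytes of the two token families a browser can put in
# "Authorization: Negotiate <base64>".
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                           # NTLM messages (types 1/2/3)
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"              # DER OID 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"    # DER OID 1.2.840.113554.1.2.2 (Kerberos V5)


def classify_negotiate_token(header_value):
    """Classify an Authorization header value.

    Returns one of: 'not-negotiate', 'invalid-base64', 'ntlm',
    'spnego', 'krb5', 'unknown'.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:              # binascii.Error is a subclass of ValueError
        return "invalid-base64"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"               # client fell back to NTLM: no Kerberos ticket was sent
    # A GSS-API InitialContextToken is tag 0x60, a DER length (1 to 3 bytes
    # for realistic sizes), then the mechanism OID, so the OID sits early on.
    if raw[:1] == b"\x60":
        head = raw[:16]
        if SPNEGO_OID in head:
            return "spnego"
        if KRB5_OID in head:
            return "krb5"
    return "unknown"


def build_sample_headers():
    """Constructed sample headers (not captured from the list post)."""
    # Minimal NTLM NEGOTIATE_MESSAGE prefix: signature, type 1, flags, padding.
    ntlm = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 24
    # Minimal SPNEGO wrapper: tag 0x60, length 12, SPNEGO OID, empty NegTokenInit.
    spnego = b"\x60\x0c" + SPNEGO_OID + b"\xa0\x02\x30\x00"
    return {
        "ntlm": "Negotiate " + base64.b64encode(ntlm).decode("ascii"),
        "spnego": "Negotiate " + base64.b64encode(spnego).decode("ascii"),
    }


if __name__ == "__main__":
    for kind, header in build_sample_headers().items():
        print(kind, "->", classify_negotiate_token(header))
```

An 'ntlm' result on a request that should have been Kerberos points at the client side (no service ticket for the HTTP/ SPN, or the site not treated as an intranet/trusted site), not at the keytab or the realm trust.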
