[28049] in Kerberos
Re: Negotiate on Windows with cross-realm trust AD and MIT Kereros.
daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Tue Jul 17 15:00:31 2007
From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: kerberos <kerberos@mit.edu>
In-Reply-To: <f76c3n$1bb$1@sea.gmane.org>
Date: Tue, 17 Jul 2007 09:41:46 +0200
Message-Id: <1184658106.3276.3.camel@tux.lib.cbs.dk>
Mime-Version: 1.0
Reply-To: mikkel@linet.dk
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Hi
Yes that did the trick.
netdom trust HHK.DK /domain:CBS.DK /foresttransitive:yes
netdom trust HHK.DK /domain:CBS.DK /addtln:cbs.dk

This is very cool, now the windows clients get the HTTP/sugi.cbs.dk@CBS.DK when using mkj.lib@HHK.DK.

The problem is now that I get this:

[Tue Jul 17 09:33:34 2007] [debug] src/mod_auth_kerb.c(1432): [client 130.226.36.30] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Jul 17 09:33:34 2007] [debug] src/mod_auth_kerb.c(1432): [client 130.226.36.30] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Jul 17 09:33:34 2007] [debug] src/mod_auth_kerb.c(1147): [client 130.226.36.30] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK
[Tue Jul 17 09:33:34 2007] [debug] src/mod_auth_kerb.c(1266): [client 130.226.36.30] Verifying client data using KRB5 GSS-API
[Tue Jul 17 09:33:34 2007] [debug] src/mod_auth_kerb.c(1282): [client 130.226.36.30] Verification returned code 851968
[Tue Jul 17 09:33:34 2007] [error] [client 130.226.36.30] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Cannot allocate memory)
Any suggestions ?
/Mikkel
On Fri, 2007-07-13 at 00:05 +0100, Markus Moeller wrote:
> I think you need to tell AD that keys for systems in the cbs.dk domain can
> be retrieved from CBS.DK.
>
> Try netdom trust HHK.DK /domain:CBS.DK /addtln:cbs.dk on your kdc.
>
> Markus
>
> "Mikkel Kruse Johnsen" <mikkel@linet.dk> wrote in message
> news:1184231952.3026.34.camel@tux.lib.cbs.dk...
> > Hi Everyone
> >
> > What I want to do is to be able to authenticate (Negotiate) from firefox,
> > IE7 on Windows and Linux.
> >
> > What I have is an MS Active Directory 2003 (but running in 2000 mode)
> > with realm "HHK.DK" then I have a Linux Kerberos server (RHEL5 64bit)
> > with realm "CBS.DK". I have made a two-way trust between them.
> > (http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EVCAC).
> >
> > That seems to work because:
> >
> > On Linux: (using user in linux kerberos)
> >
> > ---
> > kinit mkj.lib@CBS.DK
> > klist -e -f
> > Ticket cache: FILE:/tmp/krb5cc_500
> > Default principal: mkj.lib@CBS.DK
> >
> > Valid starting     Expires            Service principal
> > 07/09/07 12:09:43  07/10/07 12:09:43  krbtgt/CBS.DK@CBS.DK
> >         Flags: FI, Etype (skey, tkt): Triple DES cbc mode with
> > HMAC/sha1, Triple DES cbc mode with HMAC/sha1
> > ---
> >
> > Going to my test server it works, phpinfo() gives me:
> > ---
> > _SERVER["REMOTE_USER"]  mkj.lib@CBS.DK
> > _SERVER["AUTH_TYPE"]    Negotiate
> > ---
> > klist -e -f
> > Ticket cache: FILE:/tmp/krb5cc_500
> > Default principal: mkj.lib@CBS.DK
> >
> > Valid starting     Expires            Service principal
> > 07/09/07 12:09:43  07/10/07 12:09:43  krbtgt/CBS.DK@CBS.DK
> >         Flags: FI, Etype (skey, tkt): Triple DES cbc mode with
> > HMAC/sha1, Triple DES cbc mode with HMAC/sha1
> > 07/09/07 12:10:40  07/10/07 12:09:43  HTTP/sugi.cbs.dk@CBS.DK
> >         Flags: FT, Etype (skey, tkt): Triple DES cbc mode with
> > HMAC/sha1, ArcFour with HMAC/md5
> > ---
> >
> > Still on Linux (using user in AD)
> >
> > ---
> > kinit mkj.lib@HHK.DK
> > Password for mkj.lib@HHK.DK:
> > [mkj@tux ~]$ klist -e -f
> > Ticket cache: FILE:/tmp/krb5cc_500
> > Default principal: mkj.lib@HHK.DK
> >
> > Valid starting     Expires            Service principal
> > 07/09/07 12:12:02  07/09/07 22:12:08  krbtgt/HHK.DK@HHK.DK
> >         renew until 07/10/07 12:12:02, Flags: FRIA
> >         Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> > ----
> >
> > Web page says:
> > ----
> > _SERVER["REMOTE_USER"]  mkj.lib@HHK.DK
> > _SERVER["AUTH_TYPE"]    Negotiate
> > ----
> > klist -e -f
> > Ticket cache: FILE:/tmp/krb5cc_500
> > Default principal: mkj.lib@HHK.DK
> >
> > Valid starting     Expires            Service principal
> > 07/09/07 12:12:02  07/09/07 22:12:08  krbtgt/HHK.DK@HHK.DK
> >         renew until 07/10/07 12:12:02, Flags: FRIA
> >         Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> > 07/09/07 12:12:40  07/09/07 22:12:08  krbtgt/CBS.DK@HHK.DK
> >         renew until 07/10/07 12:12:02, Flags: FRAO
> >         Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with
> > RSA-MD5
> > 07/09/07 12:12:41  07/09/07 22:12:08  HTTP/sugi.cbs.dk@CBS.DK
> >         renew until 07/09/07 12:12:41, Flags: FRAT
> >         Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, ArcFour
> > with HMAC/md5
> > ----
> >
> >
> > Now on Windows joined to HHK.DK and logged in as "mkj.lib"
> >
> > ----
> > C:\Program Files\Resource Kit>klist tickets
> >
> > Cached Tickets: (11)
> >
> >    Server: krbtgt/HHK.DK@HHK.DK
> >       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >       End Time: 7/9/2007 19:26:55
> >       Renew Time: 7/16/2007 9:26:55
> >
> >    Server: krbtgt/HHK.DK@HHK.DK
> >       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >       End Time: 7/9/2007 19:26:55
> >       Renew Time: 7/16/2007 9:26:55
> >
> >    Server: cifs/etrust.hhk.dk@HHK.DK
> >       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >       End Time: 7/9/2007 19:26:55
> >       Renew Time: 7/16/2007 9:26:55
> >
> >    Server: cifs/HHK-02@HHK.DK
> >       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >       End Time: 7/9/2007 19:26:55
> >       Renew Time: 7/16/2007 9:26:55
> >
> >    Server: cifs/ITS-AMO.hhk.dk@HHK.DK
> >       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >       End Time: 7/9/2007 19:26:55
> >       Renew Time: 7/16/2007 9:26:55
> >
> >    Server: cifs/ns1.hhk.dk@HHK.DK
> >       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >       End Time: 7/9/2007 19:26:55
> >       Renew Time: 7/16/2007 9:26:55
> >
> >    Server: cifs/HHK-02.hhk.dk@HHK.DK
> >       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >       End Time: 7/9/2007 19:26:55
> >       Renew Time: 7/16/2007 9:26:55
> >
> >    Server: cifs/NS2.hhk.dk@HHK.DK
> >       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >       End Time: 7/9/2007 19:26:55
> >       Renew Time: 7/16/2007 9:26:55
> >
> >    Server: ldap/NS2.hhk.dk/hhk.dk@HHK.DK
> >       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >       End Time: 7/9/2007 19:26:55
> >       Renew Time: 7/16/2007 9:26:55
> >
> >    Server: LDAP/NS2.hhk.dk@HHK.DK
> >       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >       End Time: 7/9/2007 19:26:55
> >       Renew Time: 7/16/2007 9:26:55
> >
> >    Server: host/tuxwin.hhk.dk@HHK.DK
> >       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >       End Time: 7/9/2007 19:26:55
> >       Renew Time: 7/16/2007 9:26:55
> > -----
> >
> > But entering the web page:
> > ---
> > Authorization Required
> > This server could not verify that you are authorized to access the
> > document requested. Either you supplied the wrong credentials (e.g., bad
> > password), or your browser doesn't understand how to supply the
> > credentials required.
> > ----
> >
> > Apache error log:
> > ----
> > [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1432): [client
> > 130.226.36.172] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1432): [client
> > 130.226.36.172] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1147): [client
> > 130.226.36.172] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK
> > [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1266): [client
> > 130.226.36.172] Verifying client data using KRB5 GSS-API
> > [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1282): [client
> > 130.226.36.172] Verification returned code 589824
> > [Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1309): [client
> > 130.226.36.172] Warning: received token seems to be NTLM, which isn't
> > supported by the Kerberos module. Check your IE configuration.
> > [Mon Jul 09 12:16:21 2007] [error] [client 130.226.36.172]
> > gss_accept_sec_context() failed: Invalid token was supplied (No error)
> > ----
> >
> > I have followed all the instructions, "Integrated logon is on", my site
> > is in Local Sites and proxy is turned off. The same error is using
> > firefox, have set the trusted-uri and delegation-uris in about:config to
> > "cbs.dk,hhk.dk". (did the same under linux and it works).
> >
> > Any help is appreciated
> >
> >
> > .htaccess:
> > ---
> > AuthType Kerberos
> > AuthName "CBS Login"
> > KrbAuthRealms CBS.DK HHK.DK
> > KrbServiceName HTTP/sugi.cbs.dk@CBS.DK
> > Krb5Keytab /etc/httpd/conf/httpd.keytab
> > KrbSaveCredentials on
> > KrbMethodNegotiate on
> > KrbMethodK5Passwd off
> > require valid-user
> > ----
> > Have tried without KrbServiceName set and with "KrbServiceName HTTP"
> > and still no luck.
> >
> >
> > krb5.conf
> > ----
> > [logging]
> >  default = FILE:/var/log/krb5libs.log
> >  kdc = FILE:/var/log/krb5kdc.log
> >  admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> >  default_realm = CBS.DK
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = false
> >  ticket_lifetime = 24h
> >  forwardable = yes
> >  default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> >  default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> >  permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> >  noaddresses = no
> >
> > [realms]
> >  CBS.DK = {
> >   kdc = kerberos.cbs.dk:88
> >   admin_server = kerberos.cbs.dk:749
> >   default_domain = cbs.dk
> >  }
> >  HHK.DK = {
> >   kdc = ns1.hhk.dk:88
> >   admin_server = ns1.hhk.dk:749
> >   default_domain = hhk.dk
> >  }
> >
> > [domain_realm]
> >  .cbs.dk = CBS.DK
> >  cbs.dk = CBS.DK
> >  .hhk.dk = HHK.DK
> >  hhk.dk = HHK.DK
> >
> > [kdc]
> >  profile = /var/kerberos/krb5kdc/kdc.conf
> >
> > [appdefaults]
> >  pam = {
> >   debug = false
> >   ticket_lifetime = 36000
> >   renew_lifetime = 36000
> >   forwardable = true
> >   krb4_convert = false
> >  }
> > -
> >
> > kdc.conf
> > ----
> > [kdcdefaults]
> >  acl_file = /var/kerberos/krb5kdc/kadm5.acl
> >  dict_file = /usr/share/dict/words
> >  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> >  v4_mode = nopreauth
> >
> > [realms]
> >  CBS.DK = {
> >   #master_key_type = des3-hmac-sha1
> >   supported_enctypes = rc4-hmac:normal des3-hmac-sha1:normal
> >   arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal
> >   des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
> >  }
> > ---
> >
> > Mikkel Kruse Johnsen
> > Linet
> > Ørholmgade 6 st tv
> > 2200 København N
> >
> > Tlf: +45 2128 7793
> > email: mikkel@linet.dk
> > www: http://www.linet.dk
Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel@linet.dk
www: http://www.linet.dk
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
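The two failures in this thread show up in the Apache log as bare numbers ("Verification returned code 589824" before the trust fix, "851968" after it) plus a one-line gss_accept_sec_context() message. Those numbers are the GSS-API major status that mod_auth_kerb got back, and the layout of a major status is fixed by RFC 2744: a calling-error byte, a routine-error byte and supplementary bits. Decoding them tells you which class of failure you are looking at (589824 is GSS_S_DEFECTIVE_TOKEN, which matches the NTLM warning in the first log; 851968 is GSS_S_FAILURE, where the real cause is only in the minor-code text in parentheses). The other thing worth checking on the server side is what the browser actually sent: an NTLM token in the Negotiate header starts with the bytes "NTLMSSP\0", a GSS-API token starts with a 0x60 tag followed by the mechanism OID. The script below is an added example for this page, not code from the thread or from mod_auth_kerb; the sample headers and log lines it carries are constructed for the example (the Kerberos "ticket" inside the constructed tokens is dummy padding), and the mechanism name table covers only the three OIDs named in the comments.

```python
"""Added example (not from the thread): decode the GSS-API major status that
mod_auth_kerb logs as "Verification returned code N", and classify the token
in an "Authorization: Negotiate ..." header as NTLM, SPNEGO or raw Kerberos.
All sample headers and log lines below are constructed for the example."""
import base64
import re

# GSS-API major status layout (RFC 2744, section 3.9.1): calling error in
# bits 31..24, routine error in bits 23..16, supplementary info in bits 15..0.
CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
SUPPLEMENTARY_BITS = {
    1: "GSS_S_CONTINUE_NEEDED", 2: "GSS_S_DUPLICATE_TOKEN",
    4: "GSS_S_OLD_TOKEN", 8: "GSS_S_UNSEQ_TOKEN", 16: "GSS_S_GAP_TOKEN",
}


def decode_major_status(code):
    """Split a GSS major status value into its symbolic parts."""
    calling = (code >> 24) & 0xFF
    routine = (code >> 16) & 0xFF
    supp = code & 0xFFFF
    parts = []
    if calling:
        parts.append(CALLING_ERRORS.get(calling, "calling_error_%d" % calling))
    if routine:
        parts.append(ROUTINE_ERRORS.get(routine, "routine_error_%d" % routine))
    for bit, name in sorted(SUPPLEMENTARY_BITS.items()):
        if supp & bit:
            parts.append(name)
    return parts or ["GSS_S_COMPLETE"]


VERIFY_RE = re.compile(r"Verification returned code (\d+)")


def explain_log_line(line):
    """Decode a mod_auth_kerb 'Verification returned code N' line; None otherwise."""
    m = VERIFY_RE.search(line)
    return decode_major_status(int(m.group(1))) if m else None


# --- Negotiate token classification -----------------------------------------
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MECH_NAMES = {
    "1.3.6.1.5.5.2": "spnego",          # SPNEGO wrapper (RFC 4178)
    "1.2.840.113554.1.2.2": "krb5",     # Kerberos V5 (RFC 1964)
    "1.2.840.48018.1.2.2": "ms-krb5",   # Microsoft's Kerberos OID
}


def _decode_oid(body):
    """Decode DER OID content bytes into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def classify_negotiate_token(header_value):
    """Classify the token carried by an Authorization header value."""
    m = re.match(r"^\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*$", header_value)
    if not m:
        return "not-negotiate"
    raw = base64.b64decode(m.group(1))
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                 # the case mod_auth_kerb warns about
    try:
        if raw[0] != 0x60:            # RFC 2743 InitialContextToken tag
            return "unknown"
        i = 1
        if raw[i] & 0x80:             # long-form DER length
            i += 1 + (raw[i] & 0x7F)
        else:
            i += 1
        if raw[i] != 0x06:            # OBJECT IDENTIFIER follows the length
            return "unknown"
        oid = _decode_oid(raw[i + 2:i + 2 + raw[i + 1]])
    except IndexError:
        return "unknown"
    return MECH_NAMES.get(oid, "gss:" + oid)


# --- constructed sample data (not real captures) ----------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def make_gss_token(oid_der, inner):
    """Wrap dummy `inner` bytes in a minimal RFC 2743 InitialContextToken."""
    body = b"\x06" + bytes([len(oid_der)]) + oid_der + inner
    return b"\x60" + _der_len(len(body)) + body


def _header(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


NTLM_HEADER = _header(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(28))
SPNEGO_HEADER = _header(make_gss_token(b"\x2b\x06\x01\x05\x05\x02", bytes(292)))
KRB5_HEADER = _header(make_gss_token(b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", bytes(8)))

SAMPLE_LOG = [  # the two codes seen in this thread, trimmed to the relevant part
    "src/mod_auth_kerb.c(1282): [client 130.226.36.172] Verification returned code 589824",
    "src/mod_auth_kerb.c(1282): [client 130.226.36.30] Verification returned code 851968",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line.rsplit(" ", 1)[1], "->", ", ".join(explain_log_line(line)))
    for hdr in (NTLM_HEADER, SPNEGO_HEADER, KRB5_HEADER):
        print(hdr[:24] + "...", "->", classify_negotiate_token(hdr))
```

Run against a real request, the quick tell is the base64 prefix in the header: "TlRMTVNTUAA..." is NTLM, "YII..." is a DER-wrapped GSS token (SPNEGO or Kerberos). A client that sends NTLM to a host in Local Intranet zone has not obtained a service ticket, so the fix is on the trust/ticket side, not in Apache; a GSS_S_FAILURE with a libkrb5 minor-code message is the opposite, the token was Kerberos and the server side could not process it.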