Subject: Kerberos testing... limited success
To: None <tech-net@netbsd.org>
From: Pete Vickers <pete.vickers@uk.adtranz.com>
List: tech-net
Date: 01/12/2001 16:48:55
Hi All,
After my discovery that NetBSD has integrated Heimdal yesterday, I've been
trying to get it to use an MS Win2k KDC all today...with limited success :-/
background info:
---------------
Server = ukdesdc001.transtest 172.16.96.159 [Win2k SP1 PDC,KDC,DNS]
Client = ukdews0001.transtest 172.16.96.155 [NetBSD 1.5]
username ukpv0001 password = xxxxxxx
Method:
-------
1. On W2k PDC [KDC] create USER account for UNIX host, in GUI:
username = ukdews0001; password = xxxxxxx
2. map username to kerberos principal, create keytab file:
c:\>ktpass -princ host/ukdews0001.transtest@TRANSTEST -mapuser ukdews0001 -pass xxxxx -out ukdews0001.keytab
Successfully mapped host/ukdews0001.transtest to ukdews0001.
Key created.
Output keytab to ukdews0001.keytab:
Keytab version: 0x502
keysize 62 host/ukdews0001.transtest@TRANSTEST ptype 1 (KRB5_NT_PRINCIPAL)
vno 1..
etype 0x1 (DES-CBC-CRC) keylength 8 (0x4xxxxxxxxxxxxx)
Account has been set for DES-only encryption.
3. transfer keytab file to client
via FTP [...would be more secure in reality]
4. check keytab file:
# ktutil -f ukdews0001.keytab list
Version Type Principal
1 des-cbc-crc host/ukdews0001.transtest@TRANSTEST
5. install keytab file:
# ktutil -f ukdews0001.keytab copy ukdews0001.keytab /etc/krb5.keytab
6. create kerberos config file on unix host:
# cat /etc/krb5.conf
[lib_defaults]
        default_domain = TRANSTEST
        default_etypes = des-cbc-crc
        default_etypes_des = des-cbc-crc

[domain_realm]
        .transtest = TRANSTEST

[realms]
        TRANSTEST = {
                kdc = ukdesdc001.transtest
                default_domain = transtest
        }

[logging]
        default = FILE:/var/log/k5.txt
7. create user account on unix host
# useradd [...] ukpv0001 [with password as something_different ]
8. attempt user login... fails
login: ukpv0001
password: ******
"Unable to verify Kerberos v5 TGT: ukdews0001.transtest"
Tcpdump captures packets to/from KDC:
16:03:20.492416 ukdews0001.65471 > ukdesdc001.transtest.kerberos: (ttl 64, id 526)
16:03:20.493442 ukdesdc001.transtest.kerberos > ukdews0001.65471: (ttl 128, id 5943)
Error on console:
login: Kerberos v5 TGT bad: KDC has no support for checksum type.
9. however, once in [via 'su -l' instead] ukpv0001 can successfully get a ticket:
% kinit
ukpv0001@TRANSTEST's Password: ******
%
10. and list it:
% klist -v
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: ukpv0001@TRANSTEST
    Cache version: 4

Server: krbtgt/TRANSTEST@TRANSTEST
Ticket etype: des-cbc-md5
Auth time:  Jan 12 15:53:03 2001
End time:   Jan 13 01:52:58 2001
Ticket flags: initial, pre-authenticated
Addresses: IPv4:172.16.96.155, IPv6:::1, IPv4:127.0.0.1
11. then erase it & try a different encryption type:
% kdestroy
% kinit -e des-cbc-crc
ukpv0001@TRANSTEST's Password: *******
%
12. and list it:
% klist -v
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: ukpv0001@TRANSTEST
    Cache version: 4

Server: krbtgt/TRANSTEST@TRANSTEST
Ticket etype: des-cbc-crc
Auth time:  Jan 12 15:58:20 2001
End time:   Jan 13 01:58:17 2001
Ticket flags: initial, pre-authenticated
Addresses: IPv4:172.16.96.155, IPv6:::1, IPv4:127.0.0.1
The question is: why does 'login' fail when 'kinit' [appears to] work? Maybe I
need to set another default encryption type in /etc/krb5.conf for checksums to
fix it?
Any thoughts welcomed...
Pete
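Added example, not part of Pete's message: a small Python checker that parses the /etc/krb5.conf and the `ktutil list` output reproduced above and reports whether the keytab's host principal, the [domain_realm] mapping, the [realms] entry and the enctype list agree with one another, which is the first thing to verify when the host keytab is involved in login's TGT verification step. Assumptions: the client FQDN is the one given in the message, the inputs are constructed copies of what the message shows, and the checker looks for the section name `libdefaults`, which is the name Heimdal reads; on the config exactly as typed in the message it therefore reports that section as absent and skips the enctype comparison.

```python
"""Consistency checks between a Heimdal-style krb5.conf and a keytab listing.

Added example, not from the original message. The inputs are constructed
copies of the krb5.conf and `ktutil list` output shown in the message.
"""
import re

# Constructed copy of the config from the message (section name as typed there).
KRB5_CONF = """\
[lib_defaults]
    default_domain = TRANSTEST
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc

[domain_realm]
    .transtest = TRANSTEST

[realms]
    TRANSTEST = {
        kdc = ukdesdc001.transtest
        default_domain = transtest
    }

[logging]
    default = FILE:/var/log/k5.txt
"""

# Constructed copy of the `ktutil -f ukdews0001.keytab list` output.
KTUTIL_LIST = """\
Version  Type         Principal
     1   des-cbc-crc  host/ukdews0001.transtest@TRANSTEST
"""

CLIENT_FQDN = "ukdews0001.transtest"  # client host named in the message

# Section names Heimdal reads for these settings (assumption: Heimdal naming).
EXPECTED_SECTIONS = {"libdefaults", "realms", "domain_realm"}


def parse_krb5_conf(text):
    """Parse the INI-like krb5.conf format, including `name = { ... }` blocks.

    Returns {section: {key: value-or-dict}}; one level of nesting is enough
    for the [realms] section.
    """
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m or not stack:
            raise ValueError(f"unparsable line: {raw!r}")
        key, value = m.groups()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def parse_ktutil_list(text):
    """Parse `ktutil list` output into (vno, etype, principal) tuples."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) == 3:
            entries.append((int(parts[0]), parts[1], parts[2]))
    return entries


def realm_for_host(conf, fqdn):
    """Apply [domain_realm]: exact host match first, then the parent domains."""
    mapping = conf.get("domain_realm", {})
    if fqdn in mapping:
        return mapping[fqdn]
    labels = fqdn.lower().split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def check_keytab_against_conf(conf, entries, fqdn):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    for name in sorted(EXPECTED_SECTIONS - set(conf)):
        findings.append(f"section [{name}] not present (found: {sorted(conf)})")
    realms = conf.get("realms", {})
    mapped = realm_for_host(conf, fqdn)
    raw_etypes = conf.get("libdefaults", {}).get("default_etypes", "")
    wanted = {e.strip() for e in raw_etypes.split(",") if e.strip()}
    for _vno, etype, principal in entries:
        svc_host, _, realm = principal.partition("@")
        service, _, host = svc_host.partition("/")
        if service != "host":
            findings.append(f"{principal}: not a host/ principal")
        if host.lower() != fqdn.lower():
            findings.append(f"{principal}: host part does not match client FQDN {fqdn}")
        if realm not in realms:
            findings.append(f"{principal}: realm {realm} has no [realms] entry")
        elif "kdc" not in realms[realm]:
            findings.append(f"{principal}: realm {realm} has no kdc configured")
        if mapped != realm:
            findings.append(f"{fqdn} maps to realm {mapped!r} via [domain_realm], keytab says {realm}")
        if wanted and etype not in wanted:
            findings.append(f"{principal}: keytab etype {etype} not in default_etypes {sorted(wanted)}")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for finding in check_keytab_against_conf(conf, parse_ktutil_list(KTUTIL_LIST), CLIENT_FQDN):
        print("finding:", finding)
```

Run against the message's own inputs it prints a single finding, the missing `[libdefaults]` section; with that one section name changed the keytab, realm, domain mapping and enctype all check out clean, which narrows the remaining investigation to what login does with the host ticket rather than to the keytab itself.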