How to set up trust between 2003 SP1/R2 and MIT 1.4.3? - Kerberos


  1. How to set up trust between 2003 SP1/R2 and MIT 1.4.3?

    Is there anywhere a howto for setting up a one-way or even two-way trust
    between a Windows 2003 SP1/R2 server and a MIT KDC with rc4-hmac encryption?

    Thank you
    Markus



  2. Re: How to set up trust between 2003 SP1/R2 and MIT 1.4.3?

    I searched a bit more and found some hints on how to set it up. But I still
    have a couple of problems. Does anybody have an idea why I get a
    KRB5KDC_ERR_ETYPE_NOSUPP error when I try to access a webserver in the
    WINDOWS domain from a MIT domain?

    Thank you
    Markus

    My sample setup:

    1. OpenSuse with KDC opensuse.suse.home for the SUSE.HOME realm, for all
       systems in the *.suse.home domain (based on MIT 1.4.1)
    2. Windows 2003 R2 KDC w2k3.windows2003.home for the WINDOWS2003.HOME realm,
       for all systems in the *.windows2003.home domain
    3. Apache2 with mod_spnego running on opensuse.suse.home, allowing all valid
       users (the same host as the KDC, for testing only)
    4. Apache2 with mod_spnego running on w2k3.windows.home, allowing all valid
       users (the same host as the KDC, for testing; KfW 3.0 is installed too,
       to build mod_spnego)
    5. Windows XP system winxp.windows2003.home in realm WINDOWS2003.HOME
    6. PuTTY 0.57 from Vintela with SSPI support on Windows XP

    Both KDCs have a user markus. The Windows KDC also has a user markus-a,
    which does not exist in the OpenSuse KDC.

    On OpenSuse, markus had a .k5login file with:
    markus@SUSE.HOME
    markus@WINDOWS2003.HOME
    markus-a@WINDOWS2003.HOME

    =======================================================================

    Setup of kdc on OpenSuse with Apache2 and mod_spnego

    #!/bin/ksh
    DATE=`date +%Y%m%d.%H%M%S`
    #
    # OpenSuse binary locations
    #
    KDB5_UTIL=/usr/lib/mit/sbin/kdb5_util
    KADMINLOCAL=/usr/lib/mit/sbin/kadmin.local
    #
    # Directories and Files
    #
    VARDIR=/var/lib/kerberos/krb5kdc
    ETCDIR=/etc
    APACHEDIR=/etc/apache2
    KDC_CONF_DIR=${VARDIR}
    KADM5ACL=${VARDIR}/kadm5.acl
    #
    # Realms
    #
    REALM=SUSE.HOME
    REALM2=WINDOWS2003.HOME
    KDC=opensuse.suse.home
    KDC2=w2k3.windows2003.home
    DOMAIN=suse.home
    DOMAIN2=windows2003.home
    #
    # Trust password: must match the /PasswordT given to netdom on the Windows side
    PASS="UNIX000$"
    #
    # stop daemons
    #
    /etc/init.d/krb5kdc stop
    /etc/init.d/kadmind stop
    /etc/init.d/apache2 stop
    #
    # Save old configs
    #
    mkdir ${VARDIR}/version-${DATE}
    mv ${KDC_CONF_DIR}/kdc.conf ${KDC_CONF_DIR}/kdc.conf-${DATE}
    mv ${VARDIR}/principal* ${VARDIR}/version-${DATE}/
    mv ${VARDIR}/kadm5* ${VARDIR}/version-${DATE}/
    mv ${KADM5ACL} ${KADM5ACL}-${DATE}
    mv ${VARDIR}/.k5.* ${VARDIR}/version-${DATE}/

    mv ${ETCDIR}/krb5.conf ${ETCDIR}/krb5.conf-${DATE}
    mv ${ETCDIR}/krb5.keytab ${ETCDIR}/krb5.keytab-${DATE}

    mv ${APACHEDIR}/HTTP.keytab ${APACHEDIR}/HTTP.keytab-${DATE}
    #
    # Create kdc.conf (the here-documents below end at a line containing only "!")
    #
    cat > ${KDC_CONF_DIR}/kdc.conf <<!
    [kdcdefaults]
    kdc_ports = 750,88
    [realms]
    ${REALM} = {
    database_name = ${VARDIR}/principal
    admin_keytab = FILE:${VARDIR}/kadm5.keytab
    acl_file = ${KADM5ACL}
    key_stash_file = ${VARDIR}/.k5.${REALM}
    kdc_ports = 750,88
    supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
    kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    }
    [logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    !
    #
    # Create krb5.conf
    #
    cat > ${ETCDIR}/krb5.conf <<!
    [libdefaults]
    default_realm = ${REALM}
    dns_lookup_kdc = no
    dns_lookup_realm = no
    default_keytab_name = ${ETCDIR}/krb5.keytab
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    [realms]
    ${REALM} = {
    kdc = ${KDC}
    admin_server = ${KDC}
    }
    ${REALM2} = {
    kdc = ${KDC2}
    admin_server = ${KDC2}
    }
    [domain_realm]
    .${DOMAIN} = ${REALM}
    ${DOMAIN} = ${REALM}
    .${DOMAIN2} = ${REALM2}
    ${DOMAIN2} = ${REALM2}

    [logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
    !
    #
    # Create database (master password entered twice; -s writes the stash file)
    #
    ${KDB5_UTIL} create -r ${REALM} -s <<!
    ${REALM}00$
    ${REALM}00$
    !
    #
    # Create ACL file
    #
    cat > ${KADM5ACL} <<!
    ###############################################################################
    #Kerberos_principal permissions [target_principal] [restrictions]
    ###############################################################################
    #
    #*/admin@EXAMPLE.COM *
    */admin@${REALM} *
    !
    #
    # Create some principals (the two krbtgt entries are the cross-realm trust keys)
    #
    ${KADMINLOCAL} <<!
    addprinc -pw "${PASS}" krbtgt/${REALM}@${REALM2}
    addprinc -pw "${PASS}" krbtgt/${REALM2}@${REALM}
    addprinc -randkey host/${KDC}
    addprinc -pw "Root" root/admin
    addprinc -pw "Markus" markus/admin
    addprinc -pw "markus" markus
    addprinc -randkey HTTP/${KDC}
    ktadd -k ${VARDIR}/kadm5.keytab kadmin/admin kadmin/changepw
    ktadd -k ${ETCDIR}/krb5.keytab host/${KDC}
    ktadd -k ${APACHEDIR}/HTTP.keytab HTTP/${KDC}
    !
    #
    # Start daemons
    #
    /etc/init.d/krb5kdc start
    /etc/init.d/kadmind start
    chgrp www ${APACHEDIR}/HTTP.keytab
    chmod g+r ${APACHEDIR}/HTTP.keytab
    /etc/init.d/apache2 start


    =======================================================================

    Setup of Windows 2003 R2 KDC

    Raise AD to the Windows Server 2003 forest functional level from the Active
    Directory Domains and Trusts tool. Then run:

    ksetup.exe /addkdc SUSE.HOME opensuse.suse.home
    ksetup.exe /addrealmflags SUSE.HOME tcpsupported

    netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /add /realm /twoway /PasswordT:UNIX000$
    netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /transitive:yes
    netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /foresttransitive:yes
    netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home

    Create the HTTP/w2k3.windows2003.home principal with msktutil.

    =======================================================================

    Now, what I got working and what not:

    1) User WINDOWS2003\markus can connect with PuTTY from Win XP to
       opensuse.suse.home
    2) User WINDOWS2003\markus can connect with IE from Win XP to
       http://w2k3.windows2003.home
    3) User WINDOWS2003\markus can connect with IE from Win XP to
       http://opensuse.suse.home

    => 1) User WINDOWS2003\markus-a CAN NOT connect with PuTTY from Win XP to
       opensuse.suse.home (no port 88 traffic)
    2) User WINDOWS2003\markus-a can connect with IE from Win XP to
       http://w2k3.windows2003.home
    3) User WINDOWS2003\markus-a can connect with IE from Win XP to
       http://opensuse.suse.home

    4) User WINDOWS2003\markus can connect with PuTTY from the Windows 2003 KDC
       to opensuse.suse.home
    5) User WINDOWS2003\markus can connect with IE from the Windows 2003 KDC to
       http://opensuse.suse.home
    => 6) User WINDOWS2003\markus CAN NOT connect with IE from the Windows 2003
       KDC to http://w2k3.windows2003.home (no port 88 traffic)

    7) User markus@SUSE.HOME can connect with Firefox from OpenSuse to
       http://opensuse.suse.home
    8) User markus@WINDOWS2003.HOME can connect with Firefox from OpenSuse to
       http://opensuse.suse.home
    9) User markus@WINDOWS2003.HOME can connect with Firefox from OpenSuse to
       http://w2k3.windows2003.home
    => 10) User markus@SUSE.HOME CAN NOT connect with Firefox from OpenSuse to
       http://w2k3.windows2003.home. I get a KRB5KDC_ERR_ETYPE_NOSUPP error
       (see below the capture of AS-REQ, AS-REP, TGS-REQ, TGS-REP)



    No.  Time          Source              Destination         Protocol  Info
    435  51218.688966  opensuse.suse.home  opensuse.suse.home  KRB5      AS-REQ

    Frame 435 (203 bytes on wire, 203 bytes captured)
    Arrival Time: May 1, 2006 13:51:23.964058000
    Time delta from previous packet: 217.931451000 seconds
    Time since reference or first frame: 51218.688966000 seconds
    Frame Number: 435
    Packet Length: 203 bytes
    Capture Length: 203 bytes
    Protocols in frame: sll:ip:udp:kerberos
    Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 772
    Link-layer address length: 0
    Source:
    Protocol: IP (0x0800)
    Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    opensuse.suse.home (192.168.1.7)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 187
    Identification: 0x34ac (13484)
    Flags: 0x04 (Don't Fragment)
    0... = Reserved bit: Not set
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x8227 [correct]
    Good: True
    Bad : False
    Source: opensuse.suse.home (192.168.1.7)
    Destination: opensuse.suse.home (192.168.1.7)
    User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
    Source port: 32885 (32885)
    Destination port: kerberos (88)
    Length: 167
    Checksum: 0x8417 [incorrect, should be 0x1303]
    Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    KDC_REQ_BODY
    Padding: 0
    KDCOptions: 00000010 (Renewable OK)
    .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
    use forwardable tickets
    ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT
    a forwarded ticket
    ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use
    proxiable tickets
    .... 0... .... .... .... .... .... .... = Proxy: This ticket has
    NOT been proxied
    .... .0.. .... .... .... .... .... .... = Allow Postdate: We do
    NOT allow the ticket to be postdated
    .... ..0. .... .... .... .... .... .... = Postdated: This ticket
    is NOT postdated
    .... .... 0... .... .... .... .... .... = Renewable: This ticket
    is NOT renewable
    .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
    .... .... .... ...0 .... .... .... .... = Canonicalize: This is
    NOT a canonicalized ticket request
    .... .... .... .... .... .... ..0. .... = Disable Transited
    Check: Transited checking is NOT disabled
    .... .... .... .... .... .... ...1 .... = Renewable OK: We
    accept RENEWED tickets
    .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
    NOT encrypt the tkt inside the skey
    .... .... .... .... .... .... .... ..0. = Renew: This is NOT a
    request to renew a ticket
    .... .... .... .... .... .... .... ...0 = Validate: This is NOT
    a request to validate a postdated ticket
    Client Name (Principal): markus
    Name-type: Principal (1)
    Name: markus
    Realm: SUSE.HOME
    Server Name (Unknown): krbtgt/SUSE.HOME
    Name-type: Unknown (0)
    Name: krbtgt
    Name: SUSE.HOME
    from: 2006-05-01 12:51:23 (Z)
    till: 2006-05-02 12:51:23 (Z)
    Nonce: 1146487883
    Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    Encryption type: rc4-hmac (23)
    Encryption type: des3-cbc-sha1 (16)
    Encryption type: des-cbc-crc (1)
    Encryption type: des-cbc-md5 (3)

    No.  Time          Source              Destination         Protocol  Info
    436  51218.693811  opensuse.suse.home  opensuse.suse.home  KRB5      AS-REP

    Frame 436 (598 bytes on wire, 598 bytes captured)
    Arrival Time: May 1, 2006 13:51:23.968903000
    Time delta from previous packet: 0.004845000 seconds
    Time since reference or first frame: 51218.693811000 seconds
    Frame Number: 436
    Packet Length: 598 bytes
    Capture Length: 598 bytes
    Protocols in frame: sll:ip:udp:kerberos
    Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 772
    Link-layer address length: 0
    Source:
    Protocol: IP (0x0800)
    Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    opensuse.suse.home (192.168.1.7)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 582
    Identification: 0x001e (30)
    Flags: 0x04 (Don't Fragment)
    0... = Reserved bit: Not set
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0xb52a [correct]
    Good: True
    Bad : False
    Source: opensuse.suse.home (192.168.1.7)
    Destination: opensuse.suse.home (192.168.1.7)
    User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
    Source port: kerberos (88)
    Destination port: 32885 (32885)
    Length: 562
    Checksum: 0x85a2 [incorrect, should be 0x84dc]
    Kerberos AS-REP
    Pvno: 5
    MSG Type: AS-REP (11)
    padata: Unknown:19
    Type: Unknown (19)
    Value: 30073005A003020117
    Client Realm: SUSE.HOME
    Client Name (Principal): markus
    Name-type: Principal (1)
    Name: markus
    Ticket
    Tkt-vno: 5
    Realm: SUSE.HOME
    Server Name (Unknown): krbtgt/SUSE.HOME
    Name-type: Unknown (0)
    Name: krbtgt
    Name: SUSE.HOME
    enc-part rc4-hmac
    Encryption type: rc4-hmac (23)
    Kvno: 1
    enc-part: 4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1.. .
    enc-part rc4-hmac
    Encryption type: rc4-hmac (23)
    enc-part: E0E5CF0DBFEF8C3326CE6F3CB5CFFD73A355696BCD0E95CB.. .

    No.  Time          Source              Destination         Protocol  Info
    443  51229.309113  opensuse.suse.home  opensuse.suse.home  KRB5      TGS-REQ

    Frame 443 (652 bytes on wire, 652 bytes captured)
    Arrival Time: May 1, 2006 13:51:34.584205000
    Time delta from previous packet: 10.615302000 seconds
    Time since reference or first frame: 51229.309113000 seconds
    Frame Number: 443
    Packet Length: 652 bytes
    Capture Length: 652 bytes
    Protocols in frame: sll:ip:udp:kerberos
    Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 772
    Link-layer address length: 0
    Source:
    Protocol: IP (0x0800)
    Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    opensuse.suse.home (192.168.1.7)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 636
    Identification: 0x3f0b (16139)
    Flags: 0x04 (Don't Fragment)
    0... = Reserved bit: Not set
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x7607 [correct]
    Good: True
    Bad : False
    Source: opensuse.suse.home (192.168.1.7)
    Destination: opensuse.suse.home (192.168.1.7)
    User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
    Source port: 32885 (32885)
    Destination port: kerberos (88)
    Length: 616
    Checksum: 0x85d8 [incorrect, should be 0x7d06]
    Kerberos TGS-REQ
    Pvno: 5
    MSG Type: TGS-REQ (12)
    padata: PA-TGS-REQ
    Type: PA-TGS-REQ (1)
    Value: 6E82019D30820199A003020105A10302010EA20703050000.. .
    AP-REQ
    Pvno: 5
    MSG Type: AP-REQ (14)
    Padding: 0
    APOptions: 00000000
    .0.. .... .... .... .... .... .... .... = Use Session
    Key: Do NOT use the session key to encrypt the ticket
    ..0. .... .... .... .... .... .... .... = Mutual
    required: Mutual authentication is NOT required
    Ticket
    Tkt-vno: 5
    Realm: SUSE.HOME
    Server Name (Unknown): krbtgt/SUSE.HOME
    Name-type: Unknown (0)
    Name: krbtgt
    Name: SUSE.HOME
    enc-part rc4-hmac
    Encryption type: rc4-hmac (23)
    Kvno: 1
    enc-part:
    4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1.. .
    Authenticator rc4-hmac
    Encryption type: rc4-hmac (23)
    Authenticator data:
    B7008BD37B307572105D0107E309A30F6E89F74B4663A474.. .
    KDC_REQ_BODY
    Padding: 0
    KDCOptions: 00800000 (Renewable)
    .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
    use forwardable tickets
    ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT
    a forwarded ticket
    ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use
    proxiable tickets
    .... 0... .... .... .... .... .... .... = Proxy: This ticket has
    NOT been proxied
    .... .0.. .... .... .... .... .... .... = Allow Postdate: We do
    NOT allow the ticket to be postdated
    .... ..0. .... .... .... .... .... .... = Postdated: This ticket
    is NOT postdated
    .... .... 1... .... .... .... .... .... = Renewable: This ticket
    is RENEWABLE
    .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
    .... .... .... ...0 .... .... .... .... = Canonicalize: This is
    NOT a canonicalized ticket request
    .... .... .... .... .... .... ..0. .... = Disable Transited
    Check: Transited checking is NOT disabled
    .... .... .... .... .... .... ...0 .... = Renewable OK: We do
    NOT accept renewed tickets
    .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
    NOT encrypt the tkt inside the skey
    .... .... .... .... .... .... .... ..0. = Renew: This is NOT a
    request to renew a ticket
    .... .... .... .... .... .... .... ...0 = Validate: This is NOT
    a request to validate a postdated ticket
    Realm: SUSE.HOME
    Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    Name-type: Unknown (0)
    Name: krbtgt
    Name: WINDOWS2003.HOME
    from: 2006-05-01 12:51:23 (Z)
    till: 2006-05-01 22:51:23 (Z)
    rtime: 2006-05-02 12:51:23 (Z)
    Nonce: 1146487891
    Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    Encryption type: rc4-hmac (23)
    Encryption type: des3-cbc-sha1 (16)
    Encryption type: des-cbc-crc (1)
    Encryption type: des-cbc-md5 (3)

    No.  Time          Source              Destination         Protocol  Info
    444  51229.328348  opensuse.suse.home  opensuse.suse.home  KRB5      TGS-REP

    Frame 444 (629 bytes on wire, 629 bytes captured)
    Arrival Time: May 1, 2006 13:51:34.603440000
    Time delta from previous packet: 0.019235000 seconds
    Time since reference or first frame: 51229.328348000 seconds
    Frame Number: 444
    Packet Length: 629 bytes
    Capture Length: 629 bytes
    Protocols in frame: sll:ip:udp:kerberos
    Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 772
    Link-layer address length: 0
    Source:
    Protocol: IP (0x0800)
    Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    opensuse.suse.home (192.168.1.7)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 613
    Identification: 0x001f (31)
    Flags: 0x04 (Don't Fragment)
    0... = Reserved bit: Not set
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0xb50a [correct]
    Good: True
    Bad : False
    Source: opensuse.suse.home (192.168.1.7)
    Destination: opensuse.suse.home (192.168.1.7)
    User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
    Source port: kerberos (88)
    Destination port: 32885 (32885)
    Length: 593
    Checksum: 0x85c1 [incorrect, should be 0x3f5c]
    Kerberos TGS-REP
    Pvno: 5
    MSG Type: TGS-REP (13)
    Client Realm: SUSE.HOME
    Client Name (Principal): markus
    Name-type: Principal (1)
    Name: markus
    Ticket
    Tkt-vno: 5
    Realm: SUSE.HOME
    Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    Name-type: Unknown (0)
    Name: krbtgt
    Name: WINDOWS2003.HOME
    enc-part rc4-hmac
    Encryption type: rc4-hmac (23)
    Kvno: 1
    enc-part: 46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE.. .
    enc-part rc4-hmac
    Encryption type: rc4-hmac (23)
    enc-part: 981F6F1C48DBB164CDAB8E7C4439D8C29B9DD584929E8580.. .

    No.  Time          Source              Destination                   Protocol  Info
    445  51229.329735  opensuse.suse.home  windows2003.windows2003.home  KRB5      TGS-REQ

    Frame 445 (651 bytes on wire, 651 bytes captured)
    Arrival Time: May 1, 2006 13:51:34.604827000
    Time delta from previous packet: 0.001387000 seconds
    Time since reference or first frame: 51229.329735000 seconds
    Frame Number: 445
    Packet Length: 651 bytes
    Capture Length: 651 bytes
    Protocols in frame: sll:ip:udp:kerberos
    Linux cooked capture
    Packet type: Sent by us (4)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: Vmware_02:d5:f5 (00:0c:29:02:d5:f5)
    Protocol: IP (0x0800)
    Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    windows2003.windows2003.home (192.168.1.5)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 635
    Identification: 0x3f10 (16144)
    Flags: 0x04 (Don't Fragment)
    0... = Reserved bit: Not set
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x7605 [correct]
    Good: True
    Bad : False
    Source: opensuse.suse.home (192.168.1.7)
    Destination: windows2003.windows2003.home (192.168.1.5)
    User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
    Source port: 32885 (32885)
    Destination port: kerberos (88)
    Length: 615
    Checksum: 0x9902 [correct]
    Kerberos TGS-REQ
    Pvno: 5
    MSG Type: TGS-REQ (12)
    padata: PA-TGS-REQ
    Type: PA-TGS-REQ (1)
    Value: 6E8201BA308201B6A003020105A10302010EA20703050000.. .
    AP-REQ
    Pvno: 5
    MSG Type: AP-REQ (14)
    Padding: 0
    APOptions: 00000000
    .0.. .... .... .... .... .... .... .... = Use Session
    Key: Do NOT use the session key to encrypt the ticket
    ..0. .... .... .... .... .... .... .... = Mutual
    required: Mutual authentication is NOT required
    Ticket
    Tkt-vno: 5
    Realm: SUSE.HOME
    Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    Name-type: Unknown (0)
    Name: krbtgt
    Name: WINDOWS2003.HOME
    enc-part rc4-hmac
    Encryption type: rc4-hmac (23)
    Kvno: 1
    enc-part:
    46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE.. .
    Authenticator rc4-hmac
    Encryption type: rc4-hmac (23)
    Authenticator data:
    FE71BE32F2BFF609F021A368F6DAF66CC42C00C7508FB8E2.. .
    KDC_REQ_BODY
    Padding: 0
    KDCOptions: 00800000 (Renewable)
    .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
    use forwardable tickets
    ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT
    a forwarded ticket
    ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use
    proxiable tickets
    .... 0... .... .... .... .... .... .... = Proxy: This ticket has
    NOT been proxied
    .... .0.. .... .... .... .... .... .... = Allow Postdate: We do
    NOT allow the ticket to be postdated
    .... ..0. .... .... .... .... .... .... = Postdated: This ticket
    is NOT postdated
    .... .... 1... .... .... .... .... .... = Renewable: This ticket
    is RENEWABLE
    .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
    .... .... .... ...0 .... .... .... .... = Canonicalize: This is
    NOT a canonicalized ticket request
    .... .... .... .... .... .... ..0. .... = Disable Transited
    Check: Transited checking is NOT disabled
    .... .... .... .... .... .... ...0 .... = Renewable OK: We do
    NOT accept renewed tickets
    .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
    NOT encrypt the tkt inside the skey
    .... .... .... .... .... .... .... ..0. = Renew: This is NOT a
    request to renew a ticket
    .... .... .... .... .... .... .... ...0 = Validate: This is NOT
    a request to validate a postdated ticket
    Realm: WINDOWS2003.HOME
    Server Name (Service and Host): HTTP/w2k3.windows2003.home
    Name-type: Service and Host (3)
    Name: HTTP
    Name: w2k3.windows2003.home
    till: 2006-05-01 22:51:23 (Z)
    Nonce: 1146487891
    Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    Encryption type: rc4-hmac (23)
    Encryption type: des3-cbc-sha1 (16)
    Encryption type: des-cbc-crc (1)
    Encryption type: des-cbc-md5 (3)

    No.  Time          Source                        Destination         Protocol  Info
    446  51229.334347  windows2003.windows2003.home  opensuse.suse.home  KRB5      KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP

    Frame 446 (151 bytes on wire, 151 bytes captured)
    Arrival Time: May 1, 2006 13:51:34.609439000
    Time delta from previous packet: 0.004612000 seconds
    Time since reference or first frame: 51229.334347000 seconds
    Frame Number: 446
    Packet Length: 151 bytes
    Capture Length: 151 bytes
    Protocols in frame: sll:ip:udp:kerberos
    Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: Vmware_71:05:9f (00:0c:29:71:05:9f)
    Protocol: IP (0x0800)
    Internet Protocol, Src: windows2003.windows2003.home (192.168.1.5), Dst:
    opensuse.suse.home (192.168.1.7)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 135
    Identification: 0xdebe (57022)
    Flags: 0x00
    0... = Reserved bit: Not set
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0xd84a [correct]
    Good: True
    Bad : False
    Source: windows2003.windows2003.home (192.168.1.5)
    Destination: opensuse.suse.home (192.168.1.7)
    User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
    Source port: kerberos (88)
    Destination port: 32885 (32885)
    Length: 115
    Checksum: 0xb7f8 [correct]
    Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2006-05-01 12:51:33 (Z)
    susec: 907050
    error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
    Realm: WINDOWS2003.HOME
    Server Name (Service and Host): HTTP/w2k3.windows2003.home
    Name-type: Service and Host (3)
    Name: HTTP
    Name: w2k3.windows2003.home

    "Markus Moeller" wrote in message
    news:444bcbd2$0$23157$ed2e19e4@ptn-nntp-reader04.plus.net...




  3. Re: How to set up trust between 2003 SP1/R2 and MIT 1.4.3?

    Three further observations:

    => 1) User WINDOWS2003\markus-a CAN NOT connect with PuTTY from Win XP to
       opensuse.suse.home (no port 88 traffic)
    I can connect as user WINDOWS2003\markus-a with PuTTY 0.58 with GSSAPI
    (e.g. MIT libraries) from Win XP to opensuse.suse.home.

    => 10) User markus@SUSE.HOME CAN NOT connect with Firefox from OpenSuse to
       http://w2k3.windows2003.home. I get a KRB5KDC_ERR_ETYPE_NOSUPP error
       (see below the capture of AS-REQ, AS-REP, TGS-REQ, TGS-REP)
    It works when I change the encryption types in krb5.conf on OpenSuse to
    DES only.

    And I CAN NOT log in to the Win XP box as markus from domain SUSE.HOME. I
    tried ksetup /mapuser * * with no success.

    Any idea what I need to change?

    Thank you
    Markus

    "Markus Moeller" wrote in message
    news:4456216c$0$2562$ed2619ec@ptn-nntp-reader02.plus.net...
    >I searched a bit more and found some hints how to set it up. But I still
    >have a couple of problems. Does anybody have an idea why I get a
    >KRB5KDC_ERR_ETYPE_NOSUPP error when I try to access a webserver in the
    >WINDOWS domain from a MIT domain ?
    >
    > Thank you
    > Markus
    >
    > My sample setup:
    >
    > 1. OpenSuse with kdc opensuse.suse.home for SUSE.HOME realm for all
    > systems in *.suse.home domain (which is based on MIT 1.4.1)
    > 2. Windows 2003 R2 kdc w2k3.windows2003.home for WINDOWS2003.HOME realm
    > for all systems in *.windows2003.home domain
    > 3. Run Apache2 with mod_spnego on opensuse.suse.home allows all valid
    > users (the same host as kdc for testing only)
    > 4. Run Apache2 with mod_spnego on w2k3.windows.home allows all valid users
    > (the same host as the kdc for testing with kfw 3.0 installed too to build
    > mod_spnego)
    > 5. Windows XP system winxp.windows2003.home in realm WINDOWS2003.HOME
    > 6. Run putty 0.57 fromVintela with SSPI support on Windows XP
    >
    > Both kdc's have a user markus. The Windows kdc has also a user markus-a
    > which does not exist in the OpenSuse kdc
    >
    > On OpenSuse markus had a .k5login file with:
    > markus@SUSE.HOME
    > markus@WINDOWS2003.HOME
    > markus-a@WINDOWS2003.HOME
    >
    > ================================================== =====================
    >
    > Setup of kdc on OpenSuse with Apache2 and mod_spnego
    >
    > #!/bin/ksh
    > DATE=`date +%Y%m%d.%H%M%S`
    > #
    > # OpenSuse binary locations
    > #
    > KDB5_UTIL=/usr/lib/mit/sbin/kdb5_util
    > KADMINLOCAL=/usr/lib/mit/sbin/kadmin.local
    > #
    > # Directories and Files
    > #
    > VARDIR=/var/lib/kerberos/krb5kdc
    > ETCDIR=/etc
    > APACHEDIR=/etc/apache2
    > KDC_CONF_DIR=${VARDIR}
    > KADM5ACL=${VARDIR}/kadm5.acl
    > #
    > # Realms
    > #
    > REALM=SUSE.HOME
    > REALM2=WINDOWS2003.HOME
    > KDC=opensuse.suse.home
    > KDC2=w2k3.windows2003.home
    > DOMAIN=suse.home
    > DOMAIN2=windows2003.home
    > #
    > PASS="UNIX000$"
    > #
    > # stop daemons
    > #
    > /etc/init.d/krb5kdc stop
    > /etc/init.d/kadmind stop
    > /etc/init.d/apache2 stop
    > #
    > # Save old configs
    > #
    > mkdir ${VARDIR}/version-${DATE}
    > mv ${KDC_CONF_DIR}/kdc.conf ${KDC_CONF_DIR}/kdc.conf-${DATE}
    > mv ${VARDIR}/principal* ${VARDIR}/version-${DATE}/
    > mv ${VARDIR}/kadm5* ${VARDIR}/version-${DATE}/
    > mv ${KADM5ACL} ${KADM5ACL}-${DATE}
    > mv ${VARDIR}/.k5.* ${VARDIR}/version-${DATE}/
    >
    > mv ${ETCDIR}/krb5.conf ${ETCDIR}/krb5.conf-${DATE}
    > mv ${ETCDIR}/krb5.keytab ${ETCDIR}/krb5.keytab-${DATE}
    >
    > mv ${APACHEDIR}/HTTP.keytab ${APACHEDIR}/HTTP.keytab-${DATE}
    > #
    > # Create kdc.conf (unquoted heredoc: ${REALM} etc. are expanded; a line holding only ! ends it)
    > #
    > cat > ${KDC_CONF_DIR}/kdc.conf <<!
    > [kdcdefaults]
    >     kdc_ports = 750,88
    > [realms]
    >     ${REALM} = {
    >         database_name = ${VARDIR}/principal
    >         admin_keytab = FILE:${VARDIR}/kadm5.keytab
    >         acl_file = ${KADM5ACL}
    >         key_stash_file = ${VARDIR}/.k5.${REALM}
    >         kdc_ports = 750,88
    >         supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
    >         kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
    >         max_life = 10h 0m 0s
    >         max_renewable_life = 7d 0h 0m 0s
    >     }
    > [logging]
    >     kdc = FILE:/var/log/kdc.log
    >     admin_server = FILE:/var/log/kadmin.log
    > !
    > #
    > # Create krb5.conf
    > #
    > cat > ${ETCDIR}/krb5.conf <<!
    > [libdefaults]
    >     default_realm = ${REALM}
    >     dns_lookup_kdc = no
    >     dns_lookup_realm = no
    >     default_keytab_name = ${ETCDIR}/krb5.keytab
    >     default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    >     default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    >     permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    > [realms]
    >     ${REALM} = {
    >         kdc = ${KDC}
    >         admin_server = ${KDC}
    >     }
    >     ${REALM2} = {
    >         kdc = ${KDC2}
    >         admin_server = ${KDC2}
    >     }
    > [domain_realm]
    >     .${DOMAIN} = ${REALM}
    >     ${DOMAIN} = ${REALM}
    >     .${DOMAIN2} = ${REALM2}
    >     ${DOMAIN2} = ${REALM2}
    > [logging]
    >     kdc = FILE:/var/log/krb5kdc.log
    >     admin_server = FILE:/var/log/kadmin.log
    >     default = FILE:/var/log/krb5lib.log
    > !
    > #
    > # Create database (kdb5_util reads the master password twice from stdin: once to set, once to confirm)
    > #
    > ${KDB5_UTIL} create -r ${REALM} -s <<!
    > ${REALM}00$
    > ${REALM}00$
    > !
    > #
    > # Create ACL file
    > #
    > cat > ${KADM5ACL} <<!
    > ###############################################################################
    > #Kerberos_principal permissions [target_principal] [restrictions]
    > ###############################################################################
    > #
    > #*/admin@EXAMPLE.COM *
    > */admin@${REALM} *
    > !
    > #
    > # Create some principals
    > #
    > ${KADMINLOCAL} <<!
    > addprinc -pw "${PASS}" krbtgt/${REALM}@${REALM2}
    > addprinc -pw "${PASS}" krbtgt/${REALM2}@${REALM}
    > addprinc -randkey host/${KDC}
    > addprinc -pw "Root" root/admin
    > addprinc -pw "Markus" markus/admin
    > addprinc -pw "markus" markus
    > addprinc -randkey HTTP/${KDC}
    > ktadd -k ${VARDIR}/kadm5.keytab kadmin/admin kadmin/changepw
    > ktadd -k ${ETCDIR}/krb5.keytab host/${KDC}
    > ktadd -k ${APACHEDIR}/HTTP.keytab HTTP/${KDC}
    > !
    > #
    > # Start daemons
    > #
    > /etc/init.d/krb5kdc start
    > /etc/init.d/kadmind start
    > chgrp www ${APACHEDIR}/HTTP.keytab
    > chmod g+r ${APACHEDIR}/HTTP.keytab
    > /etc/init.d/apache2 start
    >
    >
    > ================================================== ====================================
    >
    > Setup of Windows 2003 R2 KDC
    >
    > Raise AD to Windows 2003 server forest functional level from AD Directory
    > and Trust tool. Then run
    >
    > ksetup.exe /addkdc SUSE.HOME opensuse.suse.home
    > ksetup.exe /addrealmflags SUSE.HOME tcpsupported
    >
    >
    > netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /add /realm /twoway /PasswordT:UNIX000$
    > netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /transitive:yes
    > netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /foresttransitive:yes
    > netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home
    >
    > create HTTP/w2k3.windows2003.home principal with msktutil.
    >
    > ================================================== =====================================
    >
    > Now, what I got working and what not:
    >
    > 1) User WINDOWS2003\markus can connect with putty from Win XP to
    > opensuse.suse.home
    > 2) User WINDOWS2003\markus can connect with IE from Win XP to
    > http://w2k3.windows2003.home
    > 3) User WINDOWS2003\markus can connect with IE from Win XP to
    > http://opensuse.suse.home
    >
    > => 1) User WINDOWS2003\markus-a CAN NOT connect with putty from Win XP to
    > opensuse.suse.home (no port 88 traffic)
    > 2) User WINDOWS2003\markus-a can connect with IE from Win XP to
    > http://w2k3.windows2003.home
    > 3) User WINDOWS2003\markus-a can connect with IE from Win XP to
    > http://opensuse.suse.home
    >
    > 4) User WINDOWS2003\markus can connect with putty from Windows 2003
    > kdc to opensuse.suse.home
    > 5) User WINDOWS2003\markus can connect with IE from Windows 2003 kdc
    > to http://opensuse.suse.home
    > => 6) User WINDOWS2003\markus CAN NOT connect with IE from Windows 2003
    > kdc to http://w2k3.windows2003.home (no port 88 traffic)
    >
    > 7) User markus@SUSE.HOME can connect with Firefox from OpenSuse to
    > http://opensuse.suse.home
    > 8) User markus@WINDOWS2003.HOME can connect with Firefox from OpenSuse
    > to http://opensuse.suse.home
    > 9) User markus@WINDOWS2003.HOME can connect with Firefox from OpenSuse
    > to http://w2k3.windows2003.home
    > => 10) User markus@SUSE.HOME CAN NOT connect with Firefox from OpenSuse to
    > http://w2k3.windows2003.home. I get a
    > KRB5KDC_ERR_ETYPE_NOSUPP error (see below capture of AS-REQ, AS-REP,
    > TGS-REQ, TGS-REP)
    >
    >
    >
    > No. Time Source Destination Protocol
    > Info
    > 435 51218.688966 opensuse.suse.home opensuse.suse.home KRB5
    > AS-REQ
    >
    > Frame 435 (203 bytes on wire, 203 bytes captured)
    > Arrival Time: May 1, 2006 13:51:23.964058000
    > Time delta from previous packet: 217.931451000 seconds
    > Time since reference or first frame: 51218.688966000 seconds
    > Frame Number: 435
    > Packet Length: 203 bytes
    > Capture Length: 203 bytes
    > Protocols in frame: sll:ip:udp:kerberos
    > Linux cooked capture
    > Packet type: Unicast to us (0)
    > Link-layer address type: 772
    > Link-layer address length: 0
    > Source:
    > Protocol: IP (0x0800)
    > Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    > opensuse.suse.home (192.168.1.7)
    > Version: 4
    > Header length: 20 bytes
    > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    > 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    > .... ..0. = ECN-Capable Transport (ECT): 0
    > .... ...0 = ECN-CE: 0
    > Total Length: 187
    > Identification: 0x34ac (13484)
    > Flags: 0x04 (Don't Fragment)
    > 0... = Reserved bit: Not set
    > .1.. = Don't fragment: Set
    > ..0. = More fragments: Not set
    > Fragment offset: 0
    > Time to live: 64
    > Protocol: UDP (0x11)
    > Header checksum: 0x8227 [correct]
    > Good: True
    > Bad : False
    > Source: opensuse.suse.home (192.168.1.7)
    > Destination: opensuse.suse.home (192.168.1.7)
    > User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
    > Source port: 32885 (32885)
    > Destination port: kerberos (88)
    > Length: 167
    > Checksum: 0x8417 [incorrect, should be 0x1303]
    > Kerberos AS-REQ
    > Pvno: 5
    > MSG Type: AS-REQ (10)
    > KDC_REQ_BODY
    > Padding: 0
    > KDCOptions: 00000010 (Renewable OK)
    > .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
    > use forwardable tickets
    > ..0. .... .... .... .... .... .... .... = Forwarded: This is
    > NOT a forwarded ticket
    > ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use
    > proxiable tickets
    > .... 0... .... .... .... .... .... .... = Proxy: This ticket
    > has NOT been proxied
    > .... .0.. .... .... .... .... .... .... = Allow Postdate: We do
    > NOT allow the ticket to be postdated
    > .... ..0. .... .... .... .... .... .... = Postdated: This
    > ticket is NOT postdated
    > .... .... 0... .... .... .... .... .... = Renewable: This
    > ticket is NOT renewable
    > .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
    > .... .... .... ...0 .... .... .... .... = Canonicalize: This is
    > NOT a canonicalized ticket request
    > .... .... .... .... .... .... ..0. .... = Disable Transited
    > Check: Transited checking is NOT disabled
    > .... .... .... .... .... .... ...1 .... = Renewable OK: We
    > accept RENEWED tickets
    > .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
    > NOT encrypt the tkt inside the skey
    > .... .... .... .... .... .... .... ..0. = Renew: This is NOT a
    > request to renew a ticket
    > .... .... .... .... .... .... .... ...0 = Validate: This is NOT
    > a request to validate a postdated ticket
    > Client Name (Principal): markus
    > Name-type: Principal (1)
    > Name: markus
    > Realm: SUSE.HOME
    > Server Name (Unknown): krbtgt/SUSE.HOME
    > Name-type: Unknown (0)
    > Name: krbtgt
    > Name: SUSE.HOME
    > from: 2006-05-01 12:51:23 (Z)
    > till: 2006-05-02 12:51:23 (Z)
    > Nonce: 1146487883
    > Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    > Encryption type: rc4-hmac (23)
    > Encryption type: des3-cbc-sha1 (16)
    > Encryption type: des-cbc-crc (1)
    > Encryption type: des-cbc-md5 (3)
    >
    > No. Time Source Destination Protocol
    > Info
    > 436 51218.693811 opensuse.suse.home opensuse.suse.home KRB5
    > AS-REP
    >
    > Frame 436 (598 bytes on wire, 598 bytes captured)
    > Arrival Time: May 1, 2006 13:51:23.968903000
    > Time delta from previous packet: 0.004845000 seconds
    > Time since reference or first frame: 51218.693811000 seconds
    > Frame Number: 436
    > Packet Length: 598 bytes
    > Capture Length: 598 bytes
    > Protocols in frame: sll:ip:udp:kerberos
    > Linux cooked capture
    > Packet type: Unicast to us (0)
    > Link-layer address type: 772
    > Link-layer address length: 0
    > Source:
    > Protocol: IP (0x0800)
    > Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    > opensuse.suse.home (192.168.1.7)
    > Version: 4
    > Header length: 20 bytes
    > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    > 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    > .... ..0. = ECN-Capable Transport (ECT): 0
    > .... ...0 = ECN-CE: 0
    > Total Length: 582
    > Identification: 0x001e (30)
    > Flags: 0x04 (Don't Fragment)
    > 0... = Reserved bit: Not set
    > .1.. = Don't fragment: Set
    > ..0. = More fragments: Not set
    > Fragment offset: 0
    > Time to live: 64
    > Protocol: UDP (0x11)
    > Header checksum: 0xb52a [correct]
    > Good: True
    > Bad : False
    > Source: opensuse.suse.home (192.168.1.7)
    > Destination: opensuse.suse.home (192.168.1.7)
    > User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
    > Source port: kerberos (88)
    > Destination port: 32885 (32885)
    > Length: 562
    > Checksum: 0x85a2 [incorrect, should be 0x84dc]
    > Kerberos AS-REP
    > Pvno: 5
    > MSG Type: AS-REP (11)
    > padata: Unknown:19
    > Type: Unknown (19)
    > Value: 30073005A003020117
    > Client Realm: SUSE.HOME
    > Client Name (Principal): markus
    > Name-type: Principal (1)
    > Name: markus
    > Ticket
    > Tkt-vno: 5
    > Realm: SUSE.HOME
    > Server Name (Unknown): krbtgt/SUSE.HOME
    > Name-type: Unknown (0)
    > Name: krbtgt
    > Name: SUSE.HOME
    > enc-part rc4-hmac
    > Encryption type: rc4-hmac (23)
    > Kvno: 1
    > enc-part: 4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1.. .
    > enc-part rc4-hmac
    > Encryption type: rc4-hmac (23)
    > enc-part: E0E5CF0DBFEF8C3326CE6F3CB5CFFD73A355696BCD0E95CB.. .
    >
    > No. Time Source Destination Protocol
    > Info
    > 443 51229.309113 opensuse.suse.home opensuse.suse.home KRB5
    > TGS-REQ
    >
    > Frame 443 (652 bytes on wire, 652 bytes captured)
    > Arrival Time: May 1, 2006 13:51:34.584205000
    > Time delta from previous packet: 10.615302000 seconds
    > Time since reference or first frame: 51229.309113000 seconds
    > Frame Number: 443
    > Packet Length: 652 bytes
    > Capture Length: 652 bytes
    > Protocols in frame: sll:ip:udp:kerberos
    > Linux cooked capture
    > Packet type: Unicast to us (0)
    > Link-layer address type: 772
    > Link-layer address length: 0
    > Source:
    > Protocol: IP (0x0800)
    > Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    > opensuse.suse.home (192.168.1.7)
    > Version: 4
    > Header length: 20 bytes
    > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    > 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    > .... ..0. = ECN-Capable Transport (ECT): 0
    > .... ...0 = ECN-CE: 0
    > Total Length: 636
    > Identification: 0x3f0b (16139)
    > Flags: 0x04 (Don't Fragment)
    > 0... = Reserved bit: Not set
    > .1.. = Don't fragment: Set
    > ..0. = More fragments: Not set
    > Fragment offset: 0
    > Time to live: 64
    > Protocol: UDP (0x11)
    > Header checksum: 0x7607 [correct]
    > Good: True
    > Bad : False
    > Source: opensuse.suse.home (192.168.1.7)
    > Destination: opensuse.suse.home (192.168.1.7)
    > User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
    > Source port: 32885 (32885)
    > Destination port: kerberos (88)
    > Length: 616
    > Checksum: 0x85d8 [incorrect, should be 0x7d06]
    > Kerberos TGS-REQ
    > Pvno: 5
    > MSG Type: TGS-REQ (12)
    > padata: PA-TGS-REQ
    > Type: PA-TGS-REQ (1)
    > Value: 6E82019D30820199A003020105A10302010EA20703050000.. .
    > AP-REQ
    > Pvno: 5
    > MSG Type: AP-REQ (14)
    > Padding: 0
    > APOptions: 00000000
    > .0.. .... .... .... .... .... .... .... = Use Session
    > Key: Do NOT use the session key to encrypt the ticket
    > ..0. .... .... .... .... .... .... .... = Mutual
    > required: Mutual authentication is NOT required
    > Ticket
    > Tkt-vno: 5
    > Realm: SUSE.HOME
    > Server Name (Unknown): krbtgt/SUSE.HOME
    > Name-type: Unknown (0)
    > Name: krbtgt
    > Name: SUSE.HOME
    > enc-part rc4-hmac
    > Encryption type: rc4-hmac (23)
    > Kvno: 1
    > enc-part:
    > 4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1.. .
    > Authenticator rc4-hmac
    > Encryption type: rc4-hmac (23)
    > Authenticator data:
    > B7008BD37B307572105D0107E309A30F6E89F74B4663A474.. .
    > KDC_REQ_BODY
    > Padding: 0
    > KDCOptions: 00800000 (Renewable)
    > .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
    > use forwardable tickets
    > ..0. .... .... .... .... .... .... .... = Forwarded: This is
    > NOT a forwarded ticket
    > ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use
    > proxiable tickets
    > .... 0... .... .... .... .... .... .... = Proxy: This ticket
    > has NOT been proxied
    > .... .0.. .... .... .... .... .... .... = Allow Postdate: We do
    > NOT allow the ticket to be postdated
    > .... ..0. .... .... .... .... .... .... = Postdated: This
    > ticket is NOT postdated
    > .... .... 1... .... .... .... .... .... = Renewable: This
    > ticket is RENEWABLE
    > .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
    > .... .... .... ...0 .... .... .... .... = Canonicalize: This is
    > NOT a canonicalized ticket request
    > .... .... .... .... .... .... ..0. .... = Disable Transited
    > Check: Transited checking is NOT disabled
    > .... .... .... .... .... .... ...0 .... = Renewable OK: We do
    > NOT accept renewed tickets
    > .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
    > NOT encrypt the tkt inside the skey
    > .... .... .... .... .... .... .... ..0. = Renew: This is NOT a
    > request to renew a ticket
    > .... .... .... .... .... .... .... ...0 = Validate: This is NOT
    > a request to validate a postdated ticket
    > Realm: SUSE.HOME
    > Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    > Name-type: Unknown (0)
    > Name: krbtgt
    > Name: WINDOWS2003.HOME
    > from: 2006-05-01 12:51:23 (Z)
    > till: 2006-05-01 22:51:23 (Z)
    > rtime: 2006-05-02 12:51:23 (Z)
    > Nonce: 1146487891
    > Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    > Encryption type: rc4-hmac (23)
    > Encryption type: des3-cbc-sha1 (16)
    > Encryption type: des-cbc-crc (1)
    > Encryption type: des-cbc-md5 (3)
    >
    > No. Time Source Destination Protocol
    > Info
    > 444 51229.328348 opensuse.suse.home opensuse.suse.home KRB5
    > TGS-REP
    >
    > Frame 444 (629 bytes on wire, 629 bytes captured)
    > Arrival Time: May 1, 2006 13:51:34.603440000
    > Time delta from previous packet: 0.019235000 seconds
    > Time since reference or first frame: 51229.328348000 seconds
    > Frame Number: 444
    > Packet Length: 629 bytes
    > Capture Length: 629 bytes
    > Protocols in frame: sll:ip:udp:kerberos
    > Linux cooked capture
    > Packet type: Unicast to us (0)
    > Link-layer address type: 772
    > Link-layer address length: 0
    > Source:
    > Protocol: IP (0x0800)
    > Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    > opensuse.suse.home (192.168.1.7)
    > Version: 4
    > Header length: 20 bytes
    > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    > 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    > .... ..0. = ECN-Capable Transport (ECT): 0
    > .... ...0 = ECN-CE: 0
    > Total Length: 613
    > Identification: 0x001f (31)
    > Flags: 0x04 (Don't Fragment)
    > 0... = Reserved bit: Not set
    > .1.. = Don't fragment: Set
    > ..0. = More fragments: Not set
    > Fragment offset: 0
    > Time to live: 64
    > Protocol: UDP (0x11)
    > Header checksum: 0xb50a [correct]
    > Good: True
    > Bad : False
    > Source: opensuse.suse.home (192.168.1.7)
    > Destination: opensuse.suse.home (192.168.1.7)
    > User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
    > Source port: kerberos (88)
    > Destination port: 32885 (32885)
    > Length: 593
    > Checksum: 0x85c1 [incorrect, should be 0x3f5c]
    > Kerberos TGS-REP
    > Pvno: 5
    > MSG Type: TGS-REP (13)
    > Client Realm: SUSE.HOME
    > Client Name (Principal): markus
    > Name-type: Principal (1)
    > Name: markus
    > Ticket
    > Tkt-vno: 5
    > Realm: SUSE.HOME
    > Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    > Name-type: Unknown (0)
    > Name: krbtgt
    > Name: WINDOWS2003.HOME
    > enc-part rc4-hmac
    > Encryption type: rc4-hmac (23)
    > Kvno: 1
    > enc-part: 46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE.. .
    > enc-part rc4-hmac
    > Encryption type: rc4-hmac (23)
    > enc-part: 981F6F1C48DBB164CDAB8E7C4439D8C29B9DD584929E8580.. .
    >
    > No. Time Source Destination Protocol
    > Info
    > 445 51229.329735 opensuse.suse.home windows2003.windows2003.home
    > KRB5 TGS-REQ
    >
    > Frame 445 (651 bytes on wire, 651 bytes captured)
    > Arrival Time: May 1, 2006 13:51:34.604827000
    > Time delta from previous packet: 0.001387000 seconds
    > Time since reference or first frame: 51229.329735000 seconds
    > Frame Number: 445
    > Packet Length: 651 bytes
    > Capture Length: 651 bytes
    > Protocols in frame: sll:ip:udp:kerberos
    > Linux cooked capture
    > Packet type: Sent by us (4)
    > Link-layer address type: 1
    > Link-layer address length: 6
    > Source: Vmware_02:d5:f5 (00:0c:29:02:d5:f5)
    > Protocol: IP (0x0800)
    > Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    > windows2003.windows2003.home (192.168.1.5)
    > Version: 4
    > Header length: 20 bytes
    > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    > 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    > .... ..0. = ECN-Capable Transport (ECT): 0
    > .... ...0 = ECN-CE: 0
    > Total Length: 635
    > Identification: 0x3f10 (16144)
    > Flags: 0x04 (Don't Fragment)
    > 0... = Reserved bit: Not set
    > .1.. = Don't fragment: Set
    > ..0. = More fragments: Not set
    > Fragment offset: 0
    > Time to live: 64
    > Protocol: UDP (0x11)
    > Header checksum: 0x7605 [correct]
    > Good: True
    > Bad : False
    > Source: opensuse.suse.home (192.168.1.7)
    > Destination: windows2003.windows2003.home (192.168.1.5)
    > User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
    > Source port: 32885 (32885)
    > Destination port: kerberos (88)
    > Length: 615
    > Checksum: 0x9902 [correct]
    > Kerberos TGS-REQ
    > Pvno: 5
    > MSG Type: TGS-REQ (12)
    > padata: PA-TGS-REQ
    > Type: PA-TGS-REQ (1)
    > Value: 6E8201BA308201B6A003020105A10302010EA20703050000.. .
    > AP-REQ
    > Pvno: 5
    > MSG Type: AP-REQ (14)
    > Padding: 0
    > APOptions: 00000000
    > .0.. .... .... .... .... .... .... .... = Use Session
    > Key: Do NOT use the session key to encrypt the ticket
    > ..0. .... .... .... .... .... .... .... = Mutual
    > required: Mutual authentication is NOT required
    > Ticket
    > Tkt-vno: 5
    > Realm: SUSE.HOME
    > Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    > Name-type: Unknown (0)
    > Name: krbtgt
    > Name: WINDOWS2003.HOME
    > enc-part rc4-hmac
    > Encryption type: rc4-hmac (23)
    > Kvno: 1
    > enc-part:
    > 46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE.. .
    > Authenticator rc4-hmac
    > Encryption type: rc4-hmac (23)
    > Authenticator data:
    > FE71BE32F2BFF609F021A368F6DAF66CC42C00C7508FB8E2.. .
    > KDC_REQ_BODY
    > Padding: 0
    > KDCOptions: 00800000 (Renewable)
    > .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
    > use forwardable tickets
    > ..0. .... .... .... .... .... .... .... = Forwarded: This is
    > NOT a forwarded ticket
    > ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use
    > proxiable tickets
    > .... 0... .... .... .... .... .... .... = Proxy: This ticket
    > has NOT been proxied
    > .... .0.. .... .... .... .... .... .... = Allow Postdate: We do
    > NOT allow the ticket to be postdated
    > .... ..0. .... .... .... .... .... .... = Postdated: This
    > ticket is NOT postdated
    > .... .... 1... .... .... .... .... .... = Renewable: This
    > ticket is RENEWABLE
    > .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
    > .... .... .... ...0 .... .... .... .... = Canonicalize: This is
    > NOT a canonicalized ticket request
    > .... .... .... .... .... .... ..0. .... = Disable Transited
    > Check: Transited checking is NOT disabled
    > .... .... .... .... .... .... ...0 .... = Renewable OK: We do
    > NOT accept renewed tickets
    > .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
    > NOT encrypt the tkt inside the skey
    > .... .... .... .... .... .... .... ..0. = Renew: This is NOT a
    > request to renew a ticket
    > .... .... .... .... .... .... .... ...0 = Validate: This is NOT
    > a request to validate a postdated ticket
    > Realm: WINDOWS2003.HOME
    > Server Name (Service and Host): HTTP/w2k3.windows2003.home
    > Name-type: Service and Host (3)
    > Name: HTTP
    > Name: w2k3.windows2003.home
    > till: 2006-05-01 22:51:23 (Z)
    > Nonce: 1146487891
    > Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    > Encryption type: rc4-hmac (23)
    > Encryption type: des3-cbc-sha1 (16)
    > Encryption type: des-cbc-crc (1)
    > Encryption type: des-cbc-md5 (3)
    >
    > No. Time Source Destination Protocol
    > Info
    > 446 51229.334347 windows2003.windows2003.home opensuse.suse.home
    > KRB5 KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP
    >
    > Frame 446 (151 bytes on wire, 151 bytes captured)
    > Arrival Time: May 1, 2006 13:51:34.609439000
    > Time delta from previous packet: 0.004612000 seconds
    > Time since reference or first frame: 51229.334347000 seconds
    > Frame Number: 446
    > Packet Length: 151 bytes
    > Capture Length: 151 bytes
    > Protocols in frame: sll:ip:udp:kerberos
    > Linux cooked capture
    > Packet type: Unicast to us (0)
    > Link-layer address type: 1
    > Link-layer address length: 6
    > Source: Vmware_71:05:9f (00:0c:29:71:05:9f)
    > Protocol: IP (0x0800)
    > Internet Protocol, Src: windows2003.windows2003.home (192.168.1.5), Dst:
    > opensuse.suse.home (192.168.1.7)
    > Version: 4
    > Header length: 20 bytes
    > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    > 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    > .... ..0. = ECN-Capable Transport (ECT): 0
    > .... ...0 = ECN-CE: 0
    > Total Length: 135
    > Identification: 0xdebe (57022)
    > Flags: 0x00
    > 0... = Reserved bit: Not set
    > .0.. = Don't fragment: Not set
    > ..0. = More fragments: Not set
    > Fragment offset: 0
    > Time to live: 128
    > Protocol: UDP (0x11)
    > Header checksum: 0xd84a [correct]
    > Good: True
    > Bad : False
    > Source: windows2003.windows2003.home (192.168.1.5)
    > Destination: opensuse.suse.home (192.168.1.7)
    > User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
    > Source port: kerberos (88)
    > Destination port: 32885 (32885)
    > Length: 115
    > Checksum: 0xb7f8 [correct]
    > Kerberos KRB-ERROR
    > Pvno: 5
    > MSG Type: KRB-ERROR (30)
    > stime: 2006-05-01 12:51:33 (Z)
    > susec: 907050
    > error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
    > Realm: WINDOWS2003.HOME
    > Server Name (Service and Host): HTTP/w2k3.windows2003.home
    > Name-type: Service and Host (3)
    > Name: HTTP
    > Name: w2k3.windows2003.home
    >
    > "Markus Moeller" wrote in message
    > news:444bcbd2$0$23157$ed2e19e4@ptn-nntp-reader04.plus.net...
    >> Is there anywhere a howto for setting up a oneway or even twoway trust
    >> between a Windows 2003 SP1/R2 server and a MIT kdc with rc4-hmac
    >> encryption ?
    >>
    >> Thank you
    >> Markus
    >>

    >
    >
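The KRB-ERROR in frame 446 is small enough to take apart by hand, and doing so makes one thing explicit that the dissector output above only implies: the Windows KDC sent neither e-text nor e-data, so the reply carries no hint of which enctype it would have accepted. The Python below is an added example, not code from this thread or from MIT Kerberos. It encodes a KRB-ERROR with the field values shown for frame 446 (pvno 5, msg-type 30, stime 20060501125133Z, susec 907050, error-code 14, realm WINDOWS2003.HOME, sname HTTP/w2k3.windows2003.home) following the ASN.1 in RFC 4120 section 5.9.1, then decodes it again with a minimal DER walker. The message bytes are constructed locally, not copied from the capture; the tag numbers and field layout are taken from the RFC.

```python
"""DER encoder/decoder for a Kerberos KRB-ERROR (RFC 4120, section 5.9.1).
Added example, not code from the thread: it rebuilds a KRB-ERROR shaped like
frame 446 above (error-code 14, KDC_ERR_ETYPE_NOSUPP, for the service
HTTP/w2k3.windows2003.home@WINDOWS2003.HOME) and decodes it again. The bytes
are constructed locally, not copied from the wire."""

ERROR_NAMES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
               14: "KDC_ERR_ETYPE_NOSUPP", 24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED"}
FIELD_NAMES = {0: "pvno", 1: "msg-type", 2: "ctime", 3: "cusec", 4: "stime", 5: "susec",
               6: "error-code", 7: "crealm", 8: "cname", 9: "realm", 10: "sname", 11: "e-text", 12: "e-data"}
# universal tag wrapped by each context tag: INTEGER 0x02, GeneralizedTime 0x18, GeneralString 0x1B,
# OCTET STRING 0x04; cname [8] and sname [10] wrap a PrincipalName SEQUENCE and are handled separately
INNER_TAG = {0: 0x02, 1: 0x02, 2: 0x18, 3: 0x02, 4: 0x18, 5: 0x02, 6: 0x02,
             7: 0x1B, 9: 0x1B, 11: 0x1B, 12: 0x04}

def _length(n):                  # DER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content): return bytes([tag]) + _length(len(content)) + content
def ctx(n, content): return tlv(0xA0 | n, content)        # context-specific constructed [n], n < 31
def kstring(s): return tlv(0x1B, s.encode("ascii"))       # KerberosString is a GeneralString
def ktime(t): return tlv(0x18, t.encode("ascii"))         # KerberosTime is a GeneralizedTime

def der_int(v):                  # minimal two's-complement INTEGER (non-negative values only here)
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def principal(name_type, parts):  # PrincipalName ::= SEQUENCE { [0] Int32, [1] SEQUENCE OF KerberosString }
    name_string = tlv(0x30, b"".join(kstring(p) for p in parts))
    return tlv(0x30, ctx(0, der_int(name_type)) + ctx(1, name_string))

def encode_krb_error(stime, susec, error_code, realm, sname_type, sname):
    """KRB-ERROR ::= [APPLICATION 30] SEQUENCE { ... }. The optional client-side
    fields (ctime, cusec, crealm, cname, e-text, e-data) are omitted, as in frame 446."""
    body = (ctx(0, der_int(5)) + ctx(1, der_int(30)) + ctx(4, ktime(stime))
            + ctx(5, der_int(susec)) + ctx(6, der_int(error_code))
            + ctx(9, kstring(realm)) + ctx(10, principal(sname_type, sname)))
    return tlv(0x7E, tlv(0x30, body))   # 0x7E = APPLICATION class, constructed, tag number 30

def parse_tlv(buf, pos=0):       # -> (tag, content, position just after the element)
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos + hdr:end], end

def children(buf):               # (tag, content) of every element inside a constructed value
    pos, out = 0, []
    while pos < len(buf):
        tag, content, pos = parse_tlv(buf, pos)
        out.append((tag, content))
    return out

def expect(tag, want):
    if tag != want: raise ValueError("expected tag 0x%02x, got 0x%02x" % (want, tag))

def decode_principal(buf):
    tag, seq, _ = parse_tlv(buf)
    expect(tag, 0x30)
    fields = dict(children(seq))                 # {0xA0: name-type, 0xA1: name-string}
    ttag, tcontent, _ = parse_tlv(fields[0xA0])
    stag, scontent, _ = parse_tlv(fields[0xA1])
    expect(ttag, 0x02); expect(stag, 0x30)
    parts = children(scontent)
    for ptag, _ in parts: expect(ptag, 0x1B)
    return int.from_bytes(tcontent, "big", signed=True), [c.decode("ascii") for _, c in parts]

def decode_krb_error(msg):
    tag, body, end = parse_tlv(msg)
    expect(tag, 0x7E)
    if end != len(msg):
        raise ValueError("trailing bytes after KRB-ERROR")
    stag, seq, _ = parse_tlv(body)
    expect(stag, 0x30)
    out = {}
    for ctag, ccontent in children(seq):
        n = ctag & 0x1F
        if n in (8, 10):
            out[FIELD_NAMES[n]] = decode_principal(ccontent)
            continue
        itag, inner, _ = parse_tlv(ccontent)
        expect(itag, INNER_TAG[n])
        out[FIELD_NAMES[n]] = (int.from_bytes(inner, "big", signed=True) if itag == 0x02
                               else inner if itag == 0x04 else inner.decode("ascii"))
    if out.get("pvno") != 5 or out.get("msg-type") != 30:
        raise ValueError("not a KRB-ERROR")
    out["error-name"] = ERROR_NAMES.get(out["error-code"], "unknown")
    return out

def frame_446():                 # field values as shown in the capture above
    return encode_krb_error("20060501125133Z", 907050, 14, "WINDOWS2003.HOME",
                            3, ["HTTP", "w2k3.windows2003.home"])
```

A cheap cross-check: frame 446 has UDP length 115, so its Kerberos payload is 107 bytes, and the rebuilt message is exactly 107 bytes, which agrees with the reply containing only the mandatory fields. Against a real capture, hand the UDP payload to decode_krb_error() instead of calling frame_446(). RFC 4120 has the KDC return KDC_ERR_ETYPE_NOSUPP when none of the enctypes the client listed (frame 445 offers 23, 16, 1, 3) is one for which it holds a usable key for the requested service; the error itself does not say which enctypes would have been accepted, so that has to be checked on the KDC side.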




  4. Re: How to setup trust between 2003 SP1/R2 and MIT 1.4.3 ?

    If I change the encryption type on my OpenSuse kdc to DES only and do the
    mapping on the user in AD and not via ksetup, I can log in with markus from
    domain SUSE.HOME.

    Does this mean there is still no trust with rc4-hmac possible?

    Thanks
    Markus

    "Markus Moeller" wrote in message
    news:44566da3$0$2565$ed2619ec@ptn-nntp-reader02.plus.net...
    > Three further observations
    >
    > => 1) User WINDOWS2003\markus-a CAN NOT connect with putty from Win XP to
    > opensuse.suse.home (no port 88 traffic)
    > I can connect as user WINDOWS2003\markus-a with putty 0.58 with
    > GSSAPI (e.g. MIT libraries) from Win XP to
    > opensuse.suse.home
    > => 10) User markus@SUSE.HOME CAN NOT connect with Firefox from OpenSuse to
    > http://w2k3.windows2003.home. I get a KRB5KDC_ERR_ETYPE_NOSUPP
    > error (see below capture of AS-REQ,
    > AS-REP, TGS-REQ, TGS-REP)
    > It works when I change the encryption types in krb5.conf to only
    > des on OpenSuse.
    >
    > and I CAN NOT log in to the Win XP box as markus from domain SUSE.HOME. I
    > tried ksetup /mapuser * * with no success.
    >
    > Any idea what I need to change ?
    >
    > Thank you
    > Markus
    >
    > "Markus Moeller" wrote in message
    > news:4456216c$0$2562$ed2619ec@ptn-nntp-reader02.plus.net...
    >>I searched a bit more and found some hints how to set it up. But I still
    >>have a couple of problems. Does anybody have an idea why I get a
    >>KRB5KDC_ERR_ETYPE_NOSUPP error when I try to access a webserver in the
    >>WINDOWS domain from a MIT domain ?
    >>
    >> Thank you
    >> Markus
    >>
    >> My sample setup:
    >>
    >> 1. OpenSuse with kdc opensuse.suse.home for SUSE.HOME realm for all
    >> systems in *.suse.home domain (which is based on MIT 1.4.1)
    >> 2. Windows 2003 R2 kdc w2k3.windows2003.home for WINDOWS2003.HOME realm
    >> for all systems in *.windows2003.home domain
    >> 3. Run Apache2 with mod_spnego on opensuse.suse.home allows all valid
    >> users (the same host as kdc for testing only)
    >> 4. Run Apache2 with mod_spnego on w2k3.windows.home allows all valid
    >> users (the same host as the kdc for testing with kfw 3.0 installed too to
    >> build mod_spnego)
    >> 5. Windows XP system winxp.windows2003.home in realm WINDOWS2003.HOME
    >> 6. Run putty 0.57 from Vintela with SSPI support on Windows XP
    >>
    >> Both kdc's have a user markus. The Windows kdc has also a user markus-a
    >> which does not exist in the OpenSuse kdc
    >>
    >> On OpenSuse markus had a .k5login file with:
    >> markus@SUSE.HOME
    >> markus@WINDOWS2003.HOME
    >> markus-a@WINDOWS2003.HOME
    >>
    >> ================================================== =====================
    >>
    >> Setup of kdc on OpenSuse with Apache2 and mod_spnego
    >>
    >> #!/bin/ksh
    >> DATE=`date +%Y%m%d.%H%M%S`
    >> #
    >> # OpenSuse binary locations
    >> #
    >> KDB5_UTIL=/usr/lib/mit/sbin/kdb5_util
    >> KADMINLOCAL=/usr/lib/mit/sbin/kadmin.local
    >> #
    >> # Directories and Files
    >> #
    >> VARDIR=/var/lib/kerberos/krb5kdc
    >> ETCDIR=/etc
    >> APACHEDIR=/etc/apache2
    >> KDC_CONF_DIR=${VARDIR}
    >> KADM5ACL=${VARDIR}/kadm5.acl
    >> #
    >> # Realms
    >> #
    >> REALM=SUSE.HOME
    >> REALM2=WINDOWS2003.HOME
    >> KDC=opensuse.suse.home
    >> KDC2=w2k3.windows2003.home
    >> DOMAIN=suse.home
    >> DOMAIN2=windows2003.home
    >> #
    >> PASS='UNIX000$'   # single-quoted so the trailing $ is never expanded by the shell
    >> #
    >> # stop daemons
    >> #
    >> /etc/init.d/krb5kdc stop
    >> /etc/init.d/kadmind stop
    >> /etc/init.d/apache2 stop
    >> #
    >> # Save old configs
    >> #
    >> mkdir ${VARDIR}/version-${DATE}
    >> mv ${KDC_CONF_DIR}/kdc.conf ${KDC_CONF_DIR}/kdc.conf-${DATE}
    >> mv ${VARDIR}/principal* ${VARDIR}/version-${DATE}/
    >> mv ${VARDIR}/kadm5* ${VARDIR}/version-${DATE}/
    >> mv ${KADM5ACL} ${KADM5ACL}-${DATE}
    >> mv ${VARDIR}/.k5.* ${VARDIR}/version-${DATE}/
    >>
    >> mv ${ETCDIR}/krb5.conf ${ETCDIR}/krb5.conf-${DATE}
    >> mv ${ETCDIR}/krb5.keytab ${ETCDIR}/krb5.keytab-${DATE}
    >>
    >> mv ${APACHEDIR}/HTTP.keytab ${APACHEDIR}/HTTP.keytab-${DATE}
    >> #
    >> # Create kdc.conf (unquoted heredoc: ${REALM} etc. are expanded; a line holding only ! ends it)
    >> #
    >> cat > ${KDC_CONF_DIR}/kdc.conf <<!
    >> [kdcdefaults]
    >>     kdc_ports = 750,88
    >> [realms]
    >>     ${REALM} = {
    >>         database_name = ${VARDIR}/principal
    >>         admin_keytab = FILE:${VARDIR}/kadm5.keytab
    >>         acl_file = ${KADM5ACL}
    >>         key_stash_file = ${VARDIR}/.k5.${REALM}
    >>         kdc_ports = 750,88
    >>         supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
    >>         kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
    >>         max_life = 10h 0m 0s
    >>         max_renewable_life = 7d 0h 0m 0s
    >>     }
    >> [logging]
    >>     kdc = FILE:/var/log/kdc.log
    >>     admin_server = FILE:/var/log/kadmin.log
    >> !
    >> #
    >> # Create krb5.conf
    >> #
    >> cat > ${ETCDIR}/krb5.conf <<!
    >> [libdefaults]
    >>     default_realm = ${REALM}
    >>     dns_lookup_kdc = no
    >>     dns_lookup_realm = no
    >>     default_keytab_name = ${ETCDIR}/krb5.keytab
    >>     default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    >>     default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    >>     permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    >> [realms]
    >>     ${REALM} = {
    >>         kdc = ${KDC}
    >>         admin_server = ${KDC}
    >>     }
    >>     ${REALM2} = {
    >>         kdc = ${KDC2}
    >>         admin_server = ${KDC2}
    >>     }
    >> [domain_realm]
    >>     .${DOMAIN} = ${REALM}
    >>     ${DOMAIN} = ${REALM}
    >>     .${DOMAIN2} = ${REALM2}
    >>     ${DOMAIN2} = ${REALM2}
    >> [logging]
    >>     kdc = FILE:/var/log/krb5kdc.log
    >>     admin_server = FILE:/var/log/kadmin.log
    >>     default = FILE:/var/log/krb5lib.log
    >> !
    >> #
    >> # Create database (kdb5_util reads the master password twice from stdin: once to set, once to confirm)
    >> #
    >> ${KDB5_UTIL} create -r ${REALM} -s <<!
    >> ${REALM}00$
    >> ${REALM}00$
    >> !
    >> #
    >> # Create ACL file
    >> #
    >> cat > ${KADM5ACL} < >> ################################################## #############################
    >> #Kerberos_principal permissions [target_principal]
    >> [restrictions]
    >> ###############################################################################
    >> #
    >> #*/admin@EXAMPLE.COM *
    >> */admin@${REALM} *
    >> !
    >> #
    >> # Create some principals
    >> #
    >> ${KADMINLOCAL} <<!
    >> addprinc -pw "${PASS}" krbtgt/${REALM}@${REALM2}
    >> addprinc -pw "${PASS}" krbtgt/${REALM2}@${REALM}
    >> addprinc -randkey host/${KDC}
    >> addprinc -pw "Root" root/admin
    >> addprinc -pw "Markus" markus/admin
    >> addprinc -pw "markus" markus
    >> addprinc -randkey HTTP/${KDC}
    >> ktadd -k ${VARDIR}/kadm5.keytab kadmin/admin kadmin/changepw
    >> ktadd -k ${ETCDIR}/krb5.keytab host/${KDC}
    >> ktadd -k ${APACHEDIR}/HTTP.keytab HTTP/${KDC}
    >> !
    >> #
    >> # Start daemons
    >> #
    >> /etc/init.d/krb5kdc start
    >> /etc/init.d/kadmind start
    >> chgrp www ${APACHEDIR}/HTTP.keytab
    >> chmod g+r ${APACHEDIR}/HTTP.keytab
    >> /etc/init.d/apache2 start
    >>
    >>
    >> ======================================================================================
    >>
    >> Setup of Windows 2003 R2 KDC
    >>
    >> Raise AD to Windows 2003 server forest functional level from AD Directory
    >> and Trust tool. Then run
    >>
    >> ksetup.exe /addkdc SUSE.HOME opensuse.suse.home
    >> ksetup.exe /addrealmflags SUSE.HOME tcpsupported
    >>
    >>
    >> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /add /realm /twoway
    >> /PasswordT:UNIX000$
    >> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /transitive:yes
    >> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /foresttransitive:yes
    >> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home
    >>
    >> create HTTP/w2k3.windows2003.home principal with msktutil.
    >>
    >> =======================================================================================
    >>
    >> Now what I got working and what not !!
    >>
    >> 1) User WINDOWS2003\markus can connect with putty from Win XP to
    >> opensuse.suse.home
    >> 2) User WINDOWS2003\markus can connect with IE from Win XP to
    >> http://w2k3.windows2003.home
    >> 3) User WINDOWS2003\markus can connect with IE from Win XP to
    >> http://opensuse.suse.home
    >>
    >> => 1) User WINDOWS2003\markus-a CAN NOT connect with putty from Win XP to
    >> opensuse.suse.home (no port 88 traffic)
    >> 2) User WINDOWS2003\markus-a can connect with IE from Win XP to
    >> http://w2k3.windows2003.home
    >> 3) User WINDOWS2003\markus-a can connect with IE from Win XP to
    >> http://opensuse.suse.home
    >>
    >> 4) User WINDOWS2003\markus can connect with putty from Windows 2003
    >> kdc to opensuse.suse.home
    >> 5) User WINDOWS2003\markus can connect with IE from Windows 2003 kdc
    >> to http://opensuse.suse.home
    >> => 6) User WINDOWS2003\markus CAN NOT connect with IE from Windows 2003
    >> kdc to http://w2k3.windows2003.home (no port 88 traffic)
    >>
    >> 7) User markus@SUSE.HOME can connect with Firefox from OpenSuse to
    >> http://opensuse.suse.home
    >> 8) User markus@WINDOWS2003.HOME can connect with Firefox from
    >> OpenSuse to http://opensuse.suse.home
    >> 9) User markus@WINDOWS2003.HOME can connect with Firefox from
    >> OpenSuse to http://w2k3.windows2003.home
    >> => 10) User markus@SUSE.HOME CAN NOT connect with Firefox from OpenSuse
    >> to http://w2k3.windows2003.home. I get a
    >> KRB5KDC_ERR_ETYPE_NOSUPP error (see below capture of AS-REQ, AS-REP,
    >> TGS-REQ, TGS-REP)
    >>
    >>
    >>
    >> No. Time Source Destination Protocol
    >> Info
    >> 435 51218.688966 opensuse.suse.home opensuse.suse.home KRB5
    >> AS-REQ
    >>
    >> Frame 435 (203 bytes on wire, 203 bytes captured)
    >> Arrival Time: May 1, 2006 13:51:23.964058000
    >> Time delta from previous packet: 217.931451000 seconds
    >> Time since reference or first frame: 51218.688966000 seconds
    >> Frame Number: 435
    >> Packet Length: 203 bytes
    >> Capture Length: 203 bytes
    >> Protocols in frame: sll:ip:udp:kerberos
    >> Linux cooked capture
    >> Packet type: Unicast to us (0)
    >> Link-layer address type: 772
    >> Link-layer address length: 0
    >> Source:
    >> Protocol: IP (0x0800)
    >> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    >> opensuse.suse.home (192.168.1.7)
    >> Version: 4
    >> Header length: 20 bytes
    >> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    >> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    >> .... ..0. = ECN-Capable Transport (ECT): 0
    >> .... ...0 = ECN-CE: 0
    >> Total Length: 187
    >> Identification: 0x34ac (13484)
    >> Flags: 0x04 (Don't Fragment)
    >> 0... = Reserved bit: Not set
    >> .1.. = Don't fragment: Set
    >> ..0. = More fragments: Not set
    >> Fragment offset: 0
    >> Time to live: 64
    >> Protocol: UDP (0x11)
    >> Header checksum: 0x8227 [correct]
    >> Good: True
    >> Bad : False
    >> Source: opensuse.suse.home (192.168.1.7)
    >> Destination: opensuse.suse.home (192.168.1.7)
    >> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
    >> Source port: 32885 (32885)
    >> Destination port: kerberos (88)
    >> Length: 167
    >> Checksum: 0x8417 [incorrect, should be 0x1303]
    >> Kerberos AS-REQ
    >> Pvno: 5
    >> MSG Type: AS-REQ (10)
    >> KDC_REQ_BODY
    >> Padding: 0
    >> KDCOptions: 00000010 (Renewable OK)
    >> .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
    >> use forwardable tickets
    >> ..0. .... .... .... .... .... .... .... = Forwarded: This is
    >> NOT a forwarded ticket
    >> ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT
    >> use proxiable tickets
    >> .... 0... .... .... .... .... .... .... = Proxy: This ticket
    >> has NOT been proxied
    >> .... .0.. .... .... .... .... .... .... = Allow Postdate: We
    >> do NOT allow the ticket to be postdated
    >> .... ..0. .... .... .... .... .... .... = Postdated: This
    >> ticket is NOT postdated
    >> .... .... 0... .... .... .... .... .... = Renewable: This
    >> ticket is NOT renewable
    >> .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
    >> .... .... .... ...0 .... .... .... .... = Canonicalize: This
    >> is NOT a canonicalized ticket request
    >> .... .... .... .... .... .... ..0. .... = Disable Transited
    >> Check: Transited checking is NOT disabled
    >> .... .... .... .... .... .... ...1 .... = Renewable OK: We
    >> accept RENEWED tickets
    >> .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
    >> NOT encrypt the tkt inside the skey
    >> .... .... .... .... .... .... .... ..0. = Renew: This is NOT a
    >> request to renew a ticket
    >> .... .... .... .... .... .... .... ...0 = Validate: This is
    >> NOT a request to validate a postdated ticket
    >> Client Name (Principal): markus
    >> Name-type: Principal (1)
    >> Name: markus
    >> Realm: SUSE.HOME
    >> Server Name (Unknown): krbtgt/SUSE.HOME
    >> Name-type: Unknown (0)
    >> Name: krbtgt
    >> Name: SUSE.HOME
    >> from: 2006-05-01 12:51:23 (Z)
    >> till: 2006-05-02 12:51:23 (Z)
    >> Nonce: 1146487883
    >> Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    >> Encryption type: rc4-hmac (23)
    >> Encryption type: des3-cbc-sha1 (16)
    >> Encryption type: des-cbc-crc (1)
    >> Encryption type: des-cbc-md5 (3)
    >>
    >> No. Time Source Destination Protocol
    >> Info
    >> 436 51218.693811 opensuse.suse.home opensuse.suse.home KRB5
    >> AS-REP
    >>
    >> Frame 436 (598 bytes on wire, 598 bytes captured)
    >> Arrival Time: May 1, 2006 13:51:23.968903000
    >> Time delta from previous packet: 0.004845000 seconds
    >> Time since reference or first frame: 51218.693811000 seconds
    >> Frame Number: 436
    >> Packet Length: 598 bytes
    >> Capture Length: 598 bytes
    >> Protocols in frame: sll:ip:udp:kerberos
    >> Linux cooked capture
    >> Packet type: Unicast to us (0)
    >> Link-layer address type: 772
    >> Link-layer address length: 0
    >> Source:
    >> Protocol: IP (0x0800)
    >> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    >> opensuse.suse.home (192.168.1.7)
    >> Version: 4
    >> Header length: 20 bytes
    >> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    >> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    >> .... ..0. = ECN-Capable Transport (ECT): 0
    >> .... ...0 = ECN-CE: 0
    >> Total Length: 582
    >> Identification: 0x001e (30)
    >> Flags: 0x04 (Don't Fragment)
    >> 0... = Reserved bit: Not set
    >> .1.. = Don't fragment: Set
    >> ..0. = More fragments: Not set
    >> Fragment offset: 0
    >> Time to live: 64
    >> Protocol: UDP (0x11)
    >> Header checksum: 0xb52a [correct]
    >> Good: True
    >> Bad : False
    >> Source: opensuse.suse.home (192.168.1.7)
    >> Destination: opensuse.suse.home (192.168.1.7)
    >> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
    >> Source port: kerberos (88)
    >> Destination port: 32885 (32885)
    >> Length: 562
    >> Checksum: 0x85a2 [incorrect, should be 0x84dc]
    >> Kerberos AS-REP
    >> Pvno: 5
    >> MSG Type: AS-REP (11)
    >> padata: Unknown:19
    >> Type: Unknown (19)
    >> Value: 30073005A003020117
    >> Client Realm: SUSE.HOME
    >> Client Name (Principal): markus
    >> Name-type: Principal (1)
    >> Name: markus
    >> Ticket
    >> Tkt-vno: 5
    >> Realm: SUSE.HOME
    >> Server Name (Unknown): krbtgt/SUSE.HOME
    >> Name-type: Unknown (0)
    >> Name: krbtgt
    >> Name: SUSE.HOME
    >> enc-part rc4-hmac
    >> Encryption type: rc4-hmac (23)
    >> Kvno: 1
    >> enc-part: 4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1.. .
    >> enc-part rc4-hmac
    >> Encryption type: rc4-hmac (23)
    >> enc-part: E0E5CF0DBFEF8C3326CE6F3CB5CFFD73A355696BCD0E95CB.. .
    >>
    >> No. Time Source Destination Protocol
    >> Info
    >> 443 51229.309113 opensuse.suse.home opensuse.suse.home KRB5
    >> TGS-REQ
    >>
    >> Frame 443 (652 bytes on wire, 652 bytes captured)
    >> Arrival Time: May 1, 2006 13:51:34.584205000
    >> Time delta from previous packet: 10.615302000 seconds
    >> Time since reference or first frame: 51229.309113000 seconds
    >> Frame Number: 443
    >> Packet Length: 652 bytes
    >> Capture Length: 652 bytes
    >> Protocols in frame: sll:ip:udp:kerberos
    >> Linux cooked capture
    >> Packet type: Unicast to us (0)
    >> Link-layer address type: 772
    >> Link-layer address length: 0
    >> Source:
    >> Protocol: IP (0x0800)
    >> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    >> opensuse.suse.home (192.168.1.7)
    >> Version: 4
    >> Header length: 20 bytes
    >> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    >> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    >> .... ..0. = ECN-Capable Transport (ECT): 0
    >> .... ...0 = ECN-CE: 0
    >> Total Length: 636
    >> Identification: 0x3f0b (16139)
    >> Flags: 0x04 (Don't Fragment)
    >> 0... = Reserved bit: Not set
    >> .1.. = Don't fragment: Set
    >> ..0. = More fragments: Not set
    >> Fragment offset: 0
    >> Time to live: 64
    >> Protocol: UDP (0x11)
    >> Header checksum: 0x7607 [correct]
    >> Good: True
    >> Bad : False
    >> Source: opensuse.suse.home (192.168.1.7)
    >> Destination: opensuse.suse.home (192.168.1.7)
    >> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
    >> Source port: 32885 (32885)
    >> Destination port: kerberos (88)
    >> Length: 616
    >> Checksum: 0x85d8 [incorrect, should be 0x7d06]
    >> Kerberos TGS-REQ
    >> Pvno: 5
    >> MSG Type: TGS-REQ (12)
    >> padata: PA-TGS-REQ
    >> Type: PA-TGS-REQ (1)
    >> Value: 6E82019D30820199A003020105A10302010EA20703050000.. .
    >> AP-REQ
    >> Pvno: 5
    >> MSG Type: AP-REQ (14)
    >> Padding: 0
    >> APOptions: 00000000
    >> .0.. .... .... .... .... .... .... .... = Use Session
    >> Key: Do NOT use the session key to encrypt the ticket
    >> ..0. .... .... .... .... .... .... .... = Mutual
    >> required: Mutual authentication is NOT required
    >> Ticket
    >> Tkt-vno: 5
    >> Realm: SUSE.HOME
    >> Server Name (Unknown): krbtgt/SUSE.HOME
    >> Name-type: Unknown (0)
    >> Name: krbtgt
    >> Name: SUSE.HOME
    >> enc-part rc4-hmac
    >> Encryption type: rc4-hmac (23)
    >> Kvno: 1
    >> enc-part:
    >> 4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1.. .
    >> Authenticator rc4-hmac
    >> Encryption type: rc4-hmac (23)
    >> Authenticator data:
    >> B7008BD37B307572105D0107E309A30F6E89F74B4663A474.. .
    >> KDC_REQ_BODY
    >> Padding: 0
    >> KDCOptions: 00800000 (Renewable)
    >> .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
    >> use forwardable tickets
    >> ..0. .... .... .... .... .... .... .... = Forwarded: This is
    >> NOT a forwarded ticket
    >> ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT
    >> use proxiable tickets
    >> .... 0... .... .... .... .... .... .... = Proxy: This ticket
    >> has NOT been proxied
    >> .... .0.. .... .... .... .... .... .... = Allow Postdate: We
    >> do NOT allow the ticket to be postdated
    >> .... ..0. .... .... .... .... .... .... = Postdated: This
    >> ticket is NOT postdated
    >> .... .... 1... .... .... .... .... .... = Renewable: This
    >> ticket is RENEWABLE
    >> .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
    >> .... .... .... ...0 .... .... .... .... = Canonicalize: This
    >> is NOT a canonicalized ticket request
    >> .... .... .... .... .... .... ..0. .... = Disable Transited
    >> Check: Transited checking is NOT disabled
    >> .... .... .... .... .... .... ...0 .... = Renewable OK: We do
    >> NOT accept renewed tickets
    >> .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
    >> NOT encrypt the tkt inside the skey
    >> .... .... .... .... .... .... .... ..0. = Renew: This is NOT a
    >> request to renew a ticket
    >> .... .... .... .... .... .... .... ...0 = Validate: This is
    >> NOT a request to validate a postdated ticket
    >> Realm: SUSE.HOME
    >> Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    >> Name-type: Unknown (0)
    >> Name: krbtgt
    >> Name: WINDOWS2003.HOME
    >> from: 2006-05-01 12:51:23 (Z)
    >> till: 2006-05-01 22:51:23 (Z)
    >> rtime: 2006-05-02 12:51:23 (Z)
    >> Nonce: 1146487891
    >> Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    >> Encryption type: rc4-hmac (23)
    >> Encryption type: des3-cbc-sha1 (16)
    >> Encryption type: des-cbc-crc (1)
    >> Encryption type: des-cbc-md5 (3)
    >>
    >> No. Time Source Destination Protocol
    >> Info
    >> 444 51229.328348 opensuse.suse.home opensuse.suse.home KRB5
    >> TGS-REP
    >>
    >> Frame 444 (629 bytes on wire, 629 bytes captured)
    >> Arrival Time: May 1, 2006 13:51:34.603440000
    >> Time delta from previous packet: 0.019235000 seconds
    >> Time since reference or first frame: 51229.328348000 seconds
    >> Frame Number: 444
    >> Packet Length: 629 bytes
    >> Capture Length: 629 bytes
    >> Protocols in frame: sll:ip:udp:kerberos
    >> Linux cooked capture
    >> Packet type: Unicast to us (0)
    >> Link-layer address type: 772
    >> Link-layer address length: 0
    >> Source:
    >> Protocol: IP (0x0800)
    >> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    >> opensuse.suse.home (192.168.1.7)
    >> Version: 4
    >> Header length: 20 bytes
    >> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    >> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    >> .... ..0. = ECN-Capable Transport (ECT): 0
    >> .... ...0 = ECN-CE: 0
    >> Total Length: 613
    >> Identification: 0x001f (31)
    >> Flags: 0x04 (Don't Fragment)
    >> 0... = Reserved bit: Not set
    >> .1.. = Don't fragment: Set
    >> ..0. = More fragments: Not set
    >> Fragment offset: 0
    >> Time to live: 64
    >> Protocol: UDP (0x11)
    >> Header checksum: 0xb50a [correct]
    >> Good: True
    >> Bad : False
    >> Source: opensuse.suse.home (192.168.1.7)
    >> Destination: opensuse.suse.home (192.168.1.7)
    >> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
    >> Source port: kerberos (88)
    >> Destination port: 32885 (32885)
    >> Length: 593
    >> Checksum: 0x85c1 [incorrect, should be 0x3f5c]
    >> Kerberos TGS-REP
    >> Pvno: 5
    >> MSG Type: TGS-REP (13)
    >> Client Realm: SUSE.HOME
    >> Client Name (Principal): markus
    >> Name-type: Principal (1)
    >> Name: markus
    >> Ticket
    >> Tkt-vno: 5
    >> Realm: SUSE.HOME
    >> Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    >> Name-type: Unknown (0)
    >> Name: krbtgt
    >> Name: WINDOWS2003.HOME
    >> enc-part rc4-hmac
    >> Encryption type: rc4-hmac (23)
    >> Kvno: 1
    >> enc-part: 46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE.. .
    >> enc-part rc4-hmac
    >> Encryption type: rc4-hmac (23)
    >> enc-part: 981F6F1C48DBB164CDAB8E7C4439D8C29B9DD584929E8580.. .
    >>
    >> No. Time Source Destination Protocol
    >> Info
    >> 445 51229.329735 opensuse.suse.home windows2003.windows2003.home
    >> KRB5 TGS-REQ
    >>
    >> Frame 445 (651 bytes on wire, 651 bytes captured)
    >> Arrival Time: May 1, 2006 13:51:34.604827000
    >> Time delta from previous packet: 0.001387000 seconds
    >> Time since reference or first frame: 51229.329735000 seconds
    >> Frame Number: 445
    >> Packet Length: 651 bytes
    >> Capture Length: 651 bytes
    >> Protocols in frame: sll:ip:udp:kerberos
    >> Linux cooked capture
    >> Packet type: Sent by us (4)
    >> Link-layer address type: 1
    >> Link-layer address length: 6
    >> Source: Vmware_02:d5:f5 (00:0c:29:02:d5:f5)
    >> Protocol: IP (0x0800)
    >> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    >> windows2003.windows2003.home (192.168.1.5)
    >> Version: 4
    >> Header length: 20 bytes
    >> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    >> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    >> .... ..0. = ECN-Capable Transport (ECT): 0
    >> .... ...0 = ECN-CE: 0
    >> Total Length: 635
    >> Identification: 0x3f10 (16144)
    >> Flags: 0x04 (Don't Fragment)
    >> 0... = Reserved bit: Not set
    >> .1.. = Don't fragment: Set
    >> ..0. = More fragments: Not set
    >> Fragment offset: 0
    >> Time to live: 64
    >> Protocol: UDP (0x11)
    >> Header checksum: 0x7605 [correct]
    >> Good: True
    >> Bad : False
    >> Source: opensuse.suse.home (192.168.1.7)
    >> Destination: windows2003.windows2003.home (192.168.1.5)
    >> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
    >> Source port: 32885 (32885)
    >> Destination port: kerberos (88)
    >> Length: 615
    >> Checksum: 0x9902 [correct]
    >> Kerberos TGS-REQ
    >> Pvno: 5
    >> MSG Type: TGS-REQ (12)
    >> padata: PA-TGS-REQ
    >> Type: PA-TGS-REQ (1)
    >> Value: 6E8201BA308201B6A003020105A10302010EA20703050000.. .
    >> AP-REQ
    >> Pvno: 5
    >> MSG Type: AP-REQ (14)
    >> Padding: 0
    >> APOptions: 00000000
    >> .0.. .... .... .... .... .... .... .... = Use Session
    >> Key: Do NOT use the session key to encrypt the ticket
    >> ..0. .... .... .... .... .... .... .... = Mutual
    >> required: Mutual authentication is NOT required
    >> Ticket
    >> Tkt-vno: 5
    >> Realm: SUSE.HOME
    >> Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    >> Name-type: Unknown (0)
    >> Name: krbtgt
    >> Name: WINDOWS2003.HOME
    >> enc-part rc4-hmac
    >> Encryption type: rc4-hmac (23)
    >> Kvno: 1
    >> enc-part:
    >> 46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE.. .
    >> Authenticator rc4-hmac
    >> Encryption type: rc4-hmac (23)
    >> Authenticator data:
    >> FE71BE32F2BFF609F021A368F6DAF66CC42C00C7508FB8E2.. .
    >> KDC_REQ_BODY
    >> Padding: 0
    >> KDCOptions: 00800000 (Renewable)
    >> .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
    >> use forwardable tickets
    >> ..0. .... .... .... .... .... .... .... = Forwarded: This is
    >> NOT a forwarded ticket
    >> ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT
    >> use proxiable tickets
    >> .... 0... .... .... .... .... .... .... = Proxy: This ticket
    >> has NOT been proxied
    >> .... .0.. .... .... .... .... .... .... = Allow Postdate: We
    >> do NOT allow the ticket to be postdated
    >> .... ..0. .... .... .... .... .... .... = Postdated: This
    >> ticket is NOT postdated
    >> .... .... 1... .... .... .... .... .... = Renewable: This
    >> ticket is RENEWABLE
    >> .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
    >> .... .... .... ...0 .... .... .... .... = Canonicalize: This
    >> is NOT a canonicalized ticket request
    >> .... .... .... .... .... .... ..0. .... = Disable Transited
    >> Check: Transited checking is NOT disabled
    >> .... .... .... .... .... .... ...0 .... = Renewable OK: We do
    >> NOT accept renewed tickets
    >> .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
    >> NOT encrypt the tkt inside the skey
    >> .... .... .... .... .... .... .... ..0. = Renew: This is NOT a
    >> request to renew a ticket
    >> .... .... .... .... .... .... .... ...0 = Validate: This is
    >> NOT a request to validate a postdated ticket
    >> Realm: WINDOWS2003.HOME
    >> Server Name (Service and Host): HTTP/w2k3.windows2003.home
    >> Name-type: Service and Host (3)
    >> Name: HTTP
    >> Name: w2k3.windows2003.home
    >> till: 2006-05-01 22:51:23 (Z)
    >> Nonce: 1146487891
    >> Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    >> Encryption type: rc4-hmac (23)
    >> Encryption type: des3-cbc-sha1 (16)
    >> Encryption type: des-cbc-crc (1)
    >> Encryption type: des-cbc-md5 (3)
    >>
    >> No. Time Source Destination Protocol
    >> Info
    >> 446 51229.334347 windows2003.windows2003.home opensuse.suse.home KRB5
    >> KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP
    >>
    >> Frame 446 (151 bytes on wire, 151 bytes captured)
    >> Arrival Time: May 1, 2006 13:51:34.609439000
    >> Time delta from previous packet: 0.004612000 seconds
    >> Time since reference or first frame: 51229.334347000 seconds
    >> Frame Number: 446
    >> Packet Length: 151 bytes
    >> Capture Length: 151 bytes
    >> Protocols in frame: sll:ip:udp:kerberos
    >> Linux cooked capture
    >> Packet type: Unicast to us (0)
    >> Link-layer address type: 1
    >> Link-layer address length: 6
    >> Source: Vmware_71:05:9f (00:0c:29:71:05:9f)
    >> Protocol: IP (0x0800)
    >> Internet Protocol, Src: windows2003.windows2003.home (192.168.1.5), Dst:
    >> opensuse.suse.home (192.168.1.7)
    >> Version: 4
    >> Header length: 20 bytes
    >> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    >> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    >> .... ..0. = ECN-Capable Transport (ECT): 0
    >> .... ...0 = ECN-CE: 0
    >> Total Length: 135
    >> Identification: 0xdebe (57022)
    >> Flags: 0x00
    >> 0... = Reserved bit: Not set
    >> .0.. = Don't fragment: Not set
    >> ..0. = More fragments: Not set
    >> Fragment offset: 0
    >> Time to live: 128
    >> Protocol: UDP (0x11)
    >> Header checksum: 0xd84a [correct]
    >> Good: True
    >> Bad : False
    >> Source: windows2003.windows2003.home (192.168.1.5)
    >> Destination: opensuse.suse.home (192.168.1.7)
    >> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
    >> Source port: kerberos (88)
    >> Destination port: 32885 (32885)
    >> Length: 115
    >> Checksum: 0xb7f8 [correct]
    >> Kerberos KRB-ERROR
    >> Pvno: 5
    >> MSG Type: KRB-ERROR (30)
    >> stime: 2006-05-01 12:51:33 (Z)
    >> susec: 907050
    >> error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
    >> Realm: WINDOWS2003.HOME
    >> Server Name (Service and Host): HTTP/w2k3.windows2003.home
    >> Name-type: Service and Host (3)
    >> Name: HTTP
    >> Name: w2k3.windows2003.home
    >>
    >> "Markus Moeller" wrote in message
    >> news:444bcbd2$0$23157$ed2e19e4@ptn-nntp-reader04.plus.net...
    >>> Is there anywhere a howto for setting up a oneway or even twoway trust
    >>> between a Windows 2003 SP1/R2 server and a MIT kdc with rc4-hmac
    >>> encryption ?
    >>>
    >>> Thank you
    >>> Markus
    >>>



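The KRB-ERROR in frame 446 above is the whole diagnostic the Windows KDC gives: error code 14 (KRB5KDC_ERR_ETYPE_NOSUPP) for HTTP/w2k3.windows2003.home, in answer to a TGS-REQ (frame 445) whose cross-realm ticket for krbtgt/WINDOWS2003.HOME@SUSE.HOME was encrypted with rc4-hmac, kvno 1; the last post in the thread reports that giving the trust an RC4 key with ktpass made this go away. The following Python is an added example, not code from the original posts or from MIT Kerberos: a minimal DER decoder that pulls error code, realm, server name and KDC time out of a raw KRB-ERROR (RFC 4120 section 5.9.1), so the KDC's answer can be read from a pcap payload or a socket without a dissector. The message it decodes is constructed here from the fields shown in frame 446 (the page only shows a prefix of the real bytes), and the error-code table is a hand-picked subset of the RFC 4120 codes.

```python
"""Decode a Kerberos KRB-ERROR (RFC 4120, 5.9.1) from a raw KDC reply.

Added example for this thread, not code from the original posts. The sample
message is constructed from the fields shown in frame 446, not captured bytes.
"""

# Subset of RFC 4120 error codes, named as MIT krb5 reports them.
ERROR_CODES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    68: "KRB5KDC_ERR_WRONG_REALM",
}

# --- minimal DER encoder, only used to build the sample message ---------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):
    # Minimal-length two's complement, as DER requires.
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def _ctx(n, inner):
    # Explicit context tag [n], constructed: 0xA0 | n.
    return _tlv(0xA0 | n, inner)

def _principal(name_type, parts):
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    names = b"".join(_tlv(0x1B, p.encode("ascii")) for p in parts)
    return _tlv(0x30, _ctx(0, _der_int(name_type)) + _ctx(1, _tlv(0x30, names)))

def encode_krb_error(stime, susec, error_code, realm, sname_type, sname):
    body = (_ctx(0, _der_int(5)) + _ctx(1, _der_int(30))
            + _ctx(4, _tlv(0x18, stime.encode("ascii")))   # KerberosTime = GeneralizedTime
            + _ctx(5, _der_int(susec))
            + _ctx(6, _der_int(error_code))
            + _ctx(9, _tlv(0x1B, realm.encode("ascii")))   # Realm = GeneralString
            + _ctx(10, _principal(sname_type, sname)))
    return _tlv(0x7E, _tlv(0x30, body))                    # [APPLICATION 30] SEQUENCE

# --- decoder ------------------------------------------------------------------

def _read(buf, pos):
    """Read one TLV starting at pos; return (tag, body, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _children(seq):
    out, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read(seq, pos)
        out.append((tag, body))
    return out

def _fields(seq):
    # Map context tag number -> the wrapped element, for one SEQUENCE body.
    return {tag & 0x1F: body for tag, body in _children(seq)}

def _inner(wrapped):
    tag, body, end = _read(wrapped, 0)
    if end != len(wrapped):
        raise ValueError("trailing bytes inside context tag")
    return tag, body

def _to_int(wrapped):
    tag, body = _inner(wrapped)
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(body, "big", signed=True)

def _to_str(wrapped):
    return _inner(wrapped)[1].decode("ascii")

def _to_principal(wrapped):
    parts = _fields(_inner(wrapped)[1])
    names = [body.decode("ascii") for _, body in _children(_inner(parts[1])[1])]
    return _to_int(parts[0]), names

def decode_krb_error(raw):
    """Return the fields of a KRB-ERROR; raise ValueError for anything else."""
    tag, body, _ = _read(raw, 0)
    if tag != 0x7E:
        raise ValueError(f"outer tag 0x{tag:02x} is not [APPLICATION 30] KRB-ERROR")
    seq_tag, seq, _ = _read(body, 0)
    if seq_tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    f = _fields(seq)
    if _to_int(f[1]) != 30:
        raise ValueError("msg-type is not KRB-ERROR (30)")
    code = _to_int(f[6])
    sname_type, sname = _to_principal(f[10])
    return {
        "pvno": _to_int(f[0]),
        "stime": _to_str(f[4]) if 4 in f else None,
        "susec": _to_int(f[5]) if 5 in f else None,
        "error_code": code,
        "error_name": ERROR_CODES.get(code, f"unknown({code})"),
        "realm": _to_str(f[9]),
        "sname_type": sname_type,
        "sname": "/".join(sname),
        "has_edata": 12 in f,   # e-data carries e.g. the KDC's etype hints on PREAUTH_REQUIRED
    }

def summarize(raw):
    e = decode_krb_error(raw)
    return (f"{e['error_name']} ({e['error_code']}) for {e['sname']}@{e['realm']}"
            f" at {e['stime']}, e-data present: {e['has_edata']}")

# Constructed from the fields shown for frame 446; not the captured bytes.
SAMPLE_FRAME_446 = encode_krb_error(
    "20060501125133Z", 907050, 14, "WINDOWS2003.HOME", 3, ["HTTP", "w2k3.windows2003.home"])

if __name__ == "__main__":
    print(len(SAMPLE_FRAME_446), "bytes:", summarize(SAMPLE_FRAME_446))
```

The constructed sample encodes to 107 bytes, which is the UDP length of frame 446 (115) minus the 8-byte UDP header, so the fields shown in the capture account for the whole datagram and the Windows KDC sent no e-data with this error. To run it on a real reply, hand decode_krb_error() the UDP payload (or, for TCP, the bytes after the 4-byte length prefix); a truncated or non-KRB-ERROR buffer raises ValueError instead of returning garbage.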
  5. Re: How to setup trust between 2003 SP1/R2 and MIT 1.4.3 ?

    I should have researched the old archives better. With ktpass
    /MITRealmName SUSE.HOME /trustencryp rc4 run on the Windows kdc I now get a
    trust with RC4 encryption.

    Markus


    "Markus Moeller" wrote in message
    news:44567655$0$23156$ed2e19e4@ptn-nntp-reader04.plus.net...
    > If I change the encryption type on my OpenSuse kdc to DES only and do the
    > mapping on the user in AD and not via ksetup I can login with markus from
    > domain SUSE.HOME.
    >
    > Does this mean there is still no trust with rc4-hmac possible ??
    >
    > Thanks
    > Markus
    >
    > "Markus Moeller" wrote in message
    > news:44566da3$0$2565$ed2619ec@ptn-nntp-reader02.plus.net...
    >> Three further observations
    >>
    >> => 1) User WINDOWS2003\markus-a CAN NOT connect with putty from Win XP to
    >> opensuse.suse.home (no port 88 traffic)
    >> I can connect as user WINDOWS2003\markus-a with putty 0.58 with
    >> GSSAPI (e.g. MIT libraries) from Win XP to
    >> opensuse.suse.home
    >> => 10) User markus@SUSE.HOME CAN NOT connect with Firefox from OpenSuse
    >> to
    >> http://w2k3.windows2003.home. I get a KRB5KDC_ERR_ETYPE_NOSUPP
    >> error (see below capture of AS-REQ,
    >> AS-REP, TGS-REQ, TGS-REP)
    >> It works when I change the encryption types in krb5.conf to only
    >> des on OpenSuse.
    >>
    >> and I CAN NOT login to the Win XP box as markus from domain SUSE.HOME. I
    >> tried ksetup /mapuser * * with no success.
    >>
    >> Any idea what I need to change ?
    >>
    >> Thank you
    >> Markus
    >>
    >> "Markus Moeller" wrote in message
    >> news:4456216c$0$2562$ed2619ec@ptn-nntp-reader02.plus.net...
    >>> I searched a bit more and found some hints how to set it up. But I still
    >>> have a couple of problems. Does anybody have an idea why I get a
    >>> KRB5KDC_ERR_ETYPE_NOSUPP error when I try to access a webserver in the
    >>> WINDOWS domain from a MIT domain ?
    >>>
    >>> Thank you
    >>> Markus
    >>>
    >>> My sample setup:
    >>>
    >>> 1. OpenSuse with kdc opensuse.suse.home for SUSE.HOME realm for all
    >>> systems in *.suse.home domain (which is based on MIT 1.4.1)
    >>> 2. Windows 2003 R2 kdc w2k3.windows2003.home for WINDOWS2003.HOME realm
    >>> for all systems in *.windows2003.home domain
    >>> 3. Run Apache2 with mod_spnego on opensuse.suse.home allows all valid
    >>> users (the same host as kdc for testing only)
    >>> 4. Run Apache2 with mod_spnego on w2k3.windows.home allows all valid
    >>> users (the same host as the kdc for testing with kfw 3.0 installed too
    >>> to build mod_spnego)
    >>> 5. Windows XP system winxp.windows2003.home in realm WINDOWS2003.HOME
    >>> 6. Run putty 0.57 from Vintela with SSPI support on Windows XP
    >>>
    >>> Both kdc's have a user markus. The Windows kdc has also a user markus-a
    >>> which does not exist in the OpenSuse kdc
    >>>
    >>> On OpenSuse markus had a .k5login file with:
    >>> markus@SUSE.HOME
    >>> markus@WINDOWS2003.HOME
    >>> markus-a@WINDOWS2003.HOME
    >>>
    >>> =======================================================================
    >>>
    >>> Setup of kdc on OpenSuse with Apache2 and mod_spnego
    >>>
    >>> #!/bin/ksh
    >>> DATE=`date +%Y%m%d.%H%M%S`
    >>> #
    >>> # OpenSuse binary locations
    >>> #
    >>> KDB5_UTIL=/usr/lib/mit/sbin/kdb5_util
    >>> KADMINLOCAL=/usr/lib/mit/sbin/kadmin.local
    >>> #
    >>> # Directories and Files
    >>> #
    >>> VARDIR=/var/lib/kerberos/krb5kdc
    >>> ETCDIR=/etc
    >>> APACHEDIR=/etc/apache2
    >>> KDC_CONF_DIR=${VARDIR}
    >>> KADM5ACL=${VARDIR}/kadm5.acl
    >>> #
    >>> # Realms
    >>> #
    >>> REALM=SUSE.HOME
    >>> REALM2=WINDOWS2003.HOME
    >>> KDC=opensuse.suse.home
    >>> KDC2=w2k3.windows2003.home
    >>> DOMAIN=suse.home
    >>> DOMAIN2=windows2003.home
    >>> #
    >>> PASS="UNIX000$"
    >>> #
    >>> # stop daemons
    >>> #
    >>> /etc/init.d/krb5kdc stop
    >>> /etc/init.d/kadmind stop
    >>> /etc/init.d/apache2 stop
    >>> #
    >>> # Save old configs
    >>> #
    >>> mkdir ${VARDIR}/version-${DATE}
    >>> mv ${KDC_CONF_DIR}/kdc.conf ${KDC_CONF_DIR}/kdc.conf-${DATE}
    >>> mv ${VARDIR}/principal* ${VARDIR}/version-${DATE}/
    >>> mv ${VARDIR}/kadm5* ${VARDIR}/version-${DATE}/
    >>> mv ${KADM5ACL} ${KADM5ACL}-${DATE}
    >>> mv ${VARDIR}/.k5.* ${VARDIR}/version-${DATE}/
    >>>
    >>> mv ${ETCDIR}/krb5.conf ${ETCDIR}/krb5.conf-${DATE}
    >>> mv ${ETCDIR}/krb5.keytab ${ETCDIR}/krb5.keytab-${DATE}
    >>>
    >>> mv ${APACHEDIR}/HTTP.keytab ${APACHEDIR}/HTTP.keytab-${DATE}
    >>> #
    >>> # Create kdc.conf
    >>> #
    >>> cat > ${KDC_CONF_DIR}/kdc.conf <<!
    >>> [kdcdefaults]
    >>> kdc_ports = 750,88
    >>> [realms]
    >>> ${REALM} = {
    >>> database_name = ${VARDIR}/principal
    >>> admin_keytab = FILE:${VARDIR}/kadm5.keytab
    >>> acl_file = ${KADM5ACL}
    >>> key_stash_file = ${VARDIR}/.k5.${REALM}
    >>> kdc_ports = 750,88
    >>> supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
    >>> kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
    >>> max_life = 10h 0m 0s
    >>> max_renewable_life = 7d 0h 0m 0s
    >>> }
    >>> [logging]
    >>> kdc = FILE:/var/log/kdc.log
    >>> admin_server = FILE:/var/log/kadmin.log
    >>> !
    >>> #
    >>> # Create krb5.conf
    >>> #
    >>> cat > ${ETCDIR}/krb5.conf <<!
    >>> [libdefaults]
    >>> default_realm = ${REALM}
    >>> dns_lookup_kdc = no
    >>> dns_lookup_realm = no
    >>> default_keytab_name = ${ETCDIR}/krb5.keytab
    >>> default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    >>> default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    >>> permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    >>> [realms]
    >>> ${REALM} = {
    >>> kdc = ${KDC}
    >>> admin_server = ${KDC}
    >>> }
    >>> ${REALM2} = {
    >>> kdc = ${KDC2}
    >>> admin_server = ${KDC2}
    >>> }
    >>> [domain_realm]
    >>> .${DOMAIN} = ${REALM}
    >>> ${DOMAIN} = ${REALM}
    >>> .${DOMAIN2} = ${REALM2}
    >>> ${DOMAIN2} = ${REALM2}
    >>>
    >>> [logging]
    >>> kdc = FILE:/var/log/krb5kdc.log
    >>> admin_server = FILE:/var/log/kadmin.log
    >>> default = FILE:/var/log/krb5lib.log
    >>> !
    >>> #
    >>> # Create database
    >>> #
    >>> ${KDB5_UTIL} create -r ${REALM} -s <<!
    >>> ${REALM}00$
    >>> ${REALM}00$
    >>> !
    >>> #
    >>> # Create ACL file
    >>> #
    >>> cat > ${KADM5ACL} <<!
    >>> ###############################################################################
    >>> #Kerberos_principal permissions [target_principal]
    >>> [restrictions]
    >>> ###############################################################################
    >>> #
    >>> #*/admin@EXAMPLE.COM *
    >>> */admin@${REALM} *
    >>> !
    >>> #
    >>> # Create some principals
    >>> #
    >>> ${KADMINLOCAL} <<!
    >>> addprinc -pw "${PASS}" krbtgt/${REALM}@${REALM2}
    >>> addprinc -pw "${PASS}" krbtgt/${REALM2}@${REALM}
    >>> addprinc -randkey host/${KDC}
    >>> addprinc -pw "Root" root/admin
    >>> addprinc -pw "Markus" markus/admin
    >>> addprinc -pw "markus" markus
    >>> addprinc -randkey HTTP/${KDC}
    >>> ktadd -k ${VARDIR}/kadm5.keytab kadmin/admin kadmin/changepw
    >>> ktadd -k ${ETCDIR}/krb5.keytab host/${KDC}
    >>> ktadd -k ${APACHEDIR}/HTTP.keytab HTTP/${KDC}
    >>> !
    >>> #
    >>> # Start daemons
    >>> #
    >>> /etc/init.d/krb5kdc start
    >>> /etc/init.d/kadmind start
    >>> chgrp www ${APACHEDIR}/HTTP.keytab
    >>> chmod g+r ${APACHEDIR}/HTTP.keytab
    >>> /etc/init.d/apache2 start
    >>>
    >>>
    >>> ======================================================================================
    >>>
    >>> Setup of Windows 2003 R2 KDC
    >>>
    >>> Raise AD to Windows 2003 server forest functional level from AD
    >>> Directory and Trust tool. Then run
    >>>
    >>> ksetup.exe /addkdc SUSE.HOME opensuse.suse.home
    >>> ksetup.exe /addrealmflags SUSE.HOME tcpsupported
    >>>
    >>>
    >>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /add /realm /twoway /PasswordT:UNIX000$
    >>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /transitive:yes
    >>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /foresttransitive:yes
    >>> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home
    >>>
    >>> create HTTP/w2k3.windows2003.home principal with msktutil.
    >>>
    >>> =======================================================================================
    >>>
    >>> Now what I got working and what not !!
    >>>
    >>> 1) User WINDOWS2003\markus can connect with putty from Win XP to
    >>> opensuse.suse.home
    >>> 2) User WINDOWS2003\markus can connect with IE from Win XP to
    >>> http://w2k3.windows2003.home
    >>> 3) User WINDOWS2003\markus can connect with IE from Win XP to
    >>> http://opensuse.suse.home
    >>>
    >>> => 1) User WINDOWS2003\markus-a CAN NOT connect with putty from Win XP
    >>> to opensuse.suse.home (no port 88 traffic)
    >>> 2) User WINDOWS2003\markus-a can connect with IE from Win XP to
    >>> http://w2k3.windows2003.home
    >>> 3) User WINDOWS2003\markus-a can connect with IE from Win XP to
    >>> http://opensuse.suse.home
    >>>
    >>> 4) User WINDOWS2003\markus can connect with putty from Windows 2003
    >>> kdc to opensuse.suse.home
    >>> 5) User WINDOWS2003\markus can connect with IE from Windows 2003 kdc
    >>> to http://opensuse.suse.home
    >>> => 6) User WINDOWS2003\markus CAN NOT connect with IE from Windows 2003
    >>> kdc to http://w2k3.windows2003.home (no port 88 traffic)
    >>>
    >>> 7) User markus@SUSE.HOME can connect with Firefox from OpenSuse to
    >>> http://opensuse.suse.home
    >>> 8) User markus@WINDOWS2003.HOME can connect with Firefox from
    >>> OpenSuse to http://opensuse.suse.home
    >>> 9) User markus@WINDOWS2003.HOME can connect with Firefox from
    >>> OpenSuse to http://w2k3.windows2003.home
    >>> => 10) User markus@SUSE.HOME CAN NOT connect with Firefox from OpenSuse
    >>> to http://w2k3.windows2003.home. I get a
    >>> KRB5KDC_ERR_ETYPE_NOSUPP error (see below capture of AS-REQ, AS-REP,
    >>> TGS-REQ, TGS-REP)
    >>>
    >>>
    >>>
    >>> No. Time Source Destination Protocol
    >>> Info
    >>> 435 51218.688966 opensuse.suse.home opensuse.suse.home KRB5
    >>> AS-REQ
    >>>
    >>> Frame 435 (203 bytes on wire, 203 bytes captured)
    >>> Arrival Time: May 1, 2006 13:51:23.964058000
    >>> Time delta from previous packet: 217.931451000 seconds
    >>> Time since reference or first frame: 51218.688966000 seconds
    >>> Frame Number: 435
    >>> Packet Length: 203 bytes
    >>> Capture Length: 203 bytes
    >>> Protocols in frame: sll:ip:udp:kerberos
    >>> Linux cooked capture
    >>> Packet type: Unicast to us (0)
    >>> Link-layer address type: 772
    >>> Link-layer address length: 0
    >>> Source:
    >>> Protocol: IP (0x0800)
    >>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    >>> opensuse.suse.home (192.168.1.7)
    >>> Version: 4
    >>> Header length: 20 bytes
    >>> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    >>> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    >>> .... ..0. = ECN-Capable Transport (ECT): 0
    >>> .... ...0 = ECN-CE: 0
    >>> Total Length: 187
    >>> Identification: 0x34ac (13484)
    >>> Flags: 0x04 (Don't Fragment)
    >>> 0... = Reserved bit: Not set
    >>> .1.. = Don't fragment: Set
    >>> ..0. = More fragments: Not set
    >>> Fragment offset: 0
    >>> Time to live: 64
    >>> Protocol: UDP (0x11)
    >>> Header checksum: 0x8227 [correct]
    >>> Good: True
    >>> Bad : False
    >>> Source: opensuse.suse.home (192.168.1.7)
    >>> Destination: opensuse.suse.home (192.168.1.7)
    >>> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
    >>> Source port: 32885 (32885)
    >>> Destination port: kerberos (88)
    >>> Length: 167
    >>> Checksum: 0x8417 [incorrect, should be 0x1303]
    >>> Kerberos AS-REQ
    >>> Pvno: 5
    >>> MSG Type: AS-REQ (10)
    >>> KDC_REQ_BODY
    >>> Padding: 0
    >>> KDCOptions: 00000010 (Renewable OK)
    >>> .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
    >>> use forwardable tickets
    >>> ..0. .... .... .... .... .... .... .... = Forwarded: This is
    >>> NOT a forwarded ticket
    >>> ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT
    >>> use proxiable tickets
    >>> .... 0... .... .... .... .... .... .... = Proxy: This ticket
    >>> has NOT been proxied
    >>> .... .0.. .... .... .... .... .... .... = Allow Postdate: We
    >>> do NOT allow the ticket to be postdated
    >>> .... ..0. .... .... .... .... .... .... = Postdated: This
    >>> ticket is NOT postdated
    >>> .... .... 0... .... .... .... .... .... = Renewable: This
    >>> ticket is NOT renewable
    >>> .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
    >>> .... .... .... ...0 .... .... .... .... = Canonicalize: This
    >>> is NOT a canonicalized ticket request
    >>> .... .... .... .... .... .... ..0. .... = Disable Transited
    >>> Check: Transited checking is NOT disabled
    >>> .... .... .... .... .... .... ...1 .... = Renewable OK: We
    >>> accept RENEWED tickets
    >>> .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
    >>> NOT encrypt the tkt inside the skey
    >>> .... .... .... .... .... .... .... ..0. = Renew: This is NOT
    >>> a request to renew a ticket
    >>> .... .... .... .... .... .... .... ...0 = Validate: This is
    >>> NOT a request to validate a postdated ticket
    >>> Client Name (Principal): markus
    >>> Name-type: Principal (1)
    >>> Name: markus
    >>> Realm: SUSE.HOME
    >>> Server Name (Unknown): krbtgt/SUSE.HOME
    >>> Name-type: Unknown (0)
    >>> Name: krbtgt
    >>> Name: SUSE.HOME
    >>> from: 2006-05-01 12:51:23 (Z)
    >>> till: 2006-05-02 12:51:23 (Z)
    >>> Nonce: 1146487883
    >>> Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    >>> Encryption type: rc4-hmac (23)
    >>> Encryption type: des3-cbc-sha1 (16)
    >>> Encryption type: des-cbc-crc (1)
    >>> Encryption type: des-cbc-md5 (3)
    >>>
    >>> No. Time Source Destination Protocol
    >>> Info
    >>> 436 51218.693811 opensuse.suse.home opensuse.suse.home KRB5
    >>> AS-REP
    >>>
    >>> Frame 436 (598 bytes on wire, 598 bytes captured)
    >>> Arrival Time: May 1, 2006 13:51:23.968903000
    >>> Time delta from previous packet: 0.004845000 seconds
    >>> Time since reference or first frame: 51218.693811000 seconds
    >>> Frame Number: 436
    >>> Packet Length: 598 bytes
    >>> Capture Length: 598 bytes
    >>> Protocols in frame: sll:ip:udp:kerberos
    >>> Linux cooked capture
    >>> Packet type: Unicast to us (0)
    >>> Link-layer address type: 772
    >>> Link-layer address length: 0
    >>> Source:
    >>> Protocol: IP (0x0800)
    >>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    >>> opensuse.suse.home (192.168.1.7)
    >>> Version: 4
    >>> Header length: 20 bytes
    >>> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    >>> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    >>> .... ..0. = ECN-Capable Transport (ECT): 0
    >>> .... ...0 = ECN-CE: 0
    >>> Total Length: 582
    >>> Identification: 0x001e (30)
    >>> Flags: 0x04 (Don't Fragment)
    >>> 0... = Reserved bit: Not set
    >>> .1.. = Don't fragment: Set
    >>> ..0. = More fragments: Not set
    >>> Fragment offset: 0
    >>> Time to live: 64
    >>> Protocol: UDP (0x11)
    >>> Header checksum: 0xb52a [correct]
    >>> Good: True
    >>> Bad : False
    >>> Source: opensuse.suse.home (192.168.1.7)
    >>> Destination: opensuse.suse.home (192.168.1.7)
    >>> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
    >>> Source port: kerberos (88)
    >>> Destination port: 32885 (32885)
    >>> Length: 562
    >>> Checksum: 0x85a2 [incorrect, should be 0x84dc]
    >>> Kerberos AS-REP
    >>> Pvno: 5
    >>> MSG Type: AS-REP (11)
    >>> padata: Unknown:19
    >>> Type: Unknown (19)
    >>> Value: 30073005A003020117
    >>> Client Realm: SUSE.HOME
    >>> Client Name (Principal): markus
    >>> Name-type: Principal (1)
    >>> Name: markus
    >>> Ticket
    >>> Tkt-vno: 5
    >>> Realm: SUSE.HOME
    >>> Server Name (Unknown): krbtgt/SUSE.HOME
    >>> Name-type: Unknown (0)
    >>> Name: krbtgt
    >>> Name: SUSE.HOME
    >>> enc-part rc4-hmac
    >>> Encryption type: rc4-hmac (23)
    >>> Kvno: 1
    >>> enc-part: 4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1.. .
    >>> enc-part rc4-hmac
    >>> Encryption type: rc4-hmac (23)
    >>> enc-part: E0E5CF0DBFEF8C3326CE6F3CB5CFFD73A355696BCD0E95CB.. .
    >>>
    >>> No. Time Source Destination Protocol
    >>> Info
    >>> 443 51229.309113 opensuse.suse.home opensuse.suse.home KRB5
    >>> TGS-REQ
    >>>
    >>> Frame 443 (652 bytes on wire, 652 bytes captured)
    >>> Arrival Time: May 1, 2006 13:51:34.584205000
    >>> Time delta from previous packet: 10.615302000 seconds
    >>> Time since reference or first frame: 51229.309113000 seconds
    >>> Frame Number: 443
    >>> Packet Length: 652 bytes
    >>> Capture Length: 652 bytes
    >>> Protocols in frame: sll:ip:udp:kerberos
    >>> Linux cooked capture
    >>> Packet type: Unicast to us (0)
    >>> Link-layer address type: 772
    >>> Link-layer address length: 0
    >>> Source:
    >>> Protocol: IP (0x0800)
    >>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    >>> opensuse.suse.home (192.168.1.7)
    >>> Version: 4
    >>> Header length: 20 bytes
    >>> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    >>> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    >>> .... ..0. = ECN-Capable Transport (ECT): 0
    >>> .... ...0 = ECN-CE: 0
    >>> Total Length: 636
    >>> Identification: 0x3f0b (16139)
    >>> Flags: 0x04 (Don't Fragment)
    >>> 0... = Reserved bit: Not set
    >>> .1.. = Don't fragment: Set
    >>> ..0. = More fragments: Not set
    >>> Fragment offset: 0
    >>> Time to live: 64
    >>> Protocol: UDP (0x11)
    >>> Header checksum: 0x7607 [correct]
    >>> Good: True
    >>> Bad : False
    >>> Source: opensuse.suse.home (192.168.1.7)
    >>> Destination: opensuse.suse.home (192.168.1.7)
    >>> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
    >>> Source port: 32885 (32885)
    >>> Destination port: kerberos (88)
    >>> Length: 616
    >>> Checksum: 0x85d8 [incorrect, should be 0x7d06]
    >>> Kerberos TGS-REQ
    >>> Pvno: 5
    >>> MSG Type: TGS-REQ (12)
    >>> padata: PA-TGS-REQ
    >>> Type: PA-TGS-REQ (1)
    >>> Value: 6E82019D30820199A003020105A10302010EA20703050000.. .
    >>> AP-REQ
    >>> Pvno: 5
    >>> MSG Type: AP-REQ (14)
    >>> Padding: 0
    >>> APOptions: 00000000
    >>> .0.. .... .... .... .... .... .... .... = Use Session
    >>> Key: Do NOT use the session key to encrypt the ticket
    >>> ..0. .... .... .... .... .... .... .... = Mutual
    >>> required: Mutual authentication is NOT required
    >>> Ticket
    >>> Tkt-vno: 5
    >>> Realm: SUSE.HOME
    >>> Server Name (Unknown): krbtgt/SUSE.HOME
    >>> Name-type: Unknown (0)
    >>> Name: krbtgt
    >>> Name: SUSE.HOME
    >>> enc-part rc4-hmac
    >>> Encryption type: rc4-hmac (23)
    >>> Kvno: 1
    >>> enc-part:
    >>> 4057A7166A1CC59F143F9B74A72F0B16CA629616DD0E96F1.. .
    >>> Authenticator rc4-hmac
    >>> Encryption type: rc4-hmac (23)
    >>> Authenticator data:
    >>> B7008BD37B307572105D0107E309A30F6E89F74B4663A474.. .
    >>> KDC_REQ_BODY
    >>> Padding: 0
    >>> KDCOptions: 00800000 (Renewable)
    >>> .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
    >>> use forwardable tickets
    >>> ..0. .... .... .... .... .... .... .... = Forwarded: This is
    >>> NOT a forwarded ticket
    >>> ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT
    >>> use proxiable tickets
    >>> .... 0... .... .... .... .... .... .... = Proxy: This ticket
    >>> has NOT been proxied
    >>> .... .0.. .... .... .... .... .... .... = Allow Postdate: We
    >>> do NOT allow the ticket to be postdated
    >>> .... ..0. .... .... .... .... .... .... = Postdated: This
    >>> ticket is NOT postdated
    >>> .... .... 1... .... .... .... .... .... = Renewable: This
    >>> ticket is RENEWABLE
    >>> .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
    >>> .... .... .... ...0 .... .... .... .... = Canonicalize: This
    >>> is NOT a canonicalized ticket request
    >>> .... .... .... .... .... .... ..0. .... = Disable Transited
    >>> Check: Transited checking is NOT disabled
    >>> .... .... .... .... .... .... ...0 .... = Renewable OK: We do
    >>> NOT accept renewed tickets
    >>> .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
    >>> NOT encrypt the tkt inside the skey
    >>> .... .... .... .... .... .... .... ..0. = Renew: This is NOT
    >>> a request to renew a ticket
    >>> .... .... .... .... .... .... .... ...0 = Validate: This is
    >>> NOT a request to validate a postdated ticket
    >>> Realm: SUSE.HOME
    >>> Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    >>> Name-type: Unknown (0)
    >>> Name: krbtgt
    >>> Name: WINDOWS2003.HOME
    >>> from: 2006-05-01 12:51:23 (Z)
    >>> till: 2006-05-01 22:51:23 (Z)
    >>> rtime: 2006-05-02 12:51:23 (Z)
    >>> Nonce: 1146487891
    >>> Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    >>> Encryption type: rc4-hmac (23)
    >>> Encryption type: des3-cbc-sha1 (16)
    >>> Encryption type: des-cbc-crc (1)
    >>> Encryption type: des-cbc-md5 (3)
    >>>
    >>> No. Time Source Destination Protocol
    >>> Info
    >>> 444 51229.328348 opensuse.suse.home opensuse.suse.home KRB5
    >>> TGS-REP
    >>>
    >>> Frame 444 (629 bytes on wire, 629 bytes captured)
    >>> Arrival Time: May 1, 2006 13:51:34.603440000
    >>> Time delta from previous packet: 0.019235000 seconds
    >>> Time since reference or first frame: 51229.328348000 seconds
    >>> Frame Number: 444
    >>> Packet Length: 629 bytes
    >>> Capture Length: 629 bytes
    >>> Protocols in frame: sll:ip:udp:kerberos
    >>> Linux cooked capture
    >>> Packet type: Unicast to us (0)
    >>> Link-layer address type: 772
    >>> Link-layer address length: 0
    >>> Source:
    >>> Protocol: IP (0x0800)
    >>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    >>> opensuse.suse.home (192.168.1.7)
    >>> Version: 4
    >>> Header length: 20 bytes
    >>> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    >>> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    >>> .... ..0. = ECN-Capable Transport (ECT): 0
    >>> .... ...0 = ECN-CE: 0
    >>> Total Length: 613
    >>> Identification: 0x001f (31)
    >>> Flags: 0x04 (Don't Fragment)
    >>> 0... = Reserved bit: Not set
    >>> .1.. = Don't fragment: Set
    >>> ..0. = More fragments: Not set
    >>> Fragment offset: 0
    >>> Time to live: 64
    >>> Protocol: UDP (0x11)
    >>> Header checksum: 0xb50a [correct]
    >>> Good: True
    >>> Bad : False
    >>> Source: opensuse.suse.home (192.168.1.7)
    >>> Destination: opensuse.suse.home (192.168.1.7)
    >>> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
    >>> Source port: kerberos (88)
    >>> Destination port: 32885 (32885)
    >>> Length: 593
    >>> Checksum: 0x85c1 [incorrect, should be 0x3f5c]
    >>> Kerberos TGS-REP
    >>> Pvno: 5
    >>> MSG Type: TGS-REP (13)
    >>> Client Realm: SUSE.HOME
    >>> Client Name (Principal): markus
    >>> Name-type: Principal (1)
    >>> Name: markus
    >>> Ticket
    >>> Tkt-vno: 5
    >>> Realm: SUSE.HOME
    >>> Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    >>> Name-type: Unknown (0)
    >>> Name: krbtgt
    >>> Name: WINDOWS2003.HOME
    >>> enc-part rc4-hmac
    >>> Encryption type: rc4-hmac (23)
    >>> Kvno: 1
    >>> enc-part: 46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE.. .
    >>> enc-part rc4-hmac
    >>> Encryption type: rc4-hmac (23)
    >>> enc-part: 981F6F1C48DBB164CDAB8E7C4439D8C29B9DD584929E8580.. .
    >>>
    >>> No. Time Source Destination Protocol
    >>> Info
    >>> 445 51229.329735 opensuse.suse.home windows2003.windows2003.home
    >>> KRB5 TGS-REQ
    >>>
    >>> Frame 445 (651 bytes on wire, 651 bytes captured)
    >>> Arrival Time: May 1, 2006 13:51:34.604827000
    >>> Time delta from previous packet: 0.001387000 seconds
    >>> Time since reference or first frame: 51229.329735000 seconds
    >>> Frame Number: 445
    >>> Packet Length: 651 bytes
    >>> Capture Length: 651 bytes
    >>> Protocols in frame: sll:ip:udp:kerberos
    >>> Linux cooked capture
    >>> Packet type: Sent by us (4)
    >>> Link-layer address type: 1
    >>> Link-layer address length: 6
    >>> Source: Vmware_02:d5:f5 (00:0c:29:02:d5:f5)
    >>> Protocol: IP (0x0800)
    >>> Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst:
    >>> windows2003.windows2003.home (192.168.1.5)
    >>> Version: 4
    >>> Header length: 20 bytes
    >>> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    >>> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    >>> .... ..0. = ECN-Capable Transport (ECT): 0
    >>> .... ...0 = ECN-CE: 0
    >>> Total Length: 635
    >>> Identification: 0x3f10 (16144)
    >>> Flags: 0x04 (Don't Fragment)
    >>> 0... = Reserved bit: Not set
    >>> .1.. = Don't fragment: Set
    >>> ..0. = More fragments: Not set
    >>> Fragment offset: 0
    >>> Time to live: 64
    >>> Protocol: UDP (0x11)
    >>> Header checksum: 0x7605 [correct]
    >>> Good: True
    >>> Bad : False
    >>> Source: opensuse.suse.home (192.168.1.7)
    >>> Destination: windows2003.windows2003.home (192.168.1.5)
    >>> User Datagram Protocol, Src Port: 32885 (32885), Dst Port: kerberos (88)
    >>> Source port: 32885 (32885)
    >>> Destination port: kerberos (88)
    >>> Length: 615
    >>> Checksum: 0x9902 [correct]
    >>> Kerberos TGS-REQ
    >>> Pvno: 5
    >>> MSG Type: TGS-REQ (12)
    >>> padata: PA-TGS-REQ
    >>> Type: PA-TGS-REQ (1)
    >>> Value: 6E8201BA308201B6A003020105A10302010EA20703050000.. .
    >>> AP-REQ
    >>> Pvno: 5
    >>> MSG Type: AP-REQ (14)
    >>> Padding: 0
    >>> APOptions: 00000000
    >>> .0.. .... .... .... .... .... .... .... = Use Session
    >>> Key: Do NOT use the session key to encrypt the ticket
    >>> ..0. .... .... .... .... .... .... .... = Mutual
    >>> required: Mutual authentication is NOT required
    >>> Ticket
    >>> Tkt-vno: 5
    >>> Realm: SUSE.HOME
    >>> Server Name (Unknown): krbtgt/WINDOWS2003.HOME
    >>> Name-type: Unknown (0)
    >>> Name: krbtgt
    >>> Name: WINDOWS2003.HOME
    >>> enc-part rc4-hmac
    >>> Encryption type: rc4-hmac (23)
    >>> Kvno: 1
    >>> enc-part:
    >>> 46B8A78EEFCA7160D04C0C723040660AF957F1C8AF3B4BDE.. .
    >>> Authenticator rc4-hmac
    >>> Encryption type: rc4-hmac (23)
    >>> Authenticator data:
    >>> FE71BE32F2BFF609F021A368F6DAF66CC42C00C7508FB8E2.. .
    >>> KDC_REQ_BODY
    >>> Padding: 0
    >>> KDCOptions: 00800000 (Renewable)
    >>> .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT
    >>> use forwardable tickets
    >>> ..0. .... .... .... .... .... .... .... = Forwarded: This is
    >>> NOT a forwarded ticket
    >>> ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT
    >>> use proxiable tickets
    >>> .... 0... .... .... .... .... .... .... = Proxy: This ticket
    >>> has NOT been proxied
    >>> .... .0.. .... .... .... .... .... .... = Allow Postdate: We
    >>> do NOT allow the ticket to be postdated
    >>> .... ..0. .... .... .... .... .... .... = Postdated: This
    >>> ticket is NOT postdated
    >>> .... .... 1... .... .... .... .... .... = Renewable: This
    >>> ticket is RENEWABLE
    >>> .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
    >>> .... .... .... ...0 .... .... .... .... = Canonicalize: This
    >>> is NOT a canonicalized ticket request
    >>> .... .... .... .... .... .... ..0. .... = Disable Transited
    >>> Check: Transited checking is NOT disabled
    >>> .... .... .... .... .... .... ...0 .... = Renewable OK: We do
    >>> NOT accept renewed tickets
    >>> .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do
    >>> NOT encrypt the tkt inside the skey
    >>> .... .... .... .... .... .... .... ..0. = Renew: This is NOT
    >>> a request to renew a ticket
    >>> .... .... .... .... .... .... .... ...0 = Validate: This is
    >>> NOT a request to validate a postdated ticket
    >>> Realm: WINDOWS2003.HOME
    >>> Server Name (Service and Host): HTTP/w2k3.windows2003.home
    >>> Name-type: Service and Host (3)
    >>> Name: HTTP
    >>> Name: w2k3.windows2003.home
    >>> till: 2006-05-01 22:51:23 (Z)
    >>> Nonce: 1146487891
    >>> Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    >>> Encryption type: rc4-hmac (23)
    >>> Encryption type: des3-cbc-sha1 (16)
    >>> Encryption type: des-cbc-crc (1)
    >>> Encryption type: des-cbc-md5 (3)
    >>>
    >>> No. Time Source Destination Protocol
    >>> Info
    >>> 446 51229.334347 windows2003.windows2003.home opensuse.suse.home KRB5
    >>> KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP
    >>>
    >>> Frame 446 (151 bytes on wire, 151 bytes captured)
    >>> Arrival Time: May 1, 2006 13:51:34.609439000
    >>> Time delta from previous packet: 0.004612000 seconds
    >>> Time since reference or first frame: 51229.334347000 seconds
    >>> Frame Number: 446
    >>> Packet Length: 151 bytes
    >>> Capture Length: 151 bytes
    >>> Protocols in frame: sll:ip:udp:kerberos
    >>> Linux cooked capture
    >>> Packet type: Unicast to us (0)
    >>> Link-layer address type: 1
    >>> Link-layer address length: 6
    >>> Source: Vmware_71:05:9f (00:0c:29:71:05:9f)
    >>> Protocol: IP (0x0800)
    >>> Internet Protocol, Src: windows2003.windows2003.home (192.168.1.5), Dst:
    >>> opensuse.suse.home (192.168.1.7)
    >>> Version: 4
    >>> Header length: 20 bytes
    >>> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    >>> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    >>> .... ..0. = ECN-Capable Transport (ECT): 0
    >>> .... ...0 = ECN-CE: 0
    >>> Total Length: 135
    >>> Identification: 0xdebe (57022)
    >>> Flags: 0x00
    >>> 0... = Reserved bit: Not set
    >>> .0.. = Don't fragment: Not set
    >>> ..0. = More fragments: Not set
    >>> Fragment offset: 0
    >>> Time to live: 128
    >>> Protocol: UDP (0x11)
    >>> Header checksum: 0xd84a [correct]
    >>> Good: True
    >>> Bad : False
    >>> Source: windows2003.windows2003.home (192.168.1.5)
    >>> Destination: opensuse.suse.home (192.168.1.7)
    >>> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32885 (32885)
    >>> Source port: kerberos (88)
    >>> Destination port: 32885 (32885)
    >>> Length: 115
    >>> Checksum: 0xb7f8 [correct]
    >>> Kerberos KRB-ERROR
    >>> Pvno: 5
    >>> MSG Type: KRB-ERROR (30)
    >>> stime: 2006-05-01 12:51:33 (Z)
    >>> susec: 907050
    >>> error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
    >>> Realm: WINDOWS2003.HOME
    >>> Server Name (Service and Host): HTTP/w2k3.windows2003.home
    >>> Name-type: Service and Host (3)
    >>> Name: HTTP
    >>> Name: w2k3.windows2003.home
    >>>
    >>> "Markus Moeller" wrote in message
    >>> news:444bcbd2$0$23157$ed2e19e4@ptn-nntp-reader04.plus.net...
    >>>> Is there anywhere a howto for setting up a oneway or even twoway trust
    >>>> between a Windows 2003 SP1/R2 server and a MIT kdc with rc4-hmac
    >>>> encryption ?
    >>>>
    >>>> Thank you
    >>>> Markus
    >>>>
    >>>
    >>>
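An added example, not code from the thread or from either KDC project: a small Python parser for the Ethereal-style text decode quoted above. It extracts, per Kerberos message, the requested service and realm, the etypes the client offered, the enc-part etypes that appear, and any KRB-ERROR, then pairs each error with the request it answers so the offered etypes sit next to the etype of the TGT that was presented. The sample decode inside is constructed from the capture above, condensed to the lines the parser reads; the message-boundary and field patterns are assumptions about that decode format.

```python
"""Summarise the Kerberos etype negotiation in an Ethereal/Wireshark text decode."""
import re
from typing import Any, Dict, List, Optional

Msg = Dict[str, Any]
MSG_RE = re.compile(r"^Kerberos (AS-REQ|AS-REP|TGS-REQ|TGS-REP|KRB-ERROR)$")
FIELD_RES = {  # field name -> regex matched against one stripped decode line
    "snames": re.compile(r"^Server Name \([^)]*\): (\S+)$"),
    "realms": re.compile(r"^Realm: (\S+)$"),
    "offered": re.compile(r"^Encryption Types: (.+)$"),
    "used": re.compile(r"^(?:enc-part|Authenticator) ([a-z0-9-]+)$"),
    "error": re.compile(r"^error_code: (\S+) \(\d+\)$"),
}

def parse_dissection(text: str) -> List[Msg]:
    """Split the decode into Kerberos messages, keeping only the fields used
    here; frame/IP/UDP header lines before the first Kerberos PDU are skipped."""
    msgs: List[Msg] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := MSG_RE.match(line):
            msgs.append({"kind": m.group(1), "snames": [], "realms": [],
                         "offered": [], "used": [], "error": None})
            continue
        for name, rx in FIELD_RES.items():
            if msgs and (m := rx.match(line)):
                if name == "error":
                    msgs[-1]["error"] = m.group(1)
                elif name == "offered":
                    msgs[-1]["offered"] = m.group(1).split()
                else:
                    msgs[-1][name].append(m.group(1))
                break
    return msgs

def target(msg: Msg, key: str = "snames") -> Optional[str]:
    """Requested service (or, with key="realms", its realm). In a *-REQ the
    AP-REQ ticket precedes KDC_REQ_BODY, so the requested entry is the LAST
    one; in a REP or KRB-ERROR it is the first."""
    items: List[str] = msg[key]
    if not items:
        return None
    return items[-1] if str(msg["kind"]).endswith("REQ") else items[0]

def explain_errors(msgs: List[Msg]) -> List[Msg]:
    """Pair each KRB-ERROR with the request it answers: for ETYPE_NOSUPP this
    shows the offered etypes beside the etype of the TGT the client presented."""
    findings: List[Msg] = []
    for i, err in enumerate(msgs):
        if err["kind"] != "KRB-ERROR":
            continue
        req = next((m for m in reversed(msgs[:i])
                    if str(m["kind"]).endswith("REQ") and target(m) == target(err)),
                   None)
        findings.append({"error": err["error"], "service": target(err),
                         "realm": target(err, "realms"),
                         "offered": list(req["offered"]) if req else [],
                         "tgt_etype": req["used"][0] if req and req["used"] else None})
    return findings

# Constructed sample: the thread's capture, condensed to the lines this parser reads.
SAMPLE = """\
Kerberos TGS-REP
  Realm: SUSE.HOME
  Server Name (Unknown): krbtgt/WINDOWS2003.HOME
  enc-part rc4-hmac
Kerberos TGS-REQ
  Realm: SUSE.HOME
  Server Name (Unknown): krbtgt/WINDOWS2003.HOME
  enc-part rc4-hmac
  Authenticator rc4-hmac
  Realm: WINDOWS2003.HOME
  Server Name (Service and Host): HTTP/w2k3.windows2003.home
  Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
Kerberos KRB-ERROR
  error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
  Realm: WINDOWS2003.HOME
  Server Name (Service and Host): HTTP/w2k3.windows2003.home
"""
```

Running `explain_errors(parse_dissection(SAMPLE))` on the sample yields one finding: the WINDOWS2003.HOME KDC answered the request for HTTP/w2k3.windows2003.home with KRB5KDC_ERR_ETYPE_NOSUPP although the client offered rc4-hmac, des3-cbc-sha1, des-cbc-crc and des-cbc-md5 and presented an rc4-hmac cross-realm TGT, which is the comparison to make against the keys that service account actually holds.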