[28970] in Kerberos
Re: GSSAPI on Linux using Windows AD Servers as KDCs - Errors about
daemon@ATHENA.MIT.EDU (Jason D. McCormick)
Sun Jan 6 23:01:40 2008
Message-ID: <4781A401.1050509@devrandom.org>
Date: Sun, 06 Jan 2008 23:01:05 -0500
From: "Jason D. McCormick" <jason@devrandom.org>
To: "Richard E. Silverman" <res@qoxp.net>
In-Reply-To: <m2odc3swr8.fsf@darwin.oankali.net>
Cc: kerberos@mit.edu
Richard E. Silverman wrote:
> A couple of questions:
>
> 1) What are the tkt and skey types on the tickets the client gets? The
> etype of the service credentials?

klist -e reports:

    Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5

for the TGT. The keytab lists the key type as "DES cbc mode with CRC-32".

> 2) I assume you generated the service keytabs from AD using ktpass.exe?
> If so, exactly what command did you use?

Yes, I did. I don't have the exact command handy because getting this
working has been an iterative process. I definitely set the key type to
be des-cbc-crc with ktpass. It would have been something like:

    ktpass -princ nfs/nfs1.loc1.example.com@AD.EXAMPLE.COM -mapuser AD\nfs-nfs1 +rndPass -crypto DES-CBC-CRC -out nfs1.keytab

I've also tried it with and without -ptype KRB5_NT_SRV_HST.

- Jason
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos