
Re: GSSAPI on Linux using Windows AD Servers as KDCs - Errors about

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon Jan 7 10:55:40 2008

Message-ID: <47824B4A.9050102@anl.gov>
Date: Mon, 07 Jan 2008 09:54:50 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: "Jason D. McCormick" <jason@devrandom.org>
In-Reply-To: <4781A401.1050509@devrandom.org>
Cc: "Richard E. Silverman" <res@qoxp.net>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Jason D. McCormick wrote:
> Richard E. Silverman wrote:
> 
>> A couple of questions:
>>
>> 1) What are the tkt and skey types on the tickets the client gets?  The
>>    etype of the service credentials?
> 
> klist -e reports:

(Normally Kerberos does not save a ticket in the cache if it does not work
so you may not see the ticket for the service. Wireshark can show a lot more.)

> 
> Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
> 
> for the TGT.  The keytab lists the key type as "DES cbc mode with CRC-32".
> 
>> 2) I assume you generated the service keytabs from AD using ktpass.exe?
>>    If so, exactly what command did you use?
> 
> Yes, I did.  I don't have the exact command handy because getting this
> working has been an iterative process.  I definitely set the key type to
> be des-cbc-crc with ktpass.  It would have been something like:
> 
> ktpass -princ nfs/nfs1.loc1.example.com@AD.EXAMPLE.COM -mapuser
> AD\nfs-nfs1 +rndPass -crypto DES-CBC-CRC -out nfs1.keytab

The problem might be that on the AD account the UserAccountControl flag
does not have the USE_DES_KEY_ONLY 0x200000 set, so AD is returning an
ArcFour ticket, which is not in the keytab. ktpass has a /DESOnly option
to set this.

See kb 305144 too.

Why are you using DES? All the newer Kerberos can use ArcFour. So try
ktpass without the crypto option.

> 
> I've also tried it with and without -ptype KRB5_NT_SRV_HST.
> 
> - Jason
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
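The mismatch Doug describes above (AD issues an ArcFour service ticket while the keytab holds only a DES key because USE_DES_KEY_ONLY is not set on the account) can be checked mechanically. The following script is an added example, not code from the thread or from MIT Kerberos: it decodes the documented userAccountControl bits, normalises the key-type names that `klist -e` and the keytab listing print, and reports whether the ticket's etype can be decrypted with the keytab. The sample `klist -e` line and the UAC value are constructed to mirror the thread; the canonical etype names are assumptions for illustration.

```python
"""Diagnose an AD/MIT Kerberos etype mismatch of the kind described in the thread.

Added example (not from the mailing-list post). UAC_FLAGS holds the documented
userAccountControl bit values; the sample inputs below are constructed.
"""
import re

# Documented userAccountControl bits (subset relevant to Kerberos service accounts).
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
USE_DES_KEY_ONLY = 0x200000

# Human-readable names printed by klist -e / keytab listings -> canonical etype
# names (assumed spellings used only within this example).
ETYPE_NAMES = {
    "des cbc mode with crc-32": "des-cbc-crc",
    "des cbc mode with rsa-md5": "des-cbc-md5",
    "arcfour with hmac/md5": "arcfour-hmac",
}
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md5"}


def decode_uac(value):
    """Return the names of the known UAC bits set in value, sorted."""
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)


def canonical_etype(name):
    """Map a printed key-type name to its canonical form (unknown names pass through)."""
    return ETYPE_NAMES.get(name.strip().lower(), name.strip().lower())


def parse_klist_etypes(line):
    """Parse 'Etype (skey, tkt): X, Y' from klist -e into (skey, tkt) canonical names."""
    m = re.match(r"\s*Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$", line)
    if not m:
        raise ValueError("not a klist -e Etype line: %r" % line)
    return tuple(canonical_etype(s) for s in m.groups())


def diagnose(uac, keytab_etypes, ticket_etype):
    """Return a list of findings explaining why a DES keytab cannot accept the ticket."""
    keytab_etypes = set(keytab_etypes)
    findings = []
    # 1. The server can only decrypt the ticket if its etype is in the keytab.
    if ticket_etype not in keytab_etypes:
        findings.append("ticket etype %s is not in keytab etypes %s"
                        % (ticket_etype, sorted(keytab_etypes)))
    # 2. A DES-only keytab needs USE_DES_KEY_ONLY (0x200000) on the AD account,
    #    otherwise the KDC issues ArcFour tickets the server cannot decrypt.
    if keytab_etypes <= WEAK_ETYPES and not (uac & USE_DES_KEY_ONLY):
        findings.append("keytab is DES-only but USE_DES_KEY_ONLY (0x200000) is not set "
                        "on the account (ktpass /DESOnly sets it)")
    # 3. Single DES is weak regardless; the thread's advice is to drop -crypto DES-CBC-CRC.
    if keytab_etypes & WEAK_ETYPES:
        findings.append("keytab contains single-DES keys; prefer generating it without "
                        "-crypto DES-CBC-CRC")
    return findings


if __name__ == "__main__":
    # Constructed to mirror the thread: DES-only keytab, ArcFour TGT, UAC without DESOnly.
    skey, tkt = parse_klist_etypes(
        "Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5")
    keytab = {canonical_etype("DES cbc mode with CRC-32")}
    sample_uac = 0x10200  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD (constructed)
    print("UAC flags:", decode_uac(sample_uac))
    for finding in diagnose(sample_uac, keytab, tkt):
        print("-", finding)
```

Feed it the real `userAccountControl` attribute of the service account and the etype names from `klist -e` and the keytab listing; an empty findings list means the ticket etype and keytab agree and no DES keys are involved.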
