[28980] in Kerberos
Re: GSSAPI on Linux using Windows AD Servers as KDCs - Errors
daemon@ATHENA.MIT.EDU (Markus Moeller)
Mon Jan 7 16:22:07 2008
To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Mon, 7 Jan 2008 20:43:37 -0000
Message-ID: <flu2ue$v7s$1@ger.gmane.org>
In-Reply-To: <478274B5.3030700@devrandom.org>
Jason,
BTW I tested with my Linux MIT kdc and used an RC4-HMAC key for nfs/fqdn in
the keytab only and it seems to work too.
I see: Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
So I would expect it to work with a Windows kdc, and handling RC4 is easier as
you don't need to worry about the DES flag and salt.
Markus
root@Opensuse:# mount -t nfs4 -o rw,sec=krb5 opensuse.suse.home:/ /suse_work
markus@Opensuse:~> ls /suse_work/
ls: cannot access /suse_work/: Permission denied
markus@Opensuse:~> kinit
Password for markus@SUSE.HOME:
markus@Opensuse:~> ls /suse_work/
src
markus@Opensuse:~> klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: markus@SUSE.HOME
Valid starting     Expires            Service principal
01/07/08 20:37:05  01/08/08 06:37:05  krbtgt/SUSE.HOME@SUSE.HOME
        renew until 01/08/08 20:37:05, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
01/07/08 20:37:11  01/08/08 06:37:05  nfs/opensuse.suse.home@SUSE.HOME
        renew until 01/08/08 20:37:05, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
markus@Opensuse:~> sudo klist -ekt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/07/08 20:25:41 host/opensuse.suse.home@SUSE.HOME (ArcFour with HMAC/md5)
   6 01/07/08 20:25:41 nfs/opensuse.suse.home@SUSE.HOME (ArcFour with HMAC/md5)
"Jason D. McCormick" <jason@devrandom.org> wrote in message
news:478274B5.3030700@devrandom.org...
> Douglas E. Engert wrote:
>> The problem might be that on the AD account the UserAccountControl flag
>> does not have the USE_DES_KEY_ONLY 0x200000 set, So AD is returning an
>> ArcFour ticket, which is not in the keytab. ktpass has a /DESOnly option
>> to set this.
>>
>> See kb 305144 too.
>
> This is EXACTLY what I needed. Everything works now. Thanks to
> everyone for the help.
>
> - Jason
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
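A quick check for the mismatch Douglas describes (the KDC issues an ArcFour service ticket but the host keytab holds no ArcFour key for that principal), as an added example that is not part of this thread: it reads the "tkt" enctype from klist -e and compares it with the key enctypes in klist -ekt. The klist text is constructed from the session above and the function names are assumptions.

```shell
# Added example, not from the thread: compare the enctype the KDC used for a cached
# service ticket (the "tkt" half of "Etype (skey, tkt)" in klist -e) with the key
# enctypes the host keytab holds for that principal (klist -ekt). The klist text
# below is constructed from the session in the message; function names are mine.
SVC='nfs/opensuse.suse.home@SUSE.HOME'

# Constructed klist -e output: each ticket line is followed by its Etype line.
CCACHE_OUT='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: markus@SUSE.HOME
Valid starting     Expires            Service principal
01/07/08 20:37:05  01/08/08 06:37:05  krbtgt/SUSE.HOME@SUSE.HOME
    renew until 01/08/08 20:37:05, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
01/07/08 20:37:11  01/08/08 06:37:05  nfs/opensuse.suse.home@SUSE.HOME
    renew until 01/08/08 20:37:05, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5'

# Constructed klist -ekt output with an RC4 key only (the working setup above).
KEYTAB_RC4='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
   6 01/07/08 20:25:41 nfs/opensuse.suse.home@SUSE.HOME (ArcFour with HMAC/md5)'

# Constructed keytab with a DES key only: the "ArcFour ticket not in the keytab" case.
KEYTAB_DES='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
   2 01/07/08 20:25:41 nfs/opensuse.suse.home@SUSE.HOME (DES cbc mode with CRC-32)'

# Enctype the ticket for principal $1 was issued with, read from klist -e text $2.
ticket_enctype() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /Etype \(skey, tkt\):/ && last == p {
            sub(/.*Etype \(skey, tkt\): */, ""); n = split($0, e, ", "); print e[n]; exit
        }
        { last = $NF }'
}

# Every key enctype the keytab holds for principal $1, from klist -ekt text $2.
keytab_enctypes() {
    printf '%s\n' "$2" | awk -v p="$1" '$4 == p {
        s = $0; sub(/^[^(]*\(/, "", s); sub(/\)$/, "", s); print s }'
}

# 0 if the keytab has a key matching the ticket enctype, 1 if not, 2 if no ticket.
keytab_has_ticket_key() {
    want=$(ticket_enctype "$1" "$2")
    [ -n "$want" ] || return 2
    keytab_enctypes "$1" "$3" | grep -Fxq -- "$want"
}

keytab_has_ticket_key "$SVC" "$CCACHE_OUT" "$KEYTAB_DES" || echo "$SVC: ticket enctype not in keytab"
```

On a live host, feed it `klist -e` and `sudo klist -ekt` output instead of the constructed strings; a mismatch here is the "Permission denied" from the session above even though kinit succeeded.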