RE: some cross-realm trust questions
daemon@ATHENA.MIT.EDU (Wilper, Ross A)
Tue Dec 28 16:34:33 2010
From: "Wilper, Ross A" <rwilper@stanford.edu>
To: Nicolas Williams <Nicolas.Williams@oracle.com>,
Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
Date: Tue, 28 Dec 2010 13:34:17 -0800
Message-ID: <C6BF43271ABC924B9A7057FAD2B4953F08BD85E9BF@ITS-ExchMB02.stanford.edu>
In-Reply-To: <20101228195742.GX1091@oracle.com>
Content-Language: en-US
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Nicolas Williams
Sent: Tuesday, December 28, 2010 11:58 AM
To: Victor Sudakov
Cc: kerberos@mit.edu
Subject: Re: some cross-realm trust questions
Our adjoin[0] script (which was referenced in a BigAdmin paper by Baban Kenkre[1]) implements a heuristic to detect what enctypes are available based on, IIRC, trying to add an LDAP attribute named "msDS-SupportedEncryptionTypes" to the machine account object. Failure denotes older AD supporting 1DES and RC4 only; success denotes support for AES-128 and AES-256.
This is actually a bit dangerous. If an Active Directory has the schema upgraded to Windows 2008 or later, but not all domain controllers have been upgraded to Windows 2008 or later, then this will give the wrong response.
The rough list of trust enctypes supported by Windows:
AES256   - Windows 2008 and later
AES128   - Windows 2008 and later
RC4-HMAC - Windows 2003 and later
DES-MD4  - Windows 2000 and later, off by default in 2008+
DES-CBC  - Windows 2000 and later, off by default in 2008+
Windows 2000 uses DES-CBC by default for cross-realm trusts
Windows 2003 and later use only RC4-HMAC by default.
Windows 2008 and later support setting multiple enctypes using msDS-SupportedEncryptionTypes on the trust object in LDAP.
There is a much longer discussion about this on the ActiveDir mailing list.
-Ross
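An added example, not part of either message above and not the adjoin script's code: it decodes a trust object's msDS-SupportedEncryptionTypes bitmask and then intersects that advertised set with what every domain controller in the forest can actually use, which is the gap Ross points out (schema upgraded, but some DCs still on 2003). The bit values are taken from the MS-KILE documentation of the attribute; the per-version support sets follow Ross's list with DES treated as off in 2008+; the DC version list and attribute values are constructed inputs, and the function names are this example's own.

```python
"""Assess a Kerberos trust's enctype posture from msDS-SupportedEncryptionTypes.

Added example code (not from the mailing-list thread or the adjoin script).
"""
from typing import Dict, List, Set

# Bit values of msDS-SupportedEncryptionTypes as documented in MS-KILE (assumed here).
ENCTYPE_BITS: Dict[int, str] = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}

WEAK_ENCTYPES: Set[str] = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"}

# Enctypes a Windows Server generation can use for trusts, per Ross's list
# (DES available in 2000/2003, off by default from 2008 on; AES from 2008 on).
# Keyed by the first server version that introduces that set.
WINDOWS_TRUST_ENCTYPES: Dict[int, Set[str]] = {
    2000: {"DES-CBC-CRC", "DES-CBC-MD5"},
    2003: {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"},
    2008: {"RC4-HMAC", "AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"},
}


def decode_enctypes(value: int) -> List[str]:
    """Return the enctype names set in an msDS-SupportedEncryptionTypes value, low bit first."""
    if value < 0:
        raise ValueError("attribute value must be non-negative")
    names = [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]
    unknown = value & ~sum(ENCTYPE_BITS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def trust_enctypes_for(windows_version: int) -> Set[str]:
    """Map a DC's Windows Server version (e.g. 2003, 2012) to its default trust enctype set."""
    supported: Set[str] = set()
    for floor, names in sorted(WINDOWS_TRUST_ENCTYPES.items()):
        if windows_version >= floor:
            supported = names
    if not supported:
        raise ValueError(f"no enctype data for Windows {windows_version}")
    return supported


def effective_enctypes(attribute_value: int, dc_versions: List[int]) -> Set[str]:
    """Enctypes every DC can honour: the advertised set intersected with each DC's own set."""
    usable = set(decode_enctypes(attribute_value))
    for version in dc_versions:
        usable &= trust_enctypes_for(version)
    return usable


def assess_trust(attribute_value: int, dc_versions: List[int]) -> Dict[str, object]:
    """Summarise what is advertised, what actually works across all DCs, and why that matters."""
    advertised = decode_enctypes(attribute_value)
    usable = effective_enctypes(attribute_value, dc_versions)
    warnings: List[str] = []
    if not usable:
        warnings.append("no enctype is usable by every DC; trust authentication may fail")
    if usable and usable <= WEAK_ENCTYPES:
        warnings.append("only DES/RC4 usable across all DCs; AES advertised but not deliverable")
    if set(advertised) & WEAK_ENCTYPES:
        warnings.append("weak enctypes (DES/RC4) still enabled on the trust object")
    return {"advertised": advertised, "effective": sorted(usable), "warnings": warnings}


if __name__ == "__main__":
    # Constructed inputs: a trust object advertising AES128|AES256 (0x18)
    # in a domain with one 2008 DC and one straggler 2003 DC.
    print(assess_trust(0x18, [2008, 2003]))
    # Same forest, but the trust object also keeps RC4 (0x1C): RC4 is the only common enctype.
    print(assess_trust(0x1C, [2008, 2003]))
```

The first case models exactly the failure Ross describes: the attribute exists and AES is advertised, yet the 2003 DC cannot service it, so the effective set is empty. The second shows why leaving RC4 enabled "works" in a mixed environment, at the cost of a weak enctype on the trust.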