[19683] in Kerberos_V5_Development
Re: Incompatibility between krb's AES256-CTS-HMAC-SHA1-96 and
daemon@ATHENA.MIT.EDU (Andreas Schneider)
Fri Nov 10 05:28:28 2017
From: Andreas Schneider <asn@samba.org>
To: Ido Shlomo <shloim@gmail.com>
Date: Fri, 10 Nov 2017 11:28:11 +0100
Message-ID: <1658253.LcGbAGd7Qf@krikkit.cryptomilk.site>
In-Reply-To: <CAK8_kVK6o09ekXCSOJTGp1wFO37BKa74T7qqOHKFgoUqxkdpDQ@mail.gmail.com>
MIME-Version: 1.0
Cc: Simo Sorce <simo@redhat.com>, krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Thursday, 9 November 2017 16:00:37 CET Ido Shlomo wrote:
> The thing is that kinit works well for the user (not computer)
> The problem is that I register an SPN on the DC for that user (again, not
> computer) using ldap, and then I resgister the same SPN
> (MSSQL/mymachine.domain.com:1433@DOMAIN.COM). The problem occurs when an
> incoming connection gives me a token that I cannot accept. The error is
> that I cannot decrypt it.
Looking at the keysalt list of kdc.conf it looks like MIT Kerberos doesn't
support the salts used by Microsoft. You would need to extend it so you can
do:
kadmin -e aes256-cts:msft,aes128-cts:msft to generate correct keys
Andreas
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev