[19684] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: Incompatibility between krb's AES256-CTS-HMAC-SHA1-96 and

daemon@ATHENA.MIT.EDU (Simo Sorce)
Fri Nov 10 05:57:10 2017

Message-ID: <1510311410.7682.236.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Ido Shlomo <shloim@gmail.com>
Date: Fri, 10 Nov 2017 05:56:50 -0500
In-Reply-To: <CAK8_kVJZWpE2=2rbzDY7X9EM7r0Hy_qyE4w6wamURb6Dkxq4LQ@mail.gmail.com>
Mime-Version: 1.0
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

You may want to look into a utility called mskutil.

HTH,
Simo.

On Fri, 2017-11-10 at 08:08 +0300, Ido Shlomo wrote:
> Thank you. I understand the options, but I am not familiar with tools
> that
> may do that automatically. (currently this entire process is
> automated
> using shell scripts).
> 
> On Nov 10, 2017 01:47, "Simo Sorce" <simo@redhat.com> wrote:
> 
> > Ido,
> > the problem is that you do not get the key out of AD but you use
> > kerberos utils to generate it. As mentioned before when you do that
> > the
> > "wrong" salt is used, so your keys cannot work.
> > 
> > It works for "users" because it just so happen that both the AD KDC
> > and
> > your utilities use the same logic to derive keys for UPNs. But AD
> > uses
> > a different logic for SPNs.
> > 
> > You need to either modify your utilities to deal with the salt
> > "properly" according to how the KDC generates hashes from a
> > password,
> > or you need to use utilities that let the KDC generate the keys and
> > give you back a keytab,
> > That's it, there is no other way around.
> > 
> > Simo.
> > 
> > On Thu, 2017-11-09 at 23:03 +0300, Ido Shlomo wrote:
> > > No. I am registering an SPN for a single account.
> > > The operation has 2 phases:
> > > Add an entry to the local keytab using ktuil.
> > > Add an entry to the User object in the Active Directory using
> > > openldap.
> > > 
> > > 
> > > On Nov 9, 2017 20:10, "Isaac Boukris" <iboukris@gmail.com> wrote:
> > > 
> > > > 
> > > > 
> > > > On Thu, Nov 9, 2017 at 5:00 PM, Ido Shlomo <shloim@gmail.com>
> > > > wrote:
> > > > > The thing is that kinit works well for the user (not
> > > > > computer)
> > > > > The problem is that I register an SPN on the DC for that user
> > > > > (again, not
> > > > > computer) using ldap, and then I resgister the same SPN
> > > > > (MSSQL/mymachine.domain.com:1433@DOMAIN.COM). The problem
> > > > > occurs
> > > > > when an
> > > > > incoming connection gives me a token that I cannot accept.
> > > > > The
> > > > > error is
> > > > 
> > > > that
> > > > > I cannot decrypt it.
> > > > 
> > > > Wait, are you registering the same SPN twice to two different
> > > > accounts?
> > > > You aren't supposed to do that I think, as the KDC might
> > > > encrypt
> > > > the
> > > > ticket with the key of the other principal.
> > > > 
> > 
> > --
> > Simo Sorce
> > Sr. Principal Software Engineer
> > Red Hat, Inc
> > 
> > 

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post