[19686] in Kerberos_V5_Development
Re: Incompatibility between krb's AES256-CTS-HMAC-SHA1-96 and
daemon@ATHENA.MIT.EDU (Ido Shlomo)
Fri Nov 10 13:21:00 2017
MIME-Version: 1.0
In-Reply-To: <CAOWMy3kT6iWfhvFCSVnEO9p4FH9RrZP2AF-d38h3XeHMeHGGaA@mail.gmail.com>
From: Ido Shlomo <shloim@gmail.com>
Date: Fri, 10 Nov 2017 21:20:46 +0300
Message-ID: <CAK8_kVJ9LJ9Oh_o3Bc9Vv6q9o-mbn3AuS-LgCCTfjO57EQ=5rA@mail.gmail.com>
To: Idan Freiberg <speidy@gmail.com>
Cc: krbdev@mit.edu, Simo Sorce <simo@redhat.com>
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
The problem is that our product needs to generate SPNs on-the-fly, and it
runs on Linux.
On Nov 10, 2017 17:46, "Idan Freiberg" <speidy@gmail.com> wrote:
> On MS Active Directory Domain Controllers there’s a tool called ktpass.exe
> It will generate the correct key tabs for you.
>
> בתאריך יום ו׳, 10 בנוב׳ 2017 ב-12:57 מאת Simo Sorce <simo@redhat.com>:
>
>> You may want to look into a utility called mskutil.
>>
>> HTH,
>> Simo.
>>
>> On Fri, 2017-11-10 at 08:08 +0300, Ido Shlomo wrote:
>> > Thank you. I understand the options, but I am not familiar with tools
>> > that
>> > may do that automatically. (currently this entire process is
>> > automated
>> > using shell scripts).
>> >
>> > On Nov 10, 2017 01:47, "Simo Sorce" <simo@redhat.com> wrote:
>> >
>> > > Ido,
>> > > the problem is that you do not get the key out of AD but you use
>> > > kerberos utils to generate it. As mentioned before when you do that
>> > > the
>> > > "wrong" salt is used, so your keys cannot work.
>> > >
>> > > It works for "users" because it just so happen that both the AD KDC
>> > > and
>> > > your utilities use the same logic to derive keys for UPNs. But AD
>> > > uses
>> > > a different logic for SPNs.
>> > >
>> > > You need to either modify your utilities to deal with the salt
>> > > "properly" according to how the KDC generates hashes from a
>> > > password,
>> > > or you need to use utilities that let the KDC generate the keys and
>> > > give you back a keytab,
>> > > That's it, there is no other way around.
>> > >
>> > > Simo.
>> > >
>> > > On Thu, 2017-11-09 at 23:03 +0300, Ido Shlomo wrote:
>> > > > No. I am registering an SPN for a single account.
>> > > > The operation has 2 phases:
>> > > > Add an entry to the local keytab using ktuil.
>> > > > Add an entry to the User object in the Active Directory using
>> > > > openldap.
>> > > >
>> > > >
>> > > > On Nov 9, 2017 20:10, "Isaac Boukris" <iboukris@gmail.com> wrote:
>> > > >
>> > > > >
>> > > > >
>> > > > > On Thu, Nov 9, 2017 at 5:00 PM, Ido Shlomo <shloim@gmail.com>
>> > > > > wrote:
>> > > > > > The thing is that kinit works well for the user (not
>> > > > > > computer)
>> > > > > > The problem is that I register an SPN on the DC for that user
>> > > > > > (again, not
>> > > > > > computer) using ldap, and then I resgister the same SPN
>> > > > > > (MSSQL/mymachine.domain.com:1433@DOMAIN.COM). The problem
>> > > > > > occurs
>> > > > > > when an
>> > > > > > incoming connection gives me a token that I cannot accept.
>> > > > > > The
>> > > > > > error is
>> > > > >
>> > > > > that
>> > > > > > I cannot decrypt it.
>> > > > >
>> > > > > Wait, are you registering the same SPN twice to two different
>> > > > > accounts?
>> > > > > You aren't supposed to do that I think, as the KDC might
>> > > > > encrypt
>> > > > > the
>> > > > > ticket with the key of the other principal.
>> > > > >
>> > >
>> > > --
>> > > Simo Sorce
>> > > Sr. Principal Software Engineer
>> > > Red Hat, Inc
>> > >
>> > >
>>
>> --
>> Simo Sorce
>> Sr. Principal Software Engineer
>> Red Hat, Inc
>>
>> _______________________________________________
>> krbdev mailing list krbdev@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>
> --
> Idan Freiberg
>
> PGP FP: 8108 7EC9 806E 4980 75F2 72B3 8AD3 2D04 337B 1F18
>
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev