Re: GSSAPI on Linux using Windows AD Servers as KDCs - Errors aboutKeytab Entries

Mon, 07 Jan 2008 13:24:26 -0800 

Jason,

BTW I tested with my Linux MIT kdc and used an RC4-HMAC key for nfs/fqdn in 
the keytab only and it seems to work too.

I see: Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5

So I would expect to work with a Windows kdc and handling RC4 is easier as 
you don't need to worry about the DES flag and salt.

Markus

[EMAIL PROTECTED]:# mount -t nfs4 -o rw,sec=krb5 opensuse.suse.home:/ 
/suse_work

[EMAIL PROTECTED]:~> ls /suse_work/
ls: cannot access /suse_work/: Permission denied
[EMAIL PROTECTED]:~> kinit
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED]:~> ls /suse_work/
src
[EMAIL PROTECTED]:~> klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
01/07/08 20:37:05  01/08/08 06:37:05  krbtgt/[EMAIL PROTECTED]
        renew until 01/08/08 20:37:05, Etype (skey, tkt): ArcFour with 
HMAC/md5, ArcFour with HMAC/md5
01/07/08 20:37:11  01/08/08 06:37:05  nfs/[EMAIL PROTECTED]
        renew until 01/08/08 20:37:05, Etype (skey, tkt): DES cbc mode with 
CRC-32, ArcFour with HMAC/md5


[EMAIL PROTECTED]:~> sudo klist -ekt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/07/08 20:25:41 host/[EMAIL PROTECTED] (ArcFour with 
HMAC/md5)
   6 01/07/08 20:25:41 nfs/[EMAIL PROTECTED] (ArcFour with 
HMAC/md5)



"Jason D. McCormick" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> Douglas E. Engert wrote:
>> The problem might be that on the AD account the UserAccountControl flag
>> does not have the USE_DES_KEY_ONLY 0x200000 set, So AD is returning an
>> ArcFour ticket, which is not in the keytab. ktpass has a /DESOnly option
>> to set this.
>>
>> See kb 305144 too.
>
> This is EXACTLY what I needed.  Everything works now.  Thanks to
> everyone for the help.
>
> - Jason
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Reply via email to