Hi,
DES is disabled by default in windows 2008 r2. So if you do not need
DES, then just create the keytab for stronger enryption types. If you
really need DES, you have to configure your windows KDC to issue DES
tickets. You should not disable preauthentication
Regards,
Mark Pröhl
On 04/28/2011 11:08 PM, Gomes, Charles wrote:
> Hello Kerberos List,
>
> I'm trying to set a Kerberos ticket between a Unix and a Windows 2008 R2
> server.
> I've created a user on windows and used the ktpass to generate the Kerberos
> keytab:
> C:\Windows\System32\ktpass princ
> host/jc1lqaldap.testdomain....@testdomain.com mapuser
> TESTDOMAIN\host_jc1lqaldap -crypto DES-CBC-MD5 -pass * -ptype
> KRB5_NT_PRINCIPAL out c:\nis_data\host_jc1lqaldap.keytab
>
> I did make sure that "User Kerberos DES encryption types for this account"
> was checked.
> First I was getting:
> root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0
> host/jc1lqaldap.testdomain.com
> kinit: KDC has no support for encryption type while getting initial
> credentials
>
> So I've checked "Do not require Kerberos preauthentication" and I get:
> root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0
> host/jc1lqaldap.testdomain.com
> kinit: Key table entry not found while getting initial credentials
>
> Where should that key table entry be located ?
> I cannot go forward with this. Is there a way to get more verbose logging so
> I can troubleshoot this.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Klist
> root@jc1lqaldap:/etc# klist -ke -t /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp Principal
> ---- -----------------
> --------------------------------------------------------
> 12 12/31/69 19:00:00 host/jc1lqaldap.testdomain....@testdomain.com (DES
> cbc mode with RSA-MD5)
>
>
>
>
>
> Cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = TESTDOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
> [realms]
> TESTDOMAIN.COM = {
> kdc = server.testdomain.com:88
> admin_server = server.testdomain.com:749
> default_domain = testdomain.com
> }
>
> [domain_realm]
> .testdomain.com = TESTDOMAIN.COM
> testdomain.com = TESTDOMAIN.COM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> validate = true
> }
>
>
>
>
>
> DISCLAIMER:
> This e-mail, and any attachments thereto, is intended only for use by the
> addressee(s)named herein and
> may contain legally privileged and/or confidential information. If you are
> not the intended recipient of this
> e-mail, you are hereby notified that any dissemination, distribution or
> copying of this e-mail and any attachments
> thereto, is strictly prohibited. If you have received this in error, please
> immediately notify me and permanently
> delete the original and any printout thereof. E-mail transmission cannot be
> guaranteed to be secure or error-free.
> The sender therefore does not accept liability for any errors or omissions in
> the contents of this message which
> arise as a result of e-mail transmission.
> NOTICE REGARDING PRIVACY AND CONFIDENTIALITY
> Knight Capital Group may, at its discretion, monitor and review the content
> of all e-mail communications.
>
> http://www.knight.com<http://www.knight.com/>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
