On 4/28/2011 4:08 PM, Gomes, Charles wrote:
> Hello Kerberos List,
>
> I'm trying to set a Kerberos ticket between a Unix and a Windows 2008 R2 
> server.
> I've created a user on windows and used the ktpass to generate the Kerberos 
> keytab:
> C:\Windows\System32\ktpass princ host/jc1lqaldap.testdomain....@testdomain.com mapuser TESTDOMAIN\host_jc1lqaldap -crypto DES-CBC-MD5 -pass * -ptype KRB5_NT_PRINCIPAL out c:\nis_data\host_jc1lqaldap.keytab
>
> I did make sure that "User Kerberos DES encryption types for this account" 
> was checked.

Do you really need DES? Your krb5.conf says you can use RC4, and 2008 supports 
AES-128 and AES-256.
2008 and newer versions of Kerberos turn it off by default too.

http://support.microsoft.com/kb/977321
explains how to check the logs and turn DES back on, if you really really need 
DES.

Also consider using a better tool than ktpass, like msktutil
http://fuhm.net/software/msktutil/ or the Samba winbind.

> First I was getting:
> root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host/jc1lqaldap.testdomain.com
> kinit: KDC has no support for encryption type while getting initial credentials



>
> So I've checked "Do not require Kerberos preauthentication" and I get:
> root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host/jc1lqaldap.testdomain.com
> kinit: Key table entry not found while getting initial credentials


There is a kerberos client issue as well. The client will send a list of
enctypes to the KDC. This is based on what is supported by the libraries
and krb5.conf, not on what keys are in the keytab file.

The KDC will pick one based on the keys it has for that principal. But with
Windows AD the password is stored and used to generate a key on the fly, so AD
can generate a key for any enctype the client says it can accept. So the KDC
can return a ticket the client can not use.

If you still have problems, Google for the msDS-SupportedEncryptionTypes
attribute for an AD account.

>
> Where should that key table entry be located ?
To see what the default is, try klist -k

> I cannot go forward with this. Is there a way to get more verbose logging so 
> I can troubleshoot this?

Wireshark: it can format the krb5 packets.
>
> Klist
> root@jc1lqaldap:/etc# klist -ke -t /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    12 12/31/69 19:00:00 host/jc1lqaldap.testdomain....@testdomain.com (DES cbc mode with RSA-MD5)
>
> Cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = TESTDOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
> [realms]
> TESTDOMAIN.COM = {
>    kdc = server.testdomain.com:88
>    admin_server = server.testdomain.com:749
>    default_domain = testdomain.com
> }
>
> [domain_realm]
> .testdomain.com = TESTDOMAIN.COM
> testdomain.com = TESTDOMAIN.COM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
>     debug = false
>     ticket_lifetime = 36000
>     renew_lifetime = 36000
>     forwardable = true
>     krb4_convert = false
>     validate = true
> }
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
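As an added diagnostic (not code from this thread), the check the reply above implies: parse `klist -ke` output and `default_tkt_enctypes` from krb5.conf, then report which advertised enctypes have no matching key in the keytab, which is the condition behind "Key table entry not found". The klist name table and the sample listing are constructed assumptions, not output from the original poster's system.

```python
import re

# Long enctype names printed by older MIT klist, mapped to krb5.conf names
# (an assumed table: the names from this thread plus the RC4/AES ones).
KLIST_NAMES = {
    "des cbc mode with rsa-md5": "des-cbc-md5",
    "des cbc mode with crc-32": "des-cbc-crc",
    "arcfour with hmac/md5": "arcfour-hmac-md5",
    "aes-128 cts mode with 96-bit sha-1 hmac": "aes128-cts-hmac-sha1-96",
    "aes-256 cts mode with 96-bit sha-1 hmac": "aes256-cts-hmac-sha1-96",
}
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((.+)\)\s*$")

def parse_keytab_listing(text):
    """Return {principal: {enctype, ...}} from 'klist -ke -t' output."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # the header and separator lines do not match
            name = m.group(4).strip().lower()
            keys.setdefault(m.group(3), set()).add(KLIST_NAMES.get(name, name))
    return keys

def parse_tkt_enctypes(conf):
    """Return default_tkt_enctypes from [libdefaults], in the order listed."""
    section = None
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and line.startswith("default_tkt_enctypes"):
            return line.split("=", 1)[1].split()
    return []

def diagnose(keytab, tkt_enctypes, principal):
    """Compare the enctypes the client advertises with the keys it holds."""
    have = keytab.get(principal, set())
    return {
        "usable": [e for e in tkt_enctypes if e in have],
        "advertised_without_key": [e for e in tkt_enctypes if e not in have],
        "keyed_but_not_advertised": sorted(have - set(tkt_enctypes)),
    }

# Constructed sample modelled on the thread: one DES key, RC4 advertised first.
PRINCIPAL = "host/jc1lqaldap.testdomain.com@TESTDOMAIN.COM"
SAMPLE_KLIST = f"""KVNO Timestamp         Principal
  12 12/31/69 19:00:00 {PRINCIPAL} (DES cbc mode with RSA-MD5)
"""
SAMPLE_CONF = "[libdefaults]\ndefault_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5\n"
REPORT = diagnose(parse_keytab_listing(SAMPLE_KLIST), parse_tkt_enctypes(SAMPLE_CONF), PRINCIPAL)
```

An empty "usable" list means every enctype the client offers lacks a key locally, so any ticket the KDC issues cannot be decrypted with the keytab; trimming default_tkt_enctypes to what klist -ke shows, or regenerating the keytab with the stronger enctypes, closes the gap.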
