MIT client and AD KDC interoperability

Cesar Garcia Cesar.Garcia at
Fri Sep 6 14:27:49 EDT 2002

Part of our migration from NT to active directory involves cloning
NT user accounts to initialize the AD account (including the
password). This allows a user to log in to XP (a member of an 
AD domain) using the cloned password, at least initially.

It's not clear whether the cloning mechanism allows us to participate
in K5 based authentication or if it's still NTLM.

Nonetheless, from UNIX (MIT kerberos clients), when trying to obtain a
TGT using the cloned account - the following error is produced:

> $ kinit cesarg at MSQA.QA.MS.COM
> Password for cesarg at MSQA.QA.MS.COM: 
> kinit(v5): KDC has no support for encryption type while getting initial credentials

However, once I change my AD password, the MIT kinit can obtain
tickets from the AD KDC.

This is presumably because the NTLM  hash of the user's password (now
held in AD, cloned from the NT account) does not produce a DES key can
be used with the MIT supported enctypes.

Cloning accounts/passwords in bulk is potentially a challenge.

My recommendation right now (to our PC engineering/deployment folks)
would be to expire passwords as part of the cloning process, such that
a password change is required on initial login to XP/AD. The password
changes then enables users to obtain tickets from an AD KDC using
UNIX/MIT clients. However, not everyone has a Windows based desktop,
so the initial password change is becomes inpractical for some class
of users.

I'm wondering if anyone has or plans to implement an enc-type, on the
[MIT] client side, that supports the NTLM hashed password/key, or
whether there are any technical reasons that simply would not work.

More information about the Kerberos mailing list