MIT client and AD KDC interoperability

peter huang peter_huang at hp.com
Fri Sep 6 15:32:47 EDT 2002


Cesar,
    just as you stated, one needs to add support for rc4-hmac as an enc
type.  It is outlined in draft-brezak-win2k-krb-rc4-hmac-03.txt.  I think
heimdal has support for that enc-type.


    -peter

"Cesar Garcia" <Cesar.Garcia at morganstanley.com> wrote in message
news:15736.62373.700195.271113 at imus.ms.com...
> Part of our migration from NT to active directory involves cloning
> NT user accounts to initialize the AD account (including the
> password). This allows a user to log in to XP (a member of an
> AD domain) using the cloned password, at least initially.
>
> It's not clear whether the cloning mechanism allows us to participate
> in K5 based authentication or if it's still NTLM.
>
> Nonetheless, from UNIX (MIT kerberos clients), when trying to obtain a
> TGT using the cloned account - the following error is produced:
>
> > $ kinit cesarg at MSQA.QA.MS.COM
> > Password for cesarg at MSQA.QA.MS.COM:
> > kinit(v5): KDC has no support for encryption type while getting initial credentials
>
> However, once I change my AD password, the MIT kinit can obtain
> tickets from the AD KDC.
>
> This is presumably because the NTLM hash of the user's password (now
> held in AD, cloned from the NT account) does not produce a DES key that
> can be used with the MIT supported enctypes.
>
> Cloning accounts/passwords in bulk is potentially a challenge.
>
> My recommendation right now (to our PC engineering/deployment folks)
> would be to expire passwords as part of the cloning process, such that
> a password change is required on initial login to XP/AD. The password
> change then enables users to obtain tickets from an AD KDC using
> UNIX/MIT clients. However, not everyone has a Windows based desktop,
> so the initial password change becomes impractical for some class
> of users.
>
> I'm wondering if anyone has or plans to implement an enc-type, on the
> [MIT] client side, that supports the NTLM hashed password/key, or
> whether there are any technical reasons that simply would not work.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
>