etype 23 on klist -e output when using Windows 2003 KDC to unix

Derek Yarnell derek at cs.umd.edu
Wed Oct 22 16:41:55 EDT 2003


On Wed, 22 Oct 2003 17:08:18 +0000, Sam Hartman wrote:

Alright I have found this same problem. Kerberos 5 v1.3.1 from MIT.
I am trying to get SAMBA 3.0.x running with a Windows 2003 Active
Directory but it is running in Native 2003 Mode. I am getting decrypt
integrity failed errors when I run from the samba stuff but I can
kinit correctly.

-------------------------------------------
[root at atlantis ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: derek at PC.CS.UMD.EDU

Valid starting     Expires            Service principal
10/22/03 16:39:31  10/23/03 02:39:34  krbtgt/PC.CS.UMD.EDU at PC.CS.UMD.EDU
        renew until 10/22/03 17:39:31, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5 


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
-----------------------------------------

Anyone know what is going on here? The samba people seem to be clueless
and seem to think that it works with 2003 in native 2003 mode.

aarghhhh.

>>>>>> "Tim" == Tim Clarke <tim.clarke at oracle.com> writes:
> 
>     Tim> How do I change the tkt etype to be DES-CBC-CRC
> 
> You don't.  Or at least a reasonable Kerberos implementation does not
> allow the client to influence the tkt enctype.  If it does, then the
> client may force the KDC to use a ticket key that is weaker or easier
> to attack.
> 
> Microsoft's implementation may expose this, but if it does it is only
> for interoperability with broken Kerberos environments.