etype 23 on klist -e output when using Windows 2003 KDC to unix
Derek Yarnell
derek at cs.umd.edu
Wed Oct 22 16:41:55 EDT 2003
On Wed, 22 Oct 2003 17:08:18 +0000, Sam Hartman wrote:
Alright I have found this same problem. Kerberos 5 v1.3.1 from MIT.
I am trying to get SAMBA 3.0.x running with a Windows 2003 Active
Directory but it is running in Native 2003 Mode. I am getting decrypt
integrity failed errors when I run from the samba stuff but I can
kinit correctly.
-------------------------------------------
[root at atlantis ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: derek at PC.CS.UMD.EDU
Valid starting     Expires            Service principal
10/22/03 16:39:31  10/23/03 02:39:34  krbtgt/PC.CS.UMD.EDU at PC.CS.UMD.EDU
        renew until 10/22/03 17:39:31, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
-----------------------------------------
Anyone know what is going on here? The samba people seem to be clueless
and seem to think that it works with 2003 in native 2003 mode.
aarghhhh.
>>>>>> "Tim" == Tim Clarke <tim.clarke at oracle.com> writes:
>
> Tim> How do I change the tkt etype to be DES-CBC-CRC
>
> You don't. Or at least a reasonable Kerberos implementation does not
> allow the client to influence the tkt enctype. If it does, then the
> client may force the KDC to use a ticket key that is weaker or easier
> to attack.
>
> Microsoft's implementation may expose this, but if it does it is only
> for interoperability with broken Kerberos environments.
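Added example, not part of the original thread: a small Python parser for `klist -e` output like the listing above, mapping the session-key and ticket enctype descriptions to their etype numbers and reporting which of the two uses single DES. The sample listing is constructed (modelled on the post, with an example realm), and the function names and the choice of what counts as weak are assumptions of this example.

```python
import re

# Enctype descriptions as printed by klist -e, mapped to etype numbers.
# The first two appear in the post; the others are added for context.
ETYPES = {
    "DES cbc mode with CRC-32": 1,
    "ArcFour with HMAC/md5": 23,
    "DES cbc mode with RSA-MD5": 3,
    "Triple DES cbc mode with HMAC/sha1": 16,
}
SINGLE_DES = {1, 3}  # assumption of this example: report single DES as weak

# Constructed sample, modelled on the listing in the post.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM
Valid starting     Expires            Service principal
10/22/03 16:39:31  10/23/03 02:39:34  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/22/03 17:39:31, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
"""

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(r"^%s\s+%s\s+(\S+)$" % (STAMP, STAMP))
ETYPE = re.compile(r"Etype \(skey, tkt\): (.+)$")

def parse_klist(text):
    """Return [(service, skey_etype, tkt_etype)]; unknown names map to None."""
    out, service = [], None
    for line in text.splitlines():
        m = TICKET.match(line.strip())
        if m:
            service = m.group(1)
            continue
        m = ETYPE.search(line)
        if m and service:
            # The descriptions contain no comma, so split on the last one.
            skey, tkt = (s.strip() for s in m.group(1).rsplit(", ", 1))
            out.append((service, ETYPES.get(skey), ETYPES.get(tkt)))
            service = None
    return out

def weak_findings(text):
    """Return (service, role, etype) for each key that uses single DES."""
    return [(svc, role, e) for svc, skey, tkt in parse_klist(text)
            for role, e in (("session key", skey), ("ticket", tkt))
            if e in SINGLE_DES]

if __name__ == "__main__":
    for finding in weak_findings(SAMPLE):
        print("%s: %s uses etype %d" % finding)
```

On the sample it reports the DES-CBC-CRC session key, while the ticket itself (etype 23, the value in the subject line) is encrypted under a key chosen by the KDC.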