Problem with auth via keytab w/ w2k3 KDC, works fine with w2k DC

Douglas E. Engert deengert at anl.gov
Wed Apr 7 15:50:34 EDT 2004



Nathan Neulinger wrote:
> 
> (Reposted from krbdev at mit.edu)
> 
> I've got a problem with keytabs related to an upgrade from W2K to W2K3 when authenticating
> from a unix client w/ mit krb5.
> 
> Principal: host/afsimap1.cc.umr.edu at UMR.EDU
> Password: (example)  fred
> 
> A) W2K DC
>    create princ via ssl-ldap on w2k domain controller, set pw to fred
> 
>    kinit host/afsimap1.cc.umr.edu (against w2k dc), give password => works fine
>    kinit host/afsimap1.cc.umr.edu (against w2k3 dc), give password => works fine
> 
>    ktutil, create keytab with that password, des-cbc-crc, kvno 1
>    ktutil, create keytab with that password, des-cbc-crc, kvno 3

This might be the problem. Can you create the keytab with des-cbc-md5, 
as the W2003 may be only accepting des-cbc-md5 as the e-type, and when used with 
kinit, kinit may be trying to use what it found in the keytab, des-cbc-crc, and w2003
will only accept des-cbc-md5.



>         (in our environment, it always winds up with kvno 3 on the w2k3 dc cause we delete princ first)
> 
>    kinit -k -t ... host/afsimap1.cc.umr.edu (against either dc) => works fine
> 
> B) W2K3 DC
>    create princ via ssl-ldap on w2k3 domain controller, set pw to fred
> 
>    kinit host/afsimap1.cc.umr.edu (against w2k dc), give password => works fine
>    kinit host/afsimap1.cc.umr.edu (against w2k3 dc), give password => works fine
> 
>    ktutil, create keytab with that password, des-cbc-crc, kvno 1 and 3
> 
>    kinit -k -t ... host/afsimap1.cc.umr.edu (against either dc) => preauth fails
> 
>    when attempting to use the keytab - i.e. via telnetd or sshd w/ simon's patches - I get decrypt
>         integ check failed errors (or ssh protocol error w/ pkt 34)
> 
> The _ONLY_ change that I am making between functional and non-functional is which LDAPS server
> I point at for creating the princ and setting the password for it.
> 
> I have the client-etypes hotfix applied, but not sure it's relevant to this problem since I _am_ able
> to authenticate, just not with a keytab.
> 
> -- Nathan
> 
> ------------------------------------------------------------
> Nathan Neulinger                       EMail:  nneul at umr.edu
> University of Missouri - Rolla         Phone: (573) 341-6679
> UMR Information Technology             Fax: (573) 341-4216
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
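An added diagnostic, not part of this thread or of MIT krb5: it parses an MIT version-2 keytab and reports which of the encryption types the KDC is assumed to require have no key under a given principal, so the etype mismatch Doug suspects (keytab holds only des-cbc-crc, KDC wants des-cbc-md5) shows up before kinit -k fails. The sample keytab is constructed in code to mirror the thread (kvno 1 and 3, des-cbc-crc only); the key bytes are placeholders, and the assumed layout is the 0x0502 keytab format with the optional 32-bit vno trailer.

```python
import struct
# Kerberos encryption type numbers (RFC 3961 / MIT krb5 registry).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def build_keytab(entries):
    """Serialise (principal, kvno, etype, key) tuples as MIT keytab v2 bytes (used to construct test input)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                        # realm first, then name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)                  # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return a list of {principal, kvno, etype, key} dicts from MIT keytab v2 bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                                     # negative size marks a deleted slot
            pos -= size; continue
        end, strings = pos + size, []
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        _nametype, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key, pos, kvno = data[pos:pos + klen], pos + klen, vno8
        if end - pos >= 4:                               # optional 32-bit vno overrides the 8-bit field when non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "kvno": kvno, "etype": etype, "key": key})
    return entries

def missing_etypes(entries, principal, required):
    """Names of the etypes in `required` for which the keytab holds no key under `principal`."""
    present = {e["etype"] for e in entries if e["principal"] == principal}
    return [ETYPES.get(t, str(t)) for t in required if t not in present]

# Constructed keytab mirroring the thread: des-cbc-crc keys only, kvno 1 and 3 (key bytes are placeholders).
PRINC = "host/afsimap1.cc.umr.edu@UMR.EDU"
SAMPLE = build_keytab([(PRINC, 1, 1, b"\x01" * 8), (PRINC, 3, 1, b"\x02" * 8)])
```

Run `missing_etypes(parse_keytab(open(path, "rb").read()), principal, [3])` against a real keytab to see whether a des-cbc-md5 key is absent; an empty list means the keytab already covers that etype and the failure lies elsewhere (kvno, password mismatch).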

