Problem with auth via keytab w/ w2k3 KDC, works fine with w2k DC
Douglas E. Engert
deengert at anl.gov
Wed Apr 7 15:50:34 EDT 2004
Nathan Neulinger wrote:
>
> (Reposted from krbdev at mit.edu)
>
> I've got a problem with keytabs related to an upgrade from W2K to W2K3 when authenticating
> from a unix client w/ mit krb5.
>
> Principal: host/afsimap1.cc.umr.edu at UMR.EDU
> Password: (example) fred
>
> A) W2K DC
> create princ via ssl-ldap on w2k domain controller, set pw to fred
>
> kinit host/afsimap1.cc.umr.edu (against w2k dc), give password => works fine
> kinit host/afsimap1.cc.umr.edu (against w2k3 dc), give password => works fine
>
> ktutil, create keytab with that password, des-cbc-crc, kvno 1
> ktutil, create keytab with that password, des-cbc-crc, kvno 3
This might be the problem. Can you create the the keytab with des-cbc-md5,
as the W2003 may be only accepting des-cbc-md5 as the e-type, and when used with
kinit, kinit may be trying to what it found in the keytab, des-cbc-crc, and w2003
will only accept des-cbc-md5.
> (in our environment, it always winds up with kvno 3 on the w2k3 dc cause we delete princ first)
>
> kinit -k -t ... host/afsimap1.cc.umr.edu (against either dc) => works fine
>
> B) W2K3 DC
> create princ via ssl-ldap on w2k3 domain controller, set pw to fred
>
> kinit host/afsimap1.cc.umr.edu (against w2k dc), give password => works fine
> kinit host/afsimap1.cc.umr.edu (against w2k3 dc), give password => works fine
>
> ktutil, create keytab with that password, des-cbc-crc, kvno 1 and 3
>
> kinit -k -t ... host/afsimap1.cc.umr.edu (against either dc) => preauth fails
>
> when attempting to use the keytab - i.e. via telnetd or sshd w/ simon's patches - I get decrypt
> integ check failed errors (or ssh protocol error w/ pkt 34)
>
> The _ONLY_ change that I am making between functional and non-functional is which LDAPS server
> I point at for creating the princ and setting the password for it.
>
> I have the client-etypes hotfix applied, but not sure it's relevant to this problem since I _am_ able
> to authenticate, just not with a keytab.
>
> -- Nathan
>
> ------------------------------------------------------------
> Nathan Neulinger EMail: nneul at umr.edu
> University of Missouri - Rolla Phone: (573) 341-6679
> UMR Information Technology Fax: (573) 341-4216
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list