service principals in AD for unix kerberos clients

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Jan 23 09:19:57 EST 2004


First off, the Windows Telnet service does not support Kerberos 
authentication, therefore you cannot expect to use Telnet as a test
protocol from the HP system to the Windows AD.

As for Doug's problem with no support for RC4-HMAC in his version of
MIT Kerberos I suggest that he upgrade his MIT Kerberos to 1.3.1
in order to gain support for RC4-HMAC.  What the "use DES ..." setting
via the UI does is instruct Windows to use a DES session key not a DES 
ticket key.

I believe that if you want to set an account to only use DES for the
ticket encryption that you must do so using the /DesOnly switch when
mapping a Service Principal Name to an account and producing a keytab
file with ktpass.exe (from the W2K3 Support Tools found on the CD.)

If you are installing Kerberos for Windows on the Win2003 server
you must set the registry key

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    AllowTGTSessionKey = 0x1 (DWORD)

if you want to allow KfW to import Windows LSA credentials into the
MIT ccache via either ms2mit or Leash.

Jeffrey Altman



Ryan Odgers wrote:

> Hi Doug,
> 
> still on win2000
> I can authenticate and get tgt ticket with kinit
> I can get service ticket with kinit -S
> pamkrbval returns all PASSED
> nsquery search against ldap returns values in AD
> (I still seem to need a dummy entry in /etc/passwd for kerberos to create
> credential cache)??
> Well, don't know what else to do
> 
> Thanks
> "Doug Lamoureux" <douglamoureux at yahoo.com> wrote in message
> news:2lXPb.12843$Js5.9860 at news.cpqcorp.net...
> 
>>Ryan,
>>    Are you running Windows 2003?  I've just run into a problem with
> 
> Win2k3
> 
>>encrypting the client tickets with rc4-hmac:
>>
>># kinit -S host/myhost.acme.com dougl
>>Password for dougl at ATC-W2K3.ACME.COM:
>># klist -e
>>Ticket cache: /tmp/krb5cc_0
>>Default principal: host/myhost.acme.com at ATC-W2K3.ACME.COM
>>Valid starting     Expires            Service principal
>>01/22/04 09:54:57  01/22/04 19:54:57  host/myhost.acme.com at ATC-W2K3.ACME.COM
>>         Etype (skey, tkt): DES cbc mode with CRC-32, etype 23
>>
>>etype 23 is RC4-HMAC
>>
>>(ethereal trace shows rc4-hmac)
>>
>>I've seen a number of suggestions to set the "Use DES encryption" flag on the
>>users account and reset the password, but that has not resolved the problem.
> 
>>Checkout your syslog.log file for potential errors.  You don't have to setup
>>cross-realm authentication for ldap-ux/kerberos to work with AD on hp-ux (you
>>will if you want to have multi-domain support).  Make sure you can see the user
>>defined in AD:
>>
>># pwget -n dougl
>>dougl:*:10001:20::/home/dougl:/usr/bin/ksh
>># /usr/contrib/bin/nsquery passwd dougl ldap
>>
>>Using "ldap" for the passwd policy.
>>
>>Searching ldap for dougl
>>User name: dougl
>>User Id: 10001
>>Group Id: 20
>>Gecos:
>>Home Directory: /home/dougl
>>Shell: /usr/bin/ksh
>>
>>Switch configuration: Terminates Search
>>
>>Then make sure you can use kinit to authenticate:
>>
>># kinit dougl
>>Password for dougl at ATC-W2K3.ACME.COM:
>>
>>You can also validate the Kerberos client configuration using pamkrbval:
>>
>># /usr/sbin/pamkrbval
>>
>>  Validating the pam configuration files
>>  ---------- --- --- ------------- -----
>>
>>  Validating the /etc/pam.conf file
>>[PASS] : The validation of config file: /etc/pam.conf passed
>>
>>[NOTICE] : The validation of config file: /etc/pam_user.conf is not done
>>            as libpam_updbe library is not configured
>>
>>  Validating the kerberos config file
>>  ---------- --- -------- ------ -----
>>[PASS] : Initialization of kerberos passed
>>
>>  Connecting to default Realm
>>  ---------- -- ------- -----
>>[PASS] : Default Realm is issuing tickets
>>
>>  Validating the keytab entry for the host service principal
>>  ---------- --- ------ ----- --- --- ---- ------- ---------
>>/usr/sbin/pamkrbval: Program lacks support for encryption type for this entry
>>[FAIL] : The keytab validation Failed
>>
>>Cheers,
>>Doug
>>
>>
>>Ryan Odgers wrote:
>>
>>
>>>(I apologize if this has already been posted, I am new to this list)
>>>
>>>Hi,
>>>
>>>What is the trick to getting services to work via kerberos?
>>>
>>>I have been playing around with trying to use kerberos as a SSO for our
>>>environment, but am a bit confused.
>>>
>>>To date:
>>>I have installed and configured MS SFU 3.5 (services for Unix) on our AD,
>>>extended the schema.
>>>I have an HP-UX 11.11 machine in which I have setup the LDAP client to talk
>>>to the AD via kerberos. I can successfully search the AD and can login with
>>>windows credentials via a keytab created for the host.
>>>
>>>The telnet service in HP-UX is kerberos aware, but after creating a service
>>>instance and keytab file for the telnet service in AD, and importing into
>>>the unix keytab file, I cannot telnet into unix via kerberos. I have
>>>followed Microsoft's doc on inter-operability, but cannot get the services
>>>side of kerberos to work.
>>>
>>>If the KDC is win2000 and the kerberos client is UNIX or MIT, does
>>>cross-realm authentication still need to be set up?
>>>It is the same kerberos realm, the unix machine points to the 2000 KDC as
>>>its server.
>>>
>>>Any help is VERY appreciated
>>>Ryan
>>>
>>>
>>
> 
> 
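As an added example, not from any poster on this thread: a small Python parser for MIT keytab files that lists each entry's enctype, so you can check offline whether a keytab exported with ktpass holds keys your client library can actually use (the situation behind the pamkrbval "lacks support for encryption type" failure quoted above). The sample keytab, its key bytes, and the client enctype sets in the test are constructed assumptions.

```python
import struct
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}  # RFC 3961 / RFC 4757 numbers; 23 is the RC4-HMAC type klist showed above
def _counted(buf, off):
    """Read a uint16-length-prefixed string (an MIT keytab 'counted octet string')."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (file format version 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                         # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        _ntype, _ts, vno, etype, klen = struct.unpack_from(">IIBHH", data, off)  # then klen key bytes
        if end - (off + 13 + klen) >= 4:      # optional 32-bit kvno follows the key bytes
            (vno,) = struct.unpack_from(">I", data, off + 13 + klen)
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno,
                        "etype": etype, "name": ETYPE_NAMES.get(etype, "unknown")})
        off = end
    return entries

def unsupported_entries(entries, client_etypes):
    """Entries whose enctype the client's Kerberos library does not implement."""
    return [e for e in entries if e["etype"] not in client_etypes]

def build_keytab(specs):
    """Constructed sample data: serialize (components, realm, kvno, etype, key) tuples."""
    out = b"\x05\x02"
    for comps, realm, kvno, etype, key in specs:
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out
# Constructed keytab mirroring the thread: one RC4-HMAC host key (the key bytes are made up).
SAMPLE = build_keytab([(["host", "myhost.acme.com"], "ATC-W2K3.ACME.COM", 3, 23, b"\x11" * 16)])
```

Run `parse_keytab(open("/etc/krb5.keytab", "rb").read())` against a real keytab and compare the reported etypes with the list your client build supports; an entry that only exists in an enctype the library lacks will fail exactly as pamkrbval did above.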


More information about the Kerberos mailing list