service principals in AD from unix kerberos clients

Doug Lamoureux douglamoureux at yahoo.com
Fri Jan 23 13:01:14 EST 2004


Jeffrey Altman wrote:

> First off, the Windows Telnet service does not support Kerberos
> authentication therefore you cannot expect to use Telnet as a test
> protocol from the HP system to the Windows AD.

True, I was assuming that the telnet session was using pam_kerberos for
authentication on the hp-ux side (non-Kerberized telnet).

> 
> As for Doug's problem with no support for RC4-HMAC in his version of
> MIT Kerberos I suggest that he upgrade his MIT Kerberos to 1.3.1

Ah..., if it was only that simple... :)  I'm using the HP supplied Kerberos
client s/w (PAM_Kerberos and SIS) which is based on an older version of
the MIT Kerberos.

> in order to gain support for RC4-HMAC.  What the "use DES ..." setting
> via the UI does is instruct Windows to use a DES session key not a DES 
> ticket key.

Good to know..

> 
> I believe that if you want to set an account to only use DES for the
> ticket encryption that you must do so using the /DesOnly switch when
> mapping a Service Principal Name to an account and producing a keytab
> file with ktpass.exe (from the W2K3 Support Tools found on the CD.)

According to the ktpass commandline help the default is "do" which I read as
DesOnly.  I tried with the -DesOnly switch (along with -crypto DES-CBC-CRC
since the HP-UX Kerberos client does not support des-cbc-md5).  The behavior
changed, ticket is now encrypted with des-cbc-md5 but this doesn't help
since it's not supported with the hp-ux kerberos s/w.

> 
> If you are installing Kerberos for Windows on the Win2003 server
> you must set the registry key

Just using the standard Windows 2003/AD Enterprise Server.

> 
>    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
>    AllowTGTSessionKey = 0x1 (DWORD)
> 
> if you want to allow KfW to import Windows LSA credentials into the
> MIT ccache via either ms2mit or Leash.
> 
> Jeffrey Altman
> 
> 
> 
> Ryan Odgers wrote:
> 
>> Hi Doug,
>>
>> still on win2000
>> I can authenticate and get tgt ticket with kinit
>> I can get service ticket with kinit -S
>> pamkrbval returns all PASSED
>> nsquery search against ldap returns values in AD
>> (I still seem to need a dummy entry in /etc/passwd for kerberos to create
>> credential cache)??
>> Well, don't know what else to do
>>
>> Thanks
>> "Doug Lamoureux" <douglamoureux at yahoo.com> wrote in message
>> news:2lXPb.12843$Js5.9860 at news.cpqcorp.net...
>>
>>> Ryan,
>>>    Are you running Windows 2003?  I've just run into a problem with Win2k3
>>> encrypting the client tickets with rc4-hmac:
>>>
>>> # kinit -S host/myhost.acme.com dougl
>>> Password for dougl@ATC-W2K3.ACME.COM:
>>> # klist -e
>>> Ticket cache: /tmp/krb5cc_0
>>> Default principal: host/myhost.acme.com@ATC-W2K3.ACME.COM
>>> Valid starting     Expires            Service principal
>>> 01/22/04 09:54:57  01/22/04 19:54:57  host/myhost.acme.com@ATC-W2K3.ACME.COM
>>>         Etype (skey, tkt): DES cbc mode with CRC-32, etype 23
>>>
>>> etype 23 is RC4-HMAC
>>>
>>> (ethereal trace shows rc4-hmac)
>>>
>>> I've seen a number of suggestions to set the "Use DES encryption" flag on the
>>> user's account and reset the password, but that has not resolved the problem.
>>
>>> Check out your syslog.log file for potential errors.  You don't have to set up
>>> cross-realm authentication for ldap-ux/kerberos to work with AD on hp-ux (you
>>> will if you want to have multi-domain support).  Make sure you can see the user
>>> defined in AD:
>>>
>>> # pwget -n dougl
>>> dougl:*:10001:20::/home/dougl:/usr/bin/ksh
>>> # /usr/contrib/bin/nsquery passwd dougl ldap
>>>
>>> Using "ldap" for the passwd policy.
>>>
>>> Searching ldap for dougl
>>> User name: dougl
>>> User Id: 10001
>>> Group Id: 20
>>> Gecos:
>>> Home Directory: /home/dougl
>>> Shell: /usr/bin/ksh
>>>
>>> Switch configuration: Terminates Search
>>>
>>> Then make sure you can use kinit to authenticate:
>>>
>>> # kinit dougl
>>> Password for dougl@ATC-W2K3.ACME.COM:
>>>
>>> You can also validate the Kerberos client configuration using pamkrbval:
>>>
>>> # /usr/sbin/pamkrbval
>>>
>>>  Validating the pam configuration files
>>>  ---------- --- --- ------------- -----
>>>
>>>  Validating the /etc/pam.conf file
>>> [PASS] : The validation of config file: /etc/pam.conf passed
>>>
>>> [NOTICE] : The validation of config file: /etc/pam_user.conf is not done
>>>            as libpam_updbe library is not configured
>>>
>>>  Validating the kerberos config file
>>>  ---------- --- -------- ------ -----
>>> [PASS] : Initialization of kerberos passed
>>>
>>>  Connecting to default Realm
>>>  ---------- -- ------- -----
>>> [PASS] : Default Realm is issuing tickets
>>>
>>>  Validating the keytab entry for the host service principal
>>>  ---------- --- ------ ----- --- --- ---- ------- ---------
>>> /usr/sbin/pamkrbval: Program lacks support for encryption type for this entry
>>> [FAIL] : The keytab validation Failed
>>>
>>> Cheers,
>>> Doug
>>>
>>>
>>> Ryan Odgers wrote:
>>>
>>>
>>>> (I apologize if this has already been posted, I am new to this list)
>>>>
>>>> Hi,
>>>>
>>>> What is the trick to getting services to work via kerberos?
>>>>
>>>> I have been playing around with trying to use kerberos as a SSO for our
>>>> environment, but am a bit confused.
>>>>
>>>> To date:
>>>> I have installed and configured MS SFU 3.5 (services for Unix) on our AD,
>>>> extended the schema.
>>>> I have an HP-UX 11.11 machine in which I have set up the LDAP client to talk
>>>> to the AD via kerberos. I can successfully search the AD and can login with
>>>> windows credentials via a keytab created for the host.
>>>>
>>>> The telnet service in HP-UX is kerberos aware, but after creating a service
>>>> instance and keytab file for the telnet service in AD, and importing into
>>>> the unix keytab file, I cannot telnet into unix via kerberos. I have
>>>> followed Microsoft's doc on inter-operability, but cannot get the services
>>>> side of kerberos to work.
>>>>
>>>> If the KDC is win2000 and the kerberos client is UNIX or MIT, does
>>>> cross-realm authentication still need to be set up?
>>>> It is the same kerberos realm, the unix machine points to the 2000 KDC as
>>>> its server.
>>>>
>>>> Any help is VERY appreciated
>>>> Ryan
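An added diagnostic example, not code from anyone in this thread: a Python parser for the `klist -e` listing quoted above that reports tickets whose ticket-key etype the local client library cannot decrypt. The supported-etype set assumed for the HP-UX client and the sample listing are constructed assumptions.

```python
"""Parse `klist -e` output and flag tickets the local client cannot decrypt."""
import re

# Standard Kerberos etype numbers for the types discussed in the thread.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}
# Labels an older MIT klist prints for the enctypes it knows by name.
KLIST_LABELS = {"DES cbc mode with CRC-32": 1, "DES cbc mode with RSA-MD5": 3}
# Assumption (not from the thread): the HP-UX client library only does des-cbc-crc.
HPUX_CLIENT_ETYPES = {1}

# Constructed sample resembling the thread's `klist -e` listing.
SAMPLE_KLIST = """\
Ticket cache: /tmp/krb5cc_0
Default principal: host/myhost.acme.com@ATC-W2K3.ACME.COM
Valid starting     Expires            Service principal
01/22/04 09:54:57  01/22/04 19:54:57  host/myhost.acme.com@ATC-W2K3.ACME.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, etype 23
"""

TIMESTAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(r"^%s\s+%s\s+(\S+)$" % (TIMESTAMP, TIMESTAMP))
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (.+), (.+)$")

def etype_number(label):
    """Map a klist enctype label (a known name or 'etype N') to its number."""
    label = label.strip()
    m = re.fullmatch(r"etype (\d+)", label)
    return int(m.group(1)) if m else KLIST_LABELS[label]

def parse_klist(text):
    """Return [(service principal, session-key etype, ticket etype), ...]."""
    tickets, principal = [], None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:                      # "Valid starting  Expires  Service principal" row
            principal = m.group(1)
            continue
        m = ETYPE_RE.search(line)  # the indented "Etype (skey, tkt): ..." row
        if m and principal:
            tickets.append((principal, etype_number(m.group(1)), etype_number(m.group(2))))
            principal = None
    return tickets

def unsupported_tickets(text, client_etypes=HPUX_CLIENT_ETYPES):
    """Tickets whose ticket-key etype the client cannot decrypt (a DES session
    key is not enough: the thread's keytab check fails on the RC4-HMAC ticket)."""
    return [(principal, ETYPE_NAMES.get(tkt, "etype %d" % tkt))
            for principal, _skey, tkt in parse_klist(text)
            if tkt not in client_etypes]
```

With the assumed des-cbc-crc-only client, a ticket re-issued as des-cbc-md5 (etype 3) after the ktpass change Doug describes is still reported as unsupported.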