service principals in AD from unix kerberos clients

Doug Lamoureux douglamoureux at yahoo.com
Thu Jan 29 15:11:43 EST 2004


Doug Lamoureux wrote:

Looks like MS is aware of the issue (mine anyway). MS modified the behavior 
causing Windows 2003 AD to use the des-cbc-md5 encryption type to encrypt the 
ticket (I needed to set the 'Use DES Encryption' flag on the user, but that 
changed the encryption type from rc4-hmac to des-cbc-md5, still not supported by 
HP-UX Kerberos libraries), rather than the e-type requested by the client.
MS is currently working on a fix to this. They plan to allow changes to this
behavior via the registry and hotfix distribution is scheduled for SP1.

> Jeffrey Altman wrote:
> 
>> First off, the Windows Telnet service does not support Kerberos 
>> authentication therefore you cannot expect to use Telnet as a test
>> protocol from the HP system to the Windows AD.
> 
> 
> True, I was assuming that the telnet session was using pam_kerberos for
> authentication on the hp-ux side (non Kerberized telnet)
> 
>>
>> As for Doug's problem with no support for RC4-HMAC in his version of
>> MIT Kerberos I suggest that he upgrade his MIT Kerberos to 1.3.1
> 
> 
> Ah..., if it was only that simple... :)  I'm using the HP supplied Kerberos
> client s/w (PAM_Kerberos and SIS) which is based on an older version of
> the MIT Kerberos.
> 
>> in order to gain support for RC4-HMAC.  What the "use DES ..." setting
>> via the UI does is instruct Windows to use a DES session key not a DES 
>> ticket key.
> 
> 
> Good to know..
> 
>>
>> I believe that if you want to set an account to only use DES for the
>> ticket encryption that you must do so using the /DesOnly switch when
>> mapping a Service Principal Name to an account and producing a keytab
>> file with ktpass.exe (from the W2K3 Support Tools found on the CD.)
> 
> 
> According to the ktpass commandline help the default is "do" which I
> read as DesOnly.  I tried with the -DesOnly switch (along with -crypto DES-CBC-CRC
> since the HP-UX Kerberos client does not support des-cbc-md5).  The behavior
> changed, ticket is now encrypted with des-cbc-md5 but this doesn't help
> since it's not supported with the hp-ux kerberos s/w.
> 
>>
>> If you are installing Kerberos for Windows on the Win2003 server
>> you must set the registry key
> 
> 
> Just using the standard Windows 2003/AD Enterprise Server.
> 
>>
>>    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
>>    AllowTGTSessionKey = 0x1 (DWORD)
>>
>> if you want to allow KfW to import Windows LSA credentials into the
>> MIT ccache via either ms2mit or Leash.
>>
>> Jeffrey Altman
>>
>>
>>
>> Ryan Odgers wrote:
>>
>>> Hi Doug,
>>>
>>> still on win2000
>>> I can authenticate and get tgt ticket with kinit
>>> I can get service ticket with kinit -S
>>> pamkrbval returns all PASSED
>>> nsquery search against ldap returns values in AD
>>> (I still seem to need a dummy entry in /etc/passwd for kerberos to 
>>> create
>>> credential cache)??
>>> Well, don't know what else to do
>>>
>>> Thanks
>>> "Doug Lamoureux" <douglamoureux at yahoo.com> wrote in message
>>> news:2lXPb.12843$Js5.9860 at news.cpqcorp.net...
>>>
>>>> Ryan,
>>>>    Are you running Windows 2003?  I've just run into a problem with
>>>
>>>
>>>
>>> Win2k3
>>>
>>>> encrypting the client tickets with rc4-hmac:
>>>>
>>>> # kinit -S host/myhost.acme.com dougl
>>>> Password for dougl at ATC-W2K3.ACME.COM:
>>>> # klist -e
>>>> Ticket cache: /tmp/krb5cc_0
>>>> Default principal: host/myhost.acme.com at ATC-W2K3.ACME.COM
>>>> Valid starting     Expires            Service principal
>>>> 01/22/04 09:54:57  01/22/04 19:54:57  host/myhost.acme.com at ATC-W2K3.ACME.COM
>>>>         Etype (skey, tkt): DES cbc mode with CRC-32, etype 23
>>>>
>>>> etype 23 is RC4-HMAC
>>>>
>>>> (ethereal trace shows rc4-hmac)
>>>>
>>>> I've seen a number of suggestions to set the "Use DES encryption"
>>>> flag on the users account and reset the password, but that has not resolved the
>>>> problem.
>>>
>>>> Check out your syslog.log file for potential errors.  You don't have to
>>>> set up cross-realm authentication for ldap-ux/kerberos to work with AD on
>>>> hp-ux (you will if you want to have multi-domain support).  Make sure you can
>>>> see the user defined in AD:
>>>>
>>>> # pwget -n dougl
>>>> dougl:*:10001:20::/home/dougl:/usr/bin/ksh
>>>> # /usr/contrib/bin/nsquery passwd dougl ldap
>>>>
>>>> Using "ldap" for the passwd policy.
>>>>
>>>> Searching ldap for dougl
>>>> User name: dougl
>>>> User Id: 10001
>>>> Group Id: 20
>>>> Gecos:
>>>> Home Directory: /home/dougl
>>>> Shell: /usr/bin/ksh
>>>>
>>>> Switch configuration: Terminates Search
>>>>
>>>> Then make sure you can use kinit to authenticate:
>>>>
>>>> # kinit dougl
>>>> Password for dougl at ATC-W2K3.ACME.COM:
>>>>
>>>> You can also validate the Kerberos client configuration using 
>>>> pamkrbval:
>>>>
>>>> # /usr/sbin/pamkrbval
>>>>
>>>>  Validating the pam configuration files
>>>>  ---------- --- --- ------------- -----
>>>>
>>>>  Validating the /etc/pam.conf file
>>>> [PASS] : The validation of config file: /etc/pam.conf passed
>>>>
>>>> [NOTICE] : The validation of config file: /etc/pam_user.conf is not 
>>>> done
>>>>            as libpam_updbe library is not configured
>>>>
>>>>  Validating the kerberos config file
>>>>  ---------- --- -------- ------ -----
>>>> [PASS] : Initialization of kerberos passed
>>>>
>>>>  Connecting to default Realm
>>>>  ---------- -- ------- -----
>>>> [PASS] : Default Realm is issuing tickets
>>>>
>>>>  Validating the keytab entry for the host service principal
>>>>  ---------- --- ------ ----- --- --- ---- ------- ---------
>>>> /usr/sbin/pamkrbval: Program lacks support for encryption type for this entry
>>>> [FAIL] : The keytab validation Failed
>>>>
>>>> Cheers,
>>>> Doug
>>>>
>>>>
>>>> Ryan Odgers wrote:
>>>>
>>>>
>>>>> (I apologize if this has already been posted, I am new to this list)
>>>>>
>>>>> Hi,
>>>>>
>>>>> What is the trick to getting services to work via kerberos?
>>>>>
>>>>> I have been playing around with trying to use kerberos as a SSO for 
>>>>> our
>>>>> environment, but am a bit confused.
>>>>>
>>>>> To date:
>>>>> I have installed and configured MS SFU 3.5 (services for Unix) on our AD,
>>>>> extended the schema.
>>>>> I have an HP-UX 11.11 machine in which I have setup the LDAP client to talk
>>>>> to the AD via kerberos. I can successfully search the AD and can login with
>>>>> windows credentials via a keytab created for the host.
>>>>>
>>>>> The telnet service in HP-UX is kerberos aware, but after creating a service
>>>>> instance and keytab file for the telnet service in AD, and importing into
>>>>> the unix keytab file, I cannot telnet into unix via kerberos. I have
>>>>> followed Microsoft's doc on inter-operability, but cannot get the services
>>>>> side of kerberos to work.
>>>>>
>>>>> If the KDC is win2000 and the kerberos client is UNIX or MIT, does
>>>>> cross-realm authentication still need to be set up?
>>>>> It is the same kerberos realm, the unix machine points to the 2000 KDC as
>>>>> its server.
>>>>>
>>>>> Any help is VERY appreciated
>>>>> Ryan
>>>>>
>>>>>
>>>>
>>>
>>>
> 
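The failing pamkrbval step in the thread ("Program lacks support for encryption type for this entry") and the etype 23 versus des-cbc-crc/des-cbc-md5 back-and-forth both come down to which enctypes the keytab entries actually carry. As an added example, not code from the thread or from HP's pamkrbval, here is a small parser for the MIT keytab file format that reports entries whose enctype the local library cannot use; build_keytab, SAMPLE_KEYTAB and HPUX_SUPPORTED are constructed for the demonstration, while the enctype numbers (1 = des-cbc-crc, 3 = des-cbc-md5, 23 = rc4-hmac) are the standard RFC 3961 / RFC 4757 values.

```python
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # RFC 3961 / RFC 4757 numbers

def build_keytab(entries):
    """Construct an MIT keytab (version 0x0502) from (principal, kvno, enctype, key) tuples; sample input only."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                       # realm first, then the name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type=1 (principal), timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body      # positive size = live entry
    return out

def parse_keytab(data):
    """Yield (principal, kvno, enctype) for each live entry of a version 2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size == 0:                                   # zero-length record: nothing usable follows
            break
        if size < 0:                                    # negative size marks a deleted slot; skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strings = []
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        _name_type, _timestamp, kvno = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        if end - pos >= 4:                              # optional 32-bit kvno overrides vno8
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        yield "/".join(strings[1:]) + "@" + strings[0], kvno, enctype
        pos = end

def unsupported_entries(data, supported):
    """Entries the local library cannot use: the condition behind pamkrbval's 'lacks support for encryption type'."""
    return [(p, ENCTYPE_NAMES.get(e, f"etype {e}")) for p, _, e in parse_keytab(data) if e not in supported]

# Constructed sample: the thread's host keytab holding an rc4-hmac entry and a des-cbc-crc entry
SAMPLE_KEYTAB = build_keytab([("host/myhost.acme.com@ATC-W2K3.ACME.COM", 2, 23, bytes(16)),
                              ("host/myhost.acme.com@ATC-W2K3.ACME.COM", 2, 1, bytes(8))])
HPUX_SUPPORTED = {1}  # assumption: the HP-UX client in the thread handles only des-cbc-crc
```

Running unsupported_entries(SAMPLE_KEYTAB, HPUX_SUPPORTED) flags only the rc4-hmac entry, which is the entry pamkrbval would reject on that client; point parse_keytab at a real /etc/krb5.keytab to see which enctypes ktpass actually wrote.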


