UNIX GSS-API / Windows SSPI :

Markus Moeller huaraz at moeller.plus.com
Thu Oct 21 19:11:33 EDT 2004


Norbert Klasen wrote:
> 
> 
> --On Friday, 17 September 2004 20:35 +0000 Jeffrey Altman 
> <jaltman2 at nyc.rr.com> wrote:
> 
>> Jacques Lebastard wrote:
>>
>>> How can I check this and, second question, how can I generate a keytab
>>> with RC4-HMAC encryption ? The ktpass tool does not accept the RC4-HMAC
>>> crypto type:
>>>
>>> [- /]       crypto : Cryptosystem to use
>>> [- /]       crypto :  is one of:
>>> [- /]       crypto : DES-CBC-CRC : for compatibility
>>> [- /]       crypto : DES-CBC-MD5 : default
>>>
>>> Trying '-crypto RC4-HMAC' indicates that the SPN is marked for DES only
>>> ! How can I modify this ?
>>>
>>> Thanks for your help,
>>
>>
>> You need to use the KTPASS.EXE from the SUPPORT folder of Windows 2003
>> SP1 pre-release in order to generate a keytab with RC4-HMAC.
> 
> 
> If you don't need a separate service account you can use Samba >= 3.0.6 
> and join the host into your AD domain. With "use kerberos keytab = yes" 
> in smb.conf, Samba will populate your keytab with all known enc-types:
>  2  des3-cbc-sha1     host/brittany.ad.local at AD.LOCAL
>  2  des3-cbc-md5      host/linux.ad.local at AD.LOCAL
>  2  arcfour-hmac-md5  host/linux.ad.local at AD.LOCAL
>  2  des-cbc-md5       host/linux.ad.local at AD.LOCAL
>  2  des-cbc-md4       host/linux.ad.local at AD.LOCAL
>  2  des-cbc-crc       host/linux.ad.local at AD.LOCAL
>  2  des3-cbc-sha1     cifs/linux.ad.local at AD.LOCAL
> [..]
> 
> The keytab can be managed (e.g. add another principal) with "net ads 
> keytab".
> 
> Norbert
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

Have a look at http://sourceforge.net/projects/netjoin

Markus
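
Added example, not part of the thread and not code from Samba, ktpass or netjoin: a Python reader for the "How can I check this" question, listing the kvno, enc-type and principal of each keytab entry and reporting principals that have no arcfour-hmac-md5 key. It assumes the version 0x0502 keytab layout documented by MIT krb5; the function names and the sample keytab (all-zero keys) are constructed for illustration.

```python
import io
import struct

# Enctype numbers from the IANA Kerberos registry, named as in the listing above.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            5: "des3-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac-md5"}

def decode_entry(rec):
    """Decode one entry body into (kvno, enctype name, principal)."""
    buf = io.BytesIO(rec)
    def take(fmt):                       # struct.error on a short read
        return struct.unpack(fmt, buf.read(struct.calcsize(fmt)))
    def counted():                       # 16-bit length, then that many bytes
        return buf.read(take(">H")[0]).decode()
    (ncomp,) = take(">H")                # component count, realm not included
    realm = counted()
    name = "/".join(counted() for _ in range(ncomp))
    _ntype, _time, kvno, etype, klen = take(">IIBHH")
    if len(buf.read(klen)) != klen:      # skip the key bytes; never print them
        raise ValueError("truncated keytab entry")
    tail = buf.read(4)                   # optional 32-bit kvno replaces the 8-bit one
    if len(tail) == 4:
        kvno = struct.unpack(">I", tail)[0] or kvno
    return kvno, ENCTYPES.get(etype, "etype-%d" % etype), "%s@%s" % (name, realm)

def parse_keytab(data):
    """List the entries of a version 0x0502 (big-endian) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size > 0:
            out.append(decode_entry(data[pos + 4:pos + 4 + size]))
        pos += 4 + abs(size)             # a negative size marks a deleted slot
    return out

def missing_enctype(entries, wanted="arcfour-hmac-md5"):
    """Principals that have no key of the wanted enctype."""
    return sorted({p for _, _, p in entries} - {p for _, e, p in entries if e == wanted})

def sample_keytab():
    """Constructed keytab (all-zero dummy keys), hypothetical host linux.ad.local."""
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    blob = b"\x05\x02" + struct.pack(">i", -6) + bytes(6)   # one deleted slot
    for svc, etype, klen in (("host", 3, 8), ("host", 23, 16), ("cifs", 3, 8)):
        rec = (struct.pack(">H", 2) + s("AD.LOCAL") + s(svc) + s("linux.ad.local")
               + struct.pack(">IIBHH", 1, 0, 2, etype, klen) + bytes(klen + 4))
        blob += struct.pack(">i", len(rec)) + rec
    return blob
```

To check a real file, pass its bytes to parse_keytab, for example the contents of the keytab Samba populated.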


