UNIX GSS-API / Windows SSPI :
Norbert Klasen
norbert+lists.mit-kerberos at burgundy.dyndns.org
Mon Sep 20 09:18:15 EDT 2004
--On Friday, 17 September 2004 20:35 +0000 Jeffrey Altman
<jaltman2 at nyc.rr.com> wrote:
> Jacques Lebastard wrote:
>
>> How can I check this and, second question, how can I generate a keytab
>> with RC4-HMAC encryption? The ktpass tool does not accept the RC4-HMAC
>> crypto type:
>>
>> [- /] crypto : Cryptosystem to use
>> [- /] crypto : is one of:
>> [- /] crypto : DES-CBC-CRC : for compatibility
>> [- /] crypto : DES-CBC-MD5 : default
>>
>> Trying '-crypto RC4-HMAC' indicates that the SPN is marked for DES only!
>> How can I modify this?
>>
>> Thanks for your help,
>
> You need to use the KTPASS.EXE from the SUPPORT folder of Windows 2003
> SP1 pre-release in order to generate a keytab with RC4-HMAC.

If you don't need a separate service account, you can use Samba >= 3.0.6
and join the host into your AD domain. With "use kerberos keytab = yes" in
smb.conf, Samba will populate your keytab with all known enc-types:
2 des3-cbc-sha1 host/brittany.ad.local at AD.LOCAL
2 des3-cbc-md5 host/linux.ad.local at AD.LOCAL
2 arcfour-hmac-md5 host/linux.ad.local at AD.LOCAL
2 des-cbc-md5 host/linux.ad.local at AD.LOCAL
2 des-cbc-md4 host/linux.ad.local at AD.LOCAL
2 des-cbc-crc host/linux.ad.local at AD.LOCAL
2 des3-cbc-sha1 cifs/linux.ad.local at AD.LOCAL
[..]
The keytab can be managed (e.g. add another principal) with "net ads
keytab".
Norbert
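
Added example, not part of the original message and not Samba or MIT Kerberos code: a small Python audit of a keytab listing in the "kvno enctype principal" layout shown above, reporting per principal whether the newest key version has the arcfour-hmac-md5 key the thread asks about and whether it is limited to single-DES keys. The sample listing, the HTTP/web.ad.local principal and the function names are constructed for illustration; the parser accepts both "@" and the archive's " at " realm separator.

```python
import re
from collections import defaultdict

# Constructed sample in the layout shown in the message (not real output).
SAMPLE = """\
2 des3-cbc-sha1 host/linux.ad.local@AD.LOCAL
2 arcfour-hmac-md5 host/linux.ad.local@AD.LOCAL
2 des-cbc-md5 host/linux.ad.local@AD.LOCAL
2 des-cbc-crc host/linux.ad.local@AD.LOCAL
1 des-cbc-md5 HTTP/web.ad.local at AD.LOCAL
[..]
"""

# Single-DES enctypes (deprecated by RFC 6649); names as they appear in the listing.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
RC4 = "arcfour-hmac-md5"
# kvno, enctype, principal name, realm ("@" or the archive's " at ").
LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+?)(?:\s+at\s+|@)(\S+)\s*$")

def parse_listing(text):
    """Return {principal: {kvno: set(enctypes)}}; non-entry lines are skipped."""
    entries = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers, "[..]" elisions, blank lines
        kvno, enctype, name, realm = m.groups()
        entries[f"{name}@{realm}"][int(kvno)].add(enctype.lower())
    return entries

def audit(text):
    """Summarise the newest key version of each principal in the listing."""
    report = {}
    for principal, by_kvno in parse_listing(text).items():
        newest = max(by_kvno)
        current = by_kvno[newest]
        report[principal] = {
            "kvno": newest,
            "has_rc4": RC4 in current,
            "single_des": sorted(current & SINGLE_DES),
            "des_only": current <= SINGLE_DES,  # the "marked for DES only" case
        }
    return report

if __name__ == "__main__":
    for principal, info in audit(SAMPLE).items():
        print(principal, info)
```
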