Interop/Compat: 3DES used in AS-REP despite no client support

Matt mwreynolds at gmail.com
Tue Dec 6 15:04:10 EST 2005


Thank you to everyone for all the old posts, which have helped me, and
thank you in advance for any ideas on this:

I am trying to create an MIT / Windows interop scenario in a lab, where
the MIT realm is used for accounts, while users log on interactively to
Windows machines and further authenticate to Windows resources.

MIT realm and domain is called X.X
AD realm (2003 SP1 w XP SP2 clients) and domain is called A.A

Mapped user accounts exist in AD so that when a user authenticates to a
Windows resource in AD domain using user at X.X credentials, we wind up
having an AS exchange with the MIT KDC and a TGS exchange with the
Windows KDC, at which point Windows auth data would be included in the
service ticket, so that the target resource may build a Windows
access/impersonation token for the user. At least in theory.

I have been going around and around with enctypes for three days now
trying to get my interop working. After reading some more threads in
this group I had decided to start over and not put any enctype
restrictions in my krb5.conf or my kdc.conf files. I have also built a
new user database from scratch on the Linux/MIT kerberos box.

Where I am stuck:
++++++++++++++++++++++
When I attempt to authenticate the user "newuser4 at X.X" to log on
interactively to a Windows XP machine, the MIT KDC uses 3DES in one part
of the AS-REP. It does this despite the fact that the XP machine does
not ask for 3DES in the AS-REQ. Later, when the XP machine approaches
the Windows KDC about a service ticket, the Windows KDC rejects the
request with an ENCTYPE error. I believe that this may be due to the
inclusion of the 3DES encrypted block in the TGS-REQ.

What I think I should do, please comment:
+++++++++++++++++++++++++++++++++
I've come full circle and this is exactly where I was stuck about 36
hours ago, and the last time I tried to solve this by making various
changes to enctypes on the MIT KDC, but I've been around and around
with enctypes (supported, permitted, tgs, tkt) for a few days, and at
this point I really need a fresh perspective.

On one hand, it seems like an error that the MIT KDC uses 3DES when the
client does not specify that as a supported enctype in the request. On
the other hand, my inexperience is surely at the root of this somehow.

The AS-REQ and AS-REP referred to are included below, along with my
current krb5.conf and kdc.conf.



No. 53   Time 11:22:21.842719   Source 10.1.1.104   Destination 10.1.1.200   Protocol KRB5   Info AS-REQ

Frame 53 (202 bytes on wire, 202 bytes captured)
Ethernet II, Src: 00:03:ff:3d:8e:b6, Dst: 00:03:ff:3f:8e:b6
Internet Protocol, Src Addr: 10.1.1.104 (10.1.1.104), Dst Addr: 10.1.1.200 (10.1.1.200)
User Datagram Protocol, Src Port: 1325 (1325), Dst Port: kerberos (88)
Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 40800010 (Forwardable, Renewable, Renewable OK)
        Client Name (Principal): newuser4
        Realm: X.X
        Server Name (Service and Instance): krbtgt/X.X
        till: 2037-09-13 02:48:05 (Z)
        rtime: 2037-09-13 02:48:05 (Z)
        Nonce: 1615283343
        Encryption Types: rc4-hmac rc4-hmac-old rc4-md4 des-cbc-md5 des-cbc-crc rc4-hmac-exp rc4-hmac-old-exp
            Encryption type: rc4-hmac (23)
            Encryption type: rc4-hmac-old (-133)
            Encryption type: rc4-md4 (-128)
            Encryption type: des-cbc-md5 (3)
            Encryption type: des-cbc-crc (1)
            Encryption type: rc4-hmac-exp (24)
            Encryption type: rc4-hmac-old-exp (-135)





No. 54   Time 11:22:21.847416   Source 10.1.1.200   Destination 10.1.1.104   Protocol KRB5   Info AS-REP

Frame 54 (556 bytes on wire, 556 bytes captured)
Ethernet II, Src: 00:03:ff:3f:8e:b6, Dst: 00:03:ff:3d:8e:b6
Internet Protocol, Src Addr: 10.1.1.200 (10.1.1.200), Dst Addr: 10.1.1.104 (10.1.1.104)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1325 (1325)
Kerberos AS-REP
    Pvno: 5
    MSG Type: AS-REP (11)
    padata: Unknown:19
    Client Realm: X.X
    Client Name (Principal): newuser4
    Ticket
        Tkt-vno: 5
        Realm: X.X
        Server Name (Service and Instance): krbtgt/X.X
        enc-part des3-cbc-sha1
            Encryption type: des3-cbc-sha1 (16)
            Kvno: 1
            enc-part:
75D0D7D9FE992BBC4D6C6E4A04D1E5845D1FF810281FE81F...
    enc-part des-cbc-md5



krb5.conf file on MIT KDC box

[libdefaults]
	default_realm = X.X
	dns_lookup_realm = false
	dns_lookup_kdc = false

[realms]
	X.X = {
		kdc = suse-c.x.x
		admin_server = suse-c.x.x
		default_domain = x.x
	}

[domain_realm]
	.x.x = X.X
	x.x = X.X

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log



kdc.conf file on MIT KDC box

[kdcdefaults]
	kdc_ports = 750,88

[realms]
	X.X = {
		database_name = /var/lib/kerberos/krb5kdc/principal
		admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
		acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
		key_stash_file = /var/lib/kerberos/krb5kdc/.k5.X.X
		kdc_ports = 750,88
		max_life = 10h 0m 0s
		max_renewable_life = 7d 0h 0m 0s
	}
[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log

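As an added example (not part of the original post or of MIT krb5), the script below decodes the etype list from the captured AS-REQ and checks the two AS-REP enc-parts against it. The DER bytes are the [8] etype field copied from the AS-REQ capture above; the etype values 16 and 3 are the ones shown in the decoded AS-REP, and the etype name table is an assumption built from the names Wireshark printed.

```python
# Etype names as printed in the capture, plus the two enctypes in the AS-REP
# (assumed table, covering only the values that appear in this thread).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               23: "rc4-hmac", 24: "rc4-hmac-exp", -128: "rc4-md4",
               -133: "rc4-hmac-old", -135: "rc4-hmac-old-exp"}

# [8] SEQUENCE OF Int32 (context tag a8) copied from the AS-REQ body bytes.
AS_REQ_ETYPES_DER = bytes.fromhex(
    "a8 19 30 17 02 01 17 02 02 ff 7b 02 01 80 02 01 03 "
    "02 01 01 02 01 18 02 02 ff 79")

def _tlv(buf, pos):
    """Read one DER TLV with a short-form length; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in a short etype list")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_etype_list(der):
    """Decode KDC-REQ-BODY etype ([8] SEQUENCE OF Int32) into signed ints."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0xa8:
        raise ValueError("expected context tag [8], got 0x%02x" % tag)
    tag, body, _ = _tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    etypes, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        # DER INTEGER is two's complement: Microsoft's RC4 variants are negative.
        etypes.append(int.from_bytes(val, "big", signed=True))
    return etypes

def check_as_rep(requested, ticket_etype, client_etype):
    """Only the client-facing enc-part must use an etype the client offered.
    The ticket enc-part is encrypted under the service (krbtgt) key, which the
    client never decrypts, so its etype is not constrained by the request."""
    return {"ticket_etype_offered": ticket_etype in requested,
            "client_enc_part_offered": client_etype in requested}

if __name__ == "__main__":
    req = decode_etype_list(AS_REQ_ETYPES_DER)
    print("AS-REQ etypes:", [ETYPE_NAMES.get(e, e) for e in req])
    print(check_as_rep(req, ticket_etype=16, client_etype=3))
```

Run against this capture it reports that des3-cbc-sha1 (16) was never offered by the client while des-cbc-md5 (3) was, which is the split between the two enc-parts the post asks about.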

