kinit request on keytab fails using 2K3sp1 KDC
Tim Alsop
Tim.Alsop at CyberSafe.Com
Thu Mar 23 12:44:40 EST 2006
David,
I have seen this problem before. It does not occur with the pre-SP1
version of ktpass. Conclusion: if you want to create keytable files
which have correct kvnos and which work correctly with DES, then you
must use the pre-SP1 version of ktpass.
Thanks, Tim
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of David Telfer
Sent: 23 March 2006 17:39
To: kerberos at mit.edu
Subject: Re: kinit request on keytab fails using 2K3sp1 KDC
Jeffrey Altman wrote:
> Why do you need the kvno to be 1?
It wasn't so much that they needed to match, more to tidy up the
situation I had on the KDC.
> For example, what is the enctype of the service ticket issued by the
> KDC? Does that match the enctype of the keytab entry you are using?
>
> What do the following commands output?
>
> klist -e -k /etc/krb5.keytab
>
> kvno HTTP/connect.smg.plc.uk at SMG.PLC.UK
> klist -e
>
This appears to be the problem: the keytab is being generated with DES
CBC MD5, while the service principal is sending an ArcFour encrypted tgt.
The reason this never occurred to me is that the user account has the
'use DES encryption for this account' setting ticked. I have tried the
following process to force the service principal to be DES:
1 - create account
2 - run ktpass util with -mapop set +DesOnly and -crypto DES-CBC-MD5
options set.
3 - view account properties and ensure that 'use DES encryption for this
account' is checked
4 - change password of account (with the intention of forcing the DES
change from the ktpass step above)
5 - re-run identical ktpass line and use this as the final keytab
Even with these steps, the encryption type of the ServicePrincipal tgt
stays as ArcFour.
Unfortunately I am not the AD administrator, I have access to an admin
member of staff who has been applying the changes for me. Due to this I
cannot be sure of every setting their kdc controller has. Specifically
I would be keen to find out whether there is a global setting which
forces all user and service principals to be created as ArcFour. Has
anyone experienced something like this, or do they know of a way to hard
force the enc type of the service principal?
> If the enctypes and output of those commands match, then you must
> double check that the browser client is obtaining service tickets
> with the name HTTP/connect.smg.plc.uk at SMG.PLC.UK and that the
> enctype of that ticket matches the contents of the keytab entry.
>
I haven't got to the stage of attempting to use mod_auth_kerb yet. I am
still trying to get past the `#./kinit -k -t /etc/krb5.keytab
HTTP/connect.smg.plc.uk at SMG.PLC.UK` stage. I may look into the
potential for using ArcFour for both the keytab and ServicePrincipal but
I'm sure this will open another can of worms as well.
Thanks,
David
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
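The enctype comparison that Jeffrey's three commands are meant to surface, as an added example that is not part of the original thread: it parses `klist -e -k` and `klist -e` output and checks whether the keytab holds a key of the enctype the service ticket was issued with. The two listings are constructed samples modelled on MIT Kerberos klist output, not output captured from David's system.

```python
import re

# Constructed sample listings, modelled on MIT Kerberos `klist -e -k` and
# `klist -e` output; they are not captured from the original thread.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 HTTP/connect.smg.plc.uk@SMG.PLC.UK (DES cbc mode with RSA-MD5)
"""
CCACHE_LISTING = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: david@SMG.PLC.UK

Valid starting     Expires            Service principal
03/23/06 17:01:00  03/24/06 03:00:00  HTTP/connect.smg.plc.uk@SMG.PLC.UK
\tEtype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""

KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((.+)\)\s*$")  # kvno, principal, enctype
TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S+@\S+)\s*$")    # valid, expires, service
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")


def parse_keytab(listing):
    """Map each principal in `klist -e -k` output to the enctypes it has keys for."""
    keys = {}
    for line in listing.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(m.group(3))
    return keys


def parse_ccache(listing):
    """Map each service in `klist -e` output to its ticket ('tkt') enctype, the one the keytab must hold."""
    tickets, current = {}, None
    for line in listing.splitlines():
        t = TICKET_RE.match(line)
        if t:
            current = t.group(1)
            continue
        e = ETYPE_RE.match(line)
        if e and current:
            tickets[current] = e.group(2)
    return tickets


def check_service(keytab_listing, ccache_listing, service):
    """Return (ok, ticket_enctype, keytab_enctypes); ok is False when no keytab key matches."""
    have = parse_keytab(keytab_listing).get(service, set())
    want = parse_ccache(ccache_listing).get(service)
    return (want is not None and want in have, want, sorted(have))
```

Run against the constructed listings it reports the thread's situation: an ArcFour ticket against a keytab holding only a DES key, which is exactly the case kinit -k cannot decrypt.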