GSSAPI on Linux using Windows AD Servers as KDCs - Errors about Keytab Entries
Jason D. McCormick
jason at devrandom.org
Sun Jan 6 23:01:05 EST 2008
Richard E. Silverman wrote:
> A couple of questions:
>
> 1) What are the tkt and skey types on the tickets the client gets? The
> etype of the service credentials?
klist -e reports:

    Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5

for the TGT. The keytab lists the key type as "DES cbc mode with CRC-32".
> 2) I assume you generated the service keytabs from AD using ktpass.exe?
> If so, exactly what command did you use?
Yes, I did. I don't have the exact command handy because getting this
working has been an iterative process. I definitely set the key type to
be des-cbc-crc with ktpass. It would have been something like:
    ktpass -princ nfs/nfs1.loc1.example.com@AD.EXAMPLE.COM -mapuser AD\nfs-nfs1 +rndPass -crypto DES-CBC-CRC -out nfs1.keytab
I've also tried it with and without -ptype KRB5_NT_SRV_HST.
- Jason