GSSAPI on Linux using Windows AD Servers as KDCs - Errors about Keytab Entries
Douglas E. Engert
deengert at anl.gov
Mon Jan 7 10:54:50 EST 2008
Jason D. McCormick wrote:
> Richard E. Silverman wrote:
>
>> A couple of questions:
>>
>> 1) What are the tkt and skey types on the tickets the client gets? The
>> etype of the service credentials?
>
> klist -e reports:
(Normally Kerberos does not save a ticket in the cache if it does not work
so you may not see the ticket for the service. Wireshark can show a lot more.)
>
> Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
>
> for the TGT. The keytab lists the key type as "DES cbc mode with CRC-32".
>
>> 2) I assume you generated the service keytabs from AD using ktpass.exe?
>> If so, exactly what command did you use?
>
> Yes, I did. I don't have the exact command handy because getting this
> working has been an iterative process. I definitely set the key type to
> be des-cbc-crc with ktpass. It would have been something like:
>
> ktpass -princ nfs/nfs1.loc1.example.com at AD.EXAMPLE.COM -mapuser
> AD\nfs-nfs1 +rndPass -crypto DES-CBC-CRC -out nfs1.keytab
The problem might be that on the AD account the UserAccountControl flag
does not have the USE_DES_KEY_ONLY 0x200000 set, so AD is returning an
ArcFour ticket, which is not in the keytab. ktpass has a /DESOnly option
to set this.
See kb 305144 too.
Why are you using DES? All the newer Kerberos can use ArcFour. So try
ktpass without the crypto option.
>
> I've also tried it with and without -ptype KRB5_NT_SRV_HST.
>
> - Jason
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
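A check for the keytab/ticket etype mismatch Douglas describes, added here as example code that is not part of the thread: it parses `klist -ke` (keytab) and `klist -e` (cache) style listings and reports service tickets whose tkt etype has no matching keytab key, and it tests a userAccountControl value for the USE_DES_KEY_ONLY bit. The listings and the userAccountControl value below are constructed samples.

```python
import re

USE_DES_KEY_ONLY = 0x200000  # userAccountControl bit from the thread (ktpass /DESOnly)

# Constructed sample in the format of `klist -ke` on the NFS server.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/nfs1.loc1.example.com@AD.EXAMPLE.COM (DES cbc mode with CRC-32)
"""

# Constructed sample in the format of `klist -e` on the client (AD issued ArcFour).
CACHE_LISTING = """\
Valid starting     Expires            Service principal
01/07/08 10:00:00  01/07/08 20:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
01/07/08 10:01:00  01/07/08 20:00:00  nfs/nfs1.loc1.example.com@AD.EXAMPLE.COM
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""


def keytab_etypes(listing):
    """Map each principal in `klist -ke` output to the set of key etypes stored for it."""
    out = {}
    for m in re.finditer(r"^\s*\d+\s+(\S+)\s+\((.+)\)\s*$", listing, re.M):
        out.setdefault(m.group(1), set()).add(m.group(2))
    return out


def ticket_etypes(listing):
    """Map each service principal in `klist -e` output to its tkt etype (the
    etype the ticket is encrypted in, i.e. the key the service must hold)."""
    out, lines = {}, listing.splitlines()
    for i, line in enumerate(lines):
        m = re.search(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+)$", line)
        if m and i > 0:
            out[lines[i - 1].split()[-1]] = m.group(2).strip()
    return out


def keytab_mismatches(keytab_listing, cache_listing):
    """Return [(principal, ticket_etype, keytab_etypes)] for tickets the keytab cannot decrypt."""
    kt = keytab_etypes(keytab_listing)
    return [(p, t, sorted(kt[p])) for p, t in ticket_etypes(cache_listing).items()
            if p in kt and t not in kt[p]]


def des_only_set(user_account_control):
    """True when the account's userAccountControl has USE_DES_KEY_ONLY (0x200000)."""
    return bool(user_account_control & USE_DES_KEY_ONLY)
```

With the samples above the NFS principal is reported, since the keytab holds only a DES-CBC-CRC key while the ticket is ArcFour; a matching keytab entry or the DES-only flag on the AD account would clear it.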