GSSAPI on Linux using Windows AD Servers as KDCs - Errors aboutKeytab Entries
Markus Moeller
huaraz at moeller.plus.com
Mon Jan 7 15:43:37 EST 2008
Jason,
BTW I tested with my Linux MIT kdc and used an RC4-HMAC key for nfs/fqdn in
the keytab only and it seems to work too.
I see: Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
So I would expect to work with a Windows kdc and handling RC4 is easier as
you don't need to worry about the DES flag and salt.
Markus
root at Opensuse:# mount -t nfs4 -o rw,sec=krb5 opensuse.suse.home:/
/suse_work
markus at Opensuse:~> ls /suse_work/
ls: cannot access /suse_work/: Permission denied
markus at Opensuse:~> kinit
Password for markus at SUSE.HOME:
markus at Opensuse:~> ls /suse_work/
src
markus at Opensuse:~> klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: markus at SUSE.HOME
Valid starting Expires Service principal
01/07/08 20:37:05 01/08/08 06:37:05 krbtgt/SUSE.HOME at SUSE.HOME
renew until 01/08/08 20:37:05, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
01/07/08 20:37:11 01/08/08 06:37:05 nfs/opensuse.suse.home at SUSE.HOME
renew until 01/08/08 20:37:05, Etype (skey, tkt): DES cbc mode with
CRC-32, ArcFour with HMAC/md5
markus at Opensuse:~> sudo klist -ekt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 01/07/08 20:25:41 host/opensuse.suse.home at SUSE.HOME (ArcFour with
HMAC/md5)
6 01/07/08 20:25:41 nfs/opensuse.suse.home at SUSE.HOME (ArcFour with
HMAC/md5)
"Jason D. McCormick" <jason at devrandom.org> wrote in message
news:478274B5.3030700 at devrandom.org...
> Douglas E. Engert wrote:
>> The problem might be that on the AD account the UserAccountControl flag
>> does not have the USE_DES_KEY_ONLY 0x200000 set, So AD is returning an
>> ArcFour ticket, which is not in the keytab. ktpass has a /DESOnly option
>> to set this.
>>
>> See kb 305144 too.
>
> This is EXACTLY what I needed. Everything works now. Thanks to
> everyone for the help.
>
> - Jason
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list