GSSAPI on Linux using Windows AD Servers as KDCs - Errors about Keytab Entries

Markus Moeller huaraz at moeller.plus.com
Mon Jan 7 15:43:37 EST 2008


Jason,

BTW I tested with my Linux MIT kdc and used an RC4-HMAC key for nfs/fqdn in 
the keytab only and it seems to work too.

I see: Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5

So I would expect it to work with a Windows kdc, and handling RC4 is easier as 
you don't need to worry about the DES flag and salt.

Markus

root at Opensuse:# mount -t nfs4 -o rw,sec=krb5 opensuse.suse.home:/ /suse_work

markus at Opensuse:~> ls /suse_work/
ls: cannot access /suse_work/: Permission denied
markus at Opensuse:~> kinit
Password for markus at SUSE.HOME:
markus at Opensuse:~> ls /suse_work/
src
markus at Opensuse:~> klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: markus at SUSE.HOME

Valid starting     Expires            Service principal
01/07/08 20:37:05  01/08/08 06:37:05  krbtgt/SUSE.HOME at SUSE.HOME
        renew until 01/08/08 20:37:05, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
01/07/08 20:37:11  01/08/08 06:37:05  nfs/opensuse.suse.home at SUSE.HOME
        renew until 01/08/08 20:37:05, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5


markus at Opensuse:~> sudo klist -ekt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/07/08 20:25:41 host/opensuse.suse.home at SUSE.HOME (ArcFour with HMAC/md5)
   6 01/07/08 20:25:41 nfs/opensuse.suse.home at SUSE.HOME (ArcFour with HMAC/md5)



"Jason D. McCormick" <jason at devrandom.org> wrote in message 
news:478274B5.3030700 at devrandom.org...
> Douglas E. Engert wrote:
>> The problem might be that on the AD account the UserAccountControl flag
>> does not have the USE_DES_KEY_ONLY 0x200000 set, so AD is returning an
>> ArcFour ticket, which is not in the keytab. ktpass has a /DESOnly option
>> to set this.
>>
>> See kb 305144 too.
>
> This is EXACTLY what I needed.  Everything works now.  Thanks to
> everyone for the help.
>
> - Jason
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
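Added example, not part of this thread: a small Python check that parses `klist -e` and `klist -ekt` listings and reports service tickets whose ticket etype has no matching key in the keytab, which is exactly the mismatch Douglas describes (AD issuing an ArcFour ticket while the keytab holds only a DES key). The sample listings are constructed from the ones in this post with `@` restored; nothing is captured from a real host.

```python
import re
from collections import defaultdict

# `klist -e` ticket line: start and expiry timestamps, then the service principal.
TICKET_RE = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)")
# "Etype (skey, tkt): <session key etype>, <ticket etype>"; the second must match a keytab key.
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): ([^,]+), (.+?)\s*$")
# `klist -ekt` entry: KVNO, timestamp, principal, "(etype)".
KEYTAB_RE = re.compile(r"^\s*\d+\s+\S+ \S+\s+(\S+) \((.+)\)\s*$")

def parse_ticket_etypes(klist_e_output):
    """Map each service principal in `klist -e` output to its ticket (tkt) etype."""
    etypes, current = {}, None
    for line in klist_e_output.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)
        m = ETYPE_RE.search(line)
        if m and current:
            etypes[current] = m.group(2)
    return etypes

def parse_keytab_etypes(klist_ekt_output):
    """Map each principal in `klist -ekt` output to the set of key etypes stored for it."""
    keys = defaultdict(set)
    for line in klist_ekt_output.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys[m.group(1)].add(m.group(2))
    return keys

def find_mismatches(klist_e_output, klist_ekt_output):
    """Service tickets (TGT excluded) whose etype has no matching key in the keytab."""
    tickets = parse_ticket_etypes(klist_e_output)
    keys = parse_keytab_etypes(klist_ekt_output)
    return sorted((p, e) for p, e in tickets.items()
                  if not p.startswith("krbtgt/") and e not in keys.get(p, set()))

# Constructed sample output, modelled on the listings in this thread (not a real capture).
TICKETS = """Ticket cache: FILE:/tmp/krb5cc_1000
Valid starting     Expires            Service principal
01/07/08 20:37:05  01/08/08 06:37:05  krbtgt/SUSE.HOME@SUSE.HOME
        renew until 01/08/08 20:37:05, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
01/07/08 20:37:11  01/08/08 06:37:05  nfs/opensuse.suse.home@SUSE.HOME
        renew until 01/08/08 20:37:05, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
"""
KEYTAB_RC4 = "   6 01/07/08 20:25:41 nfs/opensuse.suse.home@SUSE.HOME (ArcFour with HMAC/md5)\n"
# Same keytab holding only a DES key: AD still issues an RC4 ticket, so the check flags it.
KEYTAB_DES = "   6 01/07/08 20:25:41 nfs/opensuse.suse.home@SUSE.HOME (DES cbc mode with CRC-32)\n"
```

Running `find_mismatches` on the RC4 keytab returns an empty list; on the DES-only keytab it returns the nfs principal with the unmatched ArcFour ticket etype.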
