Odd problem with Active Directory

Jeffrey Watts jeffrey.w.watts at gmail.com
Wed Dec 16 17:24:07 EST 2009


Thanks for the response.  Here's what's in my krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.EXAMPLE.COM = {
  kdc = kdc1.domain.example.com:88
  kdc = kdc2.domain.example.com:88
  kdc = kdc3.domain.example.com:88
  admin_server = kdc1.domain.example.com:749
  default_domain = domain.example.com
 }

[domain_realm]
 example.com = DOMAIN.EXAMPLE.COM
 .example.com = DOMAIN.EXAMPLE.COM
 domain.example.com = DOMAIN.EXAMPLE.COM
 .domain.example.com = DOMAIN.EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

The two systems I mentioned are exactly the same in terms of configuration
and software installed (they're an Oracle RAC test pair).  They have the
same basic hostname format (devserver01, devserver02) in the same domain.
They're using the krb5-workstation-1.6.1-36.el5 package supplied by Red
Hat.  I believe that's the latest.

Their computer account entries are very similar.  Here's the contents of the
krb5.keytab:
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET
   2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET
   2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET
   2 host/lxmefdev02@HRBINC.HRBLOCK.NET
   2 host/lxmefdev02@HRBINC.HRBLOCK.NET
   2 host/lxmefdev02@HRBINC.HRBLOCK.NET
   2 LXMEFDEV02$@HRBINC.HRBLOCK.NET
   2 LXMEFDEV02$@HRBINC.HRBLOCK.NET
   2 LXMEFDEV02$@HRBINC.HRBLOCK.NET

Could you explain the single-DES issue a bit more?  Is that something that
needs to be enabled?

Thanks again for any help you might be able to provide.
Jeffrey.


On Wed, Dec 16, 2009 at 4:07 PM, Tom Yu <tlyu at mit.edu> wrote:

> Jeffrey Watts <jeffrey.w.watts at gmail.com> writes:
>
> > Reaching out again hoping that someone might have an idea as to what my
> > problem is.
> >
> > Thanks,
> > Jeffrey.
> >
> > On Fri, Dec 11, 2009 at 10:43 AM, Jeffrey Watts
> > <jeffrey.w.watts at gmail.com> wrote:
> >
> >> Hello, I've been working with Kerberos for the last few months getting
> >> Linux and HP-UX servers to authenticate against AD.  I've been using
> >> pam_krb5 and nss_ldap on Linux, and pam_krb5 and LDAP-UX on HP-UX.
> >>
> >> Anyhow, I'm having an odd issue with a few Linux servers.  Our domain
> >> crosses many networks, so using DNS to find domain controllers hasn't worked
> >> very well, so I'm using three separate kdc entries in /etc/krb5.conf.  I
> >> have dns_lookup_realm and dns_lookup_kdc set to false.
> >>
> >> I'm using Kerberos to secure the LDAP connection.  Here are the relevant
> >> lines from my ldap.conf:
> >> use_sasl on
> >> krb5_ccname FILE:/etc/.ldapcache
> >> sasl_secprops maxssf=0
> >>
> >> When I initially migrated the systems I used 'net ads join' to create a
> >> machine account, and then I run 'kinit -k MACHINENAME$ -c /etc/.ldapcache'
> >> in a cronjob to keep a fresh ticket.
> >>
> >> I have all systems pointing to those three KDCs, in the same order:
> >> kdc1
> >> kdc2
> >> kdc3
> >>
> >> They were all running Windows2003 (not R2, but using the Windows2008R2
> >> schema).  Two weeks ago, kdc1 was upgraded to Windows2008R2.  Suddenly five
> >> of my Linux boxes (out of 109) stopped being able to check out tickets from
> >> that particular Windows2008R2 server.  This includes RHEL4 and 5 systems.
> >> They are located in different networks, and identically configured systems
> >> do work (for example, devserver1 will work, but devserver2 will not).  The
> >> keytab still works with the Windows2003 servers.  The remaining 104 systems
> >> work fine with no issues.
> >>
> >> I've deleted the machine accounts and the local keytabs and recreated them,
> >> but those same machines still have the same problem (can authenticate
> >> against Win2003 servers but not Win2008R2).  The last successful ticket
> >> checkout for all five of them occurred within an hour of each other, and it
> >> appears to be during the time when that KDC was upgraded.
> >>
> >> There is another Windows2008R2 server (kdc4) on our network that we don't
> >> normally use, and if I point those systems to it they have the same problem,
> >> so it seems to be some issue involving Windows2008R2 and these particular
> >> systems.
>
> I have heard that Windows Server 2008R2 has single-DES disabled by
> default.  What entries are in your keytab?  What krb5 release are you
> running on the Linux boxes?  Is there anything different about how the
> broken machines are named if they are otherwise identically
> configured?
>



-- 

"He that would make his own liberty secure must guard even his enemy from
oppression; for if he violates this duty he establishes a precedent that
will reach to himself." -- Thomas Paine
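
The keytab listing in this thread shows three keys per principal but not their encryption types, which is what the single-DES question turns on; `klist -k -e` prints the enctype beside each key. The following is an added example, not part of the thread: it parses that output and reports which principals hold only single-DES keys. The sample listing, host names and realm are constructed, and the labels matched are the enctype names MIT krb5's klist prints (long names in older releases, short names in newer ones).

```python
import re
from collections import defaultdict

# Labels klist -e prints for single-DES keys: long names (older MIT krb5)
# and short names (newer releases). "Triple DES ..." and "des3-..." do not match.
SINGLE_DES = re.compile(
    r"^(DES cbc mode|DES with HMAC|des-cbc-|des-hmac-sha1)", re.IGNORECASE)
# One keytab row: "<kvno> <principal> (<enctype label>)"
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

def audit_keytab(klist_output):
    """Map principal -> {'des': [...], 'other': [...]} from `klist -k -e` text."""
    report = defaultdict(lambda: {"des": [], "other": []})
    for line in klist_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator, blank line, or a row without an enctype
        _kvno, principal, label = m.groups()
        # Some newer releases prefix deprecated enctypes; strip it before matching.
        label = re.sub(r"^DEPRECATED:", "", label)
        kind = "des" if SINGLE_DES.match(label) else "other"
        report[principal][kind].append(label)
    return dict(report)

def des_only_principals(klist_output):
    """Principals whose every key is single-DES (no RC4 or AES key to fall back on)."""
    return sorted(p for p, k in audit_keytab(klist_output).items()
                  if k["des"] and not k["other"])

# Constructed sample, not taken from the thread; hosts and realm are placeholders.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/devserver01.example.com@DOMAIN.EXAMPLE.COM (DES cbc mode with CRC-32)
   2 host/devserver01.example.com@DOMAIN.EXAMPLE.COM (DES cbc mode with RSA-MD5)
   2 host/devserver01.example.com@DOMAIN.EXAMPLE.COM (ArcFour with HMAC/md5)
   3 DEVSERVER02$@DOMAIN.EXAMPLE.COM (des-cbc-crc)
   3 DEVSERVER02$@DOMAIN.EXAMPLE.COM (des-cbc-md5)
"""

if __name__ == "__main__":
    for principal, keys in sorted(audit_keytab(SAMPLE).items()):
        print(f"{principal}: {len(keys['des'])} single-DES, {len(keys['other'])} other")
    print("single-DES only:", des_only_principals(SAMPLE))
```
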


