Odd problem with Active Directory
Tom Yu
tlyu at MIT.EDU
Wed Dec 16 20:33:16 EST 2009
Jeffrey Watts <jeffrey.w.watts at gmail.com> writes:
> Their computer account entries are very similar. Here's the contents of the
> krb5.keytab:
> # klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET
> 2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET
> 2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET
> 2 host/lxmefdev02@HRBINC.HRBLOCK.NET
> 2 host/lxmefdev02@HRBINC.HRBLOCK.NET
> 2 host/lxmefdev02@HRBINC.HRBLOCK.NET
> 2 LXMEFDEV02$@HRBINC.HRBLOCK.NET
> 2 LXMEFDEV02$@HRBINC.HRBLOCK.NET
> 2 LXMEFDEV02$@HRBINC.HRBLOCK.NET
Could you repeat this with "klist -k -e"? This will show the enctypes
for each entry in the keytab. Do the enctype lists differ on
different hosts?
> Could you explain the single-DES issue a bit more? Is that something that
> needs to be enabled?
I believe that starting with 2008R2, single-DES is disabled as
"legacy" on AD Kerberos principals by default, since single-DES is no
longer NIST-approved and no longer provides adequate security.
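As an added example (not part of the original thread or of MIT Kerberos), the
following POSIX shell script performs the check suggested above: it parses the
output of "klist -k -e", lists the enctypes present for each principal and KVNO,
and flags any principal whose keys in the keytab are all single-DES, which is
exactly what would fail against a 2008R2 DC with DES disabled. The klist output
embedded in the script is constructed for illustration: the lxmefdev02 principal
names follow the ones quoted above, while the host "oldbox" and the particular
enctype mix are assumptions. The parser assumes the row layout MIT Kerberos
klist prints (KVNO, principal, enctype in parentheses) and accepts both the
descriptive enctype names of older releases and the short names of newer ones.

```sh
#!/bin/sh
# Added example, not code from the original thread or from MIT Kerberos.
# Parses `klist -k -e` output and flags principals that have only single-DES
# keys in the keytab.

# Constructed sample of `klist -k -e` output (MIT format). The "oldbox"
# principal and the enctype mix are assumptions made for this example.
SAMPLE_KLIST_OUTPUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET (ArcFour with HMAC/md5)
   2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET (DES cbc mode with CRC-32)
   2 LXMEFDEV02$@HRBINC.HRBLOCK.NET (des3-cbc-sha1)
   2 host/oldbox.hrblock.net@HRBINC.HRBLOCK.NET (DES cbc mode with CRC-32)
   2 host/oldbox.hrblock.net@HRBINC.HRBLOCK.NET (DES cbc mode with RSA-MD5)'

# keytab_entries: read `klist -k -e` output on stdin and emit one
# tab-separated line per key: PRINCIPAL <tab> KVNO <tab> ENCTYPE.
# Header, separator and blank lines are skipped; the enctype is taken as
# everything between the first "(" and the closing ")" at end of line, so
# descriptive names containing spaces survive intact.
keytab_entries() {
    awk '
        {
            line = $0
            sub(/[ \t]+$/, "", line)
            if (line !~ /^[ \t]*[0-9]+[ \t]+[^ \t]+[ \t]+\(.*\)$/) next
            etype = substr(line, index(line, "(") + 1)
            sub(/\)$/, "", etype)
            print $2 "\t" $1 "\t" etype
        }
    '
}

# keytab_report: human-readable summary, one line per principal and KVNO
# with the comma-separated list of enctypes found for it. Diffing this
# output between two hosts answers "do the enctype lists differ?".
keytab_report() {
    keytab_entries | awk -F '\t' '
        {
            k = $1 " kvno " $2
            if (!(k in seen)) { order[++n] = k; seen[k] = 1 }
            et[k] = (et[k] == "" ? $3 : et[k] ", " $3)
        }
        END { for (i = 1; i <= n; i++) print order[i] ": " et[order[i]] }
    '
}

# des_only_principals: print (sorted, one per line) every principal whose
# keys in the keytab are ALL single-DES. Single DES is recognised by the
# substring "des" in the lower-cased enctype name, excluding triple DES
# ("des3-...", "3des", "Triple DES ..."). AES, RC4/ArcFour and Camellia
# names never contain "des", so they are not matched.
des_only_principals() {
    keytab_entries | awk -F '\t' '
        {
            total[$1]++
            lc = tolower($3)
            if (lc ~ /des/ && lc !~ /des3|3des|triple/) singledes[$1]++
        }
        END { for (p in total) if (singledes[p] == total[p]) print p }
    ' | sort
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_KLIST_OUTPUT" | keytab_report
printf '%s\n' "$SAMPLE_KLIST_OUTPUT" | des_only_principals | sed 's/^/DES-only keys: /'
```

On a real host the same functions run over the live keytab with
"klist -k -e | keytab_report" and "klist -k -e | des_only_principals"; saving
the report from each host and diffing the two files shows directly whether the
enctype lists differ between the host that works and the one that does not.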