Odd problem with Active Directory

Michael Calmer mc at suse.de
Thu Dec 17 03:48:53 EST 2009


Hi,

On Wednesday, 16 December 2009 22:56:30, Jeffrey Watts wrote:
> Reaching out again hoping that someone might have an idea as to what my
> problem is.
> 
> Thanks,
> Jeffrey.
> 
> On Fri, Dec 11, 2009 at 10:43 AM, Jeffrey Watts
> <jeffrey.w.watts at gmail.com>wrote:

[...] 

> > When I initially migrated the systems I used 'net ads join' to create a
> > machine account, and then I run 'kinit -k MACHINENAME$ -c /etc/.ldapcache'
> > in a cronjob to keep a fresh ticket.
> >
> > I have all systems pointing to those three KDCs, in the same order:
> > kdc1
> > kdc2
> > kdc3
> >
> > They were all running Windows2003 (not R2, but using the Windows2008R2
> > schema).  Two weeks ago, kdc1 was upgraded to Windows2008R2.  Suddenly
> > five of my Linux boxes (out of 109) stopped being able to check out
> > tickets from that particular Windows2008R2 server.  This includes RHEL4
> > and 5 systems.
> > They are located in different networks, and identically configured systems
> > do work (for example, devserver1 will work, but devserver2 will not).  The
> > keytab still works with the Windows2003 servers.  The remaining 104
> > systems work fine with no issues.

I think your problem is the aes256 enctype. Windows 2008 supports this enctype, 
Windows 2003 does not.

The keytab is created by Samba, and Samba only writes the two "des" enctypes and 
the "rc4-hmac" enctype into the keytab.

kinit -k tells the Windows server that it supports aes256, and Windows 2008 
responds with an answer encrypted using this enctype. But kinit does not find 
this key in your keytab and cannot decrypt the answer.
This would explain the error:

 kinit(v5): Key table entry not found while getting initial credentials

One solution would be to tell the Windows server that your Kerberos 
installation does not support AES.

[libdefaults]
    ...
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

I hope this helps.

-- 
Best regards

	Michael Calmer

--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575  - e-mail: Michael.Calmer at suse.com
--------------------------------------------------------------------------
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
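As an added check (example code, not from the mail above and not Samba's or MIT Kerberos's own tooling): a POSIX shell script that reads `klist -ke` output, lists the enctypes for which the machine principal actually has a key, and prints the `[libdefaults]` restriction proposed above only when the keytab really lacks AES keys. The keytab listings, the principals DEVSERVER1$ and DEVSERVER2$, and the realm EXAMPLE.COM are constructed for the example; the descriptive enctype names are the ones MIT `klist -e` prints.

```shell
#!/bin/sh
# Added example, not code from the original mail, Samba or MIT Kerberos:
# read `klist -ke` output, list the enctypes a principal actually has keys
# for, and emit the krb5.conf [libdefaults] restriction only when the keytab
# really lacks AES keys. Principals, realm and the listings are constructed.

# Constructed `klist -ke /etc/krb5.keytab` output for a Samba-written keytab
# holding only the two DES keys and the RC4 key (the situation in the thread).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/devserver2.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 host/devserver2.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   2 DEVSERVER2$@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 DEVSERVER2$@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   2 DEVSERVER2$@EXAMPLE.COM (ArcFour with HMAC/md5)'

# Constructed listing for a keytab that also carries an AES-256 key.
SAMPLE_KLIST_AES='   3 DEVSERVER1$@EXAMPLE.COM (ArcFour with HMAC/md5)
   3 DEVSERVER1$@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# Map the descriptive names klist prints to the enctype names krb5.conf accepts.
enctype_name() {
    case "$1" in
        "DES cbc mode with CRC-32")                echo des-cbc-crc ;;
        "DES cbc mode with RSA-MD5")               echo des-cbc-md5 ;;
        "ArcFour with HMAC/md5")                   echo arcfour-hmac-md5 ;;
        "AES-128 CTS mode with 96-bit SHA-1 HMAC") echo aes128-cts-hmac-sha1-96 ;;
        "AES-256 CTS mode with 96-bit SHA-1 HMAC") echo aes256-cts-hmac-sha1-96 ;;
        *)                                         echo unknown ;;
    esac
}

# keytab_enctypes PRINCIPAL  (klist output on stdin)
# Prints the distinct enctypes for which PRINCIPAL has a key, space separated,
# in keytab order. Only that principal matters: kinit -k MACHINENAME$ needs a
# key for MACHINENAME$, not for the host/ service principal.
keytab_enctypes() {
    princ="$1"
    seen=""
    while IFS= read -r line; do
        case "$line" in
            *"$princ ("*) ;;
            *) continue ;;
        esac
        desc=${line#*\(}          # text after the opening parenthesis
        desc=${desc%\)}           # drop the closing parenthesis
        name=$(enctype_name "$desc")
        case " $seen " in
            *" $name "*) ;;       # already listed
            *) seen="$seen $name" ;;
        esac
    done
    echo "${seen# }"
}

# has_aes ENCTYPES: success if any AES enctype is in the list.
has_aes() {
    case " $1 " in
        *" aes256-cts-hmac-sha1-96 "*|*" aes128-cts-hmac-sha1-96 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# libdefaults_snippet ENCTYPES: the krb5.conf fragment that stops kinit from
# advertising enctypes the keytab cannot decrypt, as proposed in the mail.
libdefaults_snippet() {
    printf '[libdefaults]\n    default_tkt_enctypes = %s\n    default_tgs_enctypes = %s\n' "$1" "$1"
}

# On a real host replace the sample with:  klist -ke /etc/krb5.keytab
enc=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_enctypes 'DEVSERVER2$@EXAMPLE.COM')
if has_aes "$enc"; then
    echo "keytab has AES keys; no enctype restriction needed"
else
    echo "keytab lacks AES keys; restrict kinit to: $enc"
    libdefaults_snippet "$enc"
fi
```

Two things worth keeping in mind when applying the snippet it prints: limiting `default_tkt_enctypes` to RC4 and DES is a downgrade that only works for as long as the account keeps those keys, so a keytab that also holds the AES keys (the piece the mail identifies as missing) is the longer-lived fix; and MIT Kerberos 1.8 and later refuse the DES enctypes altogether unless `allow_weak_crypto = true` is set in `[libdefaults]`, so on current systems the DES entries will not rescue kinit even if they are in the keytab.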