Odd problem with Active Directory
Jeffrey Watts
jeffrey.w.watts at gmail.com
Thu Dec 17 15:22:52 EST 2009
# klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET (DES cbc mode with CRC-32)
2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET (DES cbc mode with RSA-MD5)
2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET (ArcFour with HMAC/md5)
2 host/lxmefdev02@HRBINC.HRBLOCK.NET (DES cbc mode with CRC-32)
2 host/lxmefdev02@HRBINC.HRBLOCK.NET (DES cbc mode with RSA-MD5)
2 host/lxmefdev02@HRBINC.HRBLOCK.NET (ArcFour with HMAC/md5)
2 LXMEFDEV02$@HRBINC.HRBLOCK.NET (DES cbc mode with CRC-32)
2 LXMEFDEV02$@HRBINC.HRBLOCK.NET (DES cbc mode with RSA-MD5)
2 LXMEFDEV02$@HRBINC.HRBLOCK.NET (ArcFour with HMAC/md5)
Thanks again for any help. Looking at the other server it has the same
output for 'klist -k -e'.
Jeffrey.
On Wed, Dec 16, 2009 at 7:33 PM, Tom Yu <tlyu at mit.edu> wrote:
>
> Could you repeat this with "klist -k -e"? This will show the enctypes
> for each entry in the keytab. Do the enctype lists differ on
> different hosts?
>
> > Could you explain the single-DES issue a bit more? Is that something that
> > needs to be enabled?
>
> I believe that starting with 2008R2, single-DES is disabled as
> "legacy" on AD Kerberos principals by default, as single-DES is no
> longer NIST-approved and no longer provides adequate security.
>
--
"He that would make his own liberty secure must guard even his enemy from
oppression; for if he violates this duty he establishes a precedent that
will reach to himself." -- Thomas Paine
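
The following is an added example, not part of the original message or of the Kerberos project's code: it parses a `klist -k -e` listing in the layout shown above and reports, per principal, which keytab entries are single-DES and whether any other key would remain if the KDC refuses single-DES. The host and realm names are constructed placeholders, and accepting short enctype names such as `des-cbc-crc` is an assumption about other klist output styles.

```python
import re
from collections import defaultdict

# Constructed sample in the "klist -k -e" layout shown above; host and realm
# names are placeholders, not taken from the thread.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/web01.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 host/web01.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   2 host/web01.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   3 host/old01.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 host/old01.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   1 nfs/old02.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
# Single-DES only: "Triple DES ..." and "des3-..." must not match, hence the
# anchored prefixes. The short-name form (des-cbc-*) is an assumed variant.
SINGLE_DES = re.compile(r"^(DES cbc mode|des-cbc-)", re.IGNORECASE)

def audit_keytab_listing(text):
    """Return {principal: {"des": [...], "other": [...], "des_only": bool}}."""
    report = defaultdict(lambda: {"des": [], "other": []})
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator, or blank line
        _kvno, principal, enctype = m.groups()
        bucket = "des" if SINGLE_DES.match(enctype) else "other"
        report[principal][bucket].append(enctype)
    for entry in report.values():
        # A principal with only single-DES keys has nothing left to use
        # once single-DES is disabled on the KDC side.
        entry["des_only"] = bool(entry["des"]) and not entry["other"]
    return dict(report)

if __name__ == "__main__":
    for principal, e in audit_keytab_listing(SAMPLE).items():
        status = "DES ONLY" if e["des_only"] else "has non-DES key"
        print(f"{principal}: {status}; single-DES entries: {len(e['des'])}")
```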