Odd problem with Active Directory

Jeffrey Watts jeffrey.w.watts at gmail.com
Thu Dec 17 15:22:52 EST 2009


# klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET (DES cbc mode with CRC-32)
   2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET (DES cbc mode with RSA-MD5)
   2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET (ArcFour with HMAC/md5)
   2 host/lxmefdev02@HRBINC.HRBLOCK.NET (DES cbc mode with CRC-32)
   2 host/lxmefdev02@HRBINC.HRBLOCK.NET (DES cbc mode with RSA-MD5)
   2 host/lxmefdev02@HRBINC.HRBLOCK.NET (ArcFour with HMAC/md5)
   2 LXMEFDEV02$@HRBINC.HRBLOCK.NET (DES cbc mode with CRC-32)
   2 LXMEFDEV02$@HRBINC.HRBLOCK.NET (DES cbc mode with RSA-MD5)
   2 LXMEFDEV02$@HRBINC.HRBLOCK.NET (ArcFour with HMAC/md5)

Thanks again for any help.  Looking at the other server it has the same
output for 'klist -k -e'.

Jeffrey.

On Wed, Dec 16, 2009 at 7:33 PM, Tom Yu <tlyu at mit.edu> wrote:

>
> Could you repeat this with "klist -k -e"?  This will show the enctypes
> for each entry in the keytab.  Do the enctype lists differ on
> different hosts?
>
> > Could you explain the single-DES issue a bit more?  Is that something
> > that needs to be enabled?
>
> I believe that starting with 2008R2, single-DES is disabled as
> "legacy" on AD Kerberos principals by default, as single-DES is no
> longer NIST-approved and no longer provides adequate security.
>
-- 

"He that would make his own liberty secure must guard even his enemy from
oppression; for if he violates this duty he establishes a precedent that
will reach to himself." -- Thomas Paine
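Tom's question above is whether the enctype lists differ between hosts, and his follow-up point is that a KDC which has single-DES turned off cannot use the DES keys in a keytab like the one posted. The script below is an added example, not code from either poster or from MIT krb5: it parses the text of `klist -k -e`, lists the enctypes held for each principal, flags principals whose only keys are single-DES (those would have no usable key once the KDC stops issuing DES), and reports enctypes present in one host's keytab but not another's. The hostnames, realm and both keytab dumps are constructed placeholders, not the poster's real data; the enctype display names are the ones MIT klist printed at the time of the thread ("DES cbc mode with CRC-32", "ArcFour with HMAC/md5", "AES-256 CTS mode with 96-bit SHA-1 HMAC"), and newer releases print different names, so adjust the patterns if you run this against current output. Note that the single-DES match is anchored on `DES cbc` so that "Triple DES cbc mode with HMAC/sha1" (des3) is not counted as weak.

```shell
#!/bin/sh
# Added example, not code from the original post or from MIT krb5: summarise
# "klist -k -e" output per principal, flag principals whose only keys are
# single-DES, and compare the enctype sets of two hosts' keytabs.
# Hostnames, realm and both keytab dumps below are constructed placeholders.
LC_ALL=C
export LC_ALL

# Constructed sample modelled on the post's keytab: DES + RC4 keys for the
# host principals, plus an extra service principal that has only DES keys.
SAMPLE_HOST_A='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/lxhost01.example.net@EXAMPLE.NET (DES cbc mode with CRC-32)
   2 host/lxhost01.example.net@EXAMPLE.NET (DES cbc mode with RSA-MD5)
   2 host/lxhost01.example.net@EXAMPLE.NET (ArcFour with HMAC/md5)
   2 LXHOST01$@EXAMPLE.NET (DES cbc mode with CRC-32)
   2 LXHOST01$@EXAMPLE.NET (ArcFour with HMAC/md5)
   2 nfs/lxhost01.example.net@EXAMPLE.NET (DES cbc mode with CRC-32)'

# Constructed second host: same shape, but its keytab also carries an AES key.
SAMPLE_HOST_B='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/lxhost02.example.net@EXAMPLE.NET (DES cbc mode with CRC-32)
   3 host/lxhost02.example.net@EXAMPLE.NET (DES cbc mode with RSA-MD5)
   3 host/lxhost02.example.net@EXAMPLE.NET (ArcFour with HMAC/md5)
   3 host/lxhost02.example.net@EXAMPLE.NET (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 LXHOST02$@EXAMPLE.NET (ArcFour with HMAC/md5)'

# enctype_summary: read "klist -k -e" text on stdin and print one line per
# principal: "<principal><TAB><enctype1>,<enctype2>,..." in first-seen order.
enctype_summary() {
    awk '
        # Key entries start with a numeric KVNO; the enctype is the
        # parenthesised text after the principal name.
        $1 ~ /^[0-9]+$/ {
            principal = $2
            enc = $0
            sub(/^[^(]*\(/, "", enc)
            sub(/\) *$/, "", enc)
            if (!(principal in encs)) { order[++n] = principal; encs[principal] = enc }
            else encs[principal] = encs[principal] "," enc
        }
        END { for (i = 1; i <= n; i++) printf "%s\t%s\n", order[i], encs[order[i]] }'
}

# des_only_principals: principals (stdin is "klist -k -e" text) with no key
# stronger than single-DES. Matching "DES cbc" at the start of the name means
# "Triple DES cbc mode with HMAC/sha1" (des3) counts as non-DES, as intended.
des_only_principals() {
    enctype_summary | awk -F'\t' '
        {
            n = split($2, e, ",")
            strong = 0
            for (i = 1; i <= n; i++) if (e[i] !~ /^DES cbc/) strong = 1
            if (!strong) print $1
        }'
}

# enctype_set: sorted, de-duplicated list of every enctype in the keytab.
enctype_set() {
    enctype_summary | cut -f2 | tr ',' '\n' | sort -u
}

# enctype_set_diff DUMP_A DUMP_B: enctypes present in exactly one of the two
# dumps (arguments are full "klist -k -e" texts, e.g. collected over ssh).
enctype_set_diff() {
    {
        printf '%s\n' "$1" | enctype_set
        printf '%s\n' "$2" | enctype_set
    } | sort | uniq -u
}

# Stand-alone demo on the constructed samples.
echo "== host A, per-principal enctypes =="
printf '%s\n' "$SAMPLE_HOST_A" | enctype_summary
echo "== host A, principals with only single-DES keys =="
printf '%s\n' "$SAMPLE_HOST_A" | des_only_principals
echo "== enctypes present on only one of the two hosts =="
enctype_set_diff "$SAMPLE_HOST_A" "$SAMPLE_HOST_B"
```

On a real host, source the file and run `klist -k -e | des_only_principals` as root (the default keytab is normally readable only by root); to answer the "do the lists differ" question, capture `klist -k -e` on each host into a variable or file and feed both to `enctype_set_diff`. An empty result from `des_only_principals` on a keytab like the one in the post is expected, since every principal there also holds an ArcFour key.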