Odd problem with Active Directory

Jeffrey Watts jeffrey.w.watts at gmail.com
Thu Dec 17 15:30:21 EST 2009


Thanks a lot Michael, that worked!

I'm still not sure why some systems would get the aes256 encrypted answer
and others not?  It seems very odd.  They have all the same versions of
Samba and Kerberos, and I'm having a hard time figuring out why they'd be
different.

Also, is this an ideal solution going forward?  How much longer will ArcFour
be supported?

Jeffrey.

On Thu, Dec 17, 2009 at 2:48 AM, Michael Calmer <mc at suse.de> wrote:

>
> I think your problem is the aes256 enctype. Windows2008 supports this
> enctype, Windows2003 does not.
>
> The keytab is created by samba and samba only writes the two "des" and the
> "rc4-hmac" enctype into the keytab.
>
> kinit -k tells the Windows server that it supports aes256 and Windows2008
> responds with an encrypted answer using this enctype. But kinit does not find
> this key in your keytab and cannot decrypt the answer.
> This would explain the error:
>
>  kinit(v5): Key table entry not found while getting initial credentials
>
> One solution would be to tell the Windows Server that your kerberos
> installation does not support aes.
>
> [libdefaults]
>    ...
>    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
> I hope this helps.
>
>
-- 

"He that would make his own liberty secure must guard even his enemy from
oppression; for if he violates this duty he establishes a precedent that
will reach to himself." -- Thomas Paine
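
The mismatch described in the quoted reply can be checked before running `kinit -k`. The following Python check is an added example, not part of the original thread and not Samba or Kerberos project code: it compares the enctypes listed by `klist -ke` for a principal with the ones the client would request. The keytab listing, principal name and library default list are constructed assumptions, as are the descriptive enctype strings in the alias table.

```python
import re
# Canonical names for the aliases and klist descriptions relevant to this thread.
ALIASES = {
    "rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac",
    "arcfour with hmac/md5": "arcfour-hmac",
    "des cbc mode with crc-32": "des-cbc-crc",
    "des cbc mode with rsa-md5": "des-cbc-md5",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes-256 cts mode with 96-bit sha-1 hmac": "aes256-cts-hmac-sha1-96",
}

def canon(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)

def keytab_enctypes(klist_output, principal):
    """Enctypes for which `klist -ke` output lists a key for the principal."""
    rows = re.findall(r"^\s*\d+\s+(\S+)\s+\((.+)\)\s*$", klist_output, re.M)
    return {canon(desc) for princ, desc in rows if princ == principal}

def requested_enctypes(krb5_conf, library_default):
    """default_tkt_enctypes from [libdefaults], else the assumed library default."""
    section = None
    for line in krb5_conf.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line
        elif section == "[libdefaults]" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "default_tkt_enctypes":
                return [canon(e) for e in re.split(r"[\s,]+", value.strip()) if e]
    return [canon(e) for e in library_default]

def missing_keys(klist_output, principal, krb5_conf, library_default):
    """Enctypes the client would request that have no key in the keytab."""
    have = keytab_enctypes(klist_output, principal)
    return [e for e in requested_enctypes(krb5_conf, library_default) if e not in have]

# Constructed sample data: a keytab holding only the two des keys and rc4-hmac.
PRINC = "host/client.example.com@EXAMPLE.COM"
KLIST = """\
   2 host/client.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 host/client.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   2 host/client.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
"""
ASSUMED_DEFAULT = ["aes256-cts", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"]  # assumption
PINNED = "[libdefaults]\n default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5\n"
```

A non-empty result from `missing_keys` names the enctypes for which a reply could arrive with no matching keytab entry; with the pinned `[libdefaults]` lines from the quoted reply the list is empty.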


