Odd problem with Active Directory

RJT rob.townley at gmail.com
Thu Jan 7 09:33:25 EST 2010


On Dec 17 2009, 2:30 pm, Jeffrey Watts <jeffrey.w.wa... at gmail.com>
wrote:
> Thanks a lot Michael, that worked!
>
> I'm still not sure why some systems would get the aes256 encrypted answer
> and others not?  It seems very odd.  They have all the same versions of
> Samba and Kerberos, and I'm having a hard time figuring out why they'd be
> different.
>
> Also, is this an ideal solution going forward?  How much longer will ArcFour
> be supported?
>
> Jeffrey.
>
>
>
> On Thu, Dec 17, 2009 at 2:48 AM, Michael Calmer <m... at suse.de> wrote:
>
> > I think your problem is the aes256 enctype. Windows2008 supports this
> > enctype,
> > Windows2003 does not.
>
> > The keytab is created by samba and samba only writes the two "des" and the
> > "rc4-hmac" enctypes into the keytab.
>
> > kinit -k tells the Windows server that it supports aes256 and Windows2008
> > responds with an encrypted answer using this enctype. But kinit does not find
> > this key in your keytab and cannot decrypt the answer.
> > This would explain the error:
>
> >  kinit(v5): Key table entry not found while getting initial credentials
>
> > One solution would be to tell the Windows Server that your kerberos
> > installation does not support aes.
>
> > [libdefaults]
> >    ...
> >    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
> > I hope this helps.
>
> --
>
> "He that would make his own liberty secure must guard even his enemy from
> oppression; for if he violates this duty he establishes a precedent that
> will reach to himself." -- Thomas Paine

So did you get this working by setting supported enctypes on the
client using msDS-SupportedEncryptionTypes?  Please give details.

I am troubled that enctypes can be set in /etc/krb5.conf but then
/var/cache/samba/smb_krb5/krb5.conf.NBDOMAINAME
will have weaker enctypes.

For each user account in "Active Directory Users and Computers",
you can specify to allow DES in a dropdown checkbox list.  So I
do not understand why DES would be offered as an enctype if
that ~"allow des checkbox" is not enabled.  This DES checkbox
is not enabled by default on our mixed Win2000 / Win2003 domain,
but des_cbc_xxx shows up in the /var/cache/samba/smb_krb5/ conf.

Maybe it has something to do with different use scenarios, as
in machine joins may accept DES but user-level encryption does not?
The kdc may not accept DES ticket requests for user authentication but
may accept DES for some other kerberos operation such as
a service request to print to the printer.

Conspiracy theory scenario: I wonder if MS clients know
not to use DES, so even when DES is listed as an enctype,
the MS client knows not to use it.

The OP asked about a book.  I do not know of a book
but found an inexpensive workshop via irc #kerberos.
http://workshop.openafs.org/afsbpw10/registration.html
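As an added example (not code from anyone in this thread), a small Python check for the mismatch Michael describes: it decodes the msDS-SupportedEncryptionTypes bitmask RJT asks about and compares it with the enctypes that actually have keys in a keytab, using a constructed `klist -ke` listing; the bit values and the klist description strings are assumed from Microsoft and MIT krb5 documentation.

```python
import re

# msDS-SupportedEncryptionTypes bit flags (assumed from Microsoft docs)
MSDS_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac-md5",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Descriptions MIT `klist -ke` prints, mapped to krb5.conf enctype names
KLIST_DESCRIPTIONS = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "arcfour-hmac-md5",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
}

# Constructed `klist -ke` output for a Samba-written keytab: the two DES
# keys and the RC4 key only, no AES keys (the situation Michael describes).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   3 host/member.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 host/member.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   3 host/member.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
"""

def keytab_enctypes(klist_output):
    """Set of enctype names that have a key in the `klist -ke` listing."""
    found = set()
    for line in klist_output.splitlines():
        m = re.search(r"\(([^)]+)\)\s*$", line)
        if m and m.group(1) in KLIST_DESCRIPTIONS:
            found.add(KLIST_DESCRIPTIONS[m.group(1)])
    return found

def decode_msds(value):
    """Enctype names enabled in an msDS-SupportedEncryptionTypes bitmask."""
    return {name for bit, name in MSDS_ENCTYPE_BITS.items() if value & bit}

def missing_keys(klist_output, msds_value):
    """Enctypes the account may use but the keytab holds no key for; an AES
    entry here reproduces 'Key table entry not found' against a 2008 KDC."""
    return decode_msds(msds_value) - keytab_enctypes(klist_output)
```

An empty result means every enctype the account advertises has a matching key, so kinit -k can decrypt whatever the KDC chooses; a non-empty result is better fixed by adding the missing keys than by dropping to RC4 or DES in krb5.conf.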
