KRB5KRB_AP_ERR_MODIFIED: MIT Kerberos 1.8.1 & arcfour-hmac-md5 session key
Richard E. Silverman
res at qoxp.net
Wed Jun 2 03:33:23 EDT 2010
After upgrading to MIT Kerberos 1.8.1, I get KRB5KRB_AP_ERR_MODIFIED while
trying to authenticate to certain devices; so far, a NetApp filer, and
Windows hosts running BitVise WinSSHD and MS SQL Server (all part of a
Windows AD realm). Clients are OpenSSH, Samba, and FreeTDS on Solaris.
The same combinations work correctly with 1.6.3. For example:
-----------------------------------------------------------------------
% kinit
Password for res at FOO.COM:
% smbclient -k //fshome1/res
session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
did you forget to run kinit?
% klist -ef
Ticket cache: FILE:/tmp/krb5cc_11500_aicJWR9646
Default principal: res at FOO.COM
Valid starting Expires Service principal
06/02/10 03:08:15 06/02/10 13:08:16 krbtgt/FOO.COM at FOO.COM
renew until 06/03/10 03:08:15, Flags: FRIA
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
06/02/10 03:08:21 06/02/10 13:08:16 fshome1$@FOO.COM
renew until 06/03/10 03:08:15, Flags: FRA
---> Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
---------------------
# Now, put this in krb5.conf:
#
# [libdefaults]
# default_tkt_enctypes = des-cbc-md5 des-cbc-crc
% kinit
Password for res at FOO.COM:
% smbclient -k //fshome1/res
OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \> quit
% klist -ef
Ticket cache: FILE:/tmp/krb5cc_11500_aicJWR9646
Default principal: res at FOO.COM
Valid starting Expires Service principal
06/02/10 03:08:54 06/02/10 13:08:58 krbtgt/FOO.COM at FOO.COM
renew until 06/03/10 03:08:54, Flags: FRIA
Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
06/02/10 03:09:00 06/02/10 13:08:58 fshome1$@FOO.COM
renew until 06/03/10 03:08:54, Flags: FRA
---> Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
-------------------------
-----------------------------------------------------------------------
Packet capture of the CIFS traffic for the failed smbclient command shows
KRB5KRB_AP_ERR_MODIFIED returned from the server when the session key (and
hence the authenticator) use arcfour-hmac-md5. If I force it to use DES
instead, it works.
The problem is present in 1.8 as well.
Before I dive into figuring out what's gone wrong here, I'd like to know
if anyone's seen this?
Thanks,
--
Richard Silverman
res at qoxp.net
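As an added check, not part of Richard's message or of MIT Kerberos: a small Python parser for `klist -ef` listings like the ones above that reports, per ticket, which session-key and ticket enctypes were negotiated, so an admin can confirm an arcfour-hmac-md5 session key on a failing service before reaching for a packet capture. The sample listings are copied from the post (with the archive's " at " obfuscation of `@` left as it appeared); the function names are my own.

```python
import re

# Constructed samples: the two `klist -ef` listings from the report, the
# failing run (ArcFour session keys) and the working run (DES session keys).
FAILING = """\
06/02/10 03:08:15 06/02/10 13:08:16 krbtgt/FOO.COM at FOO.COM
renew until 06/03/10 03:08:15, Flags: FRIA
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
06/02/10 03:08:21 06/02/10 13:08:16 fshome1$@FOO.COM
renew until 06/03/10 03:08:15, Flags: FRA
---> Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""
WORKING = """\
06/02/10 03:08:54 06/02/10 13:08:58 krbtgt/FOO.COM at FOO.COM
renew until 06/03/10 03:08:54, Flags: FRIA
Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
06/02/10 03:09:00 06/02/10 13:08:58 fshome1$@FOO.COM
renew until 06/03/10 03:08:54, Flags: FRA
---> Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
"""

# A ticket line starts with two date/time pairs, then the service principal.
TICKET_RE = re.compile(r"^(\d\S* \S+) (\S+ \S+) (.+)$")
# The -e line that follows: "Etype (skey, tkt): <session key>, <ticket>"
ETYPE_RE = re.compile(r"^Etype \(skey, tkt\): (.+?), (.+)$")

def parse_klist(text):
    """Parse `klist -ef` output into one dict per ticket with the service
    principal, the session-key enctype (skey) and the ticket enctype (tkt)."""
    tickets, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("-> ").strip()  # drop the author's ---> marker
        m = TICKET_RE.match(line)
        if m:
            current = {"service": m.group(3), "skey": None, "tkt": None}
            tickets.append(current)
            continue
        m = ETYPE_RE.match(line)
        if m and current is not None:
            current["skey"], current["tkt"] = m.group(1), m.group(2)
    return tickets

def services_with_skey(text, needle):
    """Service principals whose negotiated session-key enctype contains `needle`
    (case-insensitive); 'ArcFour' finds the sessions the report shows failing."""
    return [t["service"] for t in parse_klist(text)
            if t["skey"] and needle.lower() in t["skey"].lower()]
```

Note that in the working run the ticket enctype is still ArcFour (the service's long-term key) while only the session key changed to DES, which is exactly the distinction the report's `--->` lines point at.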