Win 2008R2 kdc and linux client: no support for encryption type while getting initial credentials

Jeffrey Watts jeffrey.w.watts at gmail.com
Tue Mar 9 12:12:41 EST 2010


Yeah, I was one of the folks who ran into that problem with Win2008R2.
Oddly enough, it only seemed to happen with certain systems and not with
others.  Identical systems using the same DC and on the same network
wouldn't have the issue, so I'm not sure why it would affect one and not the
other.  Affected systems:  RHEL4 and RHEL5.

Anyhow, the solution for us was to add the following to /etc/krb5.conf in
the [libdefaults] section:

default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

We had created our keytabs using Samba's 'net' command.

Jeffrey.

On Tue, Mar 9, 2010 at 10:48 AM, Douglas E. Engert <deengert at anl.gov> wrote:

>
> What user are you using with the kinit?
> Does a network trace show anything?
>
> We have seen issues with using the kinit -k  with a keytab
> if the keytab does not have the highest enctype both client and server
> support (AES256).
>
> All of our DCs are now 2008R2, and afs aklog works well on
> and Solaris 9 and 10; Ubuntu Dapper-Karmic; Windows XP, Vista and W7
> clients.
>
>
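Added example, not part of the thread: a Python check that lists the enctypes a client's default_tkt_enctypes requests for which the keytab holds no key, the mismatch both messages point at. The `klist -ke` style listing, the principal name and the BEFORE config are constructed assumptions; AFTER is the setting from the message above.

```python
import re

# Alternate spellings of one enctype, folded to a single canonical name.
ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac",
           "aes256-cts": "aes256-cts-hmac-sha1-96",
           "aes128-cts": "aes128-cts-hmac-sha1-96"}

def canon(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)

def conf_enctypes(conf_text, key="default_tkt_enctypes"):
    """Return the ordered enctype list for `key` in [libdefaults], or None."""
    section = None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")):      # krb5.conf comment lines
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            k, v = line.split("=", 1)
            if k.strip() == key:
                return [canon(e) for e in re.split(r"[\s,]+", v.strip()) if e]
    return None

def keytab_enctypes(klist_text, principal):
    """Collect the enctypes held for `principal` in `klist -ke` style output."""
    found = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s+\(([^)]+)\)", line)
        if m and m.group(1) == principal:
            found.add(canon(m.group(2)))
    return found

def missing_keys(conf_text, klist_text, principal):
    """Enctypes the client requests for which the keytab holds no key."""
    have = keytab_enctypes(klist_text, principal)
    return [e for e in conf_enctypes(conf_text) or [] if e not in have]

# Constructed sample data (assumed output format; not taken from the thread).
PRINCIPAL = "host/client.example.com@EXAMPLE.COM"
KLIST = """KVNO Principal
   2 host/client.example.com@EXAMPLE.COM (des-cbc-crc)
   2 host/client.example.com@EXAMPLE.COM (des-cbc-md5)
   2 host/client.example.com@EXAMPLE.COM (arcfour-hmac)
"""
BEFORE = "[libdefaults]\n default_tkt_enctypes = aes256-cts arcfour-hmac-md5\n"
AFTER = "[libdefaults]\n default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5\n"
```

An empty result from missing_keys means every requested enctype has a key in the keytab. The des-cbc-* and arcfour-hmac types are deprecated for Kerberos (RFC 6649, RFC 8429), so adding AES keys to the keytab is the longer-term alternative to restricting the client list.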


