kerberos and Windows 2008R2 - kinit: Key table entry not found while getting initial credentials

Douglas E. Engert deengert at anl.gov
Fri Apr 29 10:26:28 EDT 2011 


On 4/28/2011 4:08 PM, Gomes, Charles wrote:
> Hello Kerberos List,
>
> I'm trying to set a Kerberos ticket between a Unix and a Windows 2008 R2 server.
> I've created a user on windows and used the ktpass to generate the Kerberos keytab:
> C:\Windows\System32\ktpass princ host/jc1lqaldap.testdomain.com at TESTDOMAIN.COM mapuser TESTDOMAIN\host_jc1lqaldap -crypto DES-CBC-MD5 -pass * -ptype KRB5_NT_PRINCIPAL out c:\nis_data\host_jc1lqaldap.keytab
>
> I did make sure that "User Kerberos DES encryption types for this account" was checked.

Do you really need DES? Your krb5.conf says you can use RC4, and 2008 supports AES-128 and AES-256.
2008 and newer versions of Kerberos turn it off be default too.

http://support.microsoft.com/kb/977321
explains how to check the logs and turn DES back on, if you really really need DES.

Also consider using  a better tool then ktpass, like msktutil
http://fuhm.net/software/msktutil/ or the Samba windbind.

> First I was getting:
> root at jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host/jc1lqaldap.testdomain.com
> kinit: KDC has no support for encryption type while getting initial credentials



>
> So I've checked "Do not require Kerberos preauthentication" and I get:
> root at jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host/jc1lqaldap.testdomain.com
> kinit: Key table entry not found while getting initial credentials


There is a kerberos client issue as well. The client will send a list of
enctypes to the KDC. This is based on what is supported by hte libraries
and krb5.conf not on what keys are in the keytab file.

The KDC will pick one based on the keys it has for that principal. But with Windows
AD the password is stored and used to generate a key on the fly, so AD can generate
a key for any enctype the client says it can accept. So the KDC can return a ticket
the client can not use.

If you still have problems, Google for the msDS-SupportedEncryptionTypes attribute
for a AD account.

>
> Where should that key table entry be located ?
to see what is the default, try klist -k

> I cannot go forward with this. Is there a way to get more verbose logging so I can troubleshoot this.

Wireshark, it can format the krb5 packets.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Klist
> root at jc1lqaldap:/etc# klist -ke -t /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    12 12/31/69 19:00:00 host/jc1lqaldap.testdomain.com at TESTDOMAIN.COM (DES cbc mode with RSA-MD5)
>
>
>
>
>
> Cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = TESTDOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
> [realms]
> TESTDOMAIN.COM = {
>    kdc = server.testdomain.com:88
>    admin_server = server.testdomain.com:749
>    default_domain = testdomain.com
> }
>
> [domain_realm]
> .testdomain.com = TESTDOMAIN.COM
> testdomain.com = TESTDOMAIN.COM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
>     debug = false
>     ticket_lifetime = 36000
>     renew_lifetime = 36000
>     forwardable = true
>     krb4_convert = false
>     validate = true
> }
>
>
>
>
>
> DISCLAIMER:
> This e-mail, and any attachments thereto, is intended only for use by the addressee(s)named herein and
> may contain legally privileged and/or confidential information. If you are not the intended recipient of this
> e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachments
> thereto, is strictly prohibited. If you have received this in error, please immediately notify me and permanently
> delete the original and any printout thereof. E-mail transmission cannot be guaranteed to be secure or error-free.
> The sender therefore does not accept liability for any errors or omissions in the contents of this message which
> arise as a result of e-mail transmission.
> NOTICE REGARDING PRIVACY AND CONFIDENTIALITY
> Knight Capital Group may, at its discretion, monitor and review the content of all e-mail communications.
>
> http://www.knight.com<http://www.knight.com/>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list