Cross realm breaks in one direction
Wilper, Ross A
rwilper at stanford.edu
Thu Jan 13 13:27:23 EST 2011
On the campus side of Stanford, the only ones of those that are not set as listed below are the one about LDAP signing (set to none) and the enctypes (DES is allowed for now, but I have tested with it off).
-Ross
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Booker Bense
Sent: Thursday, January 13, 2011 10:14 AM
To: kerberos at mit.edu
Subject: Cross realm breaks in one direction
Any experience with USGCB (US Gov Computer Baseline) settings for Windows systems?
Our Windows admins recently applied these settings for Windows systems, and the
cross-realm trust with our Unix-based KDC has broken in the direction of getting
Unix KDC service tickets with Windows credentials. The other way still works just fine.
The error a client gets is "KDC does not support enctype". Looking at the logs, it does not appear
that the Unix KDC ever gets contacted.
A list of possible suspect changes is:
Microsoft network client: Digitally sign communications (if server agrees): Enabled
Microsoft network server: Digitally sign communications (always): Enabled
Microsoft network server: Digitally sign communications (if client agrees): Enabled
Network security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirements: Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
    Require NTLMv2 session security: Enabled
    Require 128-bit encryption: Enabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
    Require NTLMv2 session security: Enabled
    Require 128-bit encryption: Enabled
Network security: Configure encryption types allowed for Kerberos
    DES_CBC_CRC: Disabled
    DES_CBC_MD5: Disabled
    RC4_HMAC_MD5: Enabled
    AES128_HMAC_SHA1: Enabled
    AES256_HMAC_SHA1: Enabled
    Future encryption types: Enabled
Everything in the software stack should support AES256_HMAC_SHA1, and that's the enctype used for
everything in the "get Windows service tickets with Unix TGTs" case.
Doing the obvious thing of enabling DES didn't fix anything. Any suggestions?
thanks,
- Booker C. Bense
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
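As an added illustration (not part of either message in this thread, and not code from the Stanford or MIT folks): the "Configure encryption types allowed for Kerberos" policy quoted above is effectively the list of enctypes a Windows client will accept, so for the Windows-to-Unix direction to work, the key the Windows KDC holds for the cross-realm principal (krbtgt/UNIX.REALM@WINDOWS.REALM) has to exist in one of those enctypes. The snippet below encodes the policy values from the thread, maps them to the MIT enctype names that `klist -e` prints (the mapping follows Windows/MIT naming conventions and is my assumption, not something the thread states), and reports which enctypes both sides can actually use. The `klist -e` lines are constructed sample data, as are the enctype lists for the cross-realm principal.

```python
import re

# Windows "Configure encryption types allowed for Kerberos" values as quoted
# in the thread (USGCB baseline). True = Enabled, False = Disabled.
USGCB_KERBEROS_ENCTYPES = {
    "DES_CBC_CRC": False,
    "DES_CBC_MD5": False,
    "RC4_HMAC_MD5": True,
    "AES128_HMAC_SHA1": True,
    "AES256_HMAC_SHA1": True,
}

# Windows policy name -> MIT Kerberos enctype name (as shown by `klist -e`).
# Assumed mapping based on standard enctype naming; not from the thread.
WINDOWS_TO_MIT = {
    "DES_CBC_CRC": "des-cbc-crc",
    "DES_CBC_MD5": "des-cbc-md5",
    "RC4_HMAC_MD5": "arcfour-hmac",
    "AES128_HMAC_SHA1": "aes128-cts-hmac-sha1-96",
    "AES256_HMAC_SHA1": "aes256-cts-hmac-sha1-96",
}

# Constructed sample of MIT `klist -e` output: one TGT plus one cross-realm TGT.
SAMPLE_KLIST_E = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@WINDOWS.EXAMPLE

Valid starting     Expires            Service principal
01/13/11 10:00:00  01/13/11 20:00:00  krbtgt/WINDOWS.EXAMPLE@WINDOWS.EXAMPLE
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/13/11 10:01:00  01/13/11 20:00:00  krbtgt/UNIX.EXAMPLE@WINDOWS.EXAMPLE
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

ETYPE_RE = re.compile(
    r"^\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\n\s*Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)",
    re.MULTILINE,
)


def allowed_mit_enctypes(policy):
    """Translate the Windows policy into the set of MIT enctype names a client accepts."""
    return {WINDOWS_TO_MIT[name] for name, enabled in policy.items() if enabled}


def parse_klist_etypes(text):
    """Return {service principal: (session key etype, ticket etype)} from `klist -e` text."""
    return {svc: (skey, tkt) for svc, skey, tkt in ETYPE_RE.findall(text)}


def usable_enctypes(policy, cross_realm_key_enctypes):
    """Enctypes the Windows client allows AND the cross-realm principal has a key for.

    An empty result is the situation in which the client reports
    "KDC does not support enctype" before the Unix KDC is ever contacted.
    """
    return sorted(allowed_mit_enctypes(policy) & set(cross_realm_key_enctypes))


if __name__ == "__main__":
    tickets = parse_klist_etypes(SAMPLE_KLIST_E)
    for svc, (skey, tkt) in tickets.items():
        print(f"{svc}: session key {skey}, ticket {tkt}")
    # Constructed: a trust whose key only exists in DES enctypes.
    print("DES-only trust:", usable_enctypes(USGCB_KERBEROS_ENCTYPES, ["des-cbc-crc", "des-cbc-md5"]))
    # Constructed: a trust that also carries an RC4 key.
    print("RC4 trust:", usable_enctypes(USGCB_KERBEROS_ENCTYPES, ["des-cbc-crc", "arcfour-hmac"]))
```

Running it prints the session-key and ticket enctypes for each ticket in the sample cache and then the negotiable set for two constructed trust-key configurations. The check is deliberately one-directional: it models only the Windows-client-to-Unix-realm path that the thread says is broken, since the Unix-to-Windows path negotiates against the Unix KDC's own key for the same principal.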