need help -- kinit (1.9.1) fails to process keytab
Rex, Martin
martin.rex at sap.com
Fri Jul 1 22:03:17 EDT 2011
Martin Rex wrote:
>
> I think I can wiggle through the MIT Kerberos part of the
> puzzle with KRB5_TRACE infos, but I'm heavily confused on
> Microsoft side of the game (KTPASS.EXE/W2K8-AD).
Or so I thought ...
The Microsoft Windows W2K8-R2 / Active Directory side
of the game is not very much fun.
1.) enctype issue. I am seeing what looks like an
aes256-cts sticky-ness AS_REP combined with an
rc4-hmac sticky-ness for TGS_REP, causing either
"kinit -k" or security context establishment to fail.
After using KTPASS.EXE to set&create a keytab with a random
password, i.e (+rndpass -crypto AES256-SHA1) "kinit -k"
can successfully acquire a TGT (etype aes256-cts)
Trying to establish a security context with itself
(using the keytab and the TGT acquired by "kinit -k")
gss_init_sec_context() receives a service ticket with the
etype "rc4-hmac" and gss_accept_sec_context() fails
because there is no rc4-hmac key in the keytab.
Now what puzzles me: I've set a random password with KTPASS.EXE
for exactly one specific etype (AES256-SHA1) and the account
has the property "Store password using reversible encryption"
*DISABLED*, so intuitively, it should be impossible for AD
to create anything else than a aes256-cts ticket to that
account/service, shouldn't it?
Probable Workaround: I can use "+randpass -crypto ALL" to
create a keytab with keys of all enctypes
It creates 5 Keytab entries with des-cbc-crc, des-cbc-md5,
rc4-hmac, aes256-cts, aes128-cts) and the two single-DES
keytabs are created even though I have des enctypes
disabled for that account in the account properties...)
With service keys for all enctypes in the keytab.
authentication may succeed for all Kerberos protocol
exchanges, no matter what goofy etypes selections
W2K8-AD might come up with in various situations,
I assume.
For interop with a considerable variety of
Kerberos peers, a keytab with as many etypes as
possible might be preferable anyway for the
final usage scenario that I have in mind.
2.) salt issue: W2K8-R2 KTPASS.EXE is probably buggy
KTPASS.EXE fails to update the salt in AD when creating a
keytab with a vanilla Kerberos Principal Name (the keytab
entries are created with the correct salt though (visible
when adding the "/dumpsalt" parameter to KTPASS.EXE)
The resulting configuration is non-functional, of course.
"kinit -k" fails.
Supplying KTPASS with an explicit salt (/rawsalt) causes
KTPASS.EXE to crash when the string is empty and causes
it to wedge in a tight loop spilling out nonsense when the
supplied salt is what it should be for that vanilla
Kerberos principal.
Workaround, call KTPASS.EXE once with a lone forward slash
character prefixed to the vanilla principal name, which
succeeds in writing the correct Salt into the AD, and
then call KTPASS.EXE again without that forward slash
in front of the vanilla Kerberos Principal name to
create a usable keytab for that Principal.
So now I'm able to use krb5-1.9.1 on linux with
an account in an W2K8-R2 and my GSSTEST succeeds local
security context establishments with itself.
I am confused by some strange gss_compare_name() failures
in 1.9.1 libgssapi_krb5.so reported by GSSTEST that I have
never seen before with any libraries. The printable and hexdump
inputs and outputs of the names for which gss_compare_name()
fails are clean. It seems to affect MN to non-MN comparisons.
So I'm going back to work now on the actual gssapi client
and server "apps" that I originally wanted to give to
colleagues in order to show them "how simple it is"
to retrofit Kerberos-SSO into a specific existing
client-server scenario. I hope that the rest is
really as simple as I light-heartedly claimed
the entire "proof-of-concept" to be... :-/
-Martin
More information about the Kerberos
mailing list