need help -- kinit (1.9.1) fails to process keytab
Douglas E. Engert
deengert at anl.gov
Thu Jun 30 09:59:46 EDT 2011
On 6/29/2011 10:42 PM, Rex, Martin wrote:
> Creating a keytab for a Microsoft AD account that is comprehensible
> to MIT Kerberos (e.g. kinit -k) appears to require heavy wizardry.
>
> I've tried everything I can reasonably think of, but kinit -k
> always fails with the non-sensical error message
> "kinit: Key table entry not found while getting initial credentials"
>
> strace says that kinit is reading the correct file, and the
> keytab definitely contains keys for the specified principal.
> (klist -ke sees the content, wether I use ktutil to create
> the keytab or Microsoft's KTPASS.EXE has no visible impact)
>
> So if anything, kinit might tell me that it received something
> encrypted with kvno "a" but only found kvnos "b", "c", "d" and "e"
> for the specified principal in the specified keytab -- but the error
> message it currently prints when providing the full principal
> name on the command line just doesn't seem to make sense.
>
>
> I've created user account "TestService at FOO.CORP" in an W2K8 AD
> and "kinit TestService at FOO.CORP" works fine. Shouldn't kinit
> be in the perfect position, after having just successfully obtained
> a TGT for that user, to write out a perfect keytab that will
> work with "kinit -k" -- or otherwise tell me all necessary details
> about what I will have to type into tools like ktutil or what to
> supply to Microsoft's KTPASS.EXE in order to achieve with "kinit -k"
> what kinit without -k just succeeded doing?
We had seen similar problems with accounts like this. The
kinit/libkrb5 via the AS-REQ tell the KDC it can do all the enctypes,
listed in krb5.conf. The KDC then returns a AS-REP using AES-256. But
the keytab has only arcfour (or maybe only DES!), so no matching keytab
entry is found.
klist -k -e
should show what is in the keytab.
So One of these is needed:
(1) Create a keytab with all the enctypes of the AES-256, AES-128,
arcfour, or at least, the strongest one.
(2) Set the account attribute for the msds-supportedEncryptionTypes
http://msdn.microsoft.com/en-us/library/cc223853(v=prot.10).aspx
to match what is in the keytab.
(3) Modify the kinit code looks at the enctypes available in the
keytab, and use this in the AS-REQ.
We use msktutil to create keytabs and add/update accounts like this
in AD:
http://fuhm.net/software/msktutil/
Other tools from Samba are also available.
(And of course set the password to not expire for the account.)
A related issue is Java does not support AES-256 by default.
Google for: java Unlimited Strength Jusifdiction Policy Files
to find the jar to allow AES-256. or do (2) or (3) above.
>
>
> In case that anyone happens to know the exact sequence of commands
> and their command line parameters that I would have to type in order
> to obtain a working keytab for an ActiveDirectory 2008R2 account
> that will be usable with MIT Kerberos 1.9.1, I would be glad to know.
>
> If I ever manage to get a working configuration (keytab),
> the clients that should ultimately should be able to connect
> to the service are WinXP,2003,Vista and Win7, so it should probably
> be using an arcfour-hmac enctype, I assume.
>
> (I will NOT need hostbased service names, in case you're wondering,
> and I did already call "SETSPN dont/care FOO.CORP\TestService" to
> allow 1-/2-Token authentications with the TestService account
> for a post-2000 ActiveDirectory).
>
> -Martin
>
>
> PS: my windows administrative expertise is limited.
> I have setspn.exe, ktpass.exe within reach and know how to
> run the MMC snap-in "Active Directory - Users and Computers",
> but know nothing else about AD and LDAP...
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list