Solaris 10 & Windows 2008R2 KDC's

Anders Holm anders.holm at ni.com
Wed Nov 14 10:26:31 EST 2012


Hi.

I am facing issues with kerberos authentication after the Windows team 
here have upgraded to Win 2k8r2 AD's. There's still Win 2k3 AD's, 
running KDC's as well. We're running a mix of RedHat, Oracle Enterprise 
Linux (OEL) and Solaris. All Linux hosts authenticate happily against 
either of the Windows Platforms. Solaris however I am facing some 
problems with.

What I see is that, on both Linux and Solaris, TXT SRV records are 
preferred over hard coded configuration done in krb5.conf. As such, that 
means a client can hit *either* a 2k3 or 2k8 Windows KDC. To make 
matters slightly more interesting, Win 2k8 KDC's have defaulted to not 
use the DES encryption we have used for some time here. In itself, not a 
major issue.

However, responses back from the Windows KDC's are now having the 
Solaris clients running into problems.

First off, there's seemingly KDC's that simply do not like the 
encryption types we have defined:

default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 
aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 
aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5

rc4-hmac is supposedly supported and available on all KDC's 
(nevertheless seemingly not always used, as I'm seeing enctypes errors 
and failures)

Leading to the client retrying the request with $random_kdc_for_domain 
which may be the same KDC again, depending on what is returned in the 
TXT SRV record as $next_KDC ..

I am facing that same headache when a Windows KDC also responds with 
"hey, I have an auth response for you, but it's too big for UDP, please 
change to TCP to come and grab it!" .... *sigh* I may see the client 
then conneting again to $random_kdc_for_domain which might give me a 
success, or might simply go "Nope, that enctype isn't supported here" .. 
(Could I ask to add a feature, or change behaviour to connect to the 
*same* KDC when switching to TCP, please? :) )

Yep, I know, all of the above appear to be Windows related issues. 
However, those are managed by another team, and for those, if anyone 
here has recommendations I would be more than happy to take those 
onboard and forward on to the Windows team.

Does anyone here have a similar setup, know of one, or has any 
recommendations I can look at and use when talking to the Windows team? 
Yep, we are using the exact same krb5.conf on both Linux and Solaris. 
Yep, distributed out via config management system. We've got Kerberos 
1.6.3 and testing 1.10.3 on a couple of Solaris hosts. RedHat/OEL are 
using what was supplied by the vendor. We've had zero luck in getting 
the Sun supplied libraries working, at all.

I also have tcpdumps available so I can provide a lot more details if 
needed, though I suspect this may have been surfaced previously and I 
have simply not been able to find anything about it. :)

Thanks in advance folks!

//anders

-- 
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlbxq'|dc



More information about the Kerberos mailing list