Solaris 10 & Windows 2008R2 KDC's
Anders Holm
anders.holm at ni.com
Wed Nov 14 10:26:31 EST 2012
Hi.
I am facing issues with kerberos authentication after the Windows team
here have upgraded to Win 2k8r2 AD's. There's still Win 2k3 AD's,
running KDC's as well. We're running a mix of RedHat, Oracle Enterprise
Linux (OEL) and Solaris. All Linux hosts authenticate happily against
either of the Windows Platforms. Solaris however I am facing some
problems with.
What I see is that, on both Linux and Solaris, TXT SRV records are
preferred over hard coded configuration done in krb5.conf. As such, that
means a client can hit *either* a 2k3 or 2k8 Windows KDC. To make
matters slightly more interesting, Win 2k8 KDC's have defaulted to not
use the DES encryption we have used for some time here. In itself, not a
major issue.
However, responses back from the Windows KDC's are now having the
Solaris clients running into problems.
First off, there's seemingly KDC's that simply do not like the
encryption types we have defined:
    default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
    default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
rc4-hmac is supposedly supported and available on all KDC's
(nevertheless seemingly not always used, as I'm seeing enctypes errors
and failures)
Leading to the client retrying the request with $random_kdc_for_domain
which may be the same KDC again, depending on what is returned in the
TXT SRV record as $next_KDC ..
I am facing that same headache when a Windows KDC also responds with
"hey, I have an auth response for you, but it's too big for UDP, please
change to TCP to come and grab it!" .... *sigh* I may see the client
then connecting again to $random_kdc_for_domain which might give me a
success, or might simply go "Nope, that enctype isn't supported here" ..
(Could I ask to add a feature, or change behaviour to connect to the
*same* KDC when switching to TCP, please? :) )
Yep, I know, all of the above appear to be Windows related issues.
However, those are managed by another team, and for those, if anyone
here has recommendations I would be more than happy to take those
onboard and forward on to the Windows team.
Does anyone here have a similar setup, know of one, or has any
recommendations I can look at and use when talking to the Windows team?
Yep, we are using the exact same krb5.conf on both Linux and Solaris.
Yep, distributed out via config management system. We've got Kerberos
1.6.3 and testing 1.10.3 on a couple of Solaris hosts. RedHat/OEL are
using what was supplied by the vendor. We've had zero luck in getting
the Sun supplied libraries working, at all.
I also have tcpdumps available so I can provide a lot more details if
needed, though I suspect this may have been surfaced previously and I
have simply not been able to find anything about it. :)
Thanks in advance folks!
//anders
--
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlbxq'|dc
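The two behaviours complained about above (DNS-discovered KDCs overriding the hand-written ones, and the UDP-to-TCP retry landing on a different KDC) can both be pinned down from the client side with standard MIT krb5 [libdefaults] options. The following krb5.conf is an added example written for this archive page, not the poster's configuration or anything from the MIT project; the realm name and the dc-* hostnames are placeholders. It keeps only the enctypes that both the 2003 and 2008R2 DCs in the post are said to support, drops des3-cbc-sha1, and lists rc4-hmac once (arcfour-hmac-md5 is an alias for the same enctype in MIT krb5).

```ini
# Added example (not the poster's config). Placeholder realm and hostnames.
[libdefaults]
    default_realm = EXAMPLE.COM

    # Ignore SRV/TXT DNS records for KDC and realm discovery, so the kdc =
    # lines under [realms] are the only KDCs the client will talk to.
    dns_lookup_kdc = false
    dns_lookup_realm = false

    # Any request larger than 1 byte goes over TCP first, so the client never
    # has to retry after a KRB_ERR_RESPONSE_TOO_BIG and pick another KDC.
    udp_preference_limit = 1

    # Only enctypes every KDC in the realm accepts; 2008R2 disables DES by default.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    EXAMPLE.COM = {
        # Placeholder DCs; KDCs are tried in the order listed, so put the
        # 2008R2 ones first and keep the 2003 ones as fallback.
        kdc = dc-2k8-a.example.com:88
        kdc = dc-2k8-b.example.com:88
        kdc = dc-2k3-a.example.com:88
        admin_server = dc-2k8-a.example.com
    }
```

Because the same krb5.conf is pushed to Linux and Solaris by configuration management, this keeps both platforms hitting the same, known KDC list, which makes the tcpdumps directly comparable. The enctype trimming only helps if no account still carries DES-only keys; if one does, that account will fail to authenticate against the 2008R2 DCs regardless of client settings, and the fix for it lives on the AD side.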