Call for help: hostkey tab generated by ktpass doesn't work well on unit host.

Robert Wehn robert.wehn at rz.uni-augsburg.de
Fri Feb 1 08:40:07 EST 2013


Hi Shuaijie

On 01.02.2013 10:07, shuaijie wang wrote:
> So I doubt that it is because the Etype in keytab is not compatible with
> the Etype of server ticket that this key can not be used in authentication.
I think you're correct, the types don't match.
> But since ktpass only supports des-cbc-crc and des-cbc-md5, so how can I
> generate a keytab that use hmac or other encryption types on windows
> machines?
On Windows the following enctypes are possible:

Windows 2000/2003/XP:                   arcfour-hmac, des-cbc-md5, des-cbc-crc

Windows 2008 (+R2), Vista, 7, 2012, 8:  aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96,
                                        arcfour-hmac
                                        Disabled by default (unsafe): des-cbc-md5, des-cbc-crc

des3-hmac-sha1 is never supported on Windows.

Older Unix Kerberos versions usually support:   des3-hmac-sha1, des-cbc-md5, des-cbc-crc

Current Unix Kerberos versions usually support: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96,
                                                arcfour-hmac, des3-hmac-sha1
                                                Disabled by default (unsafe): des-cbc-md5, des-cbc-crc

As you see:
The combination that works depends on the oldest version of Windows/Unix
that is used:

Old UNIX Krb with old Windows KDC/clients:
-> des-cbc-md5 is the best that works everywhere and has to be allowed
on newer Windows/Unix machines and the KDC

New UNIX Krb and some old Windows machines (KDC or clients):
-> arcfour-hmac is the best that works everywhere and must be allowed on
the Unix machines

In your case:
Old Unix services (using old MIT libraries) used with new Windows
machines (clients and KDC):
-> des-cbc-md5 or des-cbc-crc has to be allowed on all Windows machines
(KDC and clients) as fall-back.

This can be done in GPOs for the 2008 R2 KDC (e.g. Default Domain
Controller Policy)
and the clients that want to use the Kerberized services (e.g. Default
Domain Policy).

Then it should be possible to use the old application in a Windows
Kerberos environment.

Robert Wehn.

-- 

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
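The mismatch described in the reply above can be confirmed on the Unix side, before any GPO is touched, by reading the enctypes out of the keytab itself. The following Python script is an added example, not part of this thread and not MIT Kerberos code: it parses the MIT 0x0502 keytab format that ktpass writes, lists each entry's enctype, and compares them with the enctypes a given KDC/client set permits. The principal, realm, dummy key bytes and the WIN2008_DEFAULT set are constructed assumptions.

```python
import struct
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",  # RFC 3961 numbers
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _strings(buf, off, n):  # read n big-endian 16-bit length-prefixed octet strings
    out = []
    for _ in range(n):
        (ln,) = struct.unpack_from(">H", buf, off)
        out.append(buf[off + 2:off + 2 + ln])
        off += 2 + ln
    return out, off
def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + abs(size)
        if size < 0:                      # negative size marks a deleted slot
            off = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, off)
        (realm,), p = _strings(data, off + 2, 1)
        comps, p = _strings(data, p, ncomp)
        p += 8                            # name type (u32) + timestamp (u32)
        vno8, enctype, klen = struct.unpack_from(">BHH", data, p)
        p += 5 + klen                     # step over the key material itself
        # an optional trailing 32-bit kvno overrides the 8-bit one when nonzero
        kvno = (struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0) or vno8
        entries.append((b"/".join(comps).decode() + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries
def split_by_permitted(entries, permitted):  # -> (usable names, rejected names)
    found = {ENCTYPE_NAMES.get(e, "enctype%d" % e) for _, _, e in entries}
    return sorted(found & permitted), sorted(found - permitted)
def build_entry(principal, kvno, enctype, key):  # one 0x0502 entry; dummy key only
    name, realm = principal.split("@")
    cs = lambda b: struct.pack(">H", len(b)) + b
    comps = [cs(c.encode()) for c in name.split("/")]
    body = struct.pack(">H", len(comps)) + cs(realm.encode()) + b"".join(comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: a DES-only keytab as ktpass writes it, checked against the
# Windows 2008 R2 default enctypes named in the mail (DES disabled by default).
SAMPLE_PRINCIPAL = "host/unit.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry(SAMPLE_PRINCIPAL, 2, 3, b"\x01" * 8)
                 + build_entry(SAMPLE_PRINCIPAL, 2, 1, b"\x01" * 8))
WIN2008_DEFAULT = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "arcfour-hmac"}
```

Running split_by_permitted(parse_keytab(SAMPLE_KEYTAB), WIN2008_DEFAULT) yields no usable enctype and both DES types rejected; adding des-cbc-md5 and des-cbc-crc to the permitted set, as the GPO change does, makes them usable.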
