Call for help: hostkey tab generated by ktpass doesn't work well on unit host.

Douglas E. Engert deengert at anl.gov
Fri Feb 1 10:56:42 EST 2013


Get a new version of ktpass or use something like msktutil.


http://technet.microsoft.com/en-us/library/cc753771(v=ws.10).aspx

It supports:
[/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}]

Don't use DES; it is off by default in Kerberos and AD.


On 2/1/2013 3:07 AM, shuaijie wang wrote:
> Hi all,
>
> I have these requirements:
>
> 1. I have several legacy server applications that are built on top of the MIT
> krb5 libs, and they require a keytab installed on each host.
>
> 2. I need to migrate KDC server from MIT KDC server to AD.
>
> So in order for them to work smoothly, first I use ktpass to generate a
> keytab file on the Domain Controller, then I copy this key table to the UNIX
> host, but when I test it with my legacy servers I get an error message saying
> "key table entry not found". I debugged a little, and I suspect that the key
> encryption type used in the keytab file doesn't agree with the server ticket;
> please see below:
>
> The TGT cache is as follows:
>   sjwang@wsj_vm0-168: klist -e
> Ticket cache: FILE:/tmp/krb5cc_34252
> Default principal: administrator@WSJ.ENG.PLATFORMLAB.IBM.COM
>
> Valid starting     Expires            Service principal
> 02/01/13 03:39:33  02/01/13 04:09:33  krbtgt/WSJ.ENG.PLATFORMLAB.IBM.COM@WSJ.ENG.PLATFORMLAB.IBM.COM
>          renew until 02/08/13 03:39:33, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
> 02/01/13 03:43:37  02/01/13 04:09:33  administrator@WSJ.ENG.PLATFORMLAB.IBM.COM   <==== this is the server ticket, its Etype is hmac
>          renew until 02/08/13 03:39:33, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
>
>
>
>
> The keytab on the server host is:
>
>   sjwang@wsj_vm0-170: sudo klist -ke
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 administrator@WSJ.ENG.PLATFORMLAB.IBM.COM (des-cbc-crc)   <===== Server key, Etype is des-cbc-crc
>
>
>
>
> So I suspect that it is because the Etype in the keytab is not compatible with
> the Etype of the server ticket that this key cannot be used in authentication.
>
> But since ktpass only supports des-cbc-crc and des-cbc-md5, how can I
> generate a keytab that uses hmac or other encryption types on Windows
> machines?
>
> Thanks.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
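An added example for this thread (not code from ktpass, msktutil or MIT krb5): a
small Python script that parses an MIT-format keytab (file format version 0x0502,
the one current MIT and Heimdal tools write) and checks whether it holds a key for
the principal and enctype a service ticket was issued with. That lookup is what
the legacy server does before reporting "key table entry not found", and it is
the comparison the poster made by hand between `klist -e` (ticket etype
arcfour-hmac) and `klist -ke` (keytab entry des-cbc-crc). The keytab bytes are
constructed inside the script with dummy keys, not real credentials; the realm and
principal are taken from the quoted klist output, and the enctype numbers are the
standard IANA/RFC 3961 assignments. One simplification, stated in the code: MIT
krb5 also accepts a keytab entry whose enctype is "similar" to the requested one
(the two DES variants, for instance), while this check requires an exact match.
On a real host, `klist -ke` gives the same view; the script makes the mismatch
scriptable and shows what a keytab regenerated with `ktpass /crypto AES256-SHA1`
or `RC4-HMAC-NT` has to contain.

```python
"""Parse an MIT-format keytab and check it against a service ticket's enctype.
Added example for this thread, not code from ktpass, msktutil or MIT krb5.
Assumes keytab format version 0x0502 and the standard enctype numbers below."""
import struct
import time

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}  # IANA / RFC 3961
KRB5_NT_PRINCIPAL = 1      # name type that ktpass /ptype KRB5_NT_PRINCIPAL writes


def _counted(b):
    """counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Write (principal, kvno, enctype, key) tuples as a 0x0502 keytab.
    Only used to construct input here; keys are dummies, not real credentials."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)         # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


class _Reader:
    """Cursor over one entry; refuses to read past the entry's declared size."""
    def __init__(self, data, pos, end):
        self.data, self.pos, self.end = data, pos, end

    def take(self, n):
        if self.pos + n > self.end:
            raise ValueError("truncated keytab entry")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def unpack(self, fmt):
        return struct.unpack(">" + fmt, self.take(struct.calcsize(">" + fmt)))

    def counted(self):
        return self.take(self.unpack("H")[0])


def parse_keytab(data):
    """Return [{principal, kvno, enctype, key}, ...] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab file format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                            # deleted slot: skip it
            pos -= size
            continue
        r = _Reader(data, pos, pos + size)
        ncomp = r.unpack("H")[0]
        realm = r.counted().decode()
        comps = [r.counted().decode() for _ in range(ncomp)]
        _name_type, _timestamp, kvno = r.unpack("IIB")
        enctype = r.unpack("H")[0]
        key = r.counted()
        if r.end - r.pos >= 4:                  # non-zero 32-bit kvno overrides vno8
            kvno = r.unpack("I")[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos += size
    return entries


def find_key(entries, principal, enctype, kvno=None):
    """The entry a krb5 server would use for a ticket issued to `principal`
    with `enctype` (and kvno, if given), or None: the condition behind
    "Key table entry not found".  Simplification: MIT krb5 also accepts a
    'similar' enctype (des-cbc-md5 for des-cbc-crc); this requires an exact
    match, which is what matters for DES versus RC4/AES."""
    for e in entries:
        if (e["principal"] == principal and e["enctype"] == enctype
                and (kvno is None or e["kvno"] == kvno)):
            return e
    return None


def describe(entries):
    """Lines in the style of `klist -ke`: KVNO, principal, (enctype)."""
    return ["%4d %s (%s)" % (e["kvno"], e["principal"],
                             ENCTYPE_NAMES.get(e["enctype"], e["enctype"]))
            for e in entries]


if __name__ == "__main__":
    PRINC = "administrator@WSJ.ENG.PLATFORMLAB.IBM.COM"    # from the quoted klist
    TICKET_ETYPE = 23                                      # arcfour-hmac, per klist -e
    # Constructed: the poster's DES-only keytab versus one holding RC4 and AES keys.
    des_only = build_keytab([(PRINC, 1, 1, b"\x01" * 8)])
    rc4_aes = build_keytab([(PRINC, 2, 23, b"\x02" * 16), (PRINC, 2, 18, b"\x03" * 32)])
    for label, kt in (("des-only", des_only), ("rc4+aes", rc4_aes)):
        entries = parse_keytab(kt)
        print(label, *describe(entries), sep="\n  ")
        print("  arcfour-hmac ticket decryptable:", find_key(entries, PRINC, TICKET_ETYPE) is not None)
```

Run it as-is to see the DES-only keytab fail the lookup and the RC4+AES one pass;
point `parse_keytab` at the bytes of a real `/etc/krb5.keytab` to compare what
ktpass actually wrote against the enctype `klist -e` shows for the service ticket.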

