Windows 2008R2 USER/root preauthentication failure
David Thompson
dthompson at waisman.wisc.edu
Fri Sep 27 14:51:25 EDT 2013
On 9/26/13 3:55 PM, David Thompson wrote:
>
> I have a working kerberos environment, with Windows 2008R2 acting as
> KDC, serving a mix of OS X and Linux (think RHEL 6) clients.
>
> I am trying to add ksu ability, with principals of the form USER/root,
> and cannot authenticate those principals.
Just to follow up on reply I received off-list: It turns out that if I
reset the password on the primary account (dt) using the normal AD tools
(AD Users and Computers), I can then kinit to the alternate instance
(dt/root) using the password I set for the primary account. Also,
preauth works, and the enctype selected for the successful kinit is
aes256-cts-hmac-sha1-96, which means that the salting is working fine at
that point.
However, this is little consolation, as the whole point is to
distinguish between the two principals, and forcing the same password
defeats most of the benefit. If I get really desperate, I could hack
something by attaching the /root instance to a secondary AD account, but
at this point it doesn't seem worth it.
Apparently, however ktpass sets the key for the alternate principal, it is
not doing enough to make the principal usable to standard krb5 clients.
Again, thanks to all who replied.
--
David Thompson
Waisman Center Brain Imaging and Behavior Lab
1500 Highland Ave. Room T133
Madison, WI 53705-2280
(608) 265-6608
dthompson (at) waisman (dot) wisc (dot) edu
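The post above attributes the preauth failure to how ktpass sets the key for the alternate principal, and notes that once kinit succeeds with aes256-cts-hmac-sha1-96 the salting must be right. The following is an added illustration of why the salt matters, not code from the original post or from MIT Kerberos: it implements the PBKDF2 stage of the RFC 3962 string-to-key function and the RFC 3961 default salt (realm followed by the principal's name components, no separators) to show that dt and dt/root derive different keys from the same password, and that a salt disagreement between client and KDC is enough to make preauthentication fail with a correct password. The realm EXAMPLE.COM and the password are constructed; Active Directory's own salt convention for an account is not stated on the page and is not modelled here.

```python
import hashlib

# RFC 3962: aes256-cts-hmac-sha1-96 string-to-key begins with
# PBKDF2-HMAC-SHA1(passphrase, salt, iteration_count, 32) and uses
# 4096 iterations when the KDC supplies no s2kparams.
DEFAULT_ITERATIONS = 4096
AES256_KEY_LEN = 32


def default_salt(principal: str) -> str:
    """RFC 3961 default salt: the realm followed by the principal's name
    components concatenated with no separators.  A client that gets no
    salt from the KDC falls back to this."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def pbkdf2_stage(password: str, salt: str,
                 iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """The PBKDF2 stage of RFC 3962 string-to-key.  The final
    DK(tkey, "kerberos") step needs AES and is left out here, because any
    change in the salt already changes tkey, and therefore the long-term
    key the client will present in preauthentication."""
    return hashlib.pbkdf2_hmac(
        "sha1",
        password.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        AES256_KEY_LEN,
    )


def preauth_keys_agree(password: str, client_salt: str,
                       server_salt: str) -> bool:
    """True when client and KDC derive the same key from the same password,
    which happens only when their salts agree.  A mismatch is what surfaces
    as a preauthentication failure even though the password is right."""
    return pbkdf2_stage(password, client_salt) == pbkdf2_stage(password, server_salt)


if __name__ == "__main__":
    # Constructed values: this realm and password exist only in this example.
    realm = "EXAMPLE.COM"
    password = "correct horse battery staple"
    primary = f"dt@{realm}"
    alternate = f"dt/root@{realm}"
    print("salt for", primary, "=", default_salt(primary))
    print("salt for", alternate, "=", default_salt(alternate))
    # Same password, different instance: the salts differ, so the keys differ.
    print("same key across instances:",
          preauth_keys_agree(password, default_salt(primary), default_salt(alternate)))
    # Client and KDC using the same salt for dt/root derive the same key.
    print("client/server agree:",
          preauth_keys_agree(password, default_salt(alternate), default_salt(alternate)))
```

If the KDC stored dt/root's key under one salt (for example the primary account's) while the client derives it under the default salt for dt/root, preauth_keys_agree returns False and kinit reports a preauthentication failure; resetting the password so both sides derive from the same salt is the case in which it returns True.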