Establish FAST encrypted channel between linux client and windows server

Faisal Ali faisal.ali.101 at gmail.com
Fri Feb 13 01:22:46 EST 2015


It doesn't appear to be a problem of encryption types. I have tried PnCs of
encryption types and principal types. I could do kinit using keytab
successfully earlier, as well as now, but it fails when I use it as armor
cache. Expected padata in KRB5KDC_ERR_PREAUTH_REQUIRED is PA-FX-FAST(136)
from KDC, but usual padata PA-ETYPE-INFO(2) and others are returned.
--------------
Faisal Ali

On Wed Feb 11 2015 at 8:54:30 PM Wilper, Ross <rwilper at slac.stanford.edu>
wrote:

> I had not tried ktpass with a computer account before, but the procedure
> and command line outlined look ok. I would be a little wary of someone
> accidentally deleting the computer account since the password will never be
> changing and thus appear to be stale to the AD administrator.
>
> If your issue is with ktpass.exe, the author IS using an older version of
> ktpass.exe and I know that command line parameters have changed somewhat.
> Also, AD no longer supports DES enctypes by default, but ktpass assumes
> that you want to set the account for DES-only enctypes... You could try
> using "-desonly" or check the computer account for the DES only flag.
> (Grasping at straws a bit)
>
> ktpass /out testComputer.keytab /mapuser CONTOSO\Computer$ /princ host/computer.contoso.com at CONTOSO.COM /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_SRV_HST /mapop set -desonly
>
> I'll note that /crypto has allowed values {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}
> You might want to use AES instead or include more enctypes with a |
>
> -Ross
>
> -----Original Message-----
> From: Faisal Ali [mailto:faisal.ali.101 at gmail.com]
> Sent: Wednesday, February 11, 2015 4:49 AM
> To: Wilper, Ross; kerberos at mit.edu
> Subject: Re: Establish FAST encrypted channel between linux client and
> windows server
>
> http://kerberos.996246.n3.nabble.com/Creating-a-keytab-with-ktpass-under-a-Computer-account-td14074.html
>
> I followed above link to create a computer account on Windows server and
> generate keytab to be used for first kinit. It doesn't seem to work. Have I
> employed wrong procedure or was this expected?
>
> --------------
> Faisal Ali
>
>
> On Mon Feb 09 2015 at 9:20:03 PM Wilper, Ross <rwilper at slac.stanford.edu>
> wrote:
>
>
>         I would be interested to see if you can make this work. It's been
> a while since I've looked into this and did not get very far.
>
>         It sounds like you are on the right path - one of the gotchas is
> that AD does not seem to support pkinit null, which is what many Kerberos
> implementations do to create the armor. What Windows machines do is to use
> the computer account as the armor for the user account logon. This may
> actually be a requirement (that the armor be a computer account) because
> the AD KDC wants to have both involved in the logon interaction so as to
> generate computer and user claims into the resulting ticket. I hope that I
> am wrong on that.
>
>         -Ross
>
>         -----Original Message-----
>         From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu
> <mailto:kerberos-bounces at mit.edu> ] On Behalf Of Faisal Ali
>         Sent: Monday, February 9, 2015 5:55 AM
>         To: kerberos at mit.edu
>         Subject: Establish FAST encrypted channel between linux client and
> windows server
>
>         I am trying to set up a Windows server for FAST encrypted channel
> support to test OTP pre-authentication in Kerberos.
>
>         I have already tested on linux machine by deploying KDC using
> krb5-1.12.1 source code, freeradius server and using keytab of service
> principal to receive armor ccache to be used to establish FAST encrypted
> channel between client and KDC.
>
>         I have set up Windows Server 2012 for Kerberos, and added support
> for the "KDC support for claims, compound authentication and Kerberos armoring"
> policy on it. I can receive a TGT for the service principal. But, when I execute
> the command "kinit -T <armor-cache> <principal>", the KDC does not reply with
> any padata and no FAST encrypted channel is established (observed through
> the Wireshark log and Kerberos library logs).
>
>         Is it possible to establish a FAST encrypted channel between linux
> client and Windows AD? Have I missed any setting?
>         ________________________________________________
>         Kerberos mailing list           Kerberos at mit.edu
>         https://mailman.mit.edu/mailman/listinfo/kerberos <
> https://mailman.mit.edu/mailman/listinfo/kerberos>
>
>
>
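The diagnostic Faisal describes (looking at which padata types the KDC advertises in the e-data of its KRB5KDC_ERR_PREAUTH_REQUIRED reply, and checking whether PA-FX-FAST is among them) can be done offline on the bytes Wireshark shows for the KRB-ERROR e-data field. The script below is an added example, not code from the thread or from MIT Kerberos: it contains a minimal DER encoder/decoder for METHOD-DATA (SEQUENCE OF PA-DATA, per RFC 4120), builds two constructed samples (one without PA-FX-FAST, like the AD reply in the thread, and one with it), and reports whether the KDC offered FAST. The padata type numbers are the RFC 4120/6113 assignments; the sample byte strings are constructed here, not captured.

```python
"""Check whether a KDC's KRB5KDC_ERR_PREAUTH_REQUIRED e-data advertises PA-FX-FAST.

The e-data of a KRB-ERROR carries METHOD-DATA ::= SEQUENCE OF PA-DATA, where
PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }.
A FAST-capable KDC lists padata-type 136 (PA-FX-FAST, RFC 6113) there.
"""

# Padata type numbers from RFC 4120 / RFC 6113 (only the ones relevant here).
PADATA_NAMES = {
    2: "PA-ENC-TIMESTAMP",
    11: "PA-ETYPE-INFO",
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
    137: "PA-FX-ERROR",
}
PA_FX_FAST = 136


def _tlv(tag, body):
    """DER tag-length-value with short or long-form length (single-byte tags only)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _integer(n):
    """DER INTEGER for a non-negative value: minimal bytes, leading 0x00 if high bit set."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def encode_method_data(types):
    """Build METHOD-DATA listing the given padata types with empty padata-values.

    Used here only to construct sample e-data; a real KDC fills in the values.
    """
    items = b"".join(
        _tlv(0x30, _tlv(0xA1, _integer(t)) + _tlv(0xA2, _tlv(0x04, b"")))
        for t in types
    )
    return _tlv(0x30, items)


def _read_tlv(buf, pos):
    """Parse one DER element at buf[pos]; return (tag, body, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def padata_types(method_data):
    """Return the list of padata-type integers in a METHOD-DATA blob."""
    tag, seq, end = _read_tlv(method_data, 0)
    if tag != 0x30 or end != len(method_data):
        raise ValueError("e-data is not a single METHOD-DATA SEQUENCE")
    types = []
    pos = 0
    while pos < len(seq):
        tag, pa, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PA-DATA is not a SEQUENCE")
        ctag, cbody, _ = _read_tlv(pa, 0)          # [1] padata-type wrapper
        if ctag != 0xA1:
            raise ValueError("missing [1] padata-type")
        itag, ibody, _ = _read_tlv(cbody, 0)       # the INTEGER inside it
        if itag != 0x02:
            raise ValueError("padata-type is not an INTEGER")
        types.append(int.from_bytes(ibody, "big", signed=True))
    return types


def fast_diagnosis(method_data):
    """Summarise the KDC's advertised padata and whether FAST is on offer."""
    types = padata_types(method_data)
    return {
        "types": types,
        "names": [PADATA_NAMES.get(t, f"unknown({t})") for t in types],
        "offers_fast": PA_FX_FAST in types,
    }


if __name__ == "__main__":
    # Constructed samples, not captures from the thread.
    samples = {
        "reply without FAST (as in the thread)": encode_method_data([11, 19, 2]),
        "reply from a FAST-capable KDC": encode_method_data([136, 133, 19, 2]),
    }
    for label, blob in samples.items():
        d = fast_diagnosis(blob)
        print(f"{label}: {d['names']} -> offers FAST: {d['offers_fast']}")
```

To use it on a real reply, copy the e-data octet string from Wireshark's KRB-ERROR dissection as hex, `bytes.fromhex()` it, and pass it to `fast_diagnosis`; if 136 is absent, the KDC never offered armoring for that principal and the client-side armor cache is not the thing to debug.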

