[37174] in Kerberos


Re: Cannot authenticate with client keytab and AES128/256 against

daemon@ATHENA.MIT.EDU (Todd Grayson)
Wed Jul 29 14:23:30 2015

In-Reply-To: <68644224DA0DE64CA5A49838ED219A0425A98A1E@DEFTHW99EJ5MSX.ww902.siemens.net>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Wed, 29 Jul 2015 12:22:49 -0600
Message-ID: <CALNT6MVL1QUgJo+ZjsoDtGpafyW7SEN=2wp9ZZGUeq6U0_Kc1Q@mail.gmail.com>
To: "Osipov, Michael" <michael.osipov@siemens.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

Have you enabled AES Encryption for the account in AD?

http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx

This can, I believe, be achieved with group policy as well...

On Wed, Jul 29, 2015 at 5:43 AM, Osipov, Michael <michael.osipov@siemens.com> wrote:

> Hi,
>
> I have created a client keytab with ktutil:
>
> add_entry -password -p osipovmi@COMAPNY.NET -k 1 -e aes256-cts-hmac-sha1-96
> add_entry -password -p osipovmi@COMAPNY.NET -k 1 -e aes128-cts-hmac-sha1-96
> add_entry -password -p osipovmi@COMAPNY.NET -k 1 -e arcfour-hmac
>
> then trying to obtain a TGT with 'kinit -k -i' but all I get is:
> kinit: Invalid argument while getting initial credentials
>
> Turning on KRB5_TRACE and Wireshark, I see that the server is rejecting
> both AES ciphers from my client.
>
> If I reduce the keytab down to arcfour-hmac, all works fine.
>
> I am on FreeBSD 9.x, MIT Kerberos 1.13.2 from ports system and multiple
> Windows Server 2008 R2.
>
> How can I locate this issue? Any advice? KRB5_TRACE and pcap file can
> be provided privately.
>
> Regards,
>
> Michael Osipov
>
> PS: I triple-checked the password, so the issue is not with that.
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Customer Operations Engineering