[37176] in Kerberos


Re: Cannot authenticate with client keytab and AES128/256 against

daemon@ATHENA.MIT.EDU (Osipov, Michael)
Wed Jul 29 16:54:42 2015

From: "Osipov, Michael" <michael.osipov@siemens.com>
To: Greg Hudson <ghudson@mit.edu>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Wed, 29 Jul 2015 20:54:24 +0000
Message-ID: <68644224DA0DE64CA5A49838ED219A0425A98BF1@DEFTHW99EJ5MSX.ww902.siemens.net>
Content-Language: de-DE
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

> On 07/29/2015 07:43 AM, Osipov, Michael wrote:
> > add_entry -password -p osipovmi@COMAPNY.NET -k 1 -e
> > aes256-cts-hmac-sha1-96 add_entry -password -p osipovmi@COMAPNY.NET -k
> > 1 -e aes128-cts-hmac-sha1-96 add_entry -password -p
> > osipovmi@COMAPNY.NET -k 1 -e arcfour-hmac
> [...]
> > kinit: Invalid argument while getting initial credentials
> 
> Your primary problem here has to do with salts.  From the trace logs you provided
> me, the salt string for this principal was constructed using the principal name
> michael.osipov@COMAPNY.NET (not the actual realm name), not
> osipovmi@COMAPNY.NET.  ktutil unfortunately has no way to specify the salt
> string or to retrieve it from the KDC; it can only use the default salt for the principal
> name when adding a keytab entry using a password.  The RC4 enctype does not
> use the salt, so you don't encounter this problem when using only an RC4 key.

I am afraid you are right. Surprisingly, I read MS-KILE, chapter "3.1.1.2 Cryptographic Material",
and it does build the salt just like MIT Kerberos does. I currently see no reason why this happens
to my account.

I need to mention that we have a company-wide UPN suffix and every employee has an
enterprise principal in the form of <firstname>.<lastname>@company.com (same as email
address).

Moreover, I will try a few other accounts and will give you notice.

Unfortunately, I have no idea how Windows obtains the "custom" salt to derive the password
but would it be feasible to modify ktutil to receive a custom salt?

> I believe that people generally have better luck with msktutil for creating keytabs
> for use with Active Directory; it may solve this problem.

I will try that as soon as I get it compiled on FreeBSD. The port does not compile.
I was able to compile it with code modifications, but unfortunately this tool does not do
the same as ktutil. I cannot simply create a keytab for a user account. It constantly tries
to manipulate the machine account or create a computer/service account.


> The secondary problem is that you are getting the error message "Invalid
> argument" instead of something more accurate, like "Password incorrect"
> or "Preauthentication failed."  I don't know the exact cause of this problem yet,
> though I believe it has to do with our PKINIT code.

I guess this can be improved, can't it?

Michael

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
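The salt problem Greg describes above can be reproduced without a KDC. The following Python is an added example and is not code from the thread or from MIT Kerberos: it builds the MIT/RFC 4120 default salt (realm followed by the principal name components, no separators), runs the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key function over it, and shows that the same password with the two salts from the thread yields different derived material. The password and the "KDC" salt in the demo are constructed for illustration; the RFC 3962 DK() step that turns the PBKDF2 output into the final AES key is omitted, so the bytes compared here are the intermediate key, which is enough to show the mismatch. A real kinit gets the salt from the KDC's ETYPE-INFO2 preauth data, which is exactly what ktutil cannot do.

```python
"""RFC 3962 salt handling for the AES Kerberos enctypes (added example, not MIT code)."""
import hashlib

RFC3962_DEFAULT_ITERATIONS = 4096  # RFC 3962 default when no s2kparams are supplied
KEY_LENGTH = {"aes128-cts-hmac-sha1-96": 16, "aes256-cts-hmac-sha1-96": 32}


def default_salt(principal: str) -> str:
    """MIT/RFC 4120 default salt: realm, then the name components concatenated.

    Assumes an unescaped principal string (no backslash-escaped '/' or '@').
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm or not name:
        raise ValueError(f"principal needs name@REALM: {principal!r}")
    return realm + "".join(name.split("/"))


def pbkdf2_step(password: str, salt: str, enctype: str,
                iterations: int = RFC3962_DEFAULT_ITERATIONS) -> bytes:
    """First stage of RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the UTF-8
    password and salt, producing a key-length 'tkey'. The final AES key is
    DK(tkey, "kerberos"), an AES-CBC based derivation that is omitted here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations,
                               KEY_LENGTH[enctype])


def rfc3962_vector_ok() -> bool:
    """Self-check against the RFC 3962 Appendix B vector (iteration count 1)."""
    out = pbkdf2_step("password", "ATHENA.MIT.EDUraeburn",
                      "aes128-cts-hmac-sha1-96", iterations=1)
    return out.hex() == "cdedb5281bb2f801565a1122b2563515"


def salt_mismatch_demo(password: str = "constructed-demo-password") -> dict:
    """Constructed scenario from the thread.

    ktutil can only use the default salt for the principal you give it
    (osipovmi@COMAPNY.NET), while the KDC derived the stored key from a salt
    built from michael.osipov@COMAPNY.NET. Same password, different salt,
    different key; supplying the KDC's salt explicitly would fix it.
    """
    enctype = "aes256-cts-hmac-sha1-96"
    ktutil_salt = default_salt("osipovmi@COMAPNY.NET")
    kdc_salt = default_salt("michael.osipov@COMAPNY.NET")   # what the KDC used
    kdc_tkey = pbkdf2_step(password, kdc_salt, enctype)        # reference material
    return {
        "ktutil_salt": ktutil_salt,
        "kdc_salt": kdc_salt,
        "default_salt_matches_kdc": pbkdf2_step(password, ktutil_salt, enctype) == kdc_tkey,
        "explicit_salt_matches_kdc": pbkdf2_step(password, kdc_salt, enctype) == kdc_tkey,
    }


if __name__ == "__main__":
    print("RFC 3962 vector ok:", rfc3962_vector_ok())
    for k, v in salt_mismatch_demo().items():
        print(f"{k}: {v}")
```

Note that the RC4 enctype derives its key from the password alone (no salt), which is why the arcfour-hmac entry in the original ktutil script worked while the AES entries did not; when diagnosing a keytab that fails only for AES enctypes, comparing the salt ktutil assumed with the salt the KDC reports in ETYPE-INFO2 (visible in a KRB5_TRACE log) is the first check to make.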
