[31780] in Kerberos
Re: Odd problem with Active Directory
daemon@ATHENA.MIT.EDU (Tom Yu)
Wed Dec 16 20:33:40 2009
To: watts@jayhawks.net
From: Tom Yu <tlyu@mit.edu>
Date: Wed, 16 Dec 2009 20:33:16 -0500
In-Reply-To: <65631e800912161424u5e8a7d53l22ac5b4da25b3971@mail.gmail.com>
(Jeffrey Watts's message of "Wed, 16 Dec 2009 16:24:07 -0600")
Message-ID: <ldvljh2gzab.fsf@cathode-dark-space.mit.edu>
Cc: kerberos@mit.edu
Jeffrey Watts <jeffrey.w.watts@gmail.com> writes:
> Their computer account entries are very similar. Here's the contents of the
> krb5.keytab:
> # klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET
> 2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET
> 2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET
> 2 host/lxmefdev02@HRBINC.HRBLOCK.NET
> 2 host/lxmefdev02@HRBINC.HRBLOCK.NET
> 2 host/lxmefdev02@HRBINC.HRBLOCK.NET
> 2 LXMEFDEV02$@HRBINC.HRBLOCK.NET
> 2 LXMEFDEV02$@HRBINC.HRBLOCK.NET
> 2 LXMEFDEV02$@HRBINC.HRBLOCK.NET
Could you repeat this with "klist -k -e"? This will show the enctypes
for each entry in the keytab. Do the enctype lists differ on
different hosts?
> Could you explain the single-DES issue a bit more? Is that something that
> needs to be enabled?
I believe that, starting with 2008R2, AD has single-DES disabled as
"legacy" on Kerberos principals by default, as single-DES is no
longer NIST-approved and no longer provides adequate security.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
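The check Tom asks for above (run "klist -k -e" and see whether the enctype lists differ between hosts, and whether a keytab holds nothing but single-DES keys) can be scripted. The following is an added example, not code from the thread or from MIT krb5: a POSIX shell script that parses "klist -k -e" dumps, reports the enctype set of each keytab, flags a keytab whose entries are all single-DES, and lists the enctypes one host has that another lacks. The two dumps embedded in it are constructed to resemble MIT klist output; the enctype display names ("DES cbc mode with CRC-32", "ArcFour with HMAC/md5", "AES-256 CTS mode with 96-bit SHA-1 HMAC") are assumed to match the klist of that era, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread or MIT krb5): inspect "klist -k -e"
# output for single-DES keys and compare enctype lists between two hosts.
# Enctype display names below are ASSUMED to match MIT krb5 "klist -e" of the
# period; the dumps are CONSTRUCTED samples, not real keytab contents.
LC_ALL=C; export LC_ALL

# Constructed sample: host A's keytab carries only single-DES keys.
HOST_A_DUMP='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET (DES cbc mode with CRC-32)
   2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET (DES cbc mode with RSA-MD5)
   2 LXMEFDEV02$@HRBINC.HRBLOCK.NET (DES cbc mode with CRC-32)'

# Constructed sample: host B's keytab also carries RC4 and AES keys.
HOST_B_DUMP='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/lxmefdev01.hrblock.net@HRBINC.HRBLOCK.NET (DES cbc mode with CRC-32)
   2 host/lxmefdev01.hrblock.net@HRBINC.HRBLOCK.NET (ArcFour with HMAC/md5)
   2 host/lxmefdev01.hrblock.net@HRBINC.HRBLOCK.NET (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 LXMEFDEV01$@HRBINC.HRBLOCK.NET (ArcFour with HMAC/md5)'

# Read a klist -k -e dump on stdin and print "principal<TAB>enctype" per entry.
# Entry lines start with a numeric KVNO; the enctype is the parenthesised suffix
# that "-e" adds. A dump taken without "-e" yields "(none)" as the enctype.
entries() {
    awk '$1 ~ /^[0-9]+$/ {
        line = $0
        sub(/^ *[0-9]+ +/, "", line)            # drop the KVNO column
        open = index(line, " (")
        if (open == 0) { princ = line; enc = "(none)" }
        else {
            princ = substr(line, 1, open - 1)
            enc = substr(line, open + 2)
            sub(/\)$/, "", enc)                  # strip the closing parenthesis
        }
        print princ "\t" enc
    }'
}

# Sorted, de-duplicated enctype list of the dump given as $1.
enctype_set() {
    printf '%s\n' "$1" | entries | cut -f2 | sort -u
}

# Succeed (exit 0) when every entry in dump $1 is a single-DES key, i.e. the
# host can only authenticate against a KDC that still issues DES keys.
only_single_des() {
    n=$(printf '%s\n' "$1" | entries |
        awk -F'\t' '$2 !~ /^DES cbc mode/ { n++ } END { print n + 0 }')
    [ "$n" -eq 0 ]
}

# Enctypes present in dump $2 but absent from dump $1, one per line.
missing_enctypes() {
    a=$(mktemp); b=$(mktemp)
    enctype_set "$1" > "$a"
    enctype_set "$2" > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Stand-alone demo over the constructed dumps.
printf 'host A enctypes:\n'; enctype_set "$HOST_A_DUMP"
printf 'host B enctypes:\n'; enctype_set "$HOST_B_DUMP"
printf 'enctypes host B has that host A lacks:\n'
missing_enctypes "$HOST_A_DUMP" "$HOST_B_DUMP"
if only_single_des "$HOST_A_DUMP"; then
    printf 'host A: keytab is single-DES only\n'
fi
```

To use it against real hosts, capture "klist -k -e" output on each machine, assign it to the two variables (or read the files into them), and compare; a host whose keytab is single-DES only will fail against a KDC that no longer issues DES keys, while a host that also holds RC4 or AES keys will keep working.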