[31786] in Kerberos
Re: Odd problem with Active Directory
daemon@ATHENA.MIT.EDU (Michael Calmer)
Thu Dec 17 03:49:28 2009
From: Michael Calmer <mc@suse.de>
To: kerberos@mit.edu, watts@jayhawks.net
Date: Thu, 17 Dec 2009 09:48:53 +0100
In-Reply-To: <65631e800912161356m1a0a51c6h51974d89d5e33925@mail.gmail.com>
MIME-Version: 1.0
Message-Id: <200912170948.53947.mc@suse.de>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Hi,
On Wednesday, 16 December 2009 22:56:30, Jeffrey Watts wrote:
> Reaching out again hoping that someone might have an idea as to what my
> problem is.
>
> Thanks,
> Jeffrey.
>
> On Fri, Dec 11, 2009 at 10:43 AM, Jeffrey Watts
> <jeffrey.w.watts@gmail.com>wrote:
[...]
> > When I initially migrated the systems I used 'net ads join' to create a
> > machine account, and then I run 'kinit -k MACHINENAME$ -c /etc/.ldapcache'
> > in a cronjob to keep a fresh ticket.
> >
> > I have all systems pointing to those three KDCs, in the same order:
> > kdc1
> > kdc2
> > kdc3
> >
> > They were all running Windows2003 (not R2, but using the Windows2008R2
> > schema). Two weeks ago, kdc1 was upgraded to Windows2008R2. Suddenly
> > five of my Linux boxes (out of 109) stopped being able to check out
> > tickets from that particular Windows2008R2 server. This includes RHEL4
> > and 5 systems.
> > They are located in different networks, and identically configured systems
> > do work (for example, devserver1 will work, but devserver2 will not). The
> > keytab still works with the Windows2003 servers. The remaining 104
> > systems work fine with no issues.
I think your problem is the aes256 enctype. Windows2008 supports this enctype,
Windows2003 does not.
The keytab is created by samba, and samba only writes the two "des" and the
"rc4-hmac" enctypes into the keytab.
kinit -k tells the Windows server that it supports aes256, and Windows2008
responds with an encrypted answer using this enctype. But kinit does not find
this key in your keytab and cannot decrypt the answer.
This would explain the error:
kinit(v5): Key table entry not found while getting initial credentials
One solution would be to tell the Windows Server that your kerberos
installation does not support aes.
[libdefaults]
...
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
I hope this helps.
--
Kind regards
Michael Calmer
--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575 - e-mail: Michael.Calmer@suse.com
--------------------------------------------------------------------------
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
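An added example, not part of Michael Calmer's reply and not samba or MIT krb5 code: the diagnosis above is that `kinit -k` offers aes256 while the samba-written keytab only holds des and rc4-hmac keys, so the Windows2008R2 KDC can pick an enctype the client cannot decrypt. The script below parses `klist -kte` output (the sample output, principal name and realm are constructed), compares the keytab's enctypes with the list the client offers (the `DEFAULT_OFFERED` list is an assumption about an MIT krb5 client of that era with `default_tkt_enctypes` unset) and reports which offered enctypes have no matching keytab key, together with the restricted `default_tkt_enctypes` value that the reply suggests.

```python
"""Check whether a keytab has a key for every enctype the client offers.

Added example, not from the mailing-list post or from samba/MIT krb5.
Parses `klist -kte` output and flags enctypes the client offers but the
keytab cannot decrypt (the cause of "Key table entry not found").
"""
import re

# Constructed sample of `klist -kte` output for a samba-joined machine
# account: des-cbc-crc, des-cbc-md5 and arcfour-hmac-md5 keys only.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 12/11/09 10:43:00 DEVSERVER2$@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 12/11/09 10:43:00 DEVSERVER2$@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   3 12/11/09 10:43:00 DEVSERVER2$@EXAMPLE.COM (ArcFour with HMAC/md5)
"""

# Display names printed by MIT klist, mapped to krb5.conf enctype names.
KLIST_NAME_TO_ENCTYPE = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "arcfour-hmac-md5",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
}

# Assumption for the example: the preference-ordered enctype list an MIT
# krb5 client of 2009 offers in the AS-REQ when default_tkt_enctypes is
# unset. Check `klist -e` and your krb5 version for the real list.
DEFAULT_OFFERED = [
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "des3-cbc-sha1",
    "arcfour-hmac-md5",
    "des-cbc-crc",
    "des-cbc-md5",
    "des-cbc-md4",
]

# One keytab entry line: KVNO, date, time, principal, "(enctype display name)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")


def parse_klist(output):
    """Return {principal: {enctype, ...}} from `klist -kte` output."""
    keys = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        _kvno, principal, display = m.groups()
        enctype = KLIST_NAME_TO_ENCTYPE.get(display, display)
        keys.setdefault(principal, set()).add(enctype)
    return keys


def undecryptable_offers(offered, keytab_enctypes):
    """Enctypes the client offers that no key in the keytab can decrypt.

    If the KDC supports one of these (Windows2008R2 and AES), it may choose
    it for the AS-REP and `kinit -k` then fails with
    'Key table entry not found while getting initial credentials'.
    """
    return [e for e in offered if e not in keytab_enctypes]


def restricted_enctype_line(offered, keytab_enctypes):
    """default_tkt_enctypes value limited to what the keytab can decrypt,
    keeping the client's preference order."""
    return " ".join(e for e in offered if e in keytab_enctypes)


if __name__ == "__main__":
    for principal, enctypes in parse_klist(SAMPLE_KLIST_OUTPUT).items():
        missing = undecryptable_offers(DEFAULT_OFFERED, enctypes)
        print(f"{principal}: keytab enctypes {sorted(enctypes)}")
        print(f"  offered but not in keytab: {missing}")
        print("  suggested [libdefaults] default_tkt_enctypes = "
              + restricted_enctype_line(DEFAULT_OFFERED, enctypes))
```

Run it against the real output with `klist -kte | python3 check_keytab.py` after replacing the sample string with `sys.stdin.read()`. Pinning the client to RC4 and DES is a downgrade: the DES enctypes are weak and are disabled by default in current MIT krb5 (`allow_weak_crypto = false`), so the longer-term fix is to rejoin or regenerate the keytab so that it carries AES keys rather than to keep the restriction in place.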