[31789] in Kerberos
Re: Odd problem with Active Directory
daemon@ATHENA.MIT.EDU (Jeffrey Watts)
Thu Dec 17 15:23:40 2009
In-Reply-To: <ldvljh2gzab.fsf@cathode-dark-space.mit.edu>
Date: Thu, 17 Dec 2009 14:22:52 -0600
Message-ID: <65631e800912171222y24a34b87ya9928ed6d139b9d4@mail.gmail.com>
From: Jeffrey Watts <jeffrey.w.watts@gmail.com>
To: Tom Yu <tlyu@mit.edu>
Cc: kerberos@mit.edu
Reply-To: watts@jayhawks.net
# klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET (DES cbc mode with CRC-32)
   2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET (DES cbc mode with RSA-MD5)
   2 host/lxmefdev02.hrblock.net@HRBINC.HRBLOCK.NET (ArcFour with HMAC/md5)
   2 host/lxmefdev02@HRBINC.HRBLOCK.NET (DES cbc mode with CRC-32)
   2 host/lxmefdev02@HRBINC.HRBLOCK.NET (DES cbc mode with RSA-MD5)
   2 host/lxmefdev02@HRBINC.HRBLOCK.NET (ArcFour with HMAC/md5)
   2 LXMEFDEV02$@HRBINC.HRBLOCK.NET (DES cbc mode with CRC-32)
   2 LXMEFDEV02$@HRBINC.HRBLOCK.NET (DES cbc mode with RSA-MD5)
   2 LXMEFDEV02$@HRBINC.HRBLOCK.NET (ArcFour with HMAC/md5)
Thanks again for any help. Looking at the other server it has the same
output for 'klist -k -e'.
Jeffrey.
On Wed, Dec 16, 2009 at 7:33 PM, Tom Yu <tlyu@mit.edu> wrote:
>
> Could you repeat this with "klist -k -e"? This will show the enctypes
> for each entry in the keytab. Do the enctype lists differ on
> different hosts?
>
> > Could you explain the single-DES issue a bit more? Is that something that
> > needs to be enabled?
>
> I believe that, starting with 2008R2, single-DES is disabled as
> "legacy" on AD Kerberos principals by default, as single-DES is no
> longer NIST-approved and no longer provides adequate security.
>
--
"He that would make his own liberty secure must guard even his enemy from
oppression; for if he violates this duty he establishes a precedent that
will reach to himself." -- Thomas Paine
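
Added example, not part of the original thread: a small Python audit of 'klist -k -e' output that flags single-DES keytab entries, the enctype Tom Yu describes as disabled by default starting with 2008R2. The host names, realm, sample listing and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Labels as klist prints them; "Triple DES ..." does not match, only single-DES.
SINGLE_DES = re.compile(r"^DES cbc mode", re.IGNORECASE)
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((.+)\)\s*$")

# Constructed sample (hypothetical host and realm), with a mail-style line wrap.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/app01.example.com@EXAMPLE.COM (DES cbc mode with
CRC-32)
   2 host/app01.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   2 host/app01.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   3 nfs/app01.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
"""

def unwrap(text):
    """Rejoin entries whose '(enctype)' label was split across lines."""
    out, pending = [], ""
    for line in text.splitlines():
        pending = f"{pending} {line.strip()}" if pending else line
        if pending.count("(") > pending.count(")"):
            continue  # enctype label still open, keep accumulating
        out.append(pending)
        pending = ""
    return out + ([pending] if pending else [])

def audit_keytab(text):
    """Return {(principal, kvno): {"des": [...], "other": [...]}}."""
    report = defaultdict(lambda: {"des": [], "other": []})
    for line in unwrap(text):
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator or prompt line
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        bucket = "des" if SINGLE_DES.match(enctype) else "other"
        report[(principal, kvno)][bucket].append(enctype)
    return dict(report)

def des_only(report):
    """Principals with no key other than single-DES (unusable once DES is off)."""
    return sorted(p for (p, _), e in report.items() if e["des"] and not e["other"])

if __name__ == "__main__":
    print("DES-only principals:", des_only(audit_keytab(SAMPLE)))
```

Piping the real output in (for example via sys.stdin.read()) instead of SAMPLE gives the same report for a live keytab.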