[31790] in Kerberos
Re: Odd problem with Active Directory
daemon@ATHENA.MIT.EDU (Jeffrey Watts)
Thu Dec 17 15:30:42 2009
In-Reply-To: <200912170948.53947.mc@suse.de>
Date: Thu, 17 Dec 2009 14:30:21 -0600
Message-ID: <65631e800912171230m3a589a55j3555d2422de56e0d@mail.gmail.com>
From: Jeffrey Watts <jeffrey.w.watts@gmail.com>
To: Michael Calmer <mc@suse.de>
Cc: kerberos@mit.edu
Reply-To: watts@jayhawks.net
Thanks a lot Michael, that worked!
I'm still not sure why some systems would get the aes256 encrypted answer
and others not? It seems very odd. They have all the same versions of
Samba and Kerberos, and I'm having a hard time figuring out why they'd be
different.
Also, is this an ideal solution going forward? How much longer will ArcFour
be supported?
Jeffrey.
On Thu, Dec 17, 2009 at 2:48 AM, Michael Calmer <mc@suse.de> wrote:
>
> I think your problem is the aes256 enctype. Windows2008 supports this
> enctype, Windows2003 does not.
>
> The keytab is created by samba and samba only writes the two "des" and the
> "rc4-hmac" enctype into the keytab.
>
> kinit -k tells the Windows server that it supports aes256 and Windows2008
> responds with an encrypted answer using this enctype. But kinit does not find
> this key in your keytab and cannot decrypt the answer.
> This would explain the error:
>
> kinit(v5): Key table entry not found while getting initial credentials
>
> One solution would be to tell the Windows Server that your kerberos
> installation does not support aes.
>
> [libdefaults]
> ...
> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
> I hope this helps.
>
>
--
"He that would make his own liberty secure must guard even his enemy from
oppression; for if he violates this duty he establishes a precedent that
will reach to himself." -- Thomas Paine
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
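
The mismatch described in the quoted reply can be checked offline by comparing the enctypes a client offers with the enctypes present in its keytab. The following is an added example, not part of the original message or of any Kerberos or Samba code. It assumes MIT `klist -ke` output with short enctype names (older releases print descriptive names instead), an assumed default offer list for a krb5.conf that does not set default_tkt_enctypes, and a constructed principal and keytab listing.

```python
import re

# Alternate spellings MIT krb5 accepts, mapped to one canonical name.
ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac",
           "aes256-cts": "aes256-cts-hmac-sha1-96",
           "aes128-cts": "aes128-cts-hmac-sha1-96"}
# Assumption: enctypes offered when default_tkt_enctypes is not set.
ASSUMED_DEFAULT = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                   "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"]
# Constructed sample: `klist -ke` text for a keytab with no AES keys.
PRINC = "host/client.example.com@EXAMPLE.COM"
SAMPLE_KLIST = "\n".join(
    ["Keytab name: FILE:/etc/krb5.keytab", "KVNO Principal"] +
    ["   2 %s (%s)" % (PRINC, e)
     for e in ("des-cbc-crc", "des-cbc-md5", "arcfour-hmac")])
CONF_BEFORE = "[libdefaults]\n default_realm = EXAMPLE.COM\n"
CONF_AFTER = (CONF_BEFORE +
    " default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5\n")

def canon(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)

def requested_enctypes(krb5_conf):
    """Enctypes from [libdefaults] default_tkt_enctypes, else the assumed default."""
    section = None
    for line in (l.strip() for l in krb5_conf.splitlines()):
        if line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "default_tkt_enctypes":
                return [canon(e) for e in re.split(r"[\s,]+", value.strip()) if e]
    return list(ASSUMED_DEFAULT)

def keytab_enctypes(klist_output, principal):
    """Enctypes of the keytab entries listed for one principal."""
    rows = re.findall(r"^\s*\d+\s+(\S+)\s+\(([^)]+)\)", klist_output, re.M)
    return {canon(enc) for princ, enc in rows if princ == principal}

def undecryptable(krb5_conf, klist_output, principal):
    """Offered enctypes with no keytab key: a reply in one cannot be decrypted."""
    have = keytab_enctypes(klist_output, principal)
    return [e for e in requested_enctypes(krb5_conf) if e not in have]

if __name__ == "__main__":
    print("before:", undecryptable(CONF_BEFORE, SAMPLE_KLIST, PRINC))
    print("after: ", undecryptable(CONF_AFTER, SAMPLE_KLIST, PRINC))
```

An empty result means every enctype the client offers has a matching keytab key; a non-empty one lists the enctypes in which a KDC reply would fail with "Key table entry not found".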