[32390] in Kerberos
KRB5KRB_AP_ERR_MODIFIED: MIT Kerberos 1.8.1 & arcfour-hmac-md5
daemon@ATHENA.MIT.EDU (Richard E. Silverman)
Wed Jun 2 07:41:08 2010
From: "Richard E. Silverman" <res@qoxp.net>
Message-ID: <m2wruhany4.fsf@darwin.oankali.net>
Date: Wed, 02 Jun 2010 03:33:23 -0400
To: kerberos@mit.edu
After upgrading to MIT Kerberos 1.8.1, I get KRB5KRB_AP_ERR_MODIFIED while
trying to authenticate to certain devices; so far, a NetApp filer, and
Windows hosts running BitVise WinSSHD and MS SQL Server (all part of a
Windows AD realm). Clients are OpenSSH, Samba, and FreeTDS on Solaris.
The same combinations work correctly with 1.6.3. For example:
-----------------------------------------------------------------------
% kinit
Password for res@FOO.COM:
% smbclient -k //fshome1/res
session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED
did you forget to run kinit?
% klist -ef
Ticket cache: FILE:/tmp/krb5cc_11500_aicJWR9646
Default principal: res@FOO.COM
Valid starting Expires Service principal
06/02/10 03:08:15 06/02/10 13:08:16 krbtgt/FOO.COM@FOO.COM
renew until 06/03/10 03:08:15, Flags: FRIA
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
06/02/10 03:08:21 06/02/10 13:08:16 fshome1$@FOO.COM
renew until 06/03/10 03:08:15, Flags: FRA
---> Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
---------------------
# Now, put this in krb5.conf:
#
# [libdefaults]
# default_tkt_enctypes = des-cbc-md5 des-cbc-crc
% kinit
Password for res@FOO.COM:
% smbclient -k //fshome1/res
OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \> quit
% klist -ef
Ticket cache: FILE:/tmp/krb5cc_11500_aicJWR9646
Default principal: res@FOO.COM
Valid starting Expires Service principal
06/02/10 03:08:54 06/02/10 13:08:58 krbtgt/FOO.COM@FOO.COM
renew until 06/03/10 03:08:54, Flags: FRIA
Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
06/02/10 03:09:00 06/02/10 13:08:58 fshome1$@FOO.COM
renew until 06/03/10 03:08:54, Flags: FRA
---> Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
-------------------------
-----------------------------------------------------------------------
Packet capture of the CIFS traffic for the failed smbclient command shows
KRB5KRB_AP_ERR_MODIFIED returned from the server when the session key (and
hence the authenticator) use arcfour-hmac-md5. If I force it to use DES
instead, it works.
The problem is present in 1.8 as well.
Before I dive into figuring out what's gone wrong here, I'd like to know
if anyone's seen this?
Thanks,
--
Richard Silverman
res@qoxp.net
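
The comparison the two `klist -ef` listings above invite, as an added example that is not part of the original message: a small Python parser that reads both listings and reports, per service principal, whether the session-key or the ticket enctype changed between the failing and the working run. The listings are copied from the message; the function and variable names are illustrative.

```python
import re

# klist -ef listings copied from the message above; the "--->" markers are
# the poster's annotations, which the parser tolerates.
RUN_FAILING = """\
06/02/10 03:08:15 06/02/10 13:08:16 krbtgt/FOO.COM@FOO.COM
renew until 06/03/10 03:08:15, Flags: FRIA
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
06/02/10 03:08:21 06/02/10 13:08:16 fshome1$@FOO.COM
renew until 06/03/10 03:08:15, Flags: FRA
---> Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""
RUN_WORKING = """\
06/02/10 03:08:54 06/02/10 13:08:58 krbtgt/FOO.COM@FOO.COM
renew until 06/03/10 03:08:54, Flags: FRIA
Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
06/02/10 03:09:00 06/02/10 13:08:58 fshome1$@FOO.COM
renew until 06/03/10 03:08:54, Flags: FRA
---> Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
"""

# A ticket line is two "date time" pairs followed by the service principal.
TICKET = re.compile(r"^\s*\S+ \d\d:\d\d:\d\d\s+\S+ \d\d:\d\d:\d\d\s+(\S+)\s*$")
ETYPE = re.compile(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")

def parse_klist(text):
    """Map service principal -> (session-key etype, ticket etype)."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET.match(line)
        if m:
            current = m.group(1)
            continue
        m = ETYPE.search(line)
        if m and current:  # ignore an Etype line with no ticket before it
            tickets[current] = (m.group(1), m.group(2))
            current = None
    return tickets

def diff_runs(failing, working):
    """For principals in both runs, list which of skey/tkt etype differs."""
    f, w = parse_klist(failing), parse_klist(working)
    return {p: [n for n, a, b in zip(("skey", "tkt"), f[p], w[p]) if a != b]
            for p in sorted(f.keys() & w.keys())}

if __name__ == "__main__":
    for principal, changed in diff_runs(RUN_FAILING, RUN_WORKING).items():
        print(principal, "changed:", ", ".join(changed) or "nothing")
```

For both principals only the session-key enctype differs; the ticket enctype stays ArcFour with HMAC/md5 in both runs.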