[36769] in Kerberos


Re: Establish FAST encrypted channel between linux client and windows

daemon@ATHENA.MIT.EDU (Faisal Ali)
Wed Feb 11 07:49:17 2015

MIME-Version: 1.0
From: Faisal Ali <faisal.ali.101@gmail.com>
Date: Wed, 11 Feb 2015 12:49:01 +0000
Message-ID: <CAPRB651Jqa4FsJ0SBDyTQ8k=sxj-GhRfFohH7yJpv2cCOm-9zg@mail.gmail.com>
To: "Wilper, Ross" <rwilper@slac.stanford.edu>,
        "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

http://kerberos.996246.n3.nabble.com/Creating-a-keytab-with-ktpass-under-a-Computer-account-td14074.html

I followed the above link to create a computer account on the Windows server and
generate a keytab to be used for the first kinit. It doesn't seem to work. Have I
employed the wrong procedure, or was this expected?

--------------
Faisal Ali

On Mon Feb 09 2015 at 9:20:03 PM Wilper, Ross <rwilper@slac.stanford.edu>
wrote:

> I would be interested to see if you can make this work. It's been a while
> since I've looked into this and did not get very far.
>
> It sounds like you are on the right path - one of the gotchas is that AD
> does not seem to support pkinit null, which is what many Kerberos
> implementations do to create the armor. What Windows machines do is to use
> the computer account as the armor for the user account logon. This may
> actually be a requirement (that the armor be a computer account) because
> the AD KDC wants to have both involved in the logon interaction so as to
> generate computer and user claims into the resulting ticket. I hope that I
> am wrong on that.
>
> -Ross
>
> -----Original Message-----
> From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
> Behalf Of Faisal Ali
> Sent: Monday, February 9, 2015 5:55 AM
> To: kerberos@mit.edu
> Subject: Establish FAST encrypted channel between linux client and windows
> server
>
> I am trying to set up a Windows server for FAST encrypted channel support to
> test OTP pre-authentication in Kerberos.
>
> I have already tested on a Linux machine by deploying a KDC using the krb5-1.12.1
> source code and a FreeRADIUS server, and using the keytab of a service principal to
> receive an armor ccache to be used to establish the FAST encrypted channel between
> client and KDC.
>
> I have set up Windows Server 2012 for Kerberos and enabled the "KDC
> support for claims, compound authentication and Kerberos armoring" policy
> on it. I can receive a TGT for the service principal. But when I execute the
> command "kinit -T <armor-cache> <principal>", the KDC does not reply with any
> padata and no FAST encrypted channel is established (observed through the
> Wireshark log and Kerberos library logs).
>
> Is it possible to establish a FAST encrypted channel between a Linux client
> and Windows AD? Have I missed any setting?
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
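The armor-cache procedure described in the quoted message, written out as an added shell example that is not from the thread or from MIT krb5. It assumes an MIT krb5 client with KRB5_TRACE support, placeholder keytab, cache and principal names, and the MIT trace-message wording, which is an assumption to check against your krb5 version.

```shell
#!/bin/sh
# Added example: obtain an armor ccache from a keytab, run an armored kinit
# with client tracing on, and triage the trace for FAST negotiation.
# Assumed placeholder names (not from the thread):
KEYTAB=/etc/krb5.keytab
ARMOR_PRINC='host/client.example.com@EXAMPLE.COM'
USER_PRINC='user@EXAMPLE.COM'
ARMOR_CC=/tmp/armor.ccache
TRACE_LOG=/tmp/kinit-fast.trace

# Step 1: TGT for the armor principal (service or computer account) from its keytab.
get_armor_cache() {
    kinit -k -t "$KEYTAB" -c "$ARMOR_CC" "$ARMOR_PRINC"
}

# Step 2: armored AS-REQ for the user, with MIT krb5 client tracing enabled.
armored_kinit() {
    KRB5_TRACE="$TRACE_LOG" kinit -T "$ARMOR_CC" "$USER_PRINC"
}

# Triage a KRB5_TRACE log. Prints one of:
#   fast-negotiated       the KDC answered with FAST padata
#   armored-no-fast-reply client armored the request, KDC ignored it
#   no-armor              no armor ccache was used at all
# The matched strings follow MIT krb5's trace messages (assumed wording;
# compare with src/include/k5-trace.h of your release).
fast_status() {
    if grep -q 'FAST negotiated by KDC' "$1"; then
        echo fast-negotiated
    elif grep -q 'Using FAST armor ccache' "$1"; then
        echo armored-no-fast-reply
    else
        echo no-armor
    fi
}

# Constructed trace excerpts for the two outcomes discussed in the thread.
write_samples() {
    cat > /tmp/trace-ok.txt <<'EOF'
[1234] 1423655341.123456: Using FAST armor ccache: FILE:/tmp/armor.ccache
[1234] 1423655341.123457: Sending request (200 bytes) to EXAMPLE.COM
[1234] 1423655341.123458: FAST negotiated by KDC
EOF
    cat > /tmp/trace-nofast.txt <<'EOF'
[1234] 1423655341.123456: Using FAST armor ccache: FILE:/tmp/armor.ccache
[1234] 1423655341.123457: Sending request (200 bytes) to EXAMPLE.COM
[1234] 1423655341.123458: Received answer (300 bytes) from EXAMPLE.COM
EOF
}
```

Run get_armor_cache, then armored_kinit, then `fast_status "$TRACE_LOG"`; the armored-no-fast-reply result is the symptom the thread describes, where the KDC answers but never upgrades the exchange to FAST.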