[33144] in Kerberos
Re: Cross Realm Administration?
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Jan 26 10:28:12 2011
Message-ID: <4D403D83.3040407@anl.gov>
Date: Wed, 26 Jan 2011 09:28:03 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <0788a3db-2501-45fe-8da6-93b4c1068e8f@v31g2000pri.googlegroups.com>
Content-Type: text/plain; charset="windows-1252"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On 1/25/2011 3:01 PM, Jeff draht wrote:
> Doug,
> this is the issue I am having after creating a users keytab
> file;
>
> ktutil: addent -password -p xf1adm@LAB-PASSHE.LCL -k 7 -e arcfour-hmac-md5
> Password for xf1adm@LAB-PASSHE.LCL:
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    7 xf1adm@LAB-PASSHE.LCL
>
> ktutil: wkt /var/tmp/xf1adm-keytab-new-012511
> ktutil: q
>
> root@yeoman:/usr/local/bin>klist -ke /var/tmp/xf1adm-keytab-new-012511
> ---- --------------------------------------------------------------------------
>    7 xf1adm@LAB-PASSHE.LCL (ArcFour with HMAC/md5)
>
> Then;
>
> kinit -k -t /var/tmp/xf1adm-keytab-new-012511 xf1adm@LAB-PASSHE.LCL
>
> However, this function does not work; it errors;
>
> kinit -k -t /var/tmp/xf1adm-keytab-new-012511 xf1adm@LAB-PASSHE.LCL
> kinit(v5): Key table entry not found while getting initial credentials
I ran into a problem like this in 2009, on Solaris 10 client to AD 2008
involving AES256.
I think what might be going on is that kinit sends the AS-REQ message
to the KDC with a list of supported enctypes. The KDC then picks the best
enctype supported for that principal and returns the ticket.
If the client sends AES, and the KDC supports it, then an AES key will
be needed. The problem is that kinit does not look to see what enctypes
are available in the keytab. When using a password, kinit can generate
a key for any enctype from the password so this is not an issue.
The way to see if this is the case is to use Wireshark or other
network trace program on the client. You should see the KRB5 packets
and can see the AS-REQ being sent and the enctypes that are supported.
The AS-REP from the KDC will contain a ticket which is encrypted
for use by the client principal. I bet it says it is looking
for something other than ArcFour, or the kvno does not match.
Ways around this:
Look at the msDS-SupportedEncryptionTypes attribute on the
xf1adm AD account. (Look at the msDS-KeyVersionNumber too.)
See:
http://msdn.microsoft.com/en-us/library/cc223853(v=prot.13).aspx
This could be changed in AD for the client to only support ArcFour.
Or the keytab entry could have AES256. But if you are using the SAP
client later, make sure SAP can support AES256 too, as it will need
to use the krbtgt ticket to get more tickets.
>
> Thanks and I will start using the link you suggested for my
> questions...
>
> Jeff
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
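The check Doug describes, as an added example that is not part of the thread: decode the account's msDS-SupportedEncryptionTypes bitmask, list the enctypes the keytab actually holds from `klist -ke` output, and report the enctypes the KDC may pick for the AS-REP that the keytab cannot decrypt. The klist output is constructed to match the RC4-only keytab posted above; the AD value 28 (RC4 + AES128 + AES256) is assumed, as are the MIT display strings klist prints in parentheses. Everything runs offline in POSIX sh.

```shell
#!/bin/sh
# Added example, not from the thread. Offline check for the enctype
# mismatch behind "Key table entry not found": compare what AD enables
# for the account (msDS-SupportedEncryptionTypes, value assumed here)
# with what the keytab holds (parsed from `klist -ke` output).
#
# Bit values of msDS-SupportedEncryptionTypes (MS-KILE); higher bits are
# other capability flags and are ignored here:
#   1 DES-CBC-CRC  2 DES-CBC-MD5  4 RC4-HMAC  8 AES128-CTS  16 AES256-CTS

# Print the enctype names (MIT spelling) enabled by a decimal bitmask.
decode_ad_enctypes() {
    v=$(( $1 ))
    out=""
    [ $(( v & 1 ))  -ne 0 ] && out="$out des-cbc-crc"
    [ $(( v & 2 ))  -ne 0 ] && out="$out des-cbc-md5"
    [ $(( v & 4 ))  -ne 0 ] && out="$out arcfour-hmac"
    [ $(( v & 8 ))  -ne 0 ] && out="$out aes128-cts-hmac-sha1-96"
    [ $(( v & 16 )) -ne 0 ] && out="$out aes256-cts-hmac-sha1-96"
    echo "${out# }"
}

# Map the display string klist prints in parentheses to the MIT enctype name
# (display strings assumed from MIT krb5's enctype table).
enctype_canon() {
    case "$1" in
        "ArcFour with HMAC/md5")                   echo arcfour-hmac ;;
        "AES-128 CTS mode with 96-bit SHA-1 HMAC") echo aes128-cts-hmac-sha1-96 ;;
        "AES-256 CTS mode with 96-bit SHA-1 HMAC") echo aes256-cts-hmac-sha1-96 ;;
        "DES cbc mode with CRC-32")                echo des-cbc-crc ;;
        "DES cbc mode with RSA-MD5")               echo des-cbc-md5 ;;
        *)                                         echo "unknown($1)" ;;
    esac
}

# keytab_enctypes PRINCIPAL   (stdin: output of `klist -ke KEYTAB`)
# Prints the enctypes the keytab holds for PRINCIPAL, space separated.
keytab_enctypes() {
    want=$1
    found=""
    while IFS= read -r line; do
        case "$line" in
            *" $want ("*")")
                name=${line#*(}
                name=${name%)}
                found="$found $(enctype_canon "$name")"
                ;;
        esac
    done
    echo "${found# }"
}

# keytab_kvno PRINCIPAL   (stdin: klist -ke output)
# Prints the KVNO of the first keytab entry for PRINCIPAL; compare it
# with the account's msDS-KeyVersionNumber.
keytab_kvno() {
    want=$1
    while IFS= read -r line; do
        case "$line" in
            *" $want ("*) set -- $line; echo "$1"; return 0 ;;
        esac
    done
    return 1
}

# missing_keytab_enctypes BITMASK PRINCIPAL   (stdin: klist -ke output)
# Prints the enctypes enabled on the AD account but absent from the keytab.
# If the client also advertises one of these in its AS-REQ, the KDC can
# encrypt the AS-REP with it and kinit -k has no matching key.
missing_keytab_enctypes() {
    have=$(keytab_enctypes "$2")
    miss=""
    for e in $(decode_ad_enctypes "$1"); do
        case " $have " in
            *" $e "*) ;;
            *) miss="$miss $e" ;;
        esac
    done
    echo "${miss# }"
}

# Constructed sample: the RC4-only keytab from the thread as klist -ke shows it.
SAMPLE_KLIST='Keytab name: FILE:/var/tmp/xf1adm-keytab-new-012511
KVNO Principal
---- --------------------------------------------------------------------------
   7 xf1adm@LAB-PASSHE.LCL (ArcFour with HMAC/md5)'

# Assumed AD value 28 = RC4 + AES128 + AES256.
# Prints: aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
printf '%s\n' "$SAMPLE_KLIST" | missing_keytab_enctypes 28 xf1adm@LAB-PASSHE.LCL
```

On a real client, feed it the live values: read msDS-SupportedEncryptionTypes and msDS-KeyVersionNumber for the account with ldapsearch, then run `klist -ke /var/tmp/xf1adm-keytab-new-012511 | missing_keytab_enctypes "$bits" xf1adm@LAB-PASSHE.LCL`. A non-empty result means either strip those enctypes from the account in AD, or add the missing keys to the keytab with `ktutil` (`addent -password -p xf1adm@LAB-PASSHE.LCL -k 7 -e aes256-cts-hmac-sha1-96`, same kvno as the existing entry). One caveat when deriving AES keys from the password this way: ktutil uses MIT's default salt (realm followed by the principal name), which matches what AD uses for user accounts; computer accounts use a different salt, so a keytab built like this for a machine account will not match even with the right enctype and kvno.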