RE: kinit request on keytab fails using 2K3sp1 KDC - Kerberos

Thread: RE: kinit request on keytab fails using 2K3sp1 KDC

  1. RE: kinit request on keytab fails using 2K3sp1 KDC

    David,

    I have seen this problem before. It does not occur with the pre-SP1
    version of ktpass. Conclusion : If you want to create keytable files
    which have correct kvno's and which work correctly with des, then you
    must use the pre-SP1 version of ktpass.

    Thanks, Tim

    -----Original Message-----
    From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
    Behalf Of David Telfer
    Sent: 23 March 2006 17:39
    To: kerberos@mit.edu
    Subject: Re: kinit request on keytab fails using 2K3sp1 KDC

    Jeffrey Altman wrote:
    > Why do you need the kvno to be 1?

    It wasn't so much that they needed to match, more to tidy up the
    situation I had on the KDC.

    > For example, what is the enctype of the service ticket issued by the
    > KDC? Does that match the enctype of the keytab entry you are using?
    >
    > What do the following commands output?
    >
    > klist -e -k /etc/krb5.keytab
    >
    > kvno HTTP/connect.smg.plc.uk@SMG.PLC.UK
    > klist -e
    >

    This appears to be the problem: the keytab is being generated with DES
    CBC MD5, while the service principal is sending an ArcFour encrypted tgt.

    The reason this never occurred to me is that the user account has the
    'use DES encryption for this account' setting ticked. I have tried the
    following process to force the service principal to be DES;

    1 - create account
    2 - run ktpass util with -mapop set +DesOnly and -crypto DES-CBC-MD5
    options set.
    3 - view account properties and ensure that 'use DES encryption for this
    account' is checked
    4 - change password of account (with the intention of forcing the DES
    change from the ktpass step above)
    5 - re-run identical ktpass line and use this as the final keytab

    Even with these steps, the encryption type of the ServicePrincipal tgt
    stays as ArcFour.

    Unfortunately I am not the AD administrator, I have access to an admin
    member of staff who has been applying the changes for me. Due to this I
    cannot be sure of every setting their kdc controller has. Specifically
    I would be keen to find out whether there is a global setting which
    forces all user and service principals to be created as ArcFour. Has
    anyone experienced something like this, or do they know of a way to hard
    force the enc type of the service principal?

    > If the enctypes and output of those commands match, then you must
    > double check that the browser client is obtaining service tickets
    > with the name HTTP/connect.smg.plc.uk@SMG.PLC.UK and that the
    > enctype of that ticket matches the contents of the keytab entry.
    >

    I haven't got to the stage of attempting to use mod_auth_kerb yet. I am
    still trying to get past the `#./kinit -k -t /etc/krb5.keytab
    HTTP/connect.smg.plc.uk@SMG.PLC.UK` stage. I may look into the
    potential for using ArcFour for both the keytab and ServicePrincipal but
    I'm sure this will open another can of worms as well.

    Thanks,
    David




    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
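    The three commands Jeffrey asked for (`klist -e -k`, `kvno`, `klist -e`) are
    enough to pin down this kind of failure, but the comparison is easy to get
    wrong by eye: the keytab entry must match the service ticket on principal
    name, kvno and ticket enctype at the same time, and `klist -e` prints two
    enctypes per ticket (session key and ticket), of which only the second
    matters for the keytab. The script below is an added example, not code from
    the thread or from MIT Kerberos. It parses the output of those three
    commands in their MIT krb5 text format and reports every mismatch; the
    sample output embedded in it is constructed to reproduce the situation
    David describes (a DES-CBC-MD5 keytab entry while the KDC issues an ArcFour
    ticket with a newer kvno). The principal name is the one from the thread;
    the file paths, dates and default principal are made up.

    ```python
    """Cross-check a service keytab against the ticket the KDC actually issued.

    Parses the output of ``klist -e -k``, ``kvno`` and ``klist -e`` and reports
    every mismatch in principal name, key version number or encryption type.
    All sample output below is constructed for this example.
    """
    import re

    # --- constructed sample output of: klist -e -k /etc/krb5.keytab ---
    KEYTAB_LISTING = """\
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       2 HTTP/connect.smg.plc.uk@SMG.PLC.UK (DES cbc mode with RSA-MD5)
    """

    # --- constructed sample output of: kvno HTTP/connect.smg.plc.uk@SMG.PLC.UK ---
    KVNO_OUTPUT = "HTTP/connect.smg.plc.uk@SMG.PLC.UK: kvno = 3\n"

    # --- constructed sample output of: klist -e (after kinit as a user) ---
    CACHE_LISTING = """\
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: dtelfer@SMG.PLC.UK

    Valid starting     Expires            Service principal
    03/23/06 17:39:01  03/24/06 03:39:01  krbtgt/SMG.PLC.UK@SMG.PLC.UK
            Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
    03/23/06 17:39:05  03/24/06 03:39:01  HTTP/connect.smg.plc.uk@SMG.PLC.UK
            Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
    """

    KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
    KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)")
    ETYPE_LINE = re.compile(r"^\s*Etype \(skey, tkt\): (.+), (.+?)\s*$")


    def parse_keytab(text):
        """Return {principal: [(kvno, enctype), ...]} from `klist -e -k` output."""
        entries = {}
        for line in text.splitlines():
            m = KEYTAB_LINE.match(line)
            if m:
                kvno, princ, etype = int(m.group(1)), m.group(2), m.group(3)
                entries.setdefault(princ, []).append((kvno, etype))
        return entries


    def parse_kvno(text):
        """Return {principal: kvno} from `kvno` output (the KDC's current kvno)."""
        result = {}
        for line in text.splitlines():
            m = KVNO_LINE.match(line)
            if m:
                result[m.group(1)] = int(m.group(2))
        return result


    def parse_ticket_etypes(text):
        """Return {service principal: ticket enctype} from `klist -e` output.

        Only the ticket enctype (second value after 'Etype (skey, tkt):') is
        kept: that is the key the service must hold in its keytab. The session
        key enctype has nothing to do with the keytab.
        """
        result, current = {}, None
        for line in text.splitlines():
            m = ETYPE_LINE.match(line)
            if m and current:
                result[current] = m.group(2).strip()
                current = None
                continue
            parts = line.split()
            # Ticket lines: start date, start time, expiry date, expiry time, principal
            if len(parts) == 5 and "@" in parts[4]:
                current = parts[4]
        return result


    def diagnose(service, keytab, kvnos, tickets):
        """Return a list of problems; an empty list means keytab and KDC agree."""
        keys = keytab.get(service)
        if not keys:
            return ["keytab has no entry for %s" % service]
        problems = []
        kdc_kvno = kvnos.get(service)
        if kdc_kvno is not None and kdc_kvno not in {k for k, _ in keys}:
            problems.append("kvno mismatch: KDC issues kvno %d, keytab has %s"
                            % (kdc_kvno, sorted({k for k, _ in keys})))
        tkt_etype = tickets.get(service)
        if tkt_etype is None:
            problems.append("no service ticket for %s in the credential cache" % service)
        elif tkt_etype not in {e for _, e in keys}:
            problems.append("enctype mismatch: ticket is '%s', keytab has %s"
                            % (tkt_etype, sorted({e for _, e in keys})))
        return problems


    def run_sample(service="HTTP/connect.smg.plc.uk@SMG.PLC.UK"):
        return diagnose(service, parse_keytab(KEYTAB_LISTING),
                        parse_kvno(KVNO_OUTPUT), parse_ticket_etypes(CACHE_LISTING))


    if __name__ == "__main__":
        for problem in run_sample() or ["keytab and KDC are consistent"]:
            print(problem)
    ```

    On the constructed sample the script reports both a kvno mismatch (the KDC
    is at kvno 3, the keytab holds kvno 2) and an enctype mismatch (ArcFour
    ticket, DES keytab entry), which is exactly the combination that makes
    `kinit -k -t` fail. To use it on a real host, replace the three constants
    with the captured output of the corresponding commands; the parsers only
    depend on the MIT krb5 text layout shown above.
    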


  2. Re: kinit request on keytab fails using 2K3sp1 KDC

    Tim Alsop wrote:
    > David,
    >
    > I have seen this problem before. It does not occur with the pre-SP1
    > version of ktpass. Conclusion : If you want to create keytable files
    > which have correct kvno's and which work correctly with des, then you
    > must use the pre-SP1 version of ktpass.
    >
    > Thanks, Tim


    To which I once again ask, why would you use DES when you can use
    RC4?

    RC4 is a strong enctype and is the enctype that Windows wants to
    use. I seem to remember that if you want to be able to "Use DES only"
    then you must set the flag in AD and then change the password on
    the account before it will take effect.

    Jeffrey Altman
