You probably need to specify the encryption type when you run
ktpass.exe on the Domain Controller. I didn't use the CRC encryption
but rather the MD5 encryption because I believe 2K3 does not support
CRC..

On your KTPASS.EXE command line, add the following switch: -crypto DES-CBC-=
MD5

You will also need to change your krb5.conf file and remove these entries:

default_tkt_enctypes =3D des-cbc-crc
default_tgs_enctypes =3D des-cbc-crc
permitted_enctypes =3D des-cbc-crc


I have used this article from Microsoft to integrate Unix machines
into AD for authentication. If you haven't seen it, it really is
pretty good:
http://www.microsoft.com/technet/sec...ement/idmanag=
e/default.mspx


-Sam


On 3/14/06, Ian Grant wrote:
>
> On 14 Mar 2006, at 03:15, Cribb, Jay [GovSG] wrote:
>
> > Use des-cbc-crc for ticket and keytab export (it's the type that's
> > usually the least common denominator)
> > Is this Windows 2000 or Windows 2003?

>
> Thanks. It's 2003. I seem not to be able to get the enctype to be des-
> cbc-crc for the ticket. In /etc/krb5.conf I have
>
> [libdefaults]
> default_realm =3D AD.CL.CAM.AC.UK
> clockskew =3D 300
> default_tkt_enctypes =3D des-cbc-crc
> default_tgs_enctypes =3D des-cbc-crc
> permitted_enctypes =3D des-cbc-crc
>
> The host keytab looks like this:
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
> ------------------------------------------------------------------------
> --
> 9 host/somehost.cl.cam.ac.uk@AD.CL.CAM.AC.UK (DES cbc mode with
> CRC-32)
>
> But my ticket for the host principal still ends up des-cbc-md5:
>
> Ticket cache: FILE:/tmp/krb5cc_1696
> Default principal: ig206@AD.CL.CAM.AC.UK
>
> Valid starting Expires Service principal
> 03/14/06 10:50:28 03/14/06 20:50:32 krbtgt/
> AD.CL.CAM.AC.UK@AD.CL.CAM.AC.UK
> renew until 03/15/06 10:50:28, Etype (skey, tkt): DES cbc
> mode with CRC
> 32, ArcFour with HMAC/md5
> 03/14/06 10:50:47 03/14/06 20:50:32 host/
> somehost.cl.cam.ac.uk@AD.CL.CAM.AC.UK
> renew until 03/15/06 10:50:28, Etype (skey, tkt): DES cbc
> mode with CRC
> 32, DES cbc mode with RSA-MD5
>
>