| Date: | Thu, 29 Apr 2004 18:28:22 -0500 |
| From: | "Lantzer, Ryan" <lantzer@umr.edu> |
| To: | <krb5-bugs@mit.edu> |
| Subject: | Problems with ms2mit.exe and aklog.exe with KFW 2.6.1 and OpenAFS |
The ms2mit.exe package included with KFW 2.6.1 loads a TGT into the MIT
credentials cache that has an encryption type of arcfour-hmac, after
logging into a Windows XP system joined to a Windows 2000 native mode
domain. The aklog.exe included with KFW 2.6.1 does not seem to be able
to use a TGT with this encryption type. I noticed in the ms2mit.exe
source code that the code was changed to use the TGT from the Microsoft
credentials cache if the encryption type was a supported type, and that
arcfour-hmac was listed as a supported type. If aklog.exe cannot be used
with an arcfour-hmac encryption type, then perhaps the ms2mit.exe code
should check the krb5.ini file for requested encryption types and
attempt to acquire a TGT with a requested encryption type if one isn't
returned from the Microsoft credentials cache.
I am able to use leash32.exe from KFW 2.6.1 to get AFS tokens, but it
does not work when I try to use ms2mit.exe and aklog.exe from KFW 2.6.1.
The following is an edited log of my attempt to use aklog.exe with
ms2mit.exe from KFW 2.6.1:
C:\>ms2mit
C:\>klist -e
Ticket cache: API:krb5cc
Default principal: userid@REALM
Valid starting Expires Service principal
04/29/04 17:58:02 05/29/04 17:58:02 krbtgt/REALM@REALM
renew until 05/29/04 17:58:02, Etype (skey, tkt): ArcFour with
HMAC/md5,
ArcFour with HMAC/md5
Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)
C:\>aklog -d
Authenticating to cell CELL.
Getting v5 tickets: afs/CELL@REALM
Kerberos error code returned by get_cred: -1765328184
aklog: Couldn't get umr.edu AFS tickets:
C:\>
-1765328184: Invalid KDC option combination (library internal error)
I also have problems when trying to use kinit.exe and aklog.exe from KFW
2.6.1. I did not have this problem with KFW 2.6-beta9.
The following is an edited log of my attempt to use aklog.exe with
kinit.exe from KFW 2.6.1:
C:\>kinit -5
Password for userid@REALM:
C:\>klist -e
Ticket cache: API:krb5cc
Default principal: userid@REALM
Valid starting Expires Service principal
04/29/04 18:21:57 04/30/04 04:21:57 krbtgt/REALM@REALM
Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with
CRC-32
Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)
C:\>aklog -d
Authenticating to cell umr.edu.
Getting v5 tickets: afs/CELL@REALM
Set username to userid
Getting tokens.
aklog: unable to obtain tokens for cell CELL (status: 11862786).
C:\>
KTC_INVAL 11862786 /* an invalid argument was passed in */
Ryan Lantzer
credentials cache that has an encryption type of arcfour-hmac, after
logging into a Windows XP system joined to a Windows 2000 native mode
domain. The aklog.exe included with KFW 2.6.1 does not seem to be able
to use a TGT with this encryption type. I noticed in the ms2mit.exe
source code that the code was changed to use the TGT from the Microsoft
credentials cache if the encryption type was a supported type, and that
arcfour-hmac was listed as a supported type. If aklog.exe cannot be used
with an arcfour-hmac encryption type, then perhaps the ms2mit.exe code
should check the krb5.ini file for requested encryption types and
attempt to acquire a TGT with a requested encryption type if one isn't
returned from the Microsoft credentials cache.
I am able to use leash32.exe from KFW 2.6.1 to get AFS tokens, but it
does not work when I try to use ms2mit.exe and aklog.exe from KFW 2.6.1.
The following is an edited log of my attempt to use aklog.exe with
ms2mit.exe from KFW 2.6.1:
C:\>ms2mit
C:\>klist -e
Ticket cache: API:krb5cc
Default principal: userid@REALM
Valid starting Expires Service principal
04/29/04 17:58:02 05/29/04 17:58:02 krbtgt/REALM@REALM
renew until 05/29/04 17:58:02, Etype (skey, tkt): ArcFour with
HMAC/md5,
ArcFour with HMAC/md5
Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)
C:\>aklog -d
Authenticating to cell CELL.
Getting v5 tickets: afs/CELL@REALM
Kerberos error code returned by get_cred: -1765328184
aklog: Couldn't get umr.edu AFS tickets:
C:\>
Show quoted text
>From a web search:
-1765328184: Invalid KDC option combination (library internal error)
I also have problems when trying to use kinit.exe and aklog.exe from KFW
2.6.1. I did not have this problem with KFW 2.6-beta9.
The following is an edited log of my attempt to use aklog.exe with
kinit.exe from KFW 2.6.1:
C:\>kinit -5
Password for userid@REALM:
C:\>klist -e
Ticket cache: API:krb5cc
Default principal: userid@REALM
Valid starting Expires Service principal
04/29/04 18:21:57 04/30/04 04:21:57 krbtgt/REALM@REALM
Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with
CRC-32
Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)
C:\>aklog -d
Authenticating to cell umr.edu.
Getting v5 tickets: afs/CELL@REALM
Set username to userid
Getting tokens.
aklog: unable to obtain tokens for cell CELL (status: 11862786).
C:\>
Show quoted text
>From a web search:
KTC_INVAL 11862786 /* an invalid argument was passed in */
Ryan Lantzer