Date: Fri, 1 Apr 2005 15:34:52 -0500
From: "Albert AZ. Zuniga" <azuniga@kimberlycredit.com>
To: <krb5-bugs@mit.edu>
Subject: krb5 etypes error

Is there a fix for the problem with getting a TGS from win2003 with krb5 1.3.1?

 

Thanks,

[azuniga@kimberlycredit.com - Fri Apr 1 18:34:20 2005]:

> Is there a fix for the problem with getting a TGS from win2003 with krb5
> 1.3.1.

I am not aware of any problems obtaining service tickets from a windows
2003 Active Directory. AD supports DES-CBC-CRC, DES-CBC-MD5 and
RC4-HMAC. All of these enctypes are supported by krb5 1.3.1.

In case you were not aware, the current release of MIT krb5 is 1.4.

Can you elaborate on why you believe there to be a bug?

Jeffrey Altman
Subject: RE: [krbdev.mit.edu #2996] krb5 etypes error
Date: Mon, 4 Apr 2005 10:12:17 -0400
From: "Albert AZ. Zuniga" <azuniga@kimberlycredit.com>
To: <rt-comment@krbdev.mit.edu>
Thanks for replying.

My OS is FC2 and I am using krb5 1.3.6-4 and Samba 3.0.1.10-1.fc2.
Everything seems to be configured properly and I am even able to
successfully do a smbclient from Linux to a Windows share. When trying
to connect to a Samba share I am prompted with a password box. The net
ads join was successful, so the Samba box is listed in Active
Directory. Going through the troubleshooting steps, I did a smbclient -L
{machine} -k and got "session setup failed: NT_STATUS_LOGON_FAILURE"; a
klist tickets returned "klist: No credentials cache found (ticket cache
FILE:tickets)", and on the Windows 2003 DC I found the following error
listed multiple times: "While processing a TGS request for the target
server host/samba.mydomian.com, the account SAMBA$@mydomain.COM did not
have a suitable key for generating a Kerberos ticket (the missing key
has an ID of 8). The requested etypes were 2. The accounts available
etypes were 23 -133 -128 3 1."

Thanks
AL

-----Original Message-----
From: Unprivileged W User,,,, [mailto:www@MIT.EDU] On Behalf Of Jeffrey
Altman via RT
Sent: Saturday, April 02, 2005 12:44 AM
To: Albert AZ. Zuniga
Subject: [krbdev.mit.edu #2996] krb5 etypes error

[azuniga@kimberlycredit.com - Fri Apr 1 18:34:20 2005]:

> Is there a fix for the problem with getting a TGS from win2003 with krb5
> 1.3.1.

I am not aware of any problems obtaining service tickets from a windows
2003 Active Directory. AD supports DES-CBC-CRC, DES-CBC-MD5 and
RC4-HMAC. All of these enctypes are supported by krb5 1.3.1.

In case you were not aware, the current release of MIT krb5 is 1.4.

Can you elaborate on why you believe there to be a bug?

Jeffrey Altman
How do you have your client configured that it is requesting a ticket of
type DES-CBC-MD4? This enctype is not supported by Active Directory nor
is it requested by default by MIT Kerberos.

Please check your krb5.conf file. If you are defining a list of
enctypes, please remove it. Restricting the list of enctypes used by
MIT Kerberos can only cause problems.
closing ticket due to lack of response
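
Added example (not part of the ticket correspondence and not MIT krb5 or Samba code): the check discussed in the thread, in Python. It decodes the etype numbers from the DC event text, shows that the requested and available lists share no entry, and lists any enctype relations pinned in a krb5.conf. The function names and the krb5.conf sample are constructed for illustration; the event sentences are the ones quoted above.

```python
import re

# Etype numbers from the thread; negatives are Microsoft-private values.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          23: "rc4-hmac", -128: "rc4-md4 (MS)", -133: "rc4-hmac-old (MS)"}
# [libdefaults] relations that restrict the enctypes a client will use.
RESTRICTING = ("default_tgs_enctypes", "default_tkt_enctypes",
               "permitted_enctypes")

def parse_event(msg):
    """Return (requested, available) etype numbers from the DC event text."""
    msg = " ".join(msg.split())  # undo mail line wrapping
    lists = []
    for label in ("requested", "available"):
        m = re.search(label + r" etypes were ([-\d ]+)\.", msg)
        if not m:
            raise ValueError("not a 'no suitable key' TGS event")
        lists.append([int(n) for n in m.group(1).split()])
    return lists[0], lists[1]

def diagnose(msg):
    """Name both etype lists and the overlap; an empty overlap is the failure."""
    req, avail = parse_event(msg)
    name = lambda es: [ETYPES.get(e, str(e)) for e in es]
    return {"requested": name(req), "available": name(avail),
            "common": name([e for e in req if e in avail])}

def enctype_restrictions(conf_text):
    """List (relation, value) pairs in krb5.conf text that pin enctypes."""
    found = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key in RESTRICTING:
            found.append((key, value))
    return found

# Event sentences as quoted in the thread; the krb5.conf below is constructed.
EVENT = """The requested etypes were 2. The accounts available
etypes were 23 -133 -128 3 1."""
SAMPLE_CONF = """[libdefaults]
 default_tgs_enctypes = des-cbc-md4
# permitted_enctypes = rc4-hmac
"""

if __name__ == "__main__":
    print(diagnose(EVENT), enctype_restrictions(SAMPLE_CONF))
```

An empty `common` list corresponds to the "did not have a suitable key" event; any pair returned by `enctype_restrictions` is a line to review against the advice to remove enctype lists from krb5.conf.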