Jason D. McCormick wrote:
> Richard E. Silverman wrote:
>
>> A couple of questions:
>>
>> 1) What are the tkt and skey types on the tickets the client gets? The
>> etype of the service credentials?
>
> klist -e reports:

(Normally Kerberos does not save a ticket in the cache if it does not work so you may not see the ticket for the service. Wireshark can show a lot more.)

>
> Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
>
> for the TGT. The keytab lists the key type as "DES cbc mode with CRC-32".
>
>> 2) I assume you generated the service keytabs from AD using ktpass.exe?
>> If so, exactly what command did you use?
>
> Yes, I did. I don't have the exact command handy because getting this
> working has been an iterative process. I definitely set the key type to
> be des-cbc-crc with ktpass. It would have been something like:
>
> ktpass -princ nfs/[EMAIL PROTECTED] -mapuser
> AD\nfs-nfs1 +rndPass -crypto DES-CBC-CRC -out nfs1.keytab

The problem might be that on the AD account the UserAccountControl flag does not have the USE_DES_KEY_ONLY 0x200000 set, so AD is returning an ArcFour ticket, which is not in the keytab. ktpass has a /DESOnly option to set this. See kb 305144 too.

Why are you using DES? All the newer Kerberos can use ArcFour. So try ktpass without the crypto option.

>
> I've also tried it with and without -ptype KRB5_NT_SRV_HST.
>
> - Jason
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
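The mismatch described in the reply above can be checked offline. This Python script is an added example, not part of the original thread or of any Kerberos distribution: it parses an MIT keytab (file format 0x0502), lists the key types stored per principal, and compares them with the ticket type the reply says AD issues for a given userAccountControl value. The principal name, realm, all-zero key and the two-way DES/ArcFour model are assumptions made for the example.

```python
import struct

UF_USE_DES_KEY_ONLY = 0x200000   # userAccountControl bit named in the reply
DES, ARCFOUR = {1, 3}, {23}      # des-cbc-crc, des-cbc-md5; arcfour-hmac

def _counted(buf, off):
    """Read a 16-bit length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def keytab_enctypes(blob):
    """Map principal -> set of enctype numbers in an MIT keytab (format 0x0502)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    pos, out = 2, {}
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry
            pos += -size
            continue
        entry, pos = blob[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _counted(entry, 2)
        parts = []
        for _ in range(ncomp):
            part, off = _counted(entry, off)
            parts.append(part)
        off += 4 + 4 + 1                   # name type, timestamp, 8-bit kvno
        (etype,) = struct.unpack_from(">H", entry, off)
        out.setdefault("/".join(parts) + "@" + realm, set()).add(etype)
    return out

def diagnose(blob, principal, uac):
    """Return (des_only_flag_set, keytab_has_key_for_issued_ticket)."""
    have = keytab_enctypes(blob).get(principal, set())
    des_only = bool(uac & UF_USE_DES_KEY_ONLY)
    # Simplified model taken from the reply: DES ticket when the flag is set,
    # ArcFour otherwise. An assumption of this example, not a full KDC model.
    issued = DES if des_only else ARCFOUR
    return des_only, bool(have & issued)

def _entry(realm, comps, etype, key, kvno=3):   # builds constructed test data
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: placeholder principal with one des-cbc-crc key (all-zero).
SAMPLE = b"\x05\x02" + _entry("EXAMPLE.COM", ["nfs", "nfs1.example.com"], 1, bytes(8))
```

With the sample keytab, `diagnose(SAMPLE, "nfs/nfs1.example.com@EXAMPLE.COM", 0x10200)` returns `(False, False)`: the flag is clear, so the ticket type does not match the stored DES key.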
