On 6/29/2011 10:42 PM, Rex, Martin wrote:
> Creating a keytab for a Microsoft AD account that is comprehensible
> to MIT Kerberos (e.g. kinit -k) appears to require heavy wizardry.
>
> I've tried everything I can reasonably think of, but kinit -k
> always fails with the nonsensical error message
> "kinit: Key table entry not found while getting initial credentials"
>
> strace says that kinit is reading the correct file, and the
> keytab definitely contains keys for the specified principal.
> (klist -ke sees the content; whether I use ktutil to create
> the keytab or Microsoft's KTPASS.EXE has no visible impact)
>
> So if anything, kinit might tell me that it received something
> encrypted with kvno "a" but only found kvnos "b", "c", "d" and "e"
> for the specified principal in the specified keytab -- but the error
> message it currently prints when providing the full principal
> name on the command line just doesn't seem to make sense.
>
>
> I've created user account "[email protected]" in a W2K8 AD
> and "kinit [email protected]" works fine. Shouldn't kinit
> be in the perfect position, after having just successfully obtained
> a TGT for that user, to write out a perfect keytab that will
> work with "kinit -k" -- or otherwise tell me all necessary details
> about what I will have to type into tools like ktutil or what to
> supply to Microsoft's KTPASS.EXE in order to achieve with "kinit -k"
> what kinit without -k just succeeded in doing?
We had seen similar problems with accounts like this. kinit/libkrb5, via
the AS-REQ, tell the KDC they can do all the enctypes listed in krb5.conf.
The KDC then returns an AS-REP using AES-256. But the keytab has only
arcfour (or maybe only DES!), so no matching keytab entry is found.
klist -k -e should show what is in the keytab.

So one of these is needed:

(1) Create a keytab with all the enctypes: AES-256, AES-128, arcfour,
    or at least the strongest one.

(2) Set the account attribute msDS-SupportedEncryptionTypes
    http://msdn.microsoft.com/en-us/library/cc223853(v=prot.10).aspx
    to match what is in the keytab.

(3) Modify the kinit code to look at the enctypes available in the
    keytab, and use these in the AS-REQ.

We use msktutil to create keytabs and add/update accounts like this in AD:
http://fuhm.net/software/msktutil/
Other tools from Samba are also available.

(And of course set the password to not expire for the account.)

A related issue is that Java does not support AES-256 by default.
Google for: java Unlimited Strength Jurisdiction Policy Files
to find the jar to allow AES-256. Or do (2) or (3) above.

>
>
> In case anyone happens to know the exact sequence of commands
> and their command line parameters that I would have to type in order
> to obtain a working keytab for an ActiveDirectory 2008R2 account
> that will be usable with MIT Kerberos 1.9.1, I would be glad to know.
>
> If I ever manage to get a working configuration (keytab),
> the clients that should ultimately be able to connect
> to the service are WinXP, 2003, Vista and Win7, so it should probably
> be using an arcfour-hmac enctype, I assume.
>
> (I will NOT need hostbased service names, in case you're wondering,
> and I did already call "SETSPN dont/care FOO.CORP\TestService" to
> allow 1-/2-Token authentications with the TestService account
> for a post-2000 ActiveDirectory).
>
> -Martin
>
>
> PS: my windows administrative expertise is limited.
> I have setspn.exe, ktpass.exe within reach and know how to
> run the MMC snap-in "Active Directory - Users and Computers",
> but know nothing else about AD and LDAP...
>
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
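Added example (not from the thread, and not code from MIT Kerberos, msktutil or Microsoft): a small Python parser for the MIT keytab format (version 0x0502) that reproduces the lookup kinit -k has to make, i.e. find an entry for the principal whose kvno and enctype match what the KDC encrypted the AS-REP with, and reports which of the three mismatches (no entry, wrong kvno, wrong enctype) is hiding behind "Key table entry not found". It also derives the msDS-SupportedEncryptionTypes value that matches a keytab, as in option (2) above; the bit values are from Microsoft's documentation of that attribute. The keytab bytes, the principal TestService@FOO.CORP, the kvno, the dummy keys and the "reply enctype" standing in for the KDC's choice are all constructed here, and the helper names are mine.

```python
"""Explain why `kinit -k` cannot find a keytab entry: parse an MIT keytab
and compare it with the kvno/enctype the KDC used in the AS-REP.
Added example; keytab bytes and principal below are constructed, not real."""
import struct

ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Bits of msDS-SupportedEncryptionTypes, per Microsoft's documentation.
MSDS_BITS = {1: 0x1, 3: 0x2, 23: 0x4, 17: 0x8, 18: 0x10}


def _counted(b):
    """Keytab 'counted string': 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Build a version-0x0502 keytab from (principal, kvno, enctype, key) tuples.
    Principal is 'comp1/comp2@REALM'. Used only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type KRB5_NT_PRINCIPAL (1), timestamp 0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return [{principal, kvno, enctype, key}], roughly what `klist -k -e` lists."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:              # negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strs = []
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strs.append(data[pos:pos + n].decode())
            pos += n
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:        # optional 32-bit kvno; non-zero value wins over vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(strs[1:]) + "@" + strs[0],
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def diagnose(keytab, principal, reply_enctype, reply_kvno):
    """The lookup kinit -k performs on the AS-REP: an entry for `principal`
    with the kvno and enctype the KDC encrypted with. Returns (status, detail),
    status being 'missing', 'kvno', 'enctype' or 'ok'."""
    mine = [e for e in parse_keytab(keytab) if e["principal"] == principal]
    if not mine:
        return "missing", "no entry for %s in keytab" % principal
    kvnos = sorted({e["kvno"] for e in mine})
    if reply_kvno not in kvnos:
        return "kvno", "KDC used kvno %d, keytab has %s" % (reply_kvno, kvnos)
    etypes = sorted({e["enctype"] for e in mine if e["kvno"] == reply_kvno})
    if reply_enctype not in etypes:
        return "enctype", "KDC used %s, keytab kvno %d has %s" % (
            ENCTYPE_NAMES.get(reply_enctype, reply_enctype), reply_kvno,
            [ENCTYPE_NAMES.get(t, t) for t in etypes])
    return "ok", "matching entry found"


def msds_supported_enctypes(keytab, principal):
    """Bitmask for msDS-SupportedEncryptionTypes so AD only picks enctypes
    this keytab actually holds (option (2) in the reply above)."""
    mask = 0
    for e in parse_keytab(keytab):
        if e["principal"] == principal:
            mask |= MSDS_BITS.get(e["enctype"], 0)
    return mask


# Constructed sample: the thread's situation, a keytab holding arcfour only,
# next to one that also carries an AES-256 key for the same kvno.
PRINCIPAL = "TestService@FOO.CORP"
ARCFOUR_ONLY = build_keytab([(PRINCIPAL, 2, 23, b"\x11" * 16)])
WITH_AES = build_keytab([(PRINCIPAL, 2, 23, b"\x11" * 16),
                         (PRINCIPAL, 2, 18, b"\x22" * 32)])

if __name__ == "__main__":
    for label, kt in (("arcfour-only", ARCFOUR_ONLY), ("arcfour+aes256", WITH_AES)):
        for e in parse_keytab(kt):
            print(label, e["principal"], "kvno", e["kvno"], ENCTYPE_NAMES[e["enctype"]])
        print(label, diagnose(kt, PRINCIPAL, 18, 2))  # KDC answered with AES-256
        print(label, "msDS-SupportedEncryptionTypes = 0x%x"
              % msds_supported_enctypes(kt, PRINCIPAL))
```

Against the arcfour-only keytab, diagnose() with the KDC's AES-256 reply returns the "enctype" case that the list reply describes, and msds_supported_enctypes() gives 0x4 (RC4 only), the value you would set on the account to stop the KDC choosing AES; once an AES-256 key is added the mask becomes 0x14 and the lookup succeeds. On a real host you would read /etc/krb5.keytab instead of the constructed bytes.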
