Doug Lamoureux wrote:

Looks like MS is aware of the issue (mine anyway). MS modified the behavior causing Windows 2003 AD to use the des-cbc-md5 encryption type to encrypt the ticket (I needed to set the 'Use DES Encryption' flag on the user, but that changed the encryption type from rc4-hmac to des-cbc-md5, still not supported by HP-UX Kerberos libraries), rather than the e-type requested by the client. MS is currently working on a fix to this. They plan to allow changes to this behavior via the registry, and hotfix distribution is scheduled for SP1.
> Jeffrey Altman wrote:
>
>> First off, the Windows Telnet service does not support Kerberos
>> authentication therefore you cannot expect to use Telnet as a test
>> protocol from the HP system to the Windows AD.
>
> True, I was assuming that the telnet session was using pam_kerberos for
> authentication on the hp-ux side (non Kerberized telnet)
>
>> As for Doug's problem with no support for RC4-HMAC in his version of
>> MIT Kerberos I suggest that he upgrade his MIT Kerberos to 1.3.1
>
> Ah..., if it was only that simple... :) I'm using the HP supplied Kerberos
> client s/w (PAM_Kerberos and SIS) which is based on an older version of
> the MIT Kerberos.
>
>> in order to gain support for RC4-HMAC. What the "use DES ..." setting
>> via the UI does is instruct Windows to use a DES session key not a DES
>> ticket key.
>
> Good to know..
>
>> I believe that if you want to set an account to only use DES for the
>> ticket encryption that you must do so using the /DesOnly switch when
>> mapping a Service Principal Name to an account and producing a keytab
>> file with ktpass.exe (from the W2K3 Support Tools found on the CD.)
>
> According to the ktpass command line help the default is "do" which I
> read as DesOnly. I tried with the -DesOnly switch (along with -crypto DES-CBC-CRC
> since the HP-UX Kerberos client does not support des-cbc-md5). The behavior
> changed, the ticket is now encrypted with des-cbc-md5, but this doesn't help
> since it's not supported with the hp-ux kerberos s/w.
>
>> If you are installing Kerberos for Windows on the Win2003 server
>> you must set the registry key
>
> Just using the standard Windows 2003/AD Enterprise Server.
>
>> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
>> AllowTGTSessionKey = 0x1 (DWORD)
>>
>> if you want to allow KfW to import Windows LSA credentials into the
>> MIT ccache via either ms2mit or Leash.
>>
>> Jeffrey Altman
>>
>> Ryan Odgers wrote:
>>
>>> Hi Doug,
>>>
>>> still on win2000
>>> I can authenticate and get tgt ticket with kinit
>>> I can get service ticket with kinit -S
>>> pamkrbval returns all PASSED
>>> nsquery search against ldap returns values in AD
>>> (I still seem to need a dummy entry in /etc/passwd for kerberos to
>>> create credential cache)??
>>> Well, don't know what else to do
>>>
>>> Thanks
>>> "Doug Lamoureux" <[EMAIL PROTECTED]> wrote in message
>>> news:[EMAIL PROTECTED]
>>>
>>>> Ryan,
>>>> Are you running Windows 2003? I've just run into a problem with Win2k3
>>>> encrypting the client tickets with rc4-hmac:
>>>>
>>>> # kinit -S host/myhost.acme.com dougl
>>>> Password for [EMAIL PROTECTED]:
>>>> # klist -e
>>>> Ticket cache: /tmp/krb5cc_0
>>>> Default principal: host/[EMAIL PROTECTED]
>>>> Valid starting     Expires            Service principal
>>>> 01/22/04 09:54:57  01/22/04 19:54:57  host/[EMAIL PROTECTED]
>>>>         Etype (skey, tkt): DES cbc mode with CRC-32, etype 23
>>>>
>>>> etype 23 is RC4-HMAC
>>>>
>>>> (ethereal trace shows rc4-hmac)
>>>>
>>>> I've seen a number of suggestions to set the "Use DES encryption"
>>>> flag on the users account and reset the password, but that has not
>>>> resolved the problem.
>>>> Check out your syslog.log file for potential errors. You don't have to
>>>> set up cross-realm authentication for ldap-ux/kerberos to work with AD
>>>> on hp-ux (you will if you want to have multi-domain support). Make sure
>>>> you can see the user defined in AD:
>>>>
>>>> # pwget -n dougl
>>>> dougl:*:10001:20::/home/dougl:/usr/bin/ksh
>>>> # /usr/contrib/bin/nsquery passwd dougl ldap
>>>>
>>>> Using "ldap" for the passwd policy.
>>>>
>>>> Searching ldap for dougl
>>>> User name: dougl
>>>> User Id: 10001
>>>> Group Id: 20
>>>> Gecos:
>>>> Home Directory: /home/dougl
>>>> Shell: /usr/bin/ksh
>>>>
>>>> Switch configuration: Terminates Search
>>>>
>>>> Then make sure you can use kinit to authenticate:
>>>>
>>>> # kinit dougl
>>>> Password for [EMAIL PROTECTED]:
>>>>
>>>> You can also validate the Kerberos client configuration using
>>>> pamkrbval:
>>>>
>>>> # /usr/sbin/pamkrbval
>>>>
>>>> Validating the pam configuration files
>>>> ---------- --- --- ------------- -----
>>>>
>>>> Validating the /etc/pam.conf file
>>>> [PASS] : The validation of config file: /etc/pam.conf passed
>>>>
>>>> [NOTICE] : The validation of config file: /etc/pam_user.conf is not
>>>> done as libpam_updbe library is not configured
>>>>
>>>> Validating the kerberos config file
>>>> ---------- --- -------- ------ -----
>>>> [PASS] : Initialization of kerberos passed
>>>>
>>>> Connecting to default Realm
>>>> ---------- -- ------- -----
>>>> [PASS] : Default Realm is issuing tickets
>>>>
>>>> Validating the keytab entry for the host service principal
>>>> ---------- --- ------ ----- --- --- ---- ------- ---------
>>>> /usr/sbin/pamkrbval: Program lacks support for encryption type for this entry
>>>> [FAIL] : The keytab validation Failed
>>>>
>>>> Cheers,
>>>> Doug
>>>>
>>>> Ryan Odgers wrote:
>>>>
>>>>> (I apologize if this has already been posted, I am new to this list)
>>>>>
>>>>> Hi,
>>>>>
>>>>> What is the trick to getting services to work via kerberos?
>>>>>
>>>>> I have been playing around with trying to use kerberos as an SSO for
>>>>> our environment, but am a bit confused.
>>>>>
>>>>> To date:
>>>>> I have installed and configured MS SFU 3.5 (services for Unix) on our
>>>>> AD, extended the schema.
>>>>> I have an HP-UX 11.11 machine in which I have set up the LDAP client to
>>>>> talk to the AD via kerberos. I can successfully search the AD and can
>>>>> login with windows credentials via a keytab created for the host.
>>>>>
>>>>> The telnet service in HP-UX is kerberos aware, but after creating a
>>>>> service instance and keytab file for the telnet service in AD, and
>>>>> importing into the unix keytab file, I cannot telnet into unix via
>>>>> kerberos. I have followed Microsoft's doc on inter-operability, but
>>>>> cannot get the services side of kerberos to work.
>>>>>
>>>>> If the KDC is win2000 and the kerberos client is UNIX or MIT, does
>>>>> cross-realm authentication still need to be set up?
>>>>> It is the same kerberos realm, the unix machine points to the 2000 KDC
>>>>> as its server.
>>>>>
>>>>> Any help is VERY appreciated
>>>>> Ryan

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
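The diagnosis in the thread turns on reading the two etypes that `klist -e` prints per ticket separately: the "Use DES encryption" flag changed the session key (skey) to DES while the ticket key (tkt) stayed etype 23, which is what the old HP-UX client could not handle. The following script is an added example, not code from the thread or from HP or MIT; it parses `klist -e` output and reports, per ticket, which of the two keys uses an etype outside a client-supported set. The sample output, the ACME.COM realm and the assumption that the HP-UX client supports only des-cbc-crc are all constructed for the example.

```python
import re
# Etype numbers (RFC 3961 / RFC 4757) for the names MIT klist prints; unknown ones appear as "etype N".
ETYPE_BY_NAME = {"DES cbc mode with CRC-32": 1, "DES cbc mode with RSA-MD5": 3,
                 "AES-128 CTS mode with 96-bit SHA-1 HMAC": 17,
                 "AES-256 CTS mode with 96-bit SHA-1 HMAC": 18, "ArcFour with HMAC/md5": 23}
LABEL = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}
HPUX_CLIENT_ETYPES = {1}  # assumption: the old HP-UX PAM Kerberos client handles only des-cbc-crc

# Constructed sample modelled on the klist output quoted in the thread; ACME.COM is a placeholder realm.
SAMPLE_KLIST = """Ticket cache: /tmp/krb5cc_0
Default principal: dougl@ACME.COM
Valid starting     Expires            Service principal
01/22/04 09:54:57  01/22/04 19:54:57  host/myhost.acme.com@ACME.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, etype 23
01/22/04 09:54:57  01/22/04 19:54:57  krbtgt/ACME.COM@ACME.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""
TICKET_RE = re.compile(r"^\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d\s+\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d(?:\s+(\S+))?$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (.+?), (.+)$")

def etype_number(text):
    """Map 'etype 23' or a known MIT etype name to its number."""
    m = re.fullmatch(r"etype (\d+)", text.strip())
    if m:
        return int(m.group(1))
    if text.strip() not in ETYPE_BY_NAME:
        raise ValueError("unrecognised etype text: %r" % text)
    return ETYPE_BY_NAME[text.strip()]

def parse_klist(output):
    """Return [(service_principal, skey_etype, tkt_etype), ...] from `klist -e` output."""
    tickets, service, need_principal = [], None, False
    for line in (raw.strip() for raw in output.splitlines()):
        t, e = TICKET_RE.match(line), ETYPE_RE.search(line)
        if t:  # ticket line; a long service principal may be wrapped onto the next line
            service, need_principal = t.group(1), t.group(1) is None
        elif e:
            tickets.append((service, etype_number(e.group(1)), etype_number(e.group(2))))
        elif need_principal and line:
            service, need_principal = line, False
    return tickets

def check_tickets(output, supported):
    """Per ticket, list whichever of session key / ticket key uses an etype the client lacks."""
    findings = []
    for service, skey, tkt in parse_klist(output):
        bad = [f"{what} {LABEL.get(e, '?')} (etype {e})"
               for what, e in (("session key", skey), ("ticket key", tkt)) if e not in supported]
        findings.append((service, bad))
    return findings
```

Running `check_tickets(SAMPLE_KLIST, HPUX_CLIENT_ETYPES)` flags only the host ticket's ticket key (rc4-hmac, etype 23), while its DES session key passes, which is exactly the mismatch the thread describes.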
