
Re: kinit and Windows Server 2008





Ulf Ekberg wrote:
> 
> Douglas E. Engert wrote:
>>
>> Ulf Ekberg wrote:
>>> Using Heimdal 1.1 (also tried 1.2rc1), the following command:
>>>
>>> kinit -k -t <keytab>
>>> agssuser/winctho2d6naz8.testak2008.net@TESTAK2008.NET
>>>
>>> works fine against a Windows Server 2003 system, but fails
>>> like this against Windows Server 2008:
>>>
>> How did you get the keytab file? ktpass?
> 
> Yes, that's right.
> 
>> Did you use the /ptype KRB5_NT_SRV_HST option?
> 
> No, but it made no difference when I tried it.
> 
> (I had tried using "-ptype KRB5_NT_PRINCIPAL" to silence
> a complaint from ktpass: "WARNING: pType and account do
> not match.This might cause some problems." However, while
> the complaint disappeared, kinit still failed. The message
> is still there with "-ptype KRB5_NT_SRV_HST".)
> 
>> Does the Kvno in the keytab match the msDS-KeyVersionNumber attribute?
> 
> I can see the msDS-KeyVersionNumber attribute on 2003, but it's
> absent on 2008.
> 
> Would this be a problem, and how do I create it on
> 2008?

It could be. 2003 and 2008 both say they have the msDS-KeyVersionNumber
attribute. http://msdn2.microsoft.com/en-us/library/cc220292.aspx


I see that there is a ktpass for 2008 that has AES.
Maybe you have to use the 2008 ktpass?

I don't have a 2008 server, so am only guessing.

> 
>> Is the UserAccountControl attribute of the AD account the same in 2003
>> and 2008?
> 
> No, it's 2163200 (which is 0x210200) on 2003, and 0x10200 on 2008.
> The 2008 version explains that this is NORMAL_ACCOUNT|
> DONT_EXPIRE_PASSWD.
> 
> So, there's some additional flag present on 2003. I changed it on
> 2008, and got USE_DES_K (it's cut off at the K) as well, which looked
> promising. However, after clicking Apply, the kinit still failed in
> the same way.
> 
> 
>>> kinit: krb5_get_init_creds: Client
>>> (agssuser/winctho2d6naz8.testak2008.net@TESTAK2008.NET) unknown
>>>
>>> In order to exclude the possibility of mistyping the principal
>>> name, I copy-pasted from the AD user account properties to file,
>>> scp:ed the file to the Linux system, and copy-pasted to the command
>>> line. Also tried copy-paste from strings(1) output of the keytab
>>> file. All had the same problem.
>>>
>>> There were no relevant events logged on the WS 2008 system AFAICS.
>>>
>>> Here's partial ethereal output of the packet exchange:
>>>
>>> Kerberos AS-REQ
>>> Pvno: 5
>>> MSG Type: AS-REQ (10)
>>> KDC_REQ_BODY
>>> Padding: 0
>>> KDCOptions: 00000000
>>> Client Name (Principal): agssuser/win-ctho2d6naz8.testak2008.net
>>> Realm: TESTAK2008.NET
>>> Server Name (Principal): krbtgt/TESTAK2008.NET
>>> Name-type: Principal (1)
>>> Name: krbtgt
>>> Name: TESTAK2008.NET
>>> till: 2008-04-12 09:38:20 (Z)
>>> Nonce: 3479015567
>>> Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>>> des3-cbc-sha1 des3-cbc-sha rc4-hmac des-cbc-md5 des-cbc-md4 des-cbc-crc
>>> HostAddresses: 10.32.0.188 192.168.1.1
>>>
>>>
>>> Kerberos KRB-ERROR
>>> Pvno: 5
>>> MSG Type: KRB-ERROR (30)
>>> stime: 2008-04-11 23:38:11 (Z)
>>> susec: 532943
>>> error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
>>> Realm: TESTAK2008.NET
>>> Server Name (Principal): krbtgt/TESTAK2008.NET
>>> Name-type: Principal (1)
>>> Name: krbtgt
>>> Name: TESTAK2008.NET
>>> I've set
>>> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\
>>> Kerberos\Parameters\LogLevel
>>>
>>> to 1 via regedit on the WS 2008 system, and that did turn on
>>> some Kerberos logging, but nothing regarding the kinit failure.
>>>
>>> Any idea what might be wrong, or how we could get more information
>>> from the WS 2008 system?

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
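Douglas asks above whether the kvno in the keytab matches the account's msDS-KeyVersionNumber attribute. The script below is an added example, not code from this thread, from Heimdal or from ktpass: it parses a version 0x0502 keytab (the layout Heimdal's ktutil and Windows ktpass both write), lists principal, kvno and enctype for every entry, and reports the entries whose kvno disagrees with the value read from AD. The keytab bytes are constructed inline; the principal is the one from the kinit command quoted above, while the kvno of 3, the key material and the msDS-KeyVersionNumber passed to kvno_mismatches() are made-up values a reader would replace with their own.

```python
"""Keytab inspector: parse a version 0x0502 keytab and compare each entry's
kvno with the AD account's msDS-KeyVersionNumber (added example, not the
thread's or Heimdal's code)."""
import struct

# RFC 3961/4120 enctype numbers for the types named in the thread's AS-REQ.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def _counted_string(buf, off):
    """Read a uint16 length-prefixed octet string at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return one dict (principal, name_type, kvno, enctype, timestamp)
    per live entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size: deleted slot, skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen       # skip the key material itself
        kvno = vno8
        if end - off >= 4:      # optional 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "timestamp": timestamp,
        })
    return entries


def kvno_mismatches(entries, ad_kvno):
    """Entries whose kvno differs from the AD msDS-KeyVersionNumber value."""
    return [e for e in entries if e["kvno"] != ad_kvno]


def build_entry(components, realm, kvno, enctype, key, timestamp=0, name_type=1):
    """Serialize one keytab entry (used here only to construct sample input)."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)        # full 32-bit vno, as Heimdal writes
    return struct.pack(">i", len(body)) + body


# Constructed sample: the principal from the thread, made-up kvno and keys.
SAMPLE_PRINCIPAL = ["agssuser", "winctho2d6naz8.testak2008.net"]
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry(SAMPLE_PRINCIPAL, "TESTAK2008.NET", 3, 23, b"\x11" * 16)
    + build_entry(SAMPLE_PRINCIPAL, "TESTAK2008.NET", 3, 1, b"\x22" * 8)
)

if __name__ == "__main__":
    ad_kvno = 4  # assumed msDS-KeyVersionNumber; read the real one from AD
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%(principal)s kvno=%(kvno)d %(enctype)s" % e)
    for e in kvno_mismatches(parse_keytab(SAMPLE_KEYTAB), ad_kvno):
        print("kvno mismatch: keytab %d vs AD %d (%s)" % (e["kvno"], ad_kvno, e["enctype"]))
```

A kvno mismatch does not produce the C_PRINCIPAL_UNKNOWN error seen in the trace (the KDC would answer with a bad-integrity or no-such-key error instead), so this check rules one cause in or out rather than explaining that particular failure.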
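On the UserAccountControl values quoted in the thread (2163200, i.e. 0x210200, on 2003 and 0x10200 on 2008): the single bit that differs is 0x200000, which Microsoft documents in ADS_USER_FLAG_ENUM as UF_USE_DES_KEY_ONLY, matching the "USE_DES_K" string Ulf saw truncated in the property sheet. The decoder below is an added example and not part of the original message; it uses the documented flag bits and accepts the decimal or hex strings that the AD tools display, so two accounts' values can be diffed flag by flag.

```python
"""Decode and diff Active Directory UserAccountControl values (added example,
not code from the thread). Bit values are the documented ADS_USER_FLAG_ENUM."""

UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}


def parse_uac(value):
    """Accept an int, or the decimal ("2163200") / hex ("0x210200") strings
    that ADSI Edit and ldifde display."""
    if isinstance(value, str):
        return int(value.strip(), 0)
    return int(value)


def decode_uac(value):
    """Flag names set in value, lowest bit first; unknown bits are kept
    as one UNKNOWN_0x... entry so nothing is silently dropped."""
    value = parse_uac(value)
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def diff_uac(old, new):
    """(flags only in old, flags only in new) for two accounts' values."""
    old, new = parse_uac(old), parse_uac(new)
    return decode_uac(old & ~new), decode_uac(new & ~old)


if __name__ == "__main__":
    # Values quoted in the thread: 2003 account vs 2008 account.
    only_2003, only_2008 = diff_uac("2163200", "0x10200")
    print("2003:", decode_uac("2163200"))
    print("2008:", decode_uac("0x10200"))
    print("only on 2003:", only_2003, "only on 2008:", only_2008)
```

USE_DES_KEY_ONLY pins the account to single-DES session keys, so from an audit standpoint listing the accounts that carry it is worthwhile in its own right; clearing it, as Ulf tried, is the direction a defender would want anyway, independent of whether it explains the kinit failure.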