
Why is the server using DES but not RC4?

Hi. After I was successful with DES (thank you very much!!!) I want to
switch to RC4.

I used the following command on the domain controller:
ktpass -princ HTTP/bsdfloh.domain.tld@DOMAIN.tld -mapuser
domain\bsdflohkerberos$ -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST
-pass **** -out c:\temp\bsdflohkeytab

I copied bsdflohkeytab to the Apache server. Then I tested the following:
-bash-3.00# kinit user@DOMAIN.TLD
user@DOMAIN.TLD's Password:
kinit: NOTICE: ticket renewable lifetime is 10 hours
-bash-3.00# kgetcred HTTP/bsdfloh.domain.tld@DOMAIN.TLD
-bash-3.00# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: user@DOMAIN.TLD
    Cache version: 4

Ticket etype: arcfour-hmac-md5, kvno 2
Auth time:  Jun 26 16:19:39 2007
End time:   Jun 26 22:59:39 2007
Renew till: Jun 27 02:19:39 2007
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:

Server: HTTP/bsdfloh.domain.tld@DOMAIN.TLD
Ticket etype: des-cbc-md5, kvno 11
Auth time:  Jun 26 16:19:39 2007
Start time: Jun 26 16:19:46 2007
End time:   Jun 26 22:59:39 2007
Ticket flags: pre-authenticated
Addresses: IPv4:

-bash-3.00# kinit -k -t /usr/local/etc/apache2/bsdflohkeytab
kinit: krb5_get_init_creds: Additional pre-authentication required
-bash-3.00# ktutil -k /usr/local/etc/apache2/bsdflohkeytab list

Vno  Type              Principal
 11  arcfour-hmac-md5  HTTP/bsdfloh.domain.tld@DOMAIN.TLD

If you inspect the output of 'klist -v' you'll notice the server
HTTP/bsdfloh.domain.tld@DOMAIN.TLD is using etype des-cbc-md5.
Why? The result of 'ktutil -k bsdflohkeytab list' sounds good, so the
ktpass command on the domain controller should be OK.

cu Floh
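Added example, not part of the post above and not Heimdal code: a small POSIX shell script that reads the 'klist -v' and 'ktutil list' output and checks whether the keytab holds a key with the same etype and kvno as the service ticket the KDC issued. The two input blobs are constructed from the output quoted in the post (the principal names, etypes and vnos are taken from it); in real use they would come from the live commands. The check makes the point the post is circling: the etype of a service ticket is chosen by the KDC from the keys it holds for the service account, so a keytab that lists the right etype can still fail to match the ticket, and 'ktutil list' alone cannot tell you that.

```shell
#!/bin/sh
# Added example: compare the etype/kvno of the service ticket the KDC issued
# with the keys present in the server's keytab. Both inputs below are
# constructed from the post's quoted output, not live command results; in
# real use replace them with KLIST_OUT=$(klist -v) and
# KTUTIL_OUT=$(ktutil -k /usr/local/etc/apache2/bsdflohkeytab list).

KLIST_OUT='Credentials cache: FILE:/tmp/krb5cc_0
        Principal: user@DOMAIN.TLD
    Cache version: 4

Ticket etype: arcfour-hmac-md5, kvno 2
Auth time:  Jun 26 16:19:39 2007
End time:   Jun 26 22:59:39 2007
Renew till: Jun 27 02:19:39 2007
Ticket flags: renewable, initial, pre-authenticated

Server: HTTP/bsdfloh.domain.tld@DOMAIN.TLD
Ticket etype: des-cbc-md5, kvno 11
Auth time:  Jun 26 16:19:39 2007
Start time: Jun 26 16:19:46 2007
End time:   Jun 26 22:59:39 2007
Ticket flags: pre-authenticated'

KTUTIL_OUT='Vno  Type              Principal
 11  arcfour-hmac-md5  HTTP/bsdfloh.domain.tld@DOMAIN.TLD'

# ticket_key PRINCIPAL: print "ETYPE KVNO" of the cached ticket for PRINCIPAL,
# read from the "Ticket etype:" line that follows its "Server:" line in
# Heimdal klist -v output. Prints nothing when no such ticket is cached.
ticket_key() {
    printf '%s\n' "$KLIST_OUT" | awk -v p="$1" '
        $1 == "Server:" { cur = $2; next }
        cur == p && $1 == "Ticket" && $2 == "etype:" {
            e = $3; sub(/,$/, "", e); print e, $5; exit }'
}

# keytab_keys PRINCIPAL: print one "ETYPE VNO" line per keytab entry for
# PRINCIPAL, read from Heimdal ktutil list output (columns: Vno Type Principal).
keytab_keys() {
    printf '%s\n' "$KTUTIL_OUT" | awk -v p="$1" '$3 == p { print $2, $1 }'
}

# check_service_key PRINCIPAL: return 0 when the keytab holds a key with the
# ticket's etype and kvno (the server can decrypt what the KDC issued),
# 1 on a mismatch, 2 when no ticket for PRINCIPAL is in the cache.
check_service_key() {
    princ=$1
    set -- $(ticket_key "$princ")
    t_etype=$1; t_kvno=$2
    if [ -z "$t_etype" ]; then
        echo "no ticket for $princ in the credentials cache"
        return 2
    fi
    if keytab_keys "$princ" | grep -qxF "$t_etype $t_kvno"; then
        echo "ok: ticket and keytab agree on $t_etype kvno $t_kvno"
        return 0
    fi
    echo "MISMATCH for $princ: ticket is $t_etype kvno $t_kvno, keytab has:"
    keytab_keys "$princ" | sed 's/^/    /'
    return 1
}

# Run against the constructed sample: the kvno (11) matches on both sides,
# but the KDC encrypted the ticket with des-cbc-md5 while the keytab only
# holds an arcfour-hmac-md5 key, so the check reports a mismatch.
check_service_key HTTP/bsdfloh.domain.tld@DOMAIN.TLD || status=$?
echo "exit status: ${status:-0}"
```

The kvno agreeing while the etype differs is the signature of this situation: the keytab was cut from the current key version, but the KDC is issuing tickets under a different key type for that account than the one ktpass wrote into the file.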