
Re: kinit and Windows Server 2008

Douglas E. Engert wrote:
> 
> 
> Ulf Ekberg wrote:
>>
>> Douglas E. Engert wrote:
>>>
>>> Ulf Ekberg wrote:
>>>> Using Heimdal 1.1 (also tried 1.2rc1), the following command:
>>>>
>>>> kinit -k -t <keytab>
>>>> agssuser/winctho2d6naz8.testak2008.net@TESTAK2008.NET
>>>>
>>>> works fine against a Windows Server 2003 system, but fails
>>>> like this against Windows Server 2008:
>>>>
>>> How did you get the keytab file? ktpass?
>>
>> Yes, that's right.
>>
>>> Did you use the /ptype KRB5_NT_SRV_HST option?
>>
>> No, but it made no difference when I tried it.
>>
>> (I had tried using "-ptype KRB5_NT_PRINCIPAL" to silence
>> a complaint from ktpass: "WARNING: pType and account do
>> not match.This might cause some problems." However, while
>> the complaint disappeared, kinit still failed. The message
>> is still there with "-ptype KRB5_NT_SRV_HST".)
>>
>>> Does the Kvno in the keytab match the msDS-KeyVersionNumber attribute?
>>
>> I can see the msDS-KeyVersionNumber attribute on 2003, but it's
>> absent on 2008.
>>
>> Would this be a problem, and how do I create it on
>> 2008?
> 
> It could be. 2003 and 2008 both say they have the msDS-KeyVersionNumber
> attribute. http://msdn2.microsoft.com/en-us/library/cc220292.aspx

By default, the msDS-KeyVersionNumber attribute isn't visible from
ADSIedit in 2008. You have to change the filter. While looking at
the properties of an account, click Filter, then select Constructed.

> 
> I see that there is a ktpass for 2008, that has AES.
> Maybe you have to use the 2008 ktpass?

I've been using the ktpass command that came with the 2008
distribution. While that ktpass command appears to read the
attribute to determine the kvno, it no longer increments the kvno
when you generate a keytab file. Looking at the msDS-KeyVersionNumber
attribute, it doesn't change after running ktpass, not even if
you explicitly specify /kvno on the ktpass command line.

When asked about this possible problem with ktpass (at least,
it's a change from 2003), Microsoft just said that the ktpass
command isn't supported.

> I don't have a 2008 server, so am only guessing.
> 
>>
>>> Is the UserAccountControl attribute of the AD account the same in 2003
>>> and 2008?
>>
>> No, it's 2163200 (which is 0x210200) on 2003, and 0x10200 on 2008.
>> The 2008 version explains that this is NORMAL_ACCOUNT|
>> DONT_EXPIRE_PASSWD).
>>
>> So, there's some additional flag present on 2003. I changed it on
>> 2008, and got USE_DES_K (it's cut off at the K) as well, which looked
>> promising. However, after clicking Apply, the kinit still failed in
>> the same way.
>>
>>
>>>> kinit: krb5_get_init_creds: Client
>>>> (agssuser/winctho2d6naz8.testak2008.net@TESTAK2008.NET) unknown
>>>>
>>>> In order to exclude the possibility of mistyping the principal
>>>> name, I copy-pasted from the AD user account properties to file,
>>>> scp:ed the file to the Linux system, and copy-pasted to the command
>>>> line. Also tried copy-paste from strings(1) output of the keytab
>>>> file. All had the same problem.
>>>>
>>>> There were no relevant events logged on the WS 2008 system AFAICS.
>>>>
>>>> Here's partial ethereal output of the packet exchange:
>>>>
>>>> Kerberos AS-REQ
>>>> Pvno: 5
>>>> MSG Type: AS-REQ (10)
>>>> KDC_REQ_BODY
>>>> Padding: 0
>>>> KDCOptions: 00000000
>>>> Client Name (Principal): agssuser/win-ctho2d6naz8.testak2008.net
>>>> Realm: TESTAK2008.NET
>>>> Server Name (Principal): krbtgt/TESTAK2008.NET
>>>> Name-type: Principal (1)
>>>> Name: krbtgt
>>>> Name: TESTAK2008.NET
>>>> till: 2008-04-12 09:38:20 (Z)
>>>> Nonce: 3479015567
>>>> Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>>>> des3-cbc-sha1 des3-cbc-sha rc4-hmac des-cbc-md5 des-cbc-md4 des-cbc-crc
>>>> HostAddresses: 10.32.0.188 192.168.1.1
>>>>
>>>>
>>>> Kerberos KRB-ERROR
>>>> Pvno: 5
>>>> MSG Type: KRB-ERROR (30)
>>>> stime: 2008-04-11 23:38:11 (Z)
>>>> susec: 532943
>>>> error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
>>>> Realm: TESTAK2008.NET
>>>> Server Name (Principal): krbtgt/TESTAK2008.NET
>>>> Name-type: Principal (1)
>>>> Name: krbtgt
>>>> Name: TESTAK2008.NET
>>>> I've set
>>>> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\
>>>> Kerberos\Parameters\LogLevel
>>>>
>>>> to 1 via regedit on the WS 2008 system, and that did turn on
>>>> some Kerberos logging, but nothing regarding the kinit failure.
>>>>
>>>> Any idea what might be wrong, or how we could get more information
>>>> from the WS 2008 system?
>>>>
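The thread compares two UserAccountControl values (0x210200 on 2003 versus 0x10200 on 2008) and asks whether the keytab kvno matches the msDS-KeyVersionNumber attribute. The following script is an added example, not code from the thread or from Heimdal, that decodes a UserAccountControl value into its documented flag names, reports which flags differ between two accounts, and compares a keytab kvno against the attribute value (which may be unreadable, as on 2008 before the Constructed filter is enabled). The sample values are the ones quoted in the thread; the kvno values are constructed for illustration.

```python
# Added example: decode and diff AD userAccountControl flags, and check a
# keytab kvno against msDS-KeyVersionNumber. Flag values are the documented
# userAccountControl bits; the sample kvno numbers below are constructed.

UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit
    first. Bits without a documented name are reported as UNKNOWN_0x....."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(UAC_FLAGS.get(mask, f"UNKNOWN_0x{mask:08X}"))
    return names


def diff_uac(reference, candidate):
    """Return (flags only on reference, flags only on candidate) so that two
    accounts (e.g. the 2003 and 2008 copies) can be compared side by side."""
    ref = set(decode_uac(reference))
    cand = set(decode_uac(candidate))
    return ref - cand, cand - ref


def check_kvno(keytab_kvno, msds_key_version):
    """Compare the kvno stored in the keytab with msDS-KeyVersionNumber.
    The attribute is a constructed attribute and may not be readable from a
    given tool; None means it could not be read, not that it is zero."""
    if msds_key_version is None:
        return ("unverifiable: msDS-KeyVersionNumber not readable "
                "(in ADSIedit, set Filter to show Constructed attributes)")
    if keytab_kvno == msds_key_version:
        return "ok"
    return (f"mismatch: keytab kvno {keytab_kvno} != "
            f"msDS-KeyVersionNumber {msds_key_version}")


if __name__ == "__main__":
    uac_2003 = 2163200        # 0x210200, as quoted in the thread
    uac_2008 = 0x10200        # as quoted in the thread
    print("2003:", decode_uac(uac_2003))
    print("2008:", decode_uac(uac_2008))
    only_2003, only_2008 = diff_uac(uac_2003, uac_2008)
    print("only on 2003:", sorted(only_2003), "only on 2008:", sorted(only_2008))
    # Constructed kvno values for illustration only.
    print(check_kvno(keytab_kvno=3, msds_key_version=3))
    print(check_kvno(keytab_kvno=3, msds_key_version=None))
```

Running it shows that the extra bit on the 2003 account is USE_DES_KEY_ONLY (the flag the thread saw truncated as "USE_DES_K"); the kvno check is deliberately conservative about an unreadable attribute, since an absent value is not evidence that the keytab is stale.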