Lars Schimmer wrote:
>
> Hi!
>
> I want to set up a Windows 2008R2 server as an AD with a KDC to obtain
> krb5 tickets and later on obtain OpenAFS tokens with these tickets.
>
> Our setup:
> running Windows 2003 server with AD CGV.TUGRAZ.AT and running krb5 kdc
> on it.
> User, service principal afs for OpenAFS, works good so far.
>
> I added a second server with Windows 2008R2, added 2nd server to the AD
> domain and raised 2nd server as AD server.
>
> I set on the Win 2008R2:
> - - Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with
> value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc.
> - - In the DC's Local Security Policy, I enabled all ciphers by checking
> all 6 boxes at Security Settings \ Local Policies \ Security Options \
> "Network security: Configure encryption types allowed for Kerberos"
> - - I set "use DES enctypes" for some test users (it was enabled for the
> afs service principal)
>
> I restarted the Win 2008R2 and set up a test client with Debian and krb5
> version 1.8+dfsg~alpha1-7.
> I have a Windows 7 Enterprise test machine, too.
>
> On debian client I set the:
>
> allow_weak_crypto = true
> option in krb5.conf.
>
> With the Win 2003 kdc server I could obtain tickets and tokens.
> If I set the Win2008R2 server active in krb5.conf I get the:
> kinit: KDC has no support for encryption type while getting initial
> credentials
> error.
What user are you using with the kinit?
Does a network trace show anything?
We have seen issues with using the kinit -k with a keytab
if the keytab does not have the highest enctype both client and server
support (AES256).
All of our DCs are now 2008R2, and afs aklog works well on
Solaris 9 and 10; Ubuntu Dapper-Karmic; Windows XP, Vista and W7 clients.
> This error appears on Win7 with Network ID Manager 1.3.1.0, too.
>
> Any idea how I can set the win2008R2 active to send out valid tickets
> from which I could obtain OpenAFS tokens?
>
>
> MfG,
> Lars Schimmer
> --
> -------------------------------------------------------------
> TU Graz, Institut für ComputerGraphik & WissensVisualisierung
> Tel: +43 316 873-5405 E-Mail: l.sch...@cgv.tugraz.at
> Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Anyhow, the solution for us was to add the following to /etc/krb5.conf in
the [libdefaults] section:
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
We had created our keytabs using Samba's 'net' command.
Jeffrey.
Douglas E. Engert wrote:
>
>
>> What user are you using with the kinit?
I did use the users with "use DES enctypes" enabled.
Now I tried with the users without this function enabled and I get
tickets. But no tokens :-(
Error:
adiotest:~# kinit schimmer
Password for schi...@CGV.TUGRAZ.AT:
adiotest:~# aklog
aklog: Couldn't get cgv.tugraz.at AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets
adiotest:~# tokens
Tokens held by the Cache Manager:
--End of list--
adiotest:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: schi...@CGV.TUGRAZ.AT
Valid starting Expires Service principal
03/10/10 10:18:24 03/11/10 10:18:24 krbtgt/CGV.TU...@CGV.TUGRAZ.AT
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
So looks like no DES enctype for OpenAFS.
But I need DES enctypes.
>> Does a network trace show anything?
Not so far yet.
>> We have seen issues with using the kinit -k with a keytab
>> if the keytab does not have the highest enctype both client and server
>> support (AES256).
I want to obtain tokens with the PAM module later on (and on Windows 7
while login, I never used the -k option so far).
>> All of our DCs are now 2008R2, and afs aklog works well on
>> Solaris 9 and 10; Ubuntu Dapper-Karmic; Windows XP, Vista and W7
>> clients.
I want that setup, too. But how do I enable the DES enctypes....
Thank you so far.
MfG,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: l.sch...@cgv.tugraz.at
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
Lars Schimmer wrote:
>
> Douglas E. Engert wrote:
>>
>
>>> What user are you using with the kinit?
>
> I did use the users with "use DES enctypes" enabled.
Only the AD account for the afs and afs/cell principals
need to have DES. All others can use the defaults.
> Now I tried with the users without this function enabled and I get
> tickets. But no tokens :-(
> Error:
> adiotest:~# kinit schimmer
> Password for schi...@CGV.TUGRAZ.AT:
> adiotest:~# aklog
> aklog: Couldn't get cgv.tugraz.at AFS tickets:
> aklog: unknown RPC error (-1765328370) while getting AFS tickets
> adiotest:~# tokens
>
aklog -d will show some debug output.
What versions of OpenAFS and Kerberos are running on the client?
> Tokens held by the Cache Manager:
>
> --End of list--
> adiotest:~#
>
> klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: schi...@CGV.TUGRAZ.AT
>
> Valid starting Expires Service principal
> 03/10/10 10:18:24 03/11/10 10:18:24 krbtgt/CGV.TU...@CGV.TUGRAZ.AT
> Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>
> So looks like no DES enctype for OpenAFS.
You also said in a previous note:
> I set on the Win 2008R2:
> - - Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with
> value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc.
> - - In the DC's Local Security Policy, I enabled all ciphers by checking
> all 6 boxes at Security Settings \ Local Policies \ Security Options \
> "Network security: Configure encryption types allowed for Kerberos"
> - - I set "use DES enctypes" for some test users (it was enabled for the
> afs service principal)
I don't recall asking our AD admin to make these registry changes in 2008
to get AFS to work. This may be your problem. It may override
the ADS_UF_USE_DES_KEY_ONLY in the UserAccountControl attribute in the account.
On the afs service account what are the values of the
msDS-SupportedEncryptionTypes, UserAccountControl and msDS-KeyVersionNumber
attributes?
http://msdn.microsoft.com/en-us/library/cc223853(PROT.13).aspx
http://msdn.microsoft.com/en-us/library/ms680832(VS.85).aspx
> But I need DES enctypes.
>
>>> Does a network trace show anything?
>
> Not so far yet.
Wireshark can show the AS-REQ when aklog requests the ticket
for afs/afs/cgv.tugraz.at, and the AS-REP or ERROR packet returned.
>
>>> We have seen issues with using the kinit -k with a keytab
>>> if the keytab does not have the highest enctype both client and server
>>> support (AES256).
>
> I want to obtain tokens with the PAM module later on (and on Windows 7
> while login, I never used the -k option so far).
>
>>> All of our DCs are now 2008R2, and afs aklog works well on
>>> Solaris 9 and 10; Ubuntu Dapper-Karmic; Windows XP, Vista and W7
>>> clients.
>
> I want that setup, too. But how do I enable the DES enctypes....
>
> Thank you so far.
>
> MfG,
> Lars Schimmer
> --
> -------------------------------------------------------------
> TU Graz, Institut für ComputerGraphik & WissensVisualisierung
> Tel: +43 316 873-5405 E-Mail: l.sch...@cgv.tugraz.at
> Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
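As an added example (not from the thread, OpenAFS or MIT Kerberos code), here is a small decoder for the two account attributes Douglas asks about and for the raw number aklog printed: -1765328370 is com_err base -1765328384 plus protocol error 14, i.e. KRB5KDC_ERR_ETYPE_NOSUPP, the same "KDC has no support for encryption type" kinit reported earlier. The enctype bit values and the ADS_UF_USE_DES_KEY_ONLY flag are the documented ones; the precedence rule (attribute when set, otherwise the UAC flag) is my reading of MS-KILE and should be checked against the MSDN links above, and every sample value is constructed.

```python
from typing import List, Optional

# msDS-SupportedEncryptionTypes bit flags (documented values)
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
DES_BITS = 0x03
# UserAccountControl flag "Use DES encryption types for this account"
ADS_UF_USE_DES_KEY_ONLY = 0x200000

# com_err base of the krb5 error table; protocol error 14 = ETYPE_NOSUPP
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5_ERRORS = {14: "KRB5KDC_ERR_ETYPE_NOSUPP: KDC has no support for encryption type"}


def krb5_error_name(code: int) -> str:
    """Translate a raw com_err number such as aklog's -1765328370."""
    return KRB5_ERRORS.get(code - KRB5_ERROR_TABLE_BASE, "unknown krb5 error %d" % code)


def supported_enctypes(mssupp: Optional[int]) -> List[str]:
    """Names of the enctypes set in msDS-SupportedEncryptionTypes (None = unset)."""
    if not mssupp:
        return []
    return [name for bit, name in ENCTYPE_BITS.items() if mssupp & bit]


def can_issue_des(mssupp: Optional[int], uac: int) -> bool:
    """Whether the KDC may issue single-DES keys for this account.

    Assumption (from MS-KILE): when msDS-SupportedEncryptionTypes is set it
    decides; only when it is unset does ADS_UF_USE_DES_KEY_ONLY matter.
    """
    if mssupp:
        return bool(mssupp & DES_BITS)
    return bool(uac & ADS_UF_USE_DES_KEY_ONLY)


if __name__ == "__main__":
    # Constructed values for a hypothetical afs/cell account, read e.g. with
    # ldapsearch or Get-ADUser -Properties; not real CGV.TUGRAZ.AT data.
    mssupp, uac = 0x1C, 0x10200 | ADS_UF_USE_DES_KEY_ONLY
    print("supported:", supported_enctypes(mssupp))
    print("DES usable:", can_issue_des(mssupp, uac))
    print("aklog error:", krb5_error_name(-1765328370))
```

Run against the real attribute values of the afs and afs/cell accounts, an account whose DES flag is set but whose msDS-SupportedEncryptionTypes lacks the DES bits is the mismatch to look for.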
Douglas E. Engert wrote:
> Your problem is more of an OpenAFS problem in how it has to use
> DES. You should ask on the OpenAFS list, as there
> have been similar issues before on setting up the afs/cell
> principal.
Maybe, maybe not. As it works with 2003, it is somehow problem of 2008R2
sending out the correct DES enctypes.
>>>>> What user are you using with the kinit?
>
> I did use the users with "use DES enctypes" enabled.
>
>> Only the AD account for the afs and afs/cell principals
>> need to have DES. All others can use the defaults.
Ok, good to know.
> Now I tried with the users without this function enabled and I get
> tickets. But no tokens :-(
> Error:
> adiotest:~# kinit schimmer
> Password for schi...@CGV.TUGRAZ.AT:
> adiotest:~# aklog
> aklog: Couldn't get cgv.tugraz.at AFS tickets:
> aklog: unknown RPC error (-1765328370) while getting AFS tickets
> adiotest:~# tokens
>
>
>> aklog -d will show some debug output.
>
>> What versions of OpenAFS and Kerberos are running on the client?
OpenAFS 1.4.11 from lenny-backports and krb5-user:
Installed: 1.8+dfsg~alpha1-7
On Win7 netID manager 1.3.1.0
> Tokens held by the Cache Manager:
>
> --End of list--
> adiotest:~#
>
> klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: schi...@CGV.TUGRAZ.AT
>
> Valid starting Expires Service principal
> 03/10/10 10:18:24 03/11/10 10:18:24 krbtgt/CGV.TU...@CGV.TUGRAZ.AT
> Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>
> So looks like no DES enctype for OpenAFS.
>
>> You also said in a previous note:
>
> I set on the Win 2008R2:
> - Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with
> value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc.
> - In the DC's Local Security Policy, I enabled all ciphers by checking
> all 6 boxes at Security Settings \ Local Policies \ Security Options \
> "Network security: Configure encryption types allowed for Kerberos"
> - I set "use DES enctypes" for some test users (it was enabled for the
> afs service principal)
>
>
>> I don't recall asking our AD admin to make these registry changes in 2008
>> to get AFS to work. This may be your problem. It may override
>> the ADS_UF_USE_DES_KEY_ONLY in the UserAccountControl attribute in the
>> account.
Hm. Other guys told me I have to re-enable the DES enctypes to use the server
with OpenAFS again. But if the setting in the AD says "enable DES", it
should be the same as "use DES enctypes" in the account, isn't it?
>> On the afs service account what are the values of the
>> msDS-SupportedEncryptionTypes, UserAccountControl and msDS-KeyVersionNumber
>> attributes?
>
>> http://msdn.microsoft.com/en-us/library/cc223853(PROT.13).aspx
>> http://msdn.microsoft.com/en-us/library/ms680832(VS.85).aspx
Got me - where to change those parts? In the account details of the
domain I do not see those.
Thank you so far.
MfG,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: l.sch...@cgv.tugraz.at
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
Hi!
Just want to note here, that problem was solved with a (not yet public)
patch from Microsoft.
http://support.microsoft.com/?kbid=978055
Go and ask your Microsoft Support for it.
Looks like it only happens on x64 servers.
MfG,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: l.sch...@cgv.tugraz.at
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
Hi Lars,
Actually I would not be surprised if that "hot fix" is never made
public. DES is being phased out. If you have any Windows accounts that
use DES, you should update them to AES-256, AES-128 or RC4 in that
order of preference.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
OpenAFS also requires single DES, which is what the original poster is
using based on a similar message sent to the openafs mailing list.
Well, as an NFS on Linux user (albeit without Kerberos) I hope whoever
is responsible for that code has a plan to parameterize the enctype.
I have confirmation from Microsoft that this "hot fix" will be
published. The failure to publish
this "hot fix" was an oversight.
Jeffrey Altman
Michael B Allen wrote:
> On Mon, Mar 22, 2010 at 12:01 PM, Lars Schimmer
> <l.sch...@cgv.tugraz.at> wrote:
>> Hi!
>>
>> Just want to note here, that problem was solved with a (not yet public)
>> patch from Microsoft.
>> http://support.microsoft.com/?kbid=978055
>>
>> Go and ask your Microsoft Support for it.
>>
>> Looks like it only happens on x64 servers.
>
> Hi Lars,
>
> Actually I would not be surprised if that "hot fix" is never made
> public. DES is being phased out. If you have any Windows accounts that
> use DES, you should update them to AES-256, AES-128 or RC4 in that
> order of preference.
As others already posted, I need DES enctypes for OpenAFS.
OpenAFS is already on the way to be able to use newer/better/safer
enctypes, but it cannot change overnight.
Thanks to Jeffrey Altman for the notice about patch being published by MS.
And as addendum: patch is needed if you run a Win2003 Server and a
Win2008R2 x64 server and you need DES enctypes.
> Mike
>
MfG,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: l.sch...@cgv.tugraz.at
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723