I had not tried ktpass with a computer account before, but the procedure and 
command line outlined look ok. I would be a little wary of someone accidentally 
deleting the computer account since the password will never be changing and 
thus appear to be stale to the AD administrator.

If your issue is with ktpass.exe, the author IS using an older version of 
ktpass.exe and I know that command line parameters have changed somewhat. 
Also, AD no longer supports DES enctypes by default, but ktpass assumes that 
you want to set the account for DES-only enctypes... You could try using 
"-desonly" or check the computer account for the DES only flag. (Grasping at 
straws a bit)

ktpass /out testComputer.keytab /mapuser CONTOSO\Computer$ /princ host/computer.contoso....@contoso.com /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_SRV_HST /mapop set -desonly

I'll note that /crypto has allowed values 
{DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}
You might want to use AES instead or include more enctypes with a |

-Ross
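An added check, not from this thread or from MIT/Microsoft: a small parser for the MIT keytab format (0x0502) that ktpass writes, listing each entry's enctype so a DES- or RC4-only keytab is caught before the first kinit. The sample keytab is constructed in the block; the host principal and realm are placeholders.

```python
import struct

# Kerberos enctype numbers; DES and RC4 are the ones a keytab audit should flag.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}

def _cstr(buf, off):  # counted octet string: uint16 length + bytes
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse an MIT-format keytab (magic 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0: pos -= size; continue   # negative size marks a deleted slot
        e = data[pos:pos + size]
        (ncomp,) = struct.unpack(">H", e[:2])
        realm, off = _cstr(e, 2)
        comps = []
        for _ in range(ncomp): c, off = _cstr(e, off); comps.append(c)
        name_type, _ts, vno = struct.unpack(">IIB", e[off:off + 9]); off += 9
        enctype, klen = struct.unpack(">HH", e[off:off + 4]); off += 4 + klen
        if size - off >= 4:                  # optional 32-bit kvno overrides the 8-bit one
            vno = struct.unpack(">I", e[off:off + 4])[0] or vno
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "kvno": vno, "enctype": enctype})
        pos += size
    return entries

def weak_enctypes(data):
    """(principal, enctype name) for every DES or RC4 key in the keytab."""
    return [(e["principal"], ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])))
            for e in parse_keytab(data) if e["enctype"] in WEAK_ENCTYPES]

def build_keytab(entries):
    """Serialize (principal, name_type, kvno, enctype, key) tuples; test input only."""
    out = b"\x05\x02"
    for princ, name_type, kvno, enctype, key in entries:
        name, realm = princ.split("@")
        parts = [realm] + name.split("/")
        body = struct.pack(">H", len(parts) - 1)
        body += b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
        body += struct.pack(">IIBHH", name_type, 0, kvno & 0xFF, enctype, len(key))
        out += struct.pack(">i", len(body) + len(key) + 4) + body + key + struct.pack(">I", kvno)
    return out

# Constructed sample: a host/ principal (KRB5_NT_SRV_HST = 3) keyed with RC4 and AES256.
SAMPLE = build_keytab([("host/computer.contoso.com@CONTOSO.COM", 3, 2, 23, bytes(16)),
                       ("host/computer.contoso.com@CONTOSO.COM", 3, 2, 18, bytes(32))])
```

Run `weak_enctypes(open("testComputer.keytab", "rb").read())` on the real file; an empty list means only AES keys are present.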

-----Original Message-----
From: Faisal Ali [mailto:faisal.ali....@gmail.com] 
Sent: Wednesday, February 11, 2015 4:49 AM
To: Wilper, Ross; kerberos@mit.edu
Subject: Re: Establish FAST encrypted channel between linux client and windows 
server

http://kerberos.996246.n3.nabble.com/Creating-a-keytab-with-ktpass-under-a-Computer-account-td14074.html

I followed above link to create a computer account on Windows server and 
generate keytab to be used for first kinit. It doesn't seem to work. Have I 
employed wrong procedure or was this expected?

--------------
Faisal Ali 


On Mon Feb 09 2015 at 9:20:03 PM Wilper, Ross <rwil...@slac.stanford.edu> wrote:


        I would be interested to see if you can make this work. It's been a 
while since I've looked into this and did not get very far.
        
        It sounds like you are on the right path - one of the gotchas is that 
AD does not seem to support pkinit null, which is what many Kerberos 
implementations do to create the armor. What Windows machines do is to use the 
computer account as the armor for the user account logon. This may actually be 
a requirement (that the armor be a computer account) because the AD KDC wants 
to have both involved in the logon interaction so as to generate computer and 
user claims into the resulting ticket. I hope that I am wrong on that.
        
        -Ross
        
        -----Original Message-----
        From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of Faisal Ali
        Sent: Monday, February 9, 2015 5:55 AM
        To: kerberos@mit.edu
        Subject: Establish FAST encrypted channel between linux client and 
windows server
        
        I am trying to setup windows server for FAST encrypted channel support 
to test OTP pre authentication in kerberos.
        
        I have already tested on linux machine by deploying KDC using 
krb5-1.12.1 source code, freeradius server and using keytab of service 
principal to receive armor ccache to be used to establish FAST encrypted 
channel between client and KDC.
        
        I have setup windows server 2012 for kerberos, and added support for 
"KDC support for claims, compound authentication and Kerberos armoring" policy 
on it. I can receive TGT for service principal. But, when I execute the command 
"kinit -T <armor-cache> <principal>", KDC does not reply with any padata and no 
FAST encrypted channel is established (observed through wireshark log and 
Kerberos library logs).
        
        Is it possible to establish a FAST encrypted channel between linux 
client and Windows AD? Have I missed any setting?
        ________________________________________________
        Kerberos mailing list           Kerberos@mit.edu
        https://mailman.mit.edu/mailman/listinfo/kerberos
        

