Thank you, Todd Grayson, for the detailed information.

On Thu, Nov 8, 2018 at 10:07 PM Todd Grayson <tgray...@cloudera.com> wrote:
>
> oops, typo by me:
>
> You are hard forcing AES for initial ticket granting ticket with the settings
> you are using for enctypes.
>
> Should read
>
> You are hard forcing AES for initial session key and ticket granting ticket
> with the settings you are using for enctypes.
>
> On Thu, Nov 8, 2018 at 9:35 AM Todd Grayson <tgray...@cloudera.com> wrote:
>>
>> You are hard forcing AES for initial ticket granting ticket with the
>> settings you are using for enctypes. Unset (comment out) the 3 enctype
>> lines for one of your tests. How to comment out lines in the krb5.conf is
>> covered in the second paragraph here:
>>
>> https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
>>
>> Use klist -ef after you successfully authenticate and inspect the ticket
>> encryption types used. It will look something like this after commenting
>> out those lines I mentioned and then retrying your kinit:
>>
>> dude@host:~$ kinit administra...@ad.sec.example.com
>> Password for administra...@ad.sec.example.com:
>> dude@host:~$ klist -ef
>> Ticket cache: FILE:/tmp/krb5cc_1000
>> Default principal: administra...@ad.sec.example.com
>>
>> Valid starting       Expires              Service principal
>> 11/08/2018 09:16:00  11/08/2018 19:16:00  krbtgt/ad.sec.example....@ad.sec.example.com
>>         renew until 11/15/2018 09:15:53, Flags: FRIA
>>         Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
>>
>> You can see on the Etype line, by default the initial session key is actually
>> rc4-hmac (arcfour-hmac is the same thing, just a different name). But the actual
>> ticket granting ticket. The above example is against a Windows 2008 KDC, but
>> 2016 is probably doing the same thing for backward compatibility.
>>
>>
>> Kerberos will negotiate the strongest encryption types by default within the
>> available configuration.
>>
>> AD exposes per user account settings in the properties dialog, under account
>> details, that allow you to set using AES encryption types. Doing it for all
>> accounts would be a global policy in AD. This mailing list does not really
>> cover how to manage Active Directory as a KDC at that level; Microsoft
>> discussion boards would be best there.
>>
>> Given you are new to Kerberos, I would suggest starting here; reading this
>> will help you understand your terminology, what to search/google for, how
>> things work in Kerberos, etc.
>>
>> http://www.kerberos.org/software/tutorial.html
>>
>> The administration guide would be the next step.
>>
>> Microsoft AD Kerberos info is here; I would start with this AFTER going
>> through the Kerberos tutorial.
>>
>> https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-kerberos
>>
>>
>>
>> On Thu, Nov 8, 2018 at 9:03 AM Silambarasan Madhappan
>> <silambarasa...@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> I am new to Kerberos. I am not able to obtain Kerberos
>>> ticket-granting tickets with strong encryption types from "Windows
>>> Server 2016 AD".
>>>
>>> My client Kerberos configuration is as below
>>> ========================
>>>
>>> $ cat /etc/krb5.conf
>>> [libdefaults]
>>>     default_realm = CIFS.COM
>>>     default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>>>     default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>>>     preferred_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>>>     ccache_type = 2
>>>
>>> [realms]
>>>     CIFS.COM = {
>>>         kdc = WIN.cifs.com:88
>>>     }
>>>
>>> [domain_realm]
>>>     .cifs.com = CIFS.COM
>>>
>>> [logging]
>>>     kdc = FILE:/var/log/krb5kdc.log
>>>     admin_server = FILE:/var/log/kadmin.log
>>>     default = FILE:/var/log/krb5lib.log
>>> [bash4.2]$
>>>
>>> Issue :
>>> =====
>>> $ kinit Administrator
>>> kinit(v5): KDC has no support for encryption type while getting
>>> initial credentials
>>> $
>>>
>>> Please let me know where I can find the KDC configuration types in
>>> Active Directory (Windows Server 2016)?
>>> Do I have to change any configuration on the Kerberos client or server?
>>> Please help me on this.
>>>
>>> Thanks,
>>> Silambarasan M
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos@mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>>
>> --
>> Todd Grayson
>> Customer Operations Engineering
>> Security SME
>
>
>
> --
> Todd Grayson
> Customer Operations Engineering
> Security SME
>
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
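As an added example (not part of the thread, and not Todd's or MIT's code), a small Python script that does the two checks discussed above without touching a KDC: it parses `klist -ef` output and flags a weak (RC4/DES) session-key or ticket enctype, and it inspects the `*_enctypes` lines in the `[libdefaults]` section of a krb5.conf, reports when `default_tkt_enctypes` is restricted to AES types only (the setting the reply identifies as forcing AES for the initial request), and produces the commented-out variant suggested for the test. The embedded klist output and krb5.conf are constructed samples modelled on what was posted (principal and realm names are made up); the weak/AES classification of enctype names is this example's own.

```python
"""Audit Kerberos enctype negotiation offline.

Added example; not from the mailing-list thread. Sample inputs below are
constructed, modelled on the klist -ef output and krb5.conf in the thread.
"""
import re

# Enctype names as MIT krb5 prints them. rc4-hmac and arcfour-hmac are the
# same type under different names, so fold them before classifying.
ALIASES = {"rc4-hmac": "arcfour-hmac", "rc4-hmac-md5": "arcfour-hmac"}
WEAK_ETYPES = {"arcfour-hmac", "arcfour-hmac-exp",
               "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
AES_ETYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
              "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"}

# A ticket line: "<valid starting>  <expires>  <service principal>".
# The principal is optional because mail clients often wrap it onto the
# following line, as happened in the thread.
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s*(\S+)?$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")


def canon(name):
    """Lower-case an enctype name and collapse known aliases."""
    name = name.lower()
    return ALIASES.get(name, name)


def parse_klist_ef(text):
    """Return one dict per ticket with service principal, session-key (skey)
    and ticket (tkt) enctypes, plus weak_skey/weak_tkt flags."""
    tickets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET_RE.match(line)
        if m:
            cur = {"valid": m.group(1), "expires": m.group(2),
                   "service": m.group(3), "skey": None, "tkt": None}
            tickets.append(cur)
            continue
        if cur is None:
            continue
        if cur["service"] is None and line and \
                not line.startswith(("renew", "Etype", "Flags")):
            cur["service"] = line          # wrapped principal line
            continue
        m = ETYPE_RE.search(line)
        if m:
            cur["skey"], cur["tkt"] = canon(m.group(1)), canon(m.group(2))
    for t in tickets:
        t["weak_skey"] = t["skey"] in WEAK_ETYPES
        t["weak_tkt"] = t["tkt"] in WEAK_ETYPES
    return tickets


def libdefaults_enctypes(conf):
    """Return {directive: [enctypes]} for every *_enctypes line in [libdefaults].
    Lines starting with '#' or ';' are comments, per the krb5.conf format."""
    result, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key.endswith("_enctypes"):
            result[key] = [canon(v) for v in value.split()]
    return result


def forces_aes_only(conf):
    """True when default_tkt_enctypes lists only AES types, i.e. the client
    will not accept anything but AES for the initial ticket."""
    types = libdefaults_enctypes(conf).get("default_tkt_enctypes")
    return bool(types) and all(t in AES_ETYPES for t in types)


def comment_out_enctypes(conf):
    """Return conf with every [libdefaults] *_enctypes line prefixed by '#',
    leaving the library to use its built-in default enctype list."""
    out, section = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and line and line[0] not in "#;":
            if line.partition("=")[0].strip().lower().endswith("_enctypes"):
                out.append("#" + raw)
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample data (made-up realm and principal).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@CIFS.COM

Valid starting       Expires              Service principal
11/08/2018 09:16:00  11/08/2018 19:16:00  krbtgt/CIFS.COM@CIFS.COM
\trenew until 11/15/2018 09:15:53, Flags: FRIA
\tEtype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
"""

SAMPLE_CONF = """\
[libdefaults]
    default_realm = CIFS.COM
    default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
    default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
    preferred_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
    ccache_type = 2

[realms]
    CIFS.COM = {
        kdc = WIN.cifs.com:88
    }
"""

if __name__ == "__main__":
    for t in parse_klist_ef(SAMPLE_KLIST):
        print(f"{t['service']}: skey={t['skey']}{' (WEAK)' if t['weak_skey'] else ''}"
              f" tkt={t['tkt']}{' (WEAK)' if t['weak_tkt'] else ''}")
    print("client forces AES-only initial ticket:", forces_aes_only(SAMPLE_CONF))
    print(comment_out_enctypes(SAMPLE_CONF))
```

Run it against real output with `klist -ef | python3 audit_enctypes.py`-style plumbing by reading `sys.stdin` in place of the sample; the point of the parser is that the `Etype (skey, tkt)` line is the only place the negotiated session-key type is visible, and a weak session key can hide behind an AES-encrypted ticket, exactly as in the posted output.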