Re: gssapi-with-mic and a Windows AD KDC



You probably need to specify the encryption type when you run
ktpass.exe on the Domain Controller. I didn't use the CRC encryption
but rather the MD5 encryption because I believe 2K3 does not support
CRC.

On your KTPASS.EXE command line, add the following switch: -crypto DES-CBC-MD5

You will also need to change your krb5.conf file and remove these entries:

default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc


I have used this article from Microsoft to integrate Unix machines
into AD for authentication. If you haven't seen it, it really is
pretty good:
http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/default.mspx


-Sam


On 3/14/06, Ian Grant <ian.grant@xxxxxxxxxxxx> wrote:

On 14 Mar 2006, at 03:15, Cribb, Jay [GovSG] wrote:

Use des-cbc-crc for ticket and keytab export (it's the type that's
usually the least common denominator)
Is this Windows 2000 or Windows 2003?

Thanks. It's 2003. I seem not to be able to get the enctype to be
des-cbc-crc for the ticket. In /etc/krb5.conf I have

[libdefaults]
default_realm = AD.CL.CAM.AC.UK
clockskew = 300
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc

The host keytab looks like this:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 host/somehost.cl.cam.ac.uk@xxxxxxxxxxxxxxx (DES cbc mode with CRC-32)

But my ticket for the host principal still ends up des-cbc-md5:

Ticket cache: FILE:/tmp/krb5cc_1696
Default principal: ig206@xxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
03/14/06 10:50:28  03/14/06 20:50:32  krbtgt/AD.CL.CAM.AC.UK@xxxxxxxxxxxxxxx
        renew until 03/15/06 10:50:28, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
03/14/06 10:50:47  03/14/06 20:50:32  host/somehost.cl.cam.ac.uk@xxxxxxxxxxxxxxx
        renew until 03/15/06 10:50:28, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
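The diagnostic behind this thread, as an added example that is not code from the original posts: a small Python script that parses `klist -e` and `klist -k -e` style output, maps the display names to the enctype keywords used in krb5.conf and by `ktpass -crypto`, and flags any service ticket whose ticket enctype has no matching key in the host keytab. The sample output embedded below is constructed to mirror the quoted symptom; the realm, principal and cache path in it are placeholders, not values from the thread.

```python
"""Cross-check service-ticket enctypes against the keys held in a host keytab.

Added example for the thread above (not from the original posts). The klist
output is constructed to reproduce the reported symptom; realm, principal and
file names are placeholders.
"""
import re

# Display names printed by MIT `klist -e` / `klist -k -e`, mapped to the
# enctype keywords used in krb5.conf and accepted by ktpass -crypto.
ENCTYPE_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
}

# Constructed `klist -e` output: the host/ service ticket was issued with a
# des-cbc-md5 key, while the session key (skey) is des-cbc-crc.
SAMPLE_TICKETS = """\
Ticket cache: FILE:/tmp/krb5cc_1696
Default principal: user@AD.EXAMPLE.TEST

Valid starting     Expires            Service principal
03/14/06 10:50:28  03/14/06 20:50:32  krbtgt/AD.EXAMPLE.TEST@AD.EXAMPLE.TEST
\trenew until 03/15/06 10:50:28, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
03/14/06 10:50:47  03/14/06 20:50:32  host/somehost.example.test@AD.EXAMPLE.TEST
\trenew until 03/15/06 10:50:28, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
"""

# Constructed `klist -k -e` output: the keytab only holds a des-cbc-crc key.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 host/somehost.example.test@AD.EXAMPLE.TEST (DES cbc mode with CRC-32)
"""

TICKET_LINE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$")
ETYPE_LINE = re.compile(r"Etype \(skey, tkt\): (.+?), (.+)$")
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)$")


def to_keyword(display_name):
    """Map a klist display name to its krb5.conf keyword; unknown names pass through."""
    return ENCTYPE_NAMES.get(display_name.strip(), display_name.strip())


def parse_tickets(text):
    """Return {service principal: (session-key enctype, ticket enctype)}."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            current = m.group(1)  # principal line; the Etype line follows it
            continue
        m = ETYPE_LINE.search(line)
        if m and current:
            tickets[current] = (to_keyword(m.group(1)), to_keyword(m.group(2)))
            current = None
    return tickets


def parse_keytab(text):
    """Return {principal: {enctype keyword, ...}} from `klist -k -e` output."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(to_keyword(m.group(3)))
    return keys


def find_mismatches(tickets, keytab):
    """List (principal, ticket enctype, keytab enctypes) for every principal the
    keytab knows but for which it holds no key of the type the KDC used to
    encrypt the ticket. The service cannot decrypt such a ticket, so GSSAPI
    authentication to it fails."""
    problems = []
    for principal, (_skey, tkt_etype) in tickets.items():
        if principal in keytab and tkt_etype not in keytab[principal]:
            problems.append((principal, tkt_etype, sorted(keytab[principal])))
    return problems


if __name__ == "__main__":
    found = find_mismatches(parse_tickets(SAMPLE_TICKETS), parse_keytab(SAMPLE_KEYTAB))
    for principal, tkt_etype, have in found:
        print(f"{principal}: ticket encrypted with {tkt_etype}, keytab only has {', '.join(have)}")
```

The check encodes the point made in the replies: the KDC encrypts a service ticket with the key it holds for the service account, so the client-side `default_tgs_enctypes` and `permitted_enctypes` settings do not change the ticket enctype; what matters is that the keytab contains a key of the type the KDC used, which is what exporting it with the matching `-crypto` value gives you. On a current MIT Kerberos the DES enctypes in this thread are refused outright unless `allow_weak_crypto = true` is set, so the same keytab-versus-ticket comparison is what to run when an AES-keyed account fails in the same way.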




