-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I am working with integrating various Linux distros as domain members with an Active Directory Domain running on Windows Server 2008 R2 native. The Domain admins have allowed DES keys for backwards (NFS) compatibility, but prefer the default enctypes supported in 2008 R2: http://support.microsoft.com/kb/977321

* AES256-CTS-HMAC-SHA1-96
* AES128-CTS-HMAC-SHA1-96
* RC4-HMAC

I would like to allow the Domain Members to work with their own keytabs via the "net ads keytab" command set, but have found that the default (i.e. "net ads keytab create -P" or "net ads keytab add HTTP -P") only creates the two DES and ArcFour with HMAC/md5 enctypes; no AES enctypes are listed. The Domain admins can use tools on their side to create SPNs and keytabs that have AES, and we would prefer them over DES/ArcFour except in special circumstances:

# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 host/IU-ITPS-RHEL6AD@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 host/IU-ITPS-RHEL6AD@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 host/IU-ITPS-RHEL6AD@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU (ArcFour with HMAC/md5)

# net ads keytab list -P
Vno  Type                        Principal
  5  DES cbc mode with CRC-32    host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5   host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  ArcFour with HMAC/md5       host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  DES cbc mode with CRC-32    host/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5   host/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  ArcFour with HMAC/md5       host/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  DES cbc mode with CRC-32    IU-ITPS-RHEL6AD$@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5   IU-ITPS-RHEL6AD$@ADS.IU.EDU
  5  ArcFour with HMAC/md5       IU-ITPS-RHEL6AD$@ADS.IU.EDU
  5  DES cbc mode with CRC-32    ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5   ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  ArcFour with HMAC/md5       ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  DES cbc mode with CRC-32    ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5   ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  ArcFour with HMAC/md5       ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU

Is there a way to have the "net" command specify enctypes when working with keytabs?

Thanks,
Robert

-- 
________
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1St5MACgkQup357T5MfTaH3ACeMion3aBVfmu5UkHT1e9jgi2m
p5MAoJIGjeIWs7LTQvy1jAIxq5IXyhsV
=bDeC
-----END PGP SIGNATURE-----
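The post's "klist -ke" listing shows every principal carrying only DES and RC4 keys, which is exactly the condition an administrator wants to detect on a fleet of domain members before and after fixing the keytab. The script below is an added example, not part of Robert's message or of Samba or MIT Kerberos; it parses "klist -ke" text (the MIT layout shown in the post, with either the long enctype names above or the short names such as "aes256-cts-hmac-sha1-96" that newer releases print) and reports which principals have no key stronger than single DES or RC4. The function names and the sample keytab listing are constructed for the example.

```sh
#!/bin/sh
# Added example (hypothetical helper): audit the enctypes in a keytab from
# "klist -ke" output. Run on a real host as:  klist -ke | weak_only_principals

# Constructed sample in the shape of the post's listing: the host principal has
# only DES and RC4 keys, while an HTTP principal also carries an AES-256 key.
SAMPLE_KLIST='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 HTTP/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 HTTP/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (ArcFour with HMAC/md5)'

# classify_keys: read "klist -ke" text on stdin and print one
# "<principal> <class>" line per key entry, where class is
# aes | des3 | des | rc4 | other. Header and separator lines are skipped
# because they do not start with a KVNO followed by a principal and "(".
classify_keys() {
    awk '
    /^ *[0-9]+ [^ ]+ \(/ {
        princ = $2
        enc = $0
        sub(/^[^(]*\(/, "", enc)      # drop everything up to the opening "("
        sub(/\).*$/, "", enc)         # drop the closing ")" and anything after
        enc = tolower(enc)            # accept long and short MIT enctype names
        if      (enc ~ /^aes/)                 cls = "aes"
        else if (enc ~ /^(des3|triple des)/)   cls = "des3"
        else if (enc ~ /^des/)                 cls = "des"
        else if (enc ~ /^(arcfour|rc4)/)       cls = "rc4"
        else                                   cls = "other"
        print princ, cls
    }'
}

# weak_only_principals: principals whose keys are all single DES or RC4,
# i.e. the ones that cannot take an AES-encrypted service ticket at all.
# Output is sorted so it is stable for scripting and diffing across hosts.
weak_only_principals() {
    classify_keys | awk '
    { seen[$1] = 1; if ($2 != "des" && $2 != "rc4") strong[$1] = 1 }
    END { for (p in seen) if (!(p in strong)) print p }' | sort
}

# enctype_summary: "<class> <count>" per enctype class, sorted by class.
enctype_summary() {
    classify_keys | awk '{ n[$2]++ } END { for (c in n) print c, n[c] }' | sort
}

# Demonstration on the constructed sample.
echo "Principals with only DES/RC4 keys:"
printf '%s\n' "$SAMPLE_KLIST" | weak_only_principals
echo "Key count per enctype class:"
printf '%s\n' "$SAMPLE_KLIST" | enctype_summary
```

Only the host principal is reported for the sample, because the HTTP principal's AES key counts as strong even though it also keeps an RC4 key; the summary shows one AES, one DES and two RC4 entries. Running the real "klist -ke" through weak_only_principals on a member before and after re-creating its keytab gives a quick check that the AES enctypes the domain prefers actually made it into the file.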