Kerberos aes-256 encryption does not work
Server is RHEL7, Kerberos is AD (Windows). I'm just a KDC client.
Arcfour-hmac works fine, but when I change the encryption type to aes-256 and set up a new keytab, kinit still works, but not kvno. And even if the user has a valid ticket (in the klist), he can no longer start services.
I don't have access to AD Kerberos, but it is properly configured to use aes-256 as end users (on Windows computers) are already requesting tickets in this type of encryption.
My krb5.conf:
[libdefaults] default_realm = TOTO.NET dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true default_tkt_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc default_tgs_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc permitted_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc [realms] TOTO.NET = { kdc = kdc1.toto.net kdc = kdc2.toto.net admin_server = kdc1.toto.net } [domain_realm] .toto.net = TOTO.NET toto.net = TOTO.NET
And here are the errors I got when I try to purchase a ticket with kvno:
[2477332] 1493147723.961912: Getting credentials myuser@TOTO.NET -> nn/myserver@TOTO.NET using ccache FILE:/tmp/krb5cc_0
[2477332] 1493147723.962055: Retrieving myuser@TOTO.NET -> nn/myserver@TOTO.NET from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[2477332] 1493147723.962257: Retrieving myuser@TOTO.NET -> krbtgt/TOTO.NET@TOTO.NET from FILE:/tmp/krb5cc_0 with result: 0/Success
[2477332] 1493147723.962267: Starting with TGT for client realm: myuser@TOTO.NET -> krbtgt/TOTO.NET@TOTO.NET
[2477332] 1493147723.962274: Requesting tickets for nn/myserver@TOTO.NET, referrals on
[2477332] 1493147723.962309: Generated subkey for TGS request: aes256-cts/17DF
[2477332] 1493147723.962363: etypes requested in TGS request: aes256-cts, aes128-cts
[2477332] 1493147723.962504: Encoding request body and padata into FAST request
[2477332] 1493147723.962575: Sending request (1716 bytes) to TOTO.NET
[2477332] 1493147723.962725: Resolving hostname kdc1.TOTO.NET
[2477332] 1493147723.963054: Initiating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147723.964205: Sending TCP request to stream ip_of_kdc1:88
[2477332] 1493147724.3751: Received answer (329 bytes) from stream ip_of_kdc1:88
[2477332] 1493147724.3765: Terminating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147724.3846: Response was not from master KDC
[2477332] 1493147724.3879: Decoding FAST response
[2477332] 1493147724.3965: TGS request result: -1765328370/KDC has no support for encryption type
klist -ket mykeytab
Keytab name: FILE:nn.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 01/01/1970 01:00:00 nn/myserver01@TOTO.NET (aes256-cts-hmac-sha1-96)
1 03/22/2017 16:34:55 nn/myserver02@TOTO.NET (aes256-cts-hmac-sha1-96)
thanks for the help
source to share
Ask your AD administrator to enable support for AES-256 encryption types in the AD account associated with the keytab. To find this account, run the following command:
setspn -Q nn/myserver01@TOTO.NET
the output will be the account name. It will start with CN = xxx, where "xxx" is the name of the AD account. To enable support for AES-256 encryption types in your AD account, inform your AD administrator that the This account supports 256-bit Kerberos AES encryption checkbox must be verified and found in the Account tab as shown below.
source to share