tgt ticket problems

miquel miquel.comas at scytl.com
Mon Apr 22 10:06:29 MDT 2013


After the classicupgrade and domain level raise, we have some problems with
Kerberos.

# ./samba-tool domain exportkeytab /tmp.kt
# klist -k -e /tmp.kt |grep -i server
    1 SERVER$@DOMAIN.LOCAL (arcfour-hmac)
    1 SERVER$@DOMAIN.LOCAL (des-cbc-md5)
    1 SERVER$@DOMAIN.LOCAL (des-cbc-crc)
# klist -k -e /tmp.kt |grep -i tgt
    1 krbtgt@DOMAIN.LOCAL (arcfour-hmac)
    1 krbtgt@DOMAIN.LOCAL (des-cbc-md5)
    1 krbtgt@DOMAINLOCAL (des-cbc-crc)

As you can see, the keytab entries for SERVER (Samba 4 DC) and krbtgt use
arcfour-hmac instead of aes256-cts-hmac-sha1-96.
If we change the password for these accounts, the keytab is updated, but the
service stops working.

In the client we have the same problem with CIFS service:

22/04/13 11:28:14  22/04/13 21:27:23  cifs/server@DOMAIN.LOCAL
         renew until 22/04/13 23:27:23, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
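
A check for the condition shown in the listings above, as an added example that is not part of the original post: it reads `klist -k -e` output in the MIT layout seen in the post and reports every principal that has no AES key at all. The function names, the `EXAMPLE.TEST` realm and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a keytab listing for principals without any AES key.
# Usage with a real keytab (path is a placeholder):
#   klist -k -e /path/to/keytab | weak_only_principals

# Constructed sample input in the layout printed by MIT "klist -k -e".
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/tmp/example.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 SERVER$@EXAMPLE.TEST (arcfour-hmac)
   1 SERVER$@EXAMPLE.TEST (des-cbc-md5)
   1 krbtgt@EXAMPLE.TEST (DEPRECATED:arcfour-hmac)
   2 host/web@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 host/web@EXAMPLE.TEST (arcfour-hmac)
EOF
}

# Reads a listing on stdin and prints "principal etype1,etype2" for each
# principal whose keys are all non-AES (RC4 or DES only).
weak_only_principals() {
    awk '
        # Entry lines: numeric KVNO, principal, enctype in parentheses.
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            princ = $2
            etype = $NF
            gsub(/[()]/, "", etype)
            # Newer MIT klist builds prefix deprecated enctypes; strip it.
            sub(/^DEPRECATED:/, "", etype)
            seen[princ] = 1
            if (etype ~ /^aes/)
                has_aes[princ] = 1
            else
                weak[princ] = weak[princ] (weak[princ] ? "," : "") etype
        }
        END {
            for (p in seen)
                if (!(p in has_aes))
                    print p " " weak[p]
        }
    ' | LC_ALL=C sort
}

# Run against the constructed sample when executed directly.
sample_listing | weak_only_principals
```

A principal such as `host/web` in the sample is not reported because it still holds an AES key alongside RC4; only principals limited to RC4 or DES appear in the output.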

