tgt ticket problems
miquel
miquel.comas at scytl.com
Mon Apr 22 10:06:29 MDT 2013
After classicupgrade and raising the domain level, we have some problems with
Kerberos.
# ./samba-tool domain exportkeytab /tmp.kt
# klist -k -e /tmp.kt |grep -i server
1 SERVER$@DOMAIN.LOCAL (arcfour-hmac)
1 SERVER$@DOMAIN.LOCAL (des-cbc-md5)
1 SERVER$@DOMAIN.LOCAL (des-cbc-crc)
# klist -k -e /tmp.kt |grep -i tgt
1 krbtgt@DOMAIN.LOCAL (arcfour-hmac)
1 krbtgt@DOMAIN.LOCAL (des-cbc-md5)
1 krbtgt@DOMAINLOCAL (des-cbc-crc)
As you can see, the keytab for SERVER (Samba4 DC) and krbtgt uses
arcfour-hmac instead of aes256-cts-hmac-sha1-96.
If we change the password for these accounts, the keytab is updated, but the
service stops working.
On the client we have the same problem with the CIFS service:
22/04/13 11:28:14 22/04/13 21:27:23 cifs/server@DOMAIN.LOCAL
renew until 22/04/13 23:27:23, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
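
An added example, not part of the original post: a shell function that reads `klist -k -e` output in the layout shown above and reports each principal that has no AES key, with the enctypes it does have. The function names are assumptions, and the sample input is constructed from the post's listing plus one hypothetical `host/client1` entry.

```shell
#!/bin/sh
# Added example: flag keytab principals that have no AES key.
# Input: text in the layout printed by `klist -k -e <keytab>`.

# Constructed sample: the entries from the post, plus a hypothetical
# principal (host/client1) that does carry an AES key.
sample_klist_output() {
cat <<'EOF'
Keytab name: FILE:/tmp.kt
KVNO Principal
---- --------------------------------------------------------------
   1 SERVER$@DOMAIN.LOCAL (arcfour-hmac)
   1 SERVER$@DOMAIN.LOCAL (des-cbc-md5)
   1 SERVER$@DOMAIN.LOCAL (des-cbc-crc)
   1 krbtgt@DOMAIN.LOCAL (arcfour-hmac)
   1 krbtgt@DOMAIN.LOCAL (des-cbc-md5)
   1 krbtgt@DOMAIN.LOCAL (des-cbc-crc)
   2 host/client1@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 host/client1@DOMAIN.LOCAL (arcfour-hmac)
EOF
}

# Reads klist output on stdin; prints "<principal> <non-AES enctypes>"
# for every principal that has no aes128/aes256 entry at all.
principals_without_aes() {
    awk '
        # Entry lines start with a numeric KVNO and end with "(enctype)".
        # The principal is the field before the enctype, so an optional
        # timestamp column (klist -t) does not shift it.
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            princ = $(NF - 1)
            etype = tolower(substr($NF, 2, length($NF) - 2))
            if (!(princ in seen)) { seen[princ] = 1; order[++n] = princ }
            if (etype ~ /aes(128|256)-cts/)
                has_aes[princ] = 1
            else
                weak[princ] = weak[princ] (weak[princ] ? "," : "") etype
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in has_aes))
                    print order[i] " " weak[order[i]]
        }
    '
}

sample_klist_output | principals_without_aes
```

Against a real keytab the input would come from `klist -k -e /tmp.kt | principals_without_aes`.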