
I'm trying to create a keytab with Ktpass on a Windows Server 2003 with:

Ktpass -princ host/prueba-mail.ejemplo.org@EJEMPLO.ORG -mapuser host -pass password -crypto rc4-hmac -out UNIXhost.keytab

I get the following error:

crypto: enum value 'rc4-hmac' is not known.
Error: argument for option "crypto" must be one of the following values:
DES-CBC-CRC : for compatibility
DES-CBC-MD5 : default
Command line options:

---------------------most useful args
[- /]          out : Keytab to produce
[- /]        princ : Principal name (user@REALM)
[- /]         pass : password to use
                     use "*" to prompt for password.
---------------------less useful stuff
[- /]      mapuser : map princ (above) to this user account (default: don't)
[- /]        mapOp : how to set the mapping attribute (default: add it)
[- /]        mapOp :  is one of:
[- /]        mapOp :        add : add value (default)
[- /]        mapOp :        set : set value
[- +]      DesOnly : Set account for des-only encryption (default:do)
[- /]           in : Keytab to read/digest
---------------------options for key generation
[- /]       crypto : Cryptosystem to use
[- /]       crypto :  is one of:
[- /]       crypto : DES-CBC-CRC : for compatibility
[- /]       crypto : DES-CBC-MD5 : default
[- /]        ptype : principal type in question
[- /]        ptype :  is one of:
[- /]        ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
[- /]        ptype : KRB5_NT_SRV_INST : user service instance
[- /]        ptype : KRB5_NT_SRV_HST : host service instance
[- /]         kvno : Override Key Version Number
                     Default: query DC for kvno.  Use /kvno 1 for Win2K compat.
[- +]       Answer : +Answer answers YES to prompts.  -Answer answers NO.
[- /]       Target : Which DC to use.  Default:detect

I have two questions:

1) With this I intend to achieve single sign-on for Windows users with an IMAP service that is on a CentOS 6. Although you can use "-crypto rc4-hmac", can DES-CBC-CRC or DES-CBC-MD5 also serve? I believe that Windows clients have all their tickets encrypted with rc4-hmac and this will not allow things to work, and I suspect that one of my problems is there.

2) Is there a way to allow Windows Server 2003 to have the rc4-hmac option?

Thanks for any help.

Maria José
  • What SP do you have? Our Windows 2k3 servers with SP2 have the `RC4-HMAC-NT` option – Meiko Watu Jul 25 '13 at 05:30
  • Sorry for the delay in responding, I had not seen it. I tell you that I went to install SP1 but I found that this Windows Server 2003 has SP2 installed. What may be the cause of it having SP2 and not recognizing this encryption? – Maria José Jul 29 '13 at 13:30

2 Answers


I'm not sure I understand your first question, but if you are worried about Windows XP clients, they surely support RC4-HMAC keys but not newer AES based ones.

In order to employ RC4-HMAC encrypted keys in your keytab you'll need to install Service Pack 1. As the usage message after the error indicates, ktpass in Windows Server 2003 only supports DES ciphered keys. Please note that the KDC in Windows 2003 doesn't support authentication with RC4-HMAC without SP1 according to this article on Kerberos interoperability. Alternatively, upgrade to Windows Server 2008 or Windows 2008 R2 to have AES support as well.

The crypto option value for RC4-HMAC is RC4-HMAC-NT, although I would recommend using AES based ones if the clients support it. RedHat has built-in support for AES keys since at least RHEL 5, so I assume CentOS 6 has as well.

Mathias R. Jessen
  • Hi! Thanks for your answer. Sorry, my question was poorly worded and unintelligible. My goal is to have an IMAP server on CentOS 6 which validates against an Active Directory that is on a Windows Server 2003 and that also allows SSO for users trying to access it from Windows, with a desktop application like Thunderbird, etc. Since it did not work I thought that one of the problems was due to the type of encryption. I'm using DES-CBC-MD5. I can rest assured that this will not be a constraint, am I right? Greetings and thanks! – Maria José Jul 25 '13 at 13:28
  • Install at least SP1 and [KB919557](http://support.microsoft.com/kb/919557) on the 2003 DC before generating the keytab, and you should be good to go. If you have a Windows 2008 DC, use that and specify "All" as the crypto option. That way you'll have all the keys needed to service both DES- and RC4-compliant clients. – Mathias R. Jessen Jul 25 '13 at 13:59
  • I'll try that and let you know. Since the Windows Server 2003 is not a test server we have to wait to install outside of working hours. Note that something else may be causing me problems with SSO. If I do kvno imap/prueba-mail.ejemplo.org@EJEMPLO.ORG it tells me "Server not found in Kerberos database while getting credentials for imap/prueba-mail.ejemplo.org@EJEMPLO.ORG". However, doing kvno imap/prueba-mail@EJEMPLO.ORG generates the ticket with the principal name "imap/prueba-mail.ejemplo.org" when it should be "imap/prueba-mail.ejemplo.org". – Maria José Jul 26 '13 at 12:53
  • I found that it is a Windows Server 2003 with SP2. What may be the cause of it having SP2 and not recognizing this encryption? – Maria José Jul 29 '13 at 13:32
  • What is the file version of ktpass.exe on the server? – Mathias R. Jessen Jul 29 '13 at 15:39
  • The version is 5.2.3790.0. – Maria José Jul 29 '13 at 18:49
  • According to http://support.microsoft.com/kb/919557 (which should be included in SP2) the version should be 5.2.3790.2732 – Mathias R. Jessen Jul 29 '13 at 22:03
  • Hi, I still haven't tested that because I'm trying to install another Windows Server 2003 and create a virtual network to do all the tests without having to keep worrying about causing a problem for users. As soon as I try this I will report on the forum whether it worked. – Maria José Jul 30 '13 at 21:52
  • I wanted to confirm that I installed the testing environment and I already have RC4-HMAC and have solved the kvno. Thank you. – Maria José Aug 02 '13 at 18:12
  • Sorry, but I have only solved the encryption. The kvno problem still happens if you run kvno. – Maria José Aug 02 '13 at 18:43
  • The last problem, that of kvno, is solved and I'm already getting SSO with Windows. The problem with kvno was due to having created the computer by hand in Active Directory. Once deleted, everything worked properly. – Maria José Aug 05 '13 at 18:06
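The answer above turns on which encryption types the generated keytab actually contains (DES-only from a 2003 RTM ktpass versus RC4/AES after the service pack). As an added example that is not part of this thread, the following Python parses an MIT-format (0x0502) keytab file, lists each principal's enctype and kvno, and flags a DES-only keytab; the sample keytab is constructed inline with the thread's host principal rather than taken from a real ktpass run.

```python
import struct

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
DES_NAMES = {"des-cbc-crc", "des-cbc-md5"}  # the only types the 2003 RTM ktpass offers

def _cstr(s):  # keytab counted_octet_string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(s)) + s

def build_keytab(realm, components, kvno, keys):
    """Serialize a format-0x0502 keytab, one entry per (enctype, key); sample-input builder only."""
    out = b"\x05\x02"
    for enctype, key in keys:
        body = struct.pack(">H", len(components)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in components)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _cstr(key)
        body += struct.pack(">I", kvno)                  # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Parse a format-0x0502 keytab into (principal, enctype name, kvno) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]; pos += 4
        if size <= 0:                    # negative = deleted slot to skip; zero = malformed, stop
            pos += -size or len(data); continue
        e = data[pos:pos + size]; pos += size
        ncomp = struct.unpack_from(">H", e)[0]; off = 2
        parts = []                       # realm comes first, then each name component
        for _ in range(ncomp + 1):
            n = struct.unpack_from(">H", e, off)[0]; off += 2
            parts.append(e[off:off + n].decode()); off += n
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", e, off); off += 9
        enctype, keylen = struct.unpack_from(">HH", e, off); off += 4 + keylen
        vno = struct.unpack_from(">I", e, off)[0] if off + 4 <= size else vno8
        principal = "/".join(parts[1:]) + "@" + parts[0]
        entries.append((principal, ENCTYPES.get(enctype, str(enctype)), vno))
    return entries

def des_only(entries):  # True when every key is single-DES: nothing an RC4/AES-only client can use
    return bool(entries) and all(name in DES_NAMES for _, name, _ in entries)

# Constructed sample: the thread's host principal with a DES key and an RC4 key, kvno 2.
SAMPLE = build_keytab("EJEMPLO.ORG", ["host", "prueba-mail.ejemplo.org"], 2,
                      [(3, b"\x11" * 8), (23, b"\x22" * 16)])
```

On a real keytab, `parse_keytab(open("UNIXhost.keytab", "rb").read())` gives the same information as `klist -ke` and lets you confirm the enctype and kvno match what the DC holds.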

Check which version of Support Tools for Microsoft Windows 2003 is installed. Maybe you have the old SP1 version but need SP2.

Vasily