Kerberos client fails in mixed KDC environments

Solution Unverified - Updated -

Issue

  • We authenticate Linux Kerberos clients (pam_krb5) against a Kerberos realm served by a mixed KDC environment of Windows 2008 (2 servers) and Windows 2003 (3 servers) to authenticate users on Linux systems. When the client (pam_krb5) asks for a ticket, it gets a preauthentication-required error. The client therefore issues a second, encrypted request, which in this case was sent to a Windows 2003 server.

The problem is that while the Windows 2008 server supports stronger encryption types (AES256 in this case), the second server (Windows 2003) does not support this encryption type and returns a "KDC has no support for encryption type" error.

Note: Because of round-robin DNS, the first server to answer may be a Windows 2008 server while a later DNS query returns a Windows 2003 server.

  • To summarize:

    1 - CLIENT -> KDC_2008 : AS_REQ
        Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac
        des-cbc-crc des-cbc-md5 des-cbc-md4 rsa-sha1-cms rsa-md5-cms des-ede3-cbc-env rc2-cbc-env rsa-env
    2 - KDC_2008 -> CLIENT : KRB-ERROR (KRB5KDC_ERR_PREAUTH_REQUIRED)
        PA-ENCTYPE-INFO2: aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5 des-cbc-crc
    3 - CLIENT -> KDC_2003 : AS_REQ (PA-ENC-TIMESTAMP)
        Encryption type: aes256-cts-hmac-sha1-96
    4 - KDC_2003 -> CLIENT : KRB-ERROR (KRB5KDC_ERR_ETYPE_NOSUPP)
        PA-ENCTYPE-INFO: rc4-hmac des-cbc-md5 des-cbc-crc
    
  • The client now gets a login error, logged in /var/log/secure:

    Authentication failure (KDC has no support for encryption type)
    
  • Should the client not stick to the same KDC for both requests?

  • How can the problem be solved, and what is the recommended configuration?
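The four-step exchange above can be modelled to see exactly why the second request fails: the client chooses its strongest enctype from the PA-ENCTYPE-INFO2 list of whichever KDC answered first, and a second KDC with a smaller enctype set then rejects it. The following is an added illustration, not code from this article or from krb5; the KDC capability lists come from the exchange above, and the order in which round-robin DNS hands out KDCs is a constructed input.

```python
"""Toy model of the mixed-KDC preauthentication failure (constructed example)."""
from itertools import cycle

# Enctypes each KDC advertises in PA-ENCTYPE-INFO(2), taken from the exchange above.
KDC_2008 = ["aes256-cts-hmac-sha1-96", "rc4-hmac", "des-cbc-md5", "des-cbc-crc"]
KDC_2003 = ["rc4-hmac", "des-cbc-md5", "des-cbc-crc"]

# The client's offered enctypes in preference order (leading entries of the AS_REQ).
CLIENT_DEFAULT = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                  "des3-cbc-sha1", "rc4-hmac", "des-cbc-crc", "des-cbc-md5"]


def kdc_respond(kdc, etype=None):
    """Minimal KDC: an AS_REQ without preauth gets PREAUTH_REQUIRED plus the
    KDC's enctype list; a preauthenticated AS_REQ is accepted only if the
    timestamp was encrypted with an enctype this KDC supports."""
    if etype is None:
        return "KRB5KDC_ERR_PREAUTH_REQUIRED", list(kdc)
    if etype in kdc:
        return "AS_REP", etype
    return "KRB5KDC_ERR_ETYPE_NOSUPP", list(kdc)


def as_exchange(dns_order, client_enctypes):
    """Run the two-step AS exchange, sending each request to the next KDC
    that round-robin DNS hands out. Returns (final message, enctype used)."""
    kdcs = cycle(dns_order)
    # Step 1/2: plain AS_REQ, answered with PREAUTH_REQUIRED + PA-ENCTYPE-INFO2.
    msg, advertised = kdc_respond(next(kdcs))
    if msg != "KRB5KDC_ERR_PREAUTH_REQUIRED":
        return msg, None
    # Client picks its most preferred enctype among those the first KDC advertised.
    etype = next((e for e in client_enctypes if e in advertised), None)
    if etype is None:
        return "KRB5KDC_ERR_ETYPE_NOSUPP", None
    # Step 3/4: AS_REQ with PA-ENC-TIMESTAMP, possibly answered by a different KDC.
    return kdc_respond(next(kdcs), etype)[0], etype


if __name__ == "__main__":
    # 2008 answers first, 2003 second: reproduces the reported error.
    print(as_exchange([KDC_2008, KDC_2003], CLIENT_DEFAULT))
    # The same KDC answers both requests: AES-256 succeeds.
    print(as_exchange([KDC_2008, KDC_2008], CLIENT_DEFAULT))
    # Client limited to enctypes all KDCs share: succeeds whatever DNS returns.
    common = [e for e in CLIENT_DEFAULT if e in KDC_2003]
    print(as_exchange([KDC_2008, KDC_2003], common))
```

The model shows the two conditions under which the error disappears: both requests reach the same KDC, or the client only offers enctypes that every KDC in the realm supports.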

Environment

  • Red Hat Enterprise Linux 5/6
  • krb5-libs
