User ticket encryption types use arcfour-hmac-md5 encryption, even though only AES encryption types have been specified in vas.conf
--
vas.conf entries:
[libdefaults]
default_realm = I.TS.HAL.CA.QSFT
ticket_lifetime = 36000
forwardable = true
default_keytab_name = /etc/opt/quest/vas/host.keytab
#default_etypes = arcfour-hmac-md5
# default_etypes_des = des-cbc-crc
default_etypes = aes256-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
[root@v403h-rh6 ~]# klist -c /tmp/krb5cc_498322464 -v
Credentials cache: FILE:/tmp/krb5cc_498322464
Principal: gboudreau@I.TS.HAL.CA.QSFT
Cache version: 4
Server: krbtgt/I.TS.HAL.CA.QSFT@I.TS.HAL.CA.QSFT
Client: gboudreau@I.TS.HAL.CA.QSFT
Ticket etype: arcfour-hmac-md5, kvno 2
Ticket length: 953
Auth time: Jul 13 10:01:01 2012
End time: Jul 13 20:01:01 2012
Ticket flags: forwardable, initial, pre-authenticated
Addresses: IPv4:10.5.84.117
Server: V403H-RH6$@I.TS.HAL.CA.QSFT
Client: gboudreau@I.TS.HAL.CA.QSFT
Ticket etype: arcfour-hmac-md5, kvno 4
Ticket length: 979
Auth time: Jul 13 10:01:01 2012
Start time: Jul 13 10:01:02 2012
End time: Jul 13 20:01:01 2012
Ticket flags: pre-authenticated
Addresses: IPv4:10.5.84.117
Product Defect 26546
WORKAROUND:
The host account's AD object needs to have its supported encryption types attribute set to a value that includes AES. A value of 31 allows the host to support all encryption types supported by Windows. See the following Microsoft article about supported encryption types:
http://msdn.microsoft.com/en-us/library/cc223853%28v=prot.10%29.aspx
To update the host account's AD object with an encryption type value that supports AES, run:
$ /opt/quest/bin/vastool -u <ad username> setattrs host/ msDS-SupportedEncryptionTypes 31
NOTE:
When the host object negotiates an encryption type, the DC checks the host AD object's operatingSystemVersion attribute to decide whether the host can support certain encryption types. Depending on what that value was set to for the Unix box, the Windows DC may determine that the OS is too old to support AES. If the value of this attribute, when converted to an integer, is less than 6, Windows returns 0x7 as the supported encryption types even if msDS-SupportedEncryptionTypes itself has a value of 0x1F (31). AES was introduced with Windows Vista, which is Windows version 6.xxxx, so anything prior to that would not need AES.
A safe value for the operatingSystemVersion attribute starts with an alphabetic character, for example Linux 3.2.0-27 instead of simply 3.2.0-27:
$ /opt/quest/bin/vastool -u <ad username> setattrs host/ operatingSystemVersion "Linux 3.2.0-27"
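The following is an added example (not part of this article or of the vastool product) that models the two host-object checks described above: it decodes an msDS-SupportedEncryptionTypes bitmask using the MS-KILE flag values, applies the operatingSystemVersion rule the note describes (a leading integer below 6 makes the DC answer 0x7), and reports whether an AES ticket is possible. The sample attribute values are constructed for illustration.

```python
"""Model the AD host-object checks behind the arcfour-hmac-md5 ticket symptom (constructed example)."""
import re

# msDS-SupportedEncryptionTypes bit flags (MS-KILE); 31 == 0x1F sets all five.
ENCTYPE_FLAGS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac-md5",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
LEGACY_ONLY = 0x07   # value the article says the DC returns for a pre-Vista OS
AES_MASK = 0x18      # aes128 | aes256


def decode_enctypes(mask):
    """Names of the encryption types whose bit is set in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in ENCTYPE_FLAGS.items() if mask & bit]


def os_version_major(os_version):
    """Leading integer of operatingSystemVersion, or None when the value does not start
    with digits (e.g. 'Linux 3.2.0-27'), which is the safe form the article recommends."""
    m = re.match(r"\s*(\d+)", os_version or "")
    return int(m.group(1)) if m else None


def effective_enctypes(msds_value, os_version):
    """Mask the DC will actually offer for the host, per the article's description:
    an operatingSystemVersion parsing to an integer below 6 forces 0x7, regardless
    of what msDS-SupportedEncryptionTypes says."""
    major = os_version_major(os_version)
    if major is not None and major < 6:
        return LEGACY_ONLY
    return msds_value


def aes_ticket_possible(msds_value, os_version):
    """True when at least one AES type survives both checks."""
    return bool(effective_enctypes(msds_value, os_version) & AES_MASK)


if __name__ == "__main__":
    # Constructed scenarios: before the workaround, after setattrs alone, after both steps.
    for attrs, osv in [(0x7, "3.2.0-27"), (31, "3.2.0-27"), (31, "Linux 3.2.0-27")]:
        eff = effective_enctypes(attrs, osv)
        print(f"msDS={attrs:#04x} osVer={osv!r}: offers {decode_enctypes(eff)}; "
              f"AES ticket possible: {aes_ticket_possible(attrs, osv)}")
```

Run it after each vastool setattrs step with the attribute values read back from AD to confirm which of the two checks is still blocking AES.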
STATUS: Pending fix in a future release
© 2025 One Identity LLC. ALL RIGHTS RESERVED.