Windows Server 2003 -Ktpass – crypto: enum value ‘rc4-hmac’ is not known

Tags: active-directory, kerberos, single-sign-on, windows-server-2003

I'm trying to create a keytab with Ktpass on a Windows Server 2003 with:

Ktpass -princ host/prueba-mail.ejemplo.org@EJEMPLO.ORG -mapuser host -pass password -crypto rc4-hmac -out UNIXhost.keytab

I get the following error:

crypto: enum value 'rc4-hmac' is not known.
Error: argument for option "crypto" must be one of the following values:
DES-CBC-CRC : for compatibility
DES-CBC-MD5 : default
Command line options:

---------------------most useful args
[- /]          out : Keytab to produce
[- /]        princ : Principal name (user@REALM)
[- /]         pass : password to use
                     use "*" to prompt for password.
---------------------less useful stuff
[- /]      mapuser : map princ (above) to this user account (default: don't)
[- /]        mapOp : how to set the mapping attribute (default: add it)
[- /]        mapOp :  is one of:
[- /]        mapOp :        add : add value (default)
[- /]        mapOp :        set : set value
[- +]      DesOnly : Set account for des-only encryption (default:do)
[- /]           in : Keytab to read/digest
---------------------options for key generation
[- /]       crypto : Cryptosystem to use
[- /]       crypto :  is one of:
[- /]       crypto : DES-CBC-CRC : for compatibility
[- /]       crypto : DES-CBC-MD5 : default
[- /]        ptype : principal type in question
[- /]        ptype :  is one of:
[- /]        ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
[- /]        ptype : KRB5_NT_SRV_INST : user service instance
[- /]        ptype : KRB5_NT_SRV_HST : host service instance
[- /]         kvno : Override Key Version Number
                     Default: query DC for kvno.  Use /kvno 1 for Win2K compat.
[- +]       Answer : +Answer answers YES to prompts.  -Answer answers NO.
[- /]       Target : Which DC to use.  Default:detect

I have two questions:

1)
With this I'm intending to achieve single sign-on for Windows users with an IMAP service that is on a CentOS 6 box.
Although you can use "-crypto rc4-hmac", can DES-CBC-CRC or DES-CBC-MD5 also serve?
I believe that Windows clients all have their tickets encrypted with rc4-hmac, and that this will not allow things to work; I suspect that one of my problems is there.

2)
Is there a way to allow Windows Server 2003 to have the rc4-hmac option?

Thanks for any help.

Best Answer

I'm not sure I understand your first question, but if you are worried about Windows XP clients, they surely support RC4-HMAC keys but not newer AES based ones.

In order to employ RC4-HMAC encrypted keys in your keytab you'll need to install Service Pack 1. As the usage message after the error indicates, ktpass in Windows Server 2003 only supports DES ciphered keys. Please note that the KDC in Windows 2003 doesn't support authentication with RC4-HMAC without SP1 according to this article on Kerberos interoperability. Alternatively, upgrade to Windows Server 2008 or Windows 2008 R2 to have AES support as well.

The crypto option value for RC4-HMAC is RC4-HMAC-NT, although I would recommend using AES based ones if the clients support it. RedHat has built-in support for AES keys since at least RHEL 5, so I assume CentOS 6 has as well.
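Once the keytab has been regenerated, the practical check on the CentOS side is to confirm which encryption types it actually carries, since a keytab that only holds DES keys (what ktpass without SP1 writes) will fail against clients that present RC4-HMAC service tickets. The script below is an added example, not part of the question or the answer: it parses the MIT version-2 keytab format that ktpass writes and lists the enctype of every key. The sample keytab it contains is constructed in code with all-zero placeholder keys and the principal from the question; the `build_keytab` helper exists only to produce that sample.

```python
"""List the encryption types held in an MIT v2 keytab (the format ktpass writes).

Added example: parser and a constructed sample keytab with dummy zero keys.
"""
import struct

# Kerberos enctype numbers from RFC 3961 (DES), RFC 4757 (RC4) and RFC 3962 (AES).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
ENCTYPE_RC4_HMAC = 23


def _read_counted(data, pos):
    """Read a 16-bit length-prefixed octet string; return (bytes, new_pos)."""
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def parse_keytab(data):
    """Return a list of (principal, enctype, kvno) tuples from keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos = 2
    entries = []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)  # signed: negative = deleted slot
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        # name type, timestamp, 8-bit key version number
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _read_counted(data, pos)
        vno = vno8
        if end - pos >= 4:  # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                vno = vno32
        entries.append(("/".join(comps) + "@" + realm.decode(), enctype, vno))
        pos = end
    return entries


def enctypes_for(entries, principal):
    """Sorted human-readable enctype names stored for one principal."""
    return sorted({ENCTYPE_NAMES.get(e, f"enctype-{e}") for p, e, _ in entries if p == principal})


def supports_rc4(entries, principal):
    """True if the keytab holds an RC4-HMAC key for the principal."""
    return any(e == ENCTYPE_RC4_HMAC for p, e, _ in entries if p == principal)


def build_keytab(entries):
    """Serialize (principal, enctype, kvno, key) tuples; used only to construct the sample."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">H", enctype)
        body += struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


PRINCIPAL = "host/prueba-mail.ejemplo.org@EJEMPLO.ORG"
# Constructed sample: one DES key (what SP0 ktpass emits) and one RC4 key; keys are dummy zeros.
SAMPLE_KEYTAB = build_keytab([
    (PRINCIPAL, 3, 2, bytes(8)),
    (PRINCIPAL, ENCTYPE_RC4_HMAC, 2, bytes(16)),
])

if __name__ == "__main__":
    for principal, enctype, vno in parse_keytab(SAMPLE_KEYTAB):
        print(f"{principal}  kvno={vno}  {ENCTYPE_NAMES.get(enctype, enctype)}")
    print("rc4-hmac present:", supports_rc4(parse_keytab(SAMPLE_KEYTAB), PRINCIPAL))
```

To run it against a real file, replace `SAMPLE_KEYTAB` with the bytes read from `UNIXhost.keytab`; MIT's `klist -ket UNIXhost.keytab` prints the same kvno and enctype information, which is the quicker check when the krb5 tools are already installed on the CentOS host.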