
My FreeBSD box is using the Heimdal Kerberos implementation. It is registered with the corporate AD, its msDS-KeyVersionNumber attribute is set to 2, and its keytab has the following entries:

FILE:/etc/krb5.keytab:

Vno  Type                     Principal                                 Aliases
  2  aes256-cts-hmac-sha1-96  [email protected]                       
  2  aes128-cts-hmac-sha1-96  [email protected]                       
  2  des3-cbc-sha1            [email protected]                       
  2  arcfour-hmac-md5         [email protected]                       
  2  des-cbc-md5              [email protected]                       
  2  des-cbc-crc              [email protected]                       
  2  aes256-cts-hmac-sha1-96  host/[email protected]  
  2  aes128-cts-hmac-sha1-96  host/[email protected]  
  2  des3-cbc-sha1            host/[email protected]  
  2  arcfour-hmac-md5         host/[email protected]  
  2  des-cbc-md5              host/[email protected]  
  2  des-cbc-crc              host/[email protected]  
  2  aes256-cts-hmac-sha1-96  nfs/[email protected]                    
  2  aes128-cts-hmac-sha1-96  nfs/[email protected]                    
  2  des3-cbc-sha1            nfs/[email protected]                    
  2  arcfour-hmac-md5         nfs/[email protected]                    
  2  des-cbc-md5              nfs/[email protected]                    
  2  des-cbc-crc              nfs/[email protected]                    
  2  aes256-cts-hmac-sha1-96  nfs/[email protected]   
  2  aes128-cts-hmac-sha1-96  nfs/[email protected]   
  2  des3-cbc-sha1            nfs/[email protected]   
  2  arcfour-hmac-md5         nfs/[email protected]   
  2  des-cbc-md5              nfs/[email protected]   
  2  des-cbc-crc              nfs/[email protected]   
  2  aes256-cts-hmac-sha1-96  http/[email protected]                   
  2  aes128-cts-hmac-sha1-96  http/[email protected]                   
  2  des3-cbc-sha1            http/[email protected]                   
  2  arcfour-hmac-md5         http/[email protected]                   
  2  des-cbc-md5              http/[email protected]                   
  2  des-cbc-crc              http/[email protected]                   
  2  aes256-cts-hmac-sha1-96  http/[email protected]
  2  aes128-cts-hmac-sha1-96  http/[email protected]  
  2  des3-cbc-sha1            http/[email protected]  
  2  arcfour-hmac-md5         http/[email protected]  
  2  des-cbc-md5              http/[email protected]  
  2  des-cbc-crc              http/[email protected]  
  2  aes256-cts-hmac-sha1-96  ftp/[email protected]                    
  2  aes128-cts-hmac-sha1-96  ftp/[email protected]                    
  2  des3-cbc-sha1            ftp/[email protected]                    
  2  arcfour-hmac-md5         ftp/[email protected]                    
  2  des-cbc-md5              ftp/[email protected]                    
  2  des-cbc-crc              ftp/[email protected]                    
  2  aes256-cts-hmac-sha1-96  ftp/[email protected]   
  2  aes128-cts-hmac-sha1-96  ftp/[email protected]   
  2  des3-cbc-sha1            ftp/[email protected]   
  2  arcfour-hmac-md5         ftp/[email protected]   
  2  des-cbc-md5              ftp/[email protected]   
  2  des-cbc-crc              ftp/[email protected]   
  2  aes256-cts-hmac-sha1-96  cifs/[email protected]                   
  2  aes128-cts-hmac-sha1-96  cifs/[email protected]                   
  2  des3-cbc-sha1            cifs/[email protected]                   
  2  arcfour-hmac-md5         cifs/[email protected]                   
  2  des-cbc-md5              cifs/[email protected]                   
  2  des-cbc-crc              cifs/[email protected]                   
  2  aes256-cts-hmac-sha1-96  cifs/[email protected]  
  2  aes128-cts-hmac-sha1-96  cifs/[email protected]  
  2  des3-cbc-sha1            cifs/[email protected]  
  2  arcfour-hmac-md5         cifs/[email protected]  
  2  des-cbc-md5              cifs/[email protected]  
  2  des-cbc-crc              cifs/[email protected]  

However, attempts to log in with GSSAPI authentication from other hosts fail. Running sshd with the -d option, I see the following error message:

Failed to find host/[email protected](kvno 10) in keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96)

Why is it looking for kvno 10 instead of 2?

Mikhail T.
  • Just a quick comment as I'm on mobile at the moment. Are you running Samba or winbind, which actively refresh the Kerberos keys and/or regularly reset the AD computer account password? Because that would increase the KVNO in AD. On other hosts a service ticket would be obtained from AD with only the most recent KVNO 10, where your keytab file hasn't been updated with those. – HBruijn Jun 24 '16 at 06:50
  • No, not running Samba or anything here. The keytab listed in my question was recently generated using [adcli](https://www.freedesktop.org/software/realmd/adcli/adcli.html). Thanks! – Mikhail T. Jun 24 '16 at 14:42
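As an added illustration of the check the comment above describes (this script is not part of the question or the comments), the snippet below compares the key version the KDC used for the ticket, as printed in sshd's error line, against the highest Vno the local keytab holds for that principal. The `ktutil list` output and the sshd line are constructed to mirror the question; the principal `host/fbsd1.example.com@EXAMPLE.COM`, the realm, the DC name and the base DN are placeholders, and the commented live commands assume Heimdal's `ktutil`/`kinit` and the OpenLDAP `ldapsearch` client.

```shell
#!/bin/sh
# Added example: compare the kvno a KDC put into a service ticket with the kvno
# recorded in the local keytab. Inputs are constructed to mirror the question;
# principal, realm and paths are placeholders, not the asker's values.

PRINC='host/fbsd1.example.com@EXAMPLE.COM'   # hypothetical host principal

# Constructed `ktutil list` output in Heimdal's layout: every entry is Vno 2.
SAMPLE_KEYTAB_LISTING='FILE:/etc/krb5.keytab:

Vno  Type                     Principal                                 Aliases
  2  aes256-cts-hmac-sha1-96  host/fbsd1.example.com@EXAMPLE.COM
  2  aes128-cts-hmac-sha1-96  host/fbsd1.example.com@EXAMPLE.COM
  2  arcfour-hmac-md5         host/fbsd1.example.com@EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  nfs/fbsd1.example.com@EXAMPLE.COM'

# Constructed sshd -d line in the same shape as the one in the question.
SAMPLE_SSHD_ERROR='Failed to find host/fbsd1.example.com@EXAMPLE.COM(kvno 10) in keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96)'

# Highest Vno recorded for one principal in a ktutil listing; prints nothing
# when the principal is absent from the keytab.
keytab_max_vno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $3 == p && $1 + 0 > max { max = $1 + 0 }
        END { if (max != "") print max }'
}

# Key version the KDC used for the ticket, as reported in sshd's error line.
error_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*(kvno \([0-9][0-9]*\)).*/\1/p'
}

# Verdict on the keytab kvno ($1) versus the kvno the KDC is issuing ($2),
# taken from the ticket or from msDS-KeyVersionNumber on the account.
# Exit status is 0 only for "ok".
kvno_diagnose() {
    if [ -z "$1" ]; then
        echo missing; return 3     # principal not in the keytab at all
    elif [ "$1" -eq "$2" ]; then
        echo ok; return 0
    elif [ "$1" -lt "$2" ]; then
        echo keytab-stale; return 1   # AD rotated the key; re-export the keytab
    else
        echo keytab-ahead; return 2   # keytab newer than this KDC's copy (e.g. replication lag)
    fi
}

keytab_vno=$(keytab_max_vno "$SAMPLE_KEYTAB_LISTING" "$PRINC")
ticket_vno=$(error_kvno "$SAMPLE_SSHD_ERROR")
printf 'keytab kvno=%s ticket kvno=%s verdict=%s\n' \
    "$keytab_vno" "$ticket_vno" "$(kvno_diagnose "$keytab_vno" "$ticket_vno")"

# On a joined host the live inputs come from (assumes Heimdal tools and an
# OpenLDAP client; replace the DC, base DN and keytab path):
#   ktutil -k /etc/krb5.keytab list
#   kinit -t /etc/krb5.keytab "$PRINC"      # does the keytab key still authenticate?
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc1.example.com -b 'DC=example,DC=com' \
#       '(sAMAccountName=FBSD1$)' msDS-KeyVersionNumber
```

With the question's numbers (keytab Vno 2, ticket kvno 10) the verdict is keytab-stale, which is the password-reset case from the comment. If msDS-KeyVersionNumber on the computer object really is still 2 while tickets keep arriving with a higher kvno, the ticket was not encrypted with that object's key: check whether the host/ SPN is registered on a different account than the one the keytab was exported from, since the KDC uses the key of whichever account owns the SPN.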

0 Answers