MIT Kerberos usage notes. Heimdal is an alternative implementation of Kerberos.
Do not use the Kerberos IV protocol: its only cipher, single DES, is weak, and the protocol itself has known security flaws. Kerberos IV support can be left out by passing the --without-krb4 option to configure when compiling MIT Kerberos.
Notes on authenticating Windows to Unix Kerberos servers and configuring Kerberos support in Samba.
Encryption Type Problems
Older Massachusetts Institute of Technology (MIT) Kerberos 1.2 installs will have problems if unsupported encryption types are present in the /etc/krb5.keytab file. For example, if an arcfour-hmac encrypted host principal key is present, ktutil fails ungracefully:
# ktutil
ktutil: read_kt /etc/krb5.keytab
ktutil: list -e
list: Invalid argument While converting enctype to string
Old Red Hat Linux systems use MIT Kerberos 1.2, and may emit the following pam_krb5 error via syslog(3) if an unsupported encryption type is present in the keytab file (shown here on one line):
<auth.crit> client.example.org sudo[2591]: pam_krb5: error reading keys for host/client.example.org from /etc/krb5.keytab: Bad encryption type
Solutions include upgrading Kerberos to at least version 1.3, generating the principal's keys with an explicit list of supported encryption types (the -e keysaltlist option to the kadmin addprinc and cpw commands), or extracting only the supported encryption types when writing the keytab (the -e option to ktadd, for example -e des3-cbc-sha1:normal). Note that ktadd assigns the principal a fresh random key and increments the kvno, so any other keytab still holding the old key for that principal stops working.
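Added example, not from the original notes: a small Python reader for the MIT keytab file format (version 0x0502) that lists each key's enctype and flags the ones a given build cannot use, so the check does not depend on a ktutil that aborts on an unknown enctype. The set KRB5_1_2_ENCTYPES, the sample keytab built in memory, and all function names are assumptions made for the example; feed parse_keytab the bytes of /etc/krb5.keytab to audit a real file.

```python
"""Audit an MIT keytab for encryption types a given Kerberos build cannot use.

Added example: reads the 0x0502 keytab format directly, so it still works
where ktutil aborts with "Invalid argument While converting enctype to string".
"""
import io
import struct
from typing import Iterable, List, NamedTuple, Set

# Enctype numbers from RFC 3961, 3962, 4757 and 8009.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
}
# Assumed for the example: the DES family and 3DES are what a Kerberos 1.2
# era client understands; arcfour-hmac and AES are not.
KRB5_1_2_ENCTYPES: Set[int] = {1, 2, 3, 16}


class KeytabEntry(NamedTuple):
    principal: str
    kvno: int
    enctype: int
    timestamp: int


def _counted(buf: io.BytesIO) -> bytes:
    """counted_octet_string: uint16 big-endian length, then that many bytes."""
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode a version 0x0502 keytab; free slots (negative size) are skipped."""
    buf = io.BytesIO(data)
    if buf.read(2) != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries: List[KeytabEntry] = []
    while True:
        hdr = buf.read(4)
        if len(hdr) < 4:
            break
        (size,) = struct.unpack(">i", hdr)
        if size == 0:
            break
        if size < 0:  # deleted entry: the slot is still on disk, its bytes are stale
            buf.seek(-size, io.SEEK_CUR)
            continue
        ent = io.BytesIO(buf.read(size))
        (ncomp,) = struct.unpack(">H", ent.read(2))
        realm = _counted(ent).decode()
        comps = [_counted(ent).decode() for _ in range(ncomp)]
        _name_type, timestamp, vno8 = struct.unpack(">IIB", ent.read(9))
        enctype, keylen = struct.unpack(">HH", ent.read(4))
        ent.read(keylen)  # the key material itself is not needed for the audit
        tail = ent.read(4)  # optional 32-bit kvno; a nonzero value overrides vno8
        kvno = vno8
        if len(tail) == 4 and struct.unpack(">I", tail)[0]:
            kvno = struct.unpack(">I", tail)[0]
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, timestamp))
    return entries


def unsupported(entries: Iterable[KeytabEntry],
                supported: Set[int] = KRB5_1_2_ENCTYPES) -> List[KeytabEntry]:
    """Keys the target build cannot read; regenerate the keytab without them
    (kadmin ktadd -e with only the supported types) before pam_krb5 will work."""
    return [e for e in entries if e.enctype not in supported]


def build_keytab(keys, deleted: Iterable[int] = ()) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into 0x0502 format, marking
    the slot indexes in `deleted` as free. Only used to construct the sample input;
    a real keytab is written by kadmin ktadd."""
    out = bytearray(b"\x05\x02")
    for i, (principal, kvno, enctype, key) in enumerate(keys):
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1089158400, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, fixed timestamp
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", -len(body) if i in deleted else len(body)) + body
    return bytes(out)


# Constructed sample mirroring the getprinc output for a host principal with
# three keys, the third of which a 1.2 client cannot read. Key bytes are dummies.
SAMPLE_KEYTAB = build_keytab([
    ("host/client.example.org@EXAMPLE.ORG", 3, 16, bytes(24)),
    ("host/client.example.org@EXAMPLE.ORG", 3, 1, bytes(8)),
    ("host/client.example.org@EXAMPLE.ORG", 3, 23, bytes(16)),
])


def report(data: bytes, supported: Set[int] = KRB5_1_2_ENCTYPES) -> List[str]:
    """One line per key, in the spirit of ktutil list -e, flagging rejected enctypes."""
    lines = []
    for e in parse_keytab(data):
        name = ENCTYPE_NAMES.get(e.enctype, f"enctype {e.enctype}")
        flag = "" if e.enctype in supported else "   <-- not supported by this build"
        lines.append(f"{e.kvno:4d} {e.principal} ({name}){flag}")
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_KEYTAB with open("/etc/krb5.keytab", "rb").read() for a real audit.
    print("\n".join(report(SAMPLE_KEYTAB)))
```

The parser tolerates the two things that trip up naive readers of real keytabs: deleted entries, which ktutil's delete leaves on disk with a negated size, and the optional trailing 32-bit kvno, without which a principal on its 256th key would be misreported.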
Another way to show the encryption types of a principal's keys is the kadmin getprinc command:
$ kadmin -p user/admin -q 'getprinc host/server.example.org'
Authenticating as principal user/admin@EXAMPLE.ORG with password.
Principal: host/server.example.org@EXAMPLE.ORG
Expiration date: [never]
Last password change: Tue Jul 06 16:50:36 PDT 2004
Password expiration date: [none]
Maximum ticket life: 0 days 12:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jul 06 16:50:36 PDT 2004 (user/admin@EXAMPLE.ORG)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 3, ArcFour with HMAC/md5, no salt
Attributes:
Policy: [none]
Daemon Startup Problems
On Red Hat Linux, the kadmind service init script refuses to start kadmind if the /var/kerberos/krb5kdc/kpropd.acl file exists, since the script takes the file's presence to mean the host is a slave KDC. The file must exist on the Kerberos slave servers, where kpropd reads it. Therefore, ensure the file exists on all slave servers, but delete it should a slave be promoted to master, for example with CFEngine:
classes:
role_kerberos_master = ( kerberos1 )
role_kerberos_slave = ( kerberos2 kerberos3 kerberos4 )
copy:
redhat.role_kerberos_slave::
${masterfiles}/role/kerberos/slave/kpropd.acl
dest=/var/kerberos/krb5kdc/kpropd.acl
backup=false
owner=root group=root mode=0444
server=${policyhost}
type=checksum
tidy:
redhat.role_kerberos_master::
# kadmin startup script fails if this is present. Required on slaves.
/var/kerberos/krb5kdc pattern=kpropd.acl age=0 r=1
Troublesome Policy Settings
If user passwords always show as expired, check for Kerberos policies with invalid lifetime settings. The password expiration stored on a principal is the time of its last password change plus the policy's maximum password life, so a negative maximum life puts the expiration in the past (January 1970 in the example below) and invalidates every password the policy covers. Fixing the policy with modpol -maxlife repairs only future changes; principals keep their stored expiration until their password is changed again or modprinc -pwexpire resets it.
kadmin: getprinc fookey
Principal: fookey@EXAMPLE.ORG
Expiration date: [never]
Last password change: Fri Aug 05 16:32:29 PDT 2005
Password expiration date: Sun Jan 25 00:11:54 PST 1970
…
kadmin: getpol default
Policy: default
Maximum password life: -1121181635
Minimum password life: 0
Minimum password length: 6
Minimum number of password character classes: 3
Number of old keys kept: 5
Reference count: 40
kadmin: modpol -maxlife "5 years" default
kadmin: getpol default
Policy: default
Maximum password life: 157766400
Minimum password life: 0
Minimum password length: 6
Minimum number of password character classes: 3
Number of old keys kept: 5
Reference count: 40
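Added example, not part of the original notes: a Python audit that parses the text kadmin getpol prints (as shown above), flags lifetimes that cannot be right, and applies the rule that a password's expiration is its last change time plus the policy's maximum life. The ceiling MAX_SANE_LIFE, the function names, and the samples (the page's getpol output and its "Fri Aug 05 16:32:29 PDT 2005" change time converted to UTC) are assumptions made for the example.

```python
"""Audit kadmin policy output for password lifetimes that cannot be right.

Added example, not from the page: it parses 'kadmin getpol' text and applies
the rule that a principal's password expiration is the last password change
plus the policy's maximum password life, with a maximum life of 0 meaning
the password never expires.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Union

# Assumed ceiling for the audit: a maximum life beyond ten years is almost
# certainly a typo or an overflow rather than a deliberate choice.
MAX_SANE_LIFE = 10 * 366 * 86400

# Constructed sample copied from the broken getpol output above, and the
# same policy after modpol -maxlife "5 years".
GETPOL_BROKEN = """\
Policy: default
Maximum password life: -1121181635
Minimum password life: 0
Minimum password length: 6
Minimum number of password character classes: 3
Number of old keys kept: 5
Reference count: 40
"""
GETPOL_FIXED = GETPOL_BROKEN.replace("-1121181635", "157766400")

# "Last password change: Fri Aug 05 16:32:29 PDT 2005" from the page, as UTC.
LAST_CHANGE = datetime(2005, 8, 5, 23, 32, 29, tzinfo=timezone.utc)


def parse_getpol(text: str) -> Dict[str, Union[int, str]]:
    """Turn 'Field: value' lines into a dict, keeping numeric fields as ints."""
    policy: Dict[str, Union[int, str]] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        policy[key.strip()] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return policy


def policy_problems(policy: Dict[str, Union[int, str]]) -> List[str]:
    """Lifetime settings that guarantee trouble for every principal under the policy."""
    maxlife = int(policy.get("Maximum password life", 0))
    minlife = int(policy.get("Minimum password life", 0))
    problems = []
    if maxlife < 0:
        problems.append(f"maximum password life {maxlife} is negative: every password "
                        "is expired the moment it is set")
    elif maxlife > MAX_SANE_LIFE:
        problems.append(f"maximum password life {maxlife}s exceeds the assumed ceiling")
    if minlife < 0:
        problems.append(f"minimum password life {minlife} is negative")
    if maxlife > 0 and minlife > maxlife:
        problems.append("minimum password life exceeds the maximum")
    return problems


def password_expiration(last_change: datetime, maxlife: int) -> Optional[datetime]:
    """The expiration stored at password-change time; None means [never]."""
    if maxlife == 0:
        return None
    return last_change + timedelta(seconds=maxlife)


def audit(text: str, last_change: datetime = LAST_CHANGE) -> List[str]:
    """Report lines for one policy plus the expiration it gives a fresh password."""
    policy = parse_getpol(text)
    lines = [f"Policy {policy.get('Policy')}: {p}" for p in policy_problems(policy)]
    exp = password_expiration(last_change, int(policy.get("Maximum password life", 0)))
    when = "[never]" if exp is None else exp.isoformat()
    lines.append(f"A password changed at {last_change.isoformat()} would expire {when}")
    return lines


if __name__ == "__main__":
    for sample in (GETPOL_BROKEN, GETPOL_FIXED):
        print("\n".join(audit(sample)), end="\n\n")
```

Run against the page's own numbers, the broken policy yields an expiration of 1970-01-25 08:11:54 UTC, which is exactly the "Sun Jan 25 00:11:54 PST 1970" kadmin showed; the repaired policy yields August 2010. Pipe the output of kadmin -q 'getpol default' into parse_getpol to check a live realm.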