Old 12-23-2010, 06:58 PM   #1
LQ Newbie
Registered: Sep 2009
Posts: 8

Acceptable kerberos encryption

I am building an active directory and using BIND9 as my DNS. To allow for secure dynamic updates from the domain, I am enabling GSS-TSIG as detailed here and here. Unfortunately, some of the commands and configurations used here seem to be deprecated, at least in the newer versions that I'm using.

My issue is one of keytab encryption. I generated a keytab using ktpass.exe on the Windows Server 2008 domain controller. I have tried DES/MD5, AES128/SHA1 and AES256/SHA1; each has been turned down by ktutil on the kerberos server (FreeBSD). Each time, it outputs the following error:

ktutil: AES256/SHA1*: encryption type AES256/SHA1* not supported

*Respective to encryption used.

I cannot find a list of suitable encryption schemes that ktutil will accept. The FreeBSD handbook details a means of producing a keytab file, but I'm not sure how to configure the Domain Controller to use the keytab.

Any direction you guys can give me?

Last edited by ryeguy146; 12-24-2010 at 01:38 AM. Reason: Solved it.
Old 12-24-2010, 01:37 AM   #2
LQ Newbie
Registered: Sep 2009
Posts: 8

Original Poster
Firstly, let me say that the manuals available for ktutil that describe its shell-like environment are outdated. ktutil no longer runs as such (at least the newest ports version in FreeBSD). Instead, I used the FreeBSD man pages and found the correct help, though it still didn't specify any encryption schemes that were acceptable. I used #ktutil add and was asked to specify encryption. At this point, I cross-referenced ktpass's help file to discern what encryption schemes it has available. After entering each into ktutil, only one was listed as acceptable, des-cbc-md5, so I made a keytab on the Domain Controller and moved it to the Kerberos server and ktutil accepted it. #ktutil list did indeed list the keyfile. Later, I noticed that the previously linked page's suggested configuration did indeed list the proper encryption scheme as des-cbc-md5, though offered deprecated commands.


I suppose I'm on my way to secure dynamic update across my domain. Thanks anyway everyone. I'm sure that my cross-platform adventures will bring me back shortly with more problems to mull over.

Last edited by ryeguy146; 12-24-2010 at 01:44 AM.
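The keytab that ktpass.exe writes can be audited for its encryption types without going through ktutil. The following is an added example, not code from this thread or from ktutil: a small Python parser for the version-2 (0x0502) keytab layout that ktutil reads, with a constructed two-key sample. It maps each enctype number to its Heimdal/MIT name and to the ktpass /crypto spelling the poster tried, and flags the des-cbc-md5 key, since single DES is deprecated (RFC 6649) and a DC that only negotiates DES with BIND is the trade-off being made here. The principal, realm and key bytes in the sample are made up.

```python
import struct
# Enctype numbers (RFC 3961/3962/4757): Heimdal/MIT name, ktpass /crypto name, deprecated?
ENCTYPES = {
    3:  ("des-cbc-md5",             "DES-CBC-MD5", True),   # single DES, RFC 6649
    17: ("aes128-cts-hmac-sha1-96", "AES128-SHA1", False),
    18: ("aes256-cts-hmac-sha1-96", "AES256-SHA1", False),
    23: ("arcfour-hmac-md5",        "RC4-HMAC-NT", True),   # RC4, RFC 8429
}
def build_keytab(entries):
    """(principal, realm, kvno, enctype, key) tuples -> version-2 (0x0502) keytab bytes."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        comps = [c.encode() for c in principal.split("/")]
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c
        # name_type (1 = NT-PRINCIPAL), timestamp, 8-bit kvno, then the keyblock
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal@REALM, kvno, enctype)] for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:              # a negative size marks a deleted slot
            pos -= size
            continue
        cur, end = pos, pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, cur)
        realm, cur = data[cur + 4:cur + 4 + rlen].decode(), cur + 4 + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, cur)
            comps.append(data[cur + 2:cur + 2 + clen].decode())
            cur += 2 + clen
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", data, cur)
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end                 # also skips any trailing 32-bit kvno field
    return entries
def weak_entries(data):
    # principals keyed with a deprecated enctype, e.g. a des-cbc-md5 key made by ktpass
    return [(p, ENCTYPES.get(e, ("unknown", "?", True))[0])
            for p, _, e in parse_keytab(data) if ENCTYPES.get(e, (0, 0, True))[2]]
SAMPLE = build_keytab([   # constructed sample, not a real keytab
    ("DNS/ns1.example.test", "EXAMPLE.TEST", 2, 3, b"\x01" * 8),
    ("DNS/ns1.example.test", "EXAMPLE.TEST", 2, 18, b"\x02" * 32),
])
```

Running `weak_entries` over a keytab exported from a real DC (for example the one ktutil accepted in the post above) lists every principal that still depends on DES or RC4.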