On Tue, 18 Nov 2014, Simo Sorce wrote:
On Tue, 18 Nov 2014 15:01:15 -0500
Nathaniel McCallum <npmccal...@redhat.com> wrote:

As I see it, we're setting out a new precedent. All new ASN.1 code
will take this route (which is, indeed, better). So while it is small
now, it won't stay small forever. Being that we are in the business
of routinely handling ASN.1 stuff, this seems to me like a sensible
architecture for the future.

Ok, I think I should have fixed all the issues you brought up.

And my tests still work fine :)

Works fine. However, I'm getting a wrong TGT enctype back from the KDC when I
try to obtain a TGT with a des-cbc-crc key:

[root@master ~]# ipa host-add --force f21test.f21.test
-----------------------------
Added host "f21test.f21.test"
-----------------------------
 Host name: f21test.f21.test
 Principal name: host/f21test.f21.t...@f21.test
 Password: False
 Keytab: False
 Managed by: f21test.f21.test
[root@master ~]# ipa service-add --force afs/f21test
------------------------------------
Added service "afs/f21t...@f21.test"
------------------------------------
 Principal: afs/f21t...@f21.test
 Managed by: f21test.f21.test
[root@master ~]# ipa-getkeytab -s `hostname` -p afs/f21test -k /tmp/afs.keytab -e des-cbc-crc:v4 -P
New Principal Password: Verify Principal Password: Keytab successfully retrieved and stored in: /tmp/afs.keytab
[root@master ~]# klist -kt /tmp/afs.keytab  -K -e
Keytab name: FILE:/tmp/afs.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  1 11/19/14 12:13:01 afs/f21t...@f21.test (des-cbc-crc) (0xea1a0b29152cb383)

[root@master ~]# KRB5_TRACE=/dev/stderr KRB5CCNAME=/tmp/afs.ccache kinit -kt /tmp/afs.keytab afs/f21test
[28636] 1416392072.862773: Getting initial credentials for afs/f21t...@f21.test
[28636] 1416392072.864408: Looked up etypes in keytab: des-cbc-crc
[28636] 1416392072.864522: Sending request (175 bytes) to F21.TEST
[28636] 1416392072.865127: Sending initial UDP request to dgram 192.168.5.169:88
[28636] 1416392072.866958: Received answer (283 bytes) from dgram 192.168.5.169:88
[28636] 1416392072.867028: Response was from master KDC
[28636] 1416392072.867088: Received error from KDC: -1765328359/Additional pre-authentication required
[28636] 1416392072.867140: Processing preauth types: 136, 19, 2, 133
[28636] 1416392072.867175: Selected etype info: etype des-cbc-crc, salt "F21.TESTafsf21test", params ""
[28636] 1416392072.867193: Received cookie: MIT
[28636] 1416392072.867234: Retrieving afs/f21t...@f21.test from FILE:/tmp/afs.keytab (vno 0, enctype des-cbc-crc) with result: 0/Success
[28636] 1416392072.867264: AS key obtained for encrypted timestamp: des-cbc-crc/0BE8
[28636] 1416392072.867304: Encrypted timestamp (for 1416392072.867050): plain 301AA011180F32303134313131393130313433325AA10502030D3AEA, encrypted 1C567557D395C0639CB417EE90C08CD41E4829D910166D62ACEDCC2168C23BAD8C70DFE4CD533A81
[28636] 1416392072.867331: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[28636] 1416392072.867349: Produced preauth for next request: 133, 2
[28636] 1416392072.867372: Sending request (252 bytes) to F21.TEST
[28636] 1416392072.867416: Sending initial UDP request to dgram 192.168.5.169:88
[28636] 1416392072.946260: Received answer (649 bytes) from dgram 192.168.5.169:88
[28636] 1416392072.946391: Response was from master KDC
[28636] 1416392072.946485: Processing preauth types: 19
[28636] 1416392072.946542: Selected etype info: etype des-cbc-crc, salt "F21.TESTafsf21test", params ""
[28636] 1416392072.946593: Produced preauth for next request: (empty)
[28636] 1416392072.946626: AS key determined by preauth: des-cbc-crc/0BE8
[28636] 1416392072.946688: Decrypted AS reply; session key is: des-cbc-crc/9B41
[28636] 1416392072.946727: FAST negotiation: available
[28636] 1416392072.946793: Initializing FILE:/tmp/afs.ccache with default princ afs/f21t...@f21.test
[28636] 1416392072.947118: Removing afs/f21t...@f21.test -> krbtgt/f21.t...@f21.test from FILE:/tmp/afs.ccache
[28636] 1416392072.947146: Storing afs/f21t...@f21.test -> krbtgt/f21.t...@f21.test in FILE:/tmp/afs.ccache
[28636] 1416392072.947187: Storing config in FILE:/tmp/afs.ccache for krbtgt/f21.t...@f21.test: fast_avail: yes
[28636] 1416392072.947219: Removing afs/f21t...@f21.test -> krb5_ccache_conf_data/fast_avail/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: from FILE:/tmp/afs.ccache
[28636] 1416392072.947240: Storing afs/f21t...@f21.test -> krb5_ccache_conf_data/fast_avail/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: in FILE:/tmp/afs.ccache
[28636] 1416392072.947419: Storing config in FILE:/tmp/afs.ccache for krbtgt/f21.t...@f21.test: pa_type: 2
[28636] 1416392072.947458: Removing afs/f21t...@f21.test -> krb5_ccache_conf_data/pa_type/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: from FILE:/tmp/afs.ccache
[28636] 1416392072.947480: Storing afs/f21t...@f21.test -> krb5_ccache_conf_data/pa_type/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: in FILE:/tmp/afs.ccache
[root@master ~]# KRB5_TRACE=/dev/stderr KRB5CCNAME=/tmp/afs.ccache klist -edf
Ticket cache: FILE:/tmp/afs.ccache
Default principal: afs/f21t...@f21.test

Valid starting     Expires            Service principal
11/19/14 12:14:32  11/20/14 12:14:32  krbtgt/f21.t...@f21.test
Flags: FIA, Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96

KDC logs show this:

Nov 19 12:25:57 master.f21.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.168.5.169: NEEDED_PREAUTH: afs/f21t...@f21.test for krbtgt/f21.t...@f21.test, Additional pre-authentication required
Nov 19 12:25:57 master.f21.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.168.5.169: ISSUE: authtime 1416392757, etypes {rep=1 tkt=18 ses=1}, afs/f21t...@f21.test for krbtgt/f21.t...@f21.test

My /etc/krb5.conf has
[libdefaults]
allow_weak_crypto = true
permitted_enctypes = DEFAULT +des
supported_enctypes = DEFAULT +des

We can handle weak types' response TGT after the F21 release; this is
certainly not limiting.

I've tried with older ipa-getkeytab and it fell back to the pre-4.0
method as expected.

Regarding the patchset itself:

Patch 0001: fix 'wuld' in the commit message. The rest is fine.

Patch 0002:
- ticket number is missing in the commit message
- perhaps the instructions on how to regenerate the asn1 code could be made a
  Makefile target? We don't need to call it ourselves, but this would
  simplify things in the future
- I'm a little uncomfortable with how ASN_DEBUG() output goes explicitly to
  stderr, but I guess this is something we currently cannot override
  with DS-specific log printing, so no big deal right now
- any specific need to get asn1/compile committed? We don't commit it
  in the client code (ipa-client/compile).

Patch 0003: OK


--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
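The point of the KDC log above is the "etypes {rep=1 tkt=18 ses=1}" triple: the reply (rep) and session key (ses) came out as des-cbc-crc while the ticket itself (tkt) is aes256, which is exactly what klist -e then shows as "Etype (skey, tkt)". The following is an added example, not FreeIPA or MIT krb5 code, that rejoins mail-wrapped krb5kdc log lines, parses the AS_REQ ISSUE records and flags any of the three enctypes that fall into a weak set. The enctype numbers are the IANA-registered ones; the choice of which types count as weak, the sample hostnames, principals and addresses, and all function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Kerberos enctype numbers from the IANA registry (RFC 3961 and successors).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}
NAME_TO_ENCTYPE = {name: num for num, name in ENCTYPE_NAMES.items()}

# Policy choice (assumption): single DES, the family MIT gates behind
# allow_weak_crypto, plus RC4; tune this set to local policy.
WEAK_ENCTYPES = {1, 2, 3, 23}

# Matches an unwrapped krb5kdc "AS_REQ ... ISSUE" line.
ISSUE_RE = re.compile(
    r"AS_REQ \((\d+) etypes \{([\d ]+)\}\) (\S+): ISSUE: authtime (\d+), "
    r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}, (\S+) for (\S+)"
)
SYSLOG_TS_RE = re.compile(r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")


def unwrap(text: str) -> List[str]:
    """Rejoin syslog lines wrapped by a mail client: a line that does not
    start with a syslog timestamp is a continuation of the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if lines and not SYSLOG_TS_RE.match(raw):
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_issue(line: str) -> Optional[Dict]:
    """Extract the three enctypes the KDC chose for one AS reply:
    rep = reply encrypted under the client's long-term key,
    tkt = ticket encrypted under the service (here krbtgt) key,
    ses = session key shared by client and service."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    return {
        "client_addr": m.group(3),
        "authtime": int(m.group(4)),
        "rep": int(m.group(5)),
        "tkt": int(m.group(6)),
        "ses": int(m.group(7)),
        "client": m.group(8),
        "server": m.group(9),
        "requested": [int(x) for x in m.group(2).split()],
    }


def weak_roles(issue: Dict) -> List[str]:
    """Which of rep/tkt/ses landed on a weak enctype."""
    return [r for r in ("rep", "tkt", "ses") if issue[r] in WEAK_ENCTYPES]


def parse_klist_etypes(line: str) -> Optional[Tuple[int, int]]:
    """Parse the 'Etype (skey, tkt): X, Y' line printed by klist -e."""
    m = re.search(r"Etype \(skey, tkt\): (\S+), (\S+)", line)
    if not m:
        return None
    return NAME_TO_ENCTYPE[m.group(1)], NAME_TO_ENCTYPE[m.group(2)]


def audit(kdc_log: str) -> List[str]:
    """One finding per ISSUE line in which any of the three enctypes is weak."""
    findings = []
    for line in unwrap(kdc_log):
        issue = parse_issue(line)
        if issue is None:
            continue
        roles = weak_roles(issue)
        if roles:
            desc = ", ".join(f"{r}={ENCTYPE_NAMES.get(issue[r], issue[r])}" for r in roles)
            findings.append(f"{issue['client']} -> {issue['server']}: weak {desc}")
    return findings


# Constructed sample (not a real log): wrapped the way a KDC log pasted into
# mail looks; hostnames, principals and addresses are made up.
SAMPLE_KDC_LOG = """\
Nov 19 12:25:57 kdc.example.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17
16 23 25 26 3 2}) 192.0.2.10: NEEDED_PREAUTH: afs/host1@EXAMPLE.TEST for
krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional
pre-authentication required
Nov 19 12:25:57 kdc.example.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17
16 23 25 26 3 2}) 192.0.2.10: ISSUE: authtime 1416392757, etypes {rep=1
tkt=18 ses=1}, afs/host1@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 19 12:30:00 kdc.example.test krb5kdc[28713](info): AS_REQ (2 etypes {18 17}) 192.0.2.11: ISSUE: authtime 1416393000, etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_KDC_LOG):
        print(finding)
```

Run against the sample, the DES principal is reported with rep and ses weak while tkt is not: the ticket is sealed under the krbtgt key, so its enctype follows that key rather than the client's, whereas rep and ses follow the client's key and requested list. That is also why a klist line of "des-cbc-crc, aes256-cts-hmac-sha1-96" parses to (1, 18).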