On Tue, 18 Nov 2014, Simo Sorce wrote:
On Tue, 18 Nov 2014 15:01:15 -0500
Nathaniel McCallum <npmccal...@redhat.com> wrote:
As I see it, we're setting out a new precedent. All new ASN.1 code
will take this route (which is, indeed, better). So while it is small
now, it won't stay small forever. Being that we are in the business
of routinely handling ASN.1 stuff, this seems to me like a sensible
architecture for the future.
Ok, I think I should have fixed all the issues you brought up.
And my tests still work fine :)
Works fine. However, I'm getting wrong TGT enctype back from the KDC when I
try to obtain TGT with des-cbc-crc key:
[root@master ~]# ipa host-add --force f21test.f21.test
-----------------------------
Added host "f21test.f21.test"
-----------------------------
Host name: f21test.f21.test
Principal name: host/f21test.f21.t...@f21.test
Password: False
Keytab: False
Managed by: f21test.f21.test
[root@master ~]# ipa service-add --force afs/f21test
------------------------------------
Added service "afs/f21t...@f21.test"
------------------------------------
Principal: afs/f21t...@f21.test
Managed by: f21test.f21.test
[root@master ~]# ipa-getkeytab -s `hostname` -p afs/f21test -k /tmp/afs.keytab -e des-cbc-crc:v4 -P
New Principal Password:
Verify Principal Password:
Keytab successfully retrieved and stored in: /tmp/afs.keytab
[root@master ~]# klist -kt /tmp/afs.keytab -K -e
Keytab name: FILE:/tmp/afs.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 11/19/14 12:13:01 afs/f21t...@f21.test (des-cbc-crc) (0xea1a0b29152cb383)
[root@master ~]# KRB5_TRACE=/dev/stderr KRB5CCNAME=/tmp/afs.ccache kinit -kt /tmp/afs.keytab afs/f21test
[28636] 1416392072.862773: Getting initial credentials for afs/f21t...@f21.test
[28636] 1416392072.864408: Looked up etypes in keytab: des-cbc-crc
[28636] 1416392072.864522: Sending request (175 bytes) to F21.TEST
[28636] 1416392072.865127: Sending initial UDP request to dgram 192.168.5.169:88
[28636] 1416392072.866958: Received answer (283 bytes) from dgram 192.168.5.169:88
[28636] 1416392072.867028: Response was from master KDC
[28636] 1416392072.867088: Received error from KDC: -1765328359/Additional pre-authentication required
[28636] 1416392072.867140: Processing preauth types: 136, 19, 2, 133
[28636] 1416392072.867175: Selected etype info: etype des-cbc-crc, salt "F21.TESTafsf21test", params ""
[28636] 1416392072.867193: Received cookie: MIT
[28636] 1416392072.867234: Retrieving afs/f21t...@f21.test from FILE:/tmp/afs.keytab (vno 0, enctype des-cbc-crc) with result: 0/Success
[28636] 1416392072.867264: AS key obtained for encrypted timestamp: des-cbc-crc/0BE8
[28636] 1416392072.867304: Encrypted timestamp (for 1416392072.867050): plain 301AA011180F32303134313131393130313433325AA10502030D3AEA, encrypted 1C567557D395C0639CB417EE90C08CD41E4829D910166D62ACEDCC2168C23BAD8C70DFE4CD533A81
[28636] 1416392072.867331: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[28636] 1416392072.867349: Produced preauth for next request: 133, 2
[28636] 1416392072.867372: Sending request (252 bytes) to F21.TEST
[28636] 1416392072.867416: Sending initial UDP request to dgram 192.168.5.169:88
[28636] 1416392072.946260: Received answer (649 bytes) from dgram 192.168.5.169:88
[28636] 1416392072.946391: Response was from master KDC
[28636] 1416392072.946485: Processing preauth types: 19
[28636] 1416392072.946542: Selected etype info: etype des-cbc-crc, salt "F21.TESTafsf21test", params ""
[28636] 1416392072.946593: Produced preauth for next request: (empty)
[28636] 1416392072.946626: AS key determined by preauth: des-cbc-crc/0BE8
[28636] 1416392072.946688: Decrypted AS reply; session key is: des-cbc-crc/9B41
[28636] 1416392072.946727: FAST negotiation: available
[28636] 1416392072.946793: Initializing FILE:/tmp/afs.ccache with default princ afs/f21t...@f21.test
[28636] 1416392072.947118: Removing afs/f21t...@f21.test -> krbtgt/f21.t...@f21.test from FILE:/tmp/afs.ccache
[28636] 1416392072.947146: Storing afs/f21t...@f21.test -> krbtgt/f21.t...@f21.test in FILE:/tmp/afs.ccache
[28636] 1416392072.947187: Storing config in FILE:/tmp/afs.ccache for krbtgt/f21.t...@f21.test: fast_avail: yes
[28636] 1416392072.947219: Removing afs/f21t...@f21.test -> krb5_ccache_conf_data/fast_avail/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: from FILE:/tmp/afs.ccache
[28636] 1416392072.947240: Storing afs/f21t...@f21.test -> krb5_ccache_conf_data/fast_avail/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: in FILE:/tmp/afs.ccache
[28636] 1416392072.947419: Storing config in FILE:/tmp/afs.ccache for krbtgt/f21.t...@f21.test: pa_type: 2
[28636] 1416392072.947458: Removing afs/f21t...@f21.test -> krb5_ccache_conf_data/pa_type/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: from FILE:/tmp/afs.ccache
[28636] 1416392072.947480: Storing afs/f21t...@f21.test -> krb5_ccache_conf_data/pa_type/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: in FILE:/tmp/afs.ccache
[root@master ~]# KRB5_TRACE=/dev/stderr KRB5CCNAME=/tmp/afs.ccache klist -edf
Ticket cache: FILE:/tmp/afs.ccache
Default principal: afs/f21t...@f21.test
Valid starting       Expires              Service principal
11/19/14 12:14:32    11/20/14 12:14:32    krbtgt/f21.t...@f21.test
	Flags: FIA, Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
KDC logs show this:
Nov 19 12:25:57 master.f21.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.168.5.169: NEEDED_PREAUTH: afs/f21t...@f21.test for krbtgt/f21.t...@f21.test, Additional pre-authentication required
Nov 19 12:25:57 master.f21.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.168.5.169: ISSUE: authtime 1416392757, etypes {rep=1 tkt=18 ses=1}, afs/f21t...@f21.test for krbtgt/f21.t...@f21.test
My /etc/krb5.conf has
[libdefaults]
allow_weak_crypto = true
permitted_enctypes = DEFAULT +des
supported_enctypes = DEFAULT +des
We can handle weak types' response TGT after the F21 release; this is
certainly not limiting.
I've tried with older ipa-getkeytab and it fell back to the pre-4.0
method as expected.
Regarding the patchset itself:
Patch 0001: fix 'wuld' in the commit message. The rest is fine.
Patch 0002:
- ticket number is missing in the commit message
- perhaps an instruction on how to regenerate the asn1 code could be made a
Makefile target? We don't need to call it ourselves, but this would
simplify things in the future
- I'm a little uncomfortable with how ASN_DEBUG() output goes explicitly to
stderr, but I guess this is something we currently cannot override
with DS-specific log printing, so no big deal right now
- any specific need to get asn1/compile committed? We don't commit it
in the client code (ipa-client/compile).
Patch 0003: OK
--
/ Alexander Bokovoy
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
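The trace and KDC log above show three different enctype fields for one AS exchange: the reply key (`rep`, the client's long-term key), the ticket key (`tkt`, the krbtgt principal's key, which is why it can be AES even when the client only has DES) and the session key (`ses`, negotiated from what the client offered). When `allow_weak_crypto = true` is in play, the check a practitioner wants is which of those ended up single-DES. The script below is an added example written for this thread, not FreeIPA or MIT krb5 code: it parses krb5kdc `AS_REQ` log lines and the `Etype (skey, tkt)` line of `klist -e`, maps the numeric enctypes to names, and flags weak or deprecated ones. The embedded sample log and klist text are constructed to match the formats in the thread, with hypothetical hostnames, addresses and principals; the weak/deprecated grouping is the example's own.

```python
"""Report per-component Kerberos enctypes from krb5kdc logs and klist -e.

Added example for the thread above; not FreeIPA or MIT krb5 code.
Sample inputs are constructed; hostnames, addresses and principals are made up.
"""
import re

# Enctype numbers as printed by the MIT KDC (RFC 3961, 3962, 4757, 6803).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac",
}
# Single DES: only usable with allow_weak_crypto = true (this example's grouping).
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
# Still enabled by default in 2014-era MIT krb5, but not recommended any more.
DEPRECATED = {"des3-cbc-sha1", "arcfour-hmac"}

AS_REQ_RE = re.compile(
    r"AS_REQ \((\d+) etypes \{([\d ]+)\}\) (\S+): (NEEDED_PREAUTH|ISSUE): (.*)$")
ISSUE_RE = re.compile(
    r"authtime (\d+), etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}, (\S+) for (\S+)")
KLIST_ETYPE_RE = re.compile(r"Etype \(skey, tkt\): ([\w-]+), ([\w-]+)")


def etype_name(num):
    """Map a numeric enctype to its name; unknown numbers stay visible."""
    return ETYPE_NAMES.get(int(num), "etype-%d" % int(num))


def parse_kdc_as_req(line):
    """Describe one krb5kdc AS_REQ log line as a dict, or None if it is not one."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    info = {"offered": [etype_name(n) for n in m.group(2).split()],
            "client_addr": m.group(3), "status": m.group(4)}
    if info["status"] == "ISSUE":
        i = ISSUE_RE.match(m.group(5))
        if i:
            info.update({
                "authtime": int(i.group(1)),
                "rep": etype_name(i.group(2)),  # AS-REP encrypted in the client key
                "tkt": etype_name(i.group(3)),  # ticket encrypted in the krbtgt key
                "ses": etype_name(i.group(4)),  # session key shared with the client
                "client": i.group(5), "server": i.group(6)})
    return info


def parse_klist_etypes(text):
    """Return (session_key_etype, ticket_etype) pairs from `klist -e` output."""
    return [(m.group(1), m.group(2)) for m in KLIST_ETYPE_RE.finditer(text)]


def assess(ses, tkt):
    """Classify session-key and ticket enctypes; returns a list of findings."""
    findings = []
    for role, name in (("session key", ses), ("ticket", tkt)):
        if name in WEAK:
            findings.append("%s uses weak enctype %s" % (role, name))
        elif name in DEPRECATED:
            findings.append("%s uses deprecated enctype %s" % (role, name))
    return findings


# Constructed sample input in the formats shown in the thread (hypothetical names).
SAMPLE_KDC_LOG = """\
Nov 19 12:25:57 kdc.example.test krb5kdc[4242](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.0.2.10: NEEDED_PREAUTH: afs/host.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 19 12:25:57 kdc.example.test krb5kdc[4242](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.0.2.10: ISSUE: authtime 1416392757, etypes {rep=1 tkt=18 ses=1}, afs/host.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/afs.ccache
Default principal: afs/host.example.test@EXAMPLE.TEST

Valid starting       Expires              Service principal
11/19/14 12:14:32    11/20/14 12:14:32    krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
\tFlags: FIA, Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
"""


def report(kdc_log=SAMPLE_KDC_LOG, klist_text=SAMPLE_KLIST):
    """Assess every ISSUE line and every cached ticket; returns (source, who, findings)."""
    out = []
    for line in kdc_log.splitlines():
        info = parse_kdc_as_req(line)
        if info and info["status"] == "ISSUE" and "ses" in info:
            out.append(("kdc", info["client"], assess(info["ses"], info["tkt"])))
    for ses, tkt in parse_klist_etypes(klist_text):
        out.append(("ccache", None, assess(ses, tkt)))
    return out


if __name__ == "__main__":
    for source, who, findings in report():
        print(source, who or "-", "; ".join(findings) or "ok")
```

Run it as-is to see the sample assessed; point `report()` at a real `/var/log/krb5kdc.log` and the output of `klist -e` to check a live realm. On the sample it reports that the session key is des-cbc-crc while the ticket itself is aes256-cts-hmac-sha1-96, the same split the trace and KDC log above show.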