On Wed, Jan 07, 2015 at 01:22:36PM -0500, Brad House wrote:
> I have a need to 'kinit' from within a cygwin environment in order to
> perform an svn checkout over ssh. However, I can't figure out how to
> get this to work properly with FreeIPA. We had an MIT Kerberos/
> OpenLDAP authentication system prior to using FreeIPA and we had it
> working there.
>
> The windows machine itself is kerberized as per
> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
> so I can log in using the Kerberos user via the standard windows login,
> however I don't believe that is relevant to cygwin since it uses its own
> config.
>
> Next, I generated an /etc/krb5.conf file within cygwin as appropriate
> for my domain (DNS SRV records don't appear to work so I had to fully
> configure it with my ipa servers listed, etc ... which is basically
> an identical config just with some new URLs to what was previously
> working). It was derived originally from here:
> http://computing.fnal.gov/authentication/krb5conf/Windows/krb5.conf
> Also, the cygwin /etc/krb5.keytab is what was generated via ipa-getkeytab
> from the FreeIPA windows config docs (linked earlier).
>
> Initially I received these errors:
> Jan 07 11:42:45 ipa1.XXXX krb5kdc[31975](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: BAD_ENCRYPTION_TYPE: bhouse@XXXX for krbtgt/XXXX@XXXX, KDC has no support for encryption type
>
> It appeared the Kerberos within cygwin is only advertising DES encryption
> types even though stronger ones are configured in my krb5.conf.
>
> Ok, so I allowed weak crypto on the krb5kdc on the FreeIPA server following
> the same procedure as from this mailing list entry (which was for a different
> purpose):
> https://www.redhat.com/archives/freeipa-users/2014-November/msg00246.html
> Which appears similar to the NFS workarounds but also includes modifications
> for krb5kdc.conf:
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/kerb-nfs.html
>
> Now I'm receiving these errors in the logs:
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32006](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse@XXXX for krbtgt/XXXX@XXXX, Additional pre-authentication required
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse@XXXX for krbtgt/XXXX@XXXX, Additional pre-authentication required
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse@XXXX for krbtgt/XXXX@XXXX, Additional pre-authentication required
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:30 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response

Looks like the client is resending the AS_REQ without proper pre-auth data. Which version of cygwin are you using? Can you check with 'klist -V' which Kerberos version is used?

bye,
Sumit

> And on the cygwin console I get:
> $ kinit bhouse
> Password for bhouse@XXXX:
> kinit: Looping detected inside krb5_get_in_tkt while getting initial
> credentials
>
> So I think this is _better_, however I don't know where to go from here.
>
> Any help would be greatly appreciated, I'm not finding anything when trying
> to research cygwin with FreeIPA.
>
> Thanks!
> -Brad

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
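The two symptoms in the KDC log above (a client offering only single-DES etypes, and an AS_REQ that keeps coming back as NEEDED_PREAUTH with a burst of DISPATCH retransmits and never an ISSUE) are easy to pull out of a krb5kdc.log mechanically. The script below is an added example, not code from this thread, from FreeIPA or from MIT krb5; the sample log lines it reads are constructed to mirror the format of the posted ones, with the realm, hostname and the second client address (10.100.10.113, a hypothetical healthy AES client) being placeholders. Etype numbers follow the IANA Kerberos encryption type registry: 1, 2 and 3 are des-cbc-crc, des-cbc-md4 and des-cbc-md5; 16 is des3-cbc-sha1; 17 and 18 are AES-128/256; 23 is rc4-hmac.

```shell
#!/bin/sh
# Added example (not from the thread): triage of MIT krb5kdc log lines.
# Flags (a) clients whose AS_REQ offers only single-DES etypes and
# (b) clients stuck in a NEEDED_PREAUTH loop with no ISSUE line.
# Uses only POSIX sh and awk, so it runs unchanged inside a Cygwin shell.

# Constructed sample log (placeholder realm/hostnames, not a real capture).
SAMPLE_LOG='Jan 07 11:42:45 ipa1.example.test krb5kdc[31975](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: BAD_ENCRYPTION_TYPE: bhouse@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, KDC has no support for encryption type
Jan 07 12:39:29 ipa1.example.test krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jan 07 12:39:29 ipa1.example.test krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.example.test krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.example.test krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jan 07 12:39:30 ipa1.example.test krb5kdc[32005](info): AS_REQ (4 etypes {18 17 16 23}) 10.100.10.113: ISSUE: authtime 1420652370, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST'

# weak_etype_clients LOG
# Prints "client_ip etype_list" (deduplicated) for every AS_REQ whose
# offered etype list consists solely of single-DES types (1, 2, 3).
# Such a client can never get a ticket from a KDC that has weak crypto
# disabled, which is exactly the BAD_ENCRYPTION_TYPE case in the thread.
weak_etype_clients() {
    printf '%s\n' "$1" | awk '
        /AS_REQ \([0-9]+ etypes [{]/ {
            # the first {...} on the line is the client-offered etype list
            if (!match($0, /[{][0-9 ]+[}]/)) next
            list = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(list, e, " ")
            weak = (n > 0)
            for (i = 1; i <= n; i++)
                if (e[i] + 0 < 1 || e[i] + 0 > 3) weak = 0
            # client address is the dotted quad after the closing ")"
            if (weak && match($0, /\) [0-9.]+:/))
                print substr($0, RSTART + 2, RLENGTH - 3), list
        }' | sort -u
}

# preauth_loop_clients LOG
# Prints "client_ip needed_preauth_count retransmit_count" for clients
# that received NEEDED_PREAUTH at least twice and were never ISSUEd a
# ticket. A healthy client answers NEEDED_PREAUTH once with a second
# AS_REQ carrying pre-auth data and then gets ISSUE; repeated
# NEEDED_PREAUTH plus DISPATCH retransmits is the looping pattern.
preauth_loop_clients() {
    printf '%s\n' "$1" | awk '
        function client_ip(line) {
            if (match(line, /\) [0-9.]+:/))
                return substr(line, RSTART + 2, RLENGTH - 3)
            return ""
        }
        /AS_REQ .*NEEDED_PREAUTH:/ { need[client_ip($0)]++ }
        /AS_REQ .*ISSUE:/          { issued[client_ip($0)]++ }
        /DISPATCH: repeated \(retransmitted\?\) request from/ {
            if (match($0, /from [0-9.]+,/))
                retrans[substr($0, RSTART + 5, RLENGTH - 6)]++
        }
        END {
            for (ip in need)
                if (need[ip] >= 2 && !(ip in issued))
                    print ip, need[ip], retrans[ip] + 0
        }'
}

# Stand-alone run against the constructed sample; replace SAMPLE_LOG with
# "$(cat /var/log/krb5kdc.log)" on a real IPA server.
echo "clients offering only single-DES etypes (ip etypes):"
weak_etype_clients "$SAMPLE_LOG"
echo "clients looping on NEEDED_PREAUTH with no ISSUE (ip as_req_count retransmits):"
preauth_loop_clients "$SAMPLE_LOG"
```

On the sample the first function reports 10.100.10.112 with etypes "3 1" and the second reports the same client with two NEEDED_PREAUTH responses and two retransmits, while the hypothetical AES client at 10.100.10.113 is reported by neither. Re-enabling weak crypto on the KDC, as the post above did, only moves a DES-only client from the first report to the second; the client's etype list and its missing pre-auth reply are what need to change.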