Re: kinit without dns
On Wed, Jan 24, 2024 at 4:27 PM Sam Hartman wrote:
>
> > "Michael" == Michael B Allen writes:
>
>     Michael> Hi Ken,
>
>     Michael> Indeed. Unfortunately my stock packages on CentOS 9 Stream
>     Michael> are 1.21 but the KRB5_TRACE feature was introduced in 1.9.
>
> Last time I checked, 1.21 > 1.9.

Good point and, after some fiddling, it does indeed work and would have revealed the issue:

$ KRB5_TRACE=trace.txt kinit -k -t java31.keytab 'java31$@GOGO.LOCO'
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
$ cat trace.txt
850878: Matching java31$@GOGO.LOCO in collection with result: 0/Success
850879: Getting initial credentials for java31$@GOGO.LOCO
850880: Found entries for java31$@GOGO.LOCO in keytab: aes128-cts
850882: Sending unauthenticated request
850883: Sending request (189 bytes) to GOGO.LOCO
850884: Resolving hostname dc1.gogo.loco
850885: Sending initial UDP request to dgram 10.11.12.22:88
850886: Received answer (185 bytes) from dgram 10.11.12.22:88
850887: Response was from primary KDC
850888: Received error from KDC: -1765328359/Additional pre-authentication required
850891: Preauthenticating using KDC method data
850892: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
850893: Selected etype info: etype aes256-cts, salt "GOGO.LOCOhostjava31.gogo.loco", params ""
850894: PKINIT client has no configured identity; giving up
850895: PKINIT client has no configured identity; giving up
850896: Preauth module pkinit (16) (real) returned: 22/Invalid argument
850897: Retrieving java31$@GOGO.LOCO from FILE:java31.keytab (vno 0, enctype aes256-cts) with result: -1765328203/No key table entry found for java31$@GOGO.LOCO
850898: Preauth module encrypted_timestamp (2) (real) returned: -1765328203/No key table entry found for java31$@GOGO.LOCO

Second to last line is pretty clear. Kinit was looking for an aes256-cts key but the keytab only had an aes128-cts entry.

Mike

--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: kinit without dns
> "Michael" == Michael B Allen writes:

    Michael> Hi Ken,

    Michael> Indeed. Unfortunately my stock packages on CentOS 9 Stream
    Michael> are 1.21 but the KRB5_TRACE feature was introduced in 1.9.

Last time I checked, 1.21 > 1.9.
Re: kinit without dns
>Indeed. Unfortunately my stock packages on CentOS 9 Stream are 1.21
>but the KRB5_TRACE feature was introduced in 1.9.

Ummm ... 21 > 9, I think? :-)

>At any rate, of course I figured out the problem right after posting this ...

Glad you figured it out.

--Ken
Re: kinit without dns
On Wed, Jan 24, 2024 at 3:34 PM Ken Hornstein wrote:
>
> You MIGHT be better served by turning on Kerberos tracing to see what the
> library is doing. Prefixing that kinit with:
>
> env KRB5_TRACE=/dev/stdout
>
> would be useful.

Hi Ken,

Indeed. Unfortunately my stock packages on CentOS 9 Stream are 1.21 but the KRB5_TRACE feature was introduced in 1.9.

At any rate, of course I figured out the problem right after posting this ...

Even though the following AD account attribute was set to:

msDS-SupportedEncryptionTypes: 0x8 (AES128_CTS_HMAC_SHA1_96)

apparently this is not applicable to getting a TGT. I noticed the AP-REQ KRB5KDC_ERR_PREAUTH_REQUIRED PA-DATA listed AES256 as the etype. My keytab only had an AES128 key. Changing the key to AES256 fixed the issue and kinit now runs successfully (without modifying DNS since dc1.gogo.loco is listed in router DNS proxy local tables). ^^^TLDR

So I guess the "Invalid argument" was that there was no key matching the desired etype. It probably didn't help that there was obviously an AES256 key on the account and it's only because I'm screwing around with that msDS-SupportedEncryptionTypes attr trying to pin AES128 that I'm dancing outside the lines of sanity at this point.

Really glad to see KRB5_TRACE was added. Thanks for your support.

Mike

--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
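The two things Mike had to line up by hand in this thread, the enctype the KDC selected in its ETYPE-INFO2 (visible in the KRB5_TRACE output he posted) and the enctypes actually present in the keytab, can be checked mechanically from the trace. The following is an added example, not code from the thread or from MIT krb5; it embeds four of Mike's trace lines as constructed sample input and also decodes an msDS-SupportedEncryptionTypes mask (the documented AD bit values) so the reported gap can be compared against what that attribute appears to pin. The helper names are my own.

```python
import re

# Constructed sample: four of the KRB5_TRACE lines from the thread, enough for
# the check. The numeric prefixes are the trace's own sequence ids.
SAMPLE_TRACE = """\
850880: Found entries for java31$@GOGO.LOCO in keytab: aes128-cts
850888: Received error from KDC: -1765328359/Additional pre-authentication required
850893: Selected etype info: etype aes256-cts, salt "GOGO.LOCOhostjava31.gogo.loco", params ""
850897: Retrieving java31$@GOGO.LOCO from FILE:java31.keytab (vno 0, enctype aes256-cts) with result: -1765328203/No key table entry found for java31$@GOGO.LOCO
"""

# Bit values of the AD msDS-SupportedEncryptionTypes attribute, mapped to the
# enctype names krb5 prints in its trace output.
MSDS_ETYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts",
    0x10: "aes256-cts",
}


def decode_msds_etypes(mask):
    """Expand an msDS-SupportedEncryptionTypes bitmask into enctype names."""
    return {name for bit, name in MSDS_ETYPE_BITS.items() if mask & bit}


def parse_trace(text):
    """Return (enctypes found in the keytab, enctype the KDC selected)."""
    keytab = set()
    selected = None
    for line in text.splitlines():
        m = re.search(r"in keytab: (.+)$", line)
        if m:
            # krb5 joins several keytab enctypes with ", "
            keytab.update(e.strip() for e in m.group(1).split(","))
            continue
        m = re.search(r"Selected etype info: etype ([\w-]+)", line)
        if m:
            selected = m.group(1)
    return keytab, selected


def diagnose(text, msds_mask=None):
    """Explain a pre-authentication failure in terms of enctype coverage.

    Returns "ok" when the keytab holds a key of the enctype the KDC chose,
    otherwise a message naming the gap. If the account's
    msDS-SupportedEncryptionTypes mask is supplied, it is checked too, since
    (as in this thread) the KDC's choice may not match what the mask pins.
    """
    keytab, selected = parse_trace(text)
    if selected is None:
        return "no etype-info in trace"
    if selected in keytab:
        return "ok"
    msg = f"keytab has {sorted(keytab)} but KDC selected {selected}"
    if msds_mask is not None and selected not in decode_msds_etypes(msds_mask):
        msg += (f"; msDS-SupportedEncryptionTypes 0x{msds_mask:x} does not"
                f" list {selected} either")
    return msg


if __name__ == "__main__":
    # With Mike's mask of 0x8 this reports the aes128/aes256 gap he found.
    print(diagnose(SAMPLE_TRACE, msds_mask=0x8))
```

On a real failure, run `KRB5_TRACE=trace.txt kinit ...` as in the thread and feed the file to `diagnose()`; the keytab side can be cross-checked against `klist -kte`, which lists the enctype of every keytab entry.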
Re: kinit without dns
You MIGHT be better served by turning on Kerberos tracing to see what the
library is doing. Prefixing that kinit with:

env KRB5_TRACE=/dev/stdout

would be useful.

However, assuming these are in order ...

>Protocol Length Info
>DNS 80 Standard query 0xd8af A dc1.gogo.loco
>DNS 96 Standard query response 0xd8af A dc1.gogo.loco A 10.15.15.22
>KRB5 221 AS-REQ
>KRB5 234 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED

This looks like the basic exchange with the KDC did not do any DNS lookups (other than the hostname).

>DNS 79 Standard query 0x314d URI _kerberos.GOGO.LOCO
>DNS 154 Standard query response 0x314d No such name URI
>_kerberos.GOGO.LOCO SOA a.root-servers.net
>DNS 91 Standard query 0xfc89 SRV _kerberos-master._udp.GOGO.LOCO
>DNS 166 Standard query response 0xfc89 No such name SRV
>_kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net

This looks like it is trying to find the name of the primary KDC. You could put a line "master_kdc = dc1.gogo.logo" under the [realms] stanza and I believe it would suppress these lookups (the preferred relation name was changed to "primary_kdc" in 1.19 but it is still supposed to fall back to the older name). I think that should get rid of all of the lookups I see (I believe the PREAUTH_REQUIRED error makes it want to find the primary KDC).

--Ken
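Ken's suggestion is a krb5.conf change: pin the primary KDC under [realms] so the client stops asking DNS for it after the PREAUTH_REQUIRED error. The following is an added example, not from the thread or from MIT krb5: two constructed krb5.conf fragments for the thread's realm, one that still leaves the primary KDC to DNS and one that pins it with both the 1.19+ name `primary_kdc` and the older `master_kdc`, plus a small reader that reports which DNS fallbacks a given config still leaves open. It also checks the [libdefaults] relation `dns_lookup_kdc`, which Ken does not mention but which is the documented switch for SRV/URI-based KDC discovery; the parser and function names are my own.

```python
# Constructed krb5.conf fragments for the realm in this thread; neither is a
# file from the thread. BEFORE names the KDC but leaves the primary KDC and the
# DNS fallback to be discovered; AFTER pins both.
BEFORE = """\
[libdefaults]
    default_realm = GOGO.LOCO

[realms]
    GOGO.LOCO = {
        kdc = dc1.gogo.loco
    }
"""

AFTER = """\
[libdefaults]
    default_realm = GOGO.LOCO
    dns_lookup_kdc = false

[realms]
    GOGO.LOCO = {
        kdc = dc1.gogo.loco
        primary_kdc = dc1.gogo.loco
        master_kdc = dc1.gogo.loco
    }
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: [values]}} with one level of
    "{ }" nesting, which is what [realms] uses. Repeated keys (for example
    several kdc relations) accumulate in the list."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            sub = None
        elif line == "}":
            sub = None
        elif "=" in line and section is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                sub = conf[section].setdefault(key, {})
            else:
                target = sub if sub is not None else conf[section]
                target.setdefault(key, []).append(value)
    return conf


def locator_posture(text, realm):
    """List the ways this config still lets KDC location fall through to DNS."""
    conf = parse_krb5_conf(text)
    realm_cfg = conf.get("realms", {}).get(realm, {})
    libdefaults = conf.get("libdefaults", {})
    findings = []
    if "kdc" not in realm_cfg:
        findings.append("no kdc relation: KDC discovery relies on DNS SRV/URI records")
    # krb5 1.19+ reads primary_kdc and still accepts the older master_kdc
    if not (realm_cfg.get("primary_kdc") or realm_cfg.get("master_kdc")):
        findings.append("no primary_kdc/master_kdc relation: the client may query "
                        "DNS for the primary KDC after a KDC error")
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["true"])[0].lower()
    if dns_kdc not in ("false", "no", "0"):
        findings.append("dns_lookup_kdc not disabled: DNS stays a fallback locator")
    return findings


if __name__ == "__main__":
    for label, conf in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, locator_posture(conf, "GOGO.LOCO") or ["no DNS fallback left"])
```

The reader is deliberately small; real krb5.conf files can also use `include`/`includedir` directives and deeper nesting, which it does not follow, so treat its output as a quick posture check rather than a full parse.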