Date: Wed, 02 Apr 2008 12:59:40 +0400
From: Igor Mammedov <niallain@gmail.com>
To: krb5-bugs@mit.edu
Subject: "Key table entry not found while getting initial credentials" + KRB5KDC_ERR_PREAUTH_REQUIRED
CC: krbdev@mit.edu
Hi folks,
Maybe I've found a bug in the krb5 libs code.
Here is the thing:
When we store a user password in a keytab with des-cbc-md5 encryption

with "addent -password -p TESTUSERNAME -k 1 -e des-cbc-md5"

we receive the error KRB5KDC_ERR_PREAUTH_REQUIRED from the server and
kinit says "Key table entry not found while getting initial credentials".

Also note that in the dump of the client-server conversation there is no
field "padata" in the request.

-------------- Incorrect case --------------------
User Datagram Protocol, Src Port: 46944 (46944), Dst Port: kerberos (88)
Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
KDC_REQ_BODY
Padding: 0
KDCOptions: 40000010 (Forwardable, Renewable OK)
Client Name (Principal): TESTUSERNAME
Realm: MY.TEST.REALM
Server Name (Unknown): krbtgt/MY.TEST.REALM
from: 2008-04-02 07:56:30 (Z)
till: 2008-04-03 07:56:30 (Z)
Nonce: 1207122990
Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

User Datagram Protocol, Src Port: kerberos (88), Dst Port: 46944 (46944)
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2008-04-02 07:55:18 (Z)
susec: 502936
error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
Realm: MY.TEST.REALM
Server Name (Unknown): krbtgt/MY.TEST.REALM
e-data

However, if we add the entry into the keytab this way:

"addent -password -p TESTUSERNAME -k 1 -e rc4-hmac"

Then the client sends "padata" in the request and the server replies with a valid TGT.

So this is probably a bug in the client code (kinit or krb5 libs); if it is not, then
could someone clarify why it works this way?

------------- Normal case --------------------------

User Datagram Protocol, Src Port: 41142 (41142), Dst Port: kerberos (88)
Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
padata: PA-ENC-TIMESTAMP
Type: PA-ENC-TIMESTAMP (2)
Value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX... rc4-hmac
KDC_REQ_BODY
Padding: 0
KDCOptions: 40000010 (Forwardable, Renewable OK)
Client Name (Principal): TESTUSERNAME
Realm: MY.TEST.REALM
Server Name (Unknown): krbtgt/MY.TEST.REALM
from: 2008-04-02 08:05:01 (Z)
till: 2008-04-03 08:05:01 (Z)
Nonce: 1207123501
Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

User Datagram Protocol, Src Port: kerberos (88), Dst Port: 41142 (41142)
Kerberos AS-REP
Pvno: 5
MSG Type: AS-REP (11)
Client Realm: MY.TEST.REALM
Client Name (Principal): TESTUSERNAME
Ticket
enc-part rc4-hmac




--

Best regards,

-------------------------
Igor Mammedov,
niallain "at" gmail.com
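
Added example, not part of the original message or of the krb5 code: a small Python parser for dissector output in the format quoted above, which summarizes each exchange against the enctype stored in the keytab. The function names and the trimmed sample dumps are constructed for illustration; the summary reports only what the capture shows and does not determine the cause.

```python
import re

# Constructed samples, trimmed from the two dissector dumps quoted in the message.
FAILING = """Kerberos AS-REQ
MSG Type: AS-REQ (10)
Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
Kerberos KRB-ERROR
error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
"""
WORKING = """Kerberos AS-REQ
padata: PA-ENC-TIMESTAMP
Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
Kerberos AS-REP
enc-part rc4-hmac
"""

def parse_messages(dump):
    """Split dissector text into one dict per Kerberos message."""
    msgs = []
    for line in (l.strip() for l in dump.splitlines()):
        start = re.match(r"Kerberos (AS-REQ|AS-REP|KRB-ERROR)$", line)
        if start:
            msgs.append({"type": start.group(1), "padata": [], "etypes": [], "error": None})
        elif msgs and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "padata":
                msgs[-1]["padata"].append(value)
            elif key == "Encryption Types":
                msgs[-1]["etypes"] = value.split()
            elif key == "error_code":
                msgs[-1]["error"] = value.split()[0]
    return msgs

def summarize(dump, keytab_etype):
    """Report what the capture shows, relative to the enctype stored in the keytab."""
    msgs = parse_messages(dump)
    requests = [m for m in msgs if m["type"] == "AS-REQ"]
    if not requests:
        raise ValueError("no AS-REQ found in dump")
    req, reply = requests[0], msgs[-1]
    return {
        "preauth_sent": bool(req["padata"]),
        "outcome": reply["error"] or reply["type"],
        "keytab_etype_offered": keytab_etype in req["etypes"],
        "keytab_etype_preferred": req["etypes"][:1] == [keytab_etype],
    }

if __name__ == "__main__":
    print(summarize(FAILING, "des-cbc-md5"))
    print(summarize(WORKING, "rc4-hmac"))
```

In both captures the keytab's enctype appears in the offered list; it is the first entry only in the rc4-hmac case.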