To: | krb5-bugs@MIT.EDU |
Subject: | [Russ Allbery] Bug#528729: libkrb5-3: cannot obtain cross-realm tickets with Windows 2003 AD |
From: | Sam Hartman <hartmans@debian.org> |
Date: | Mon, 18 May 2009 09:03:30 -0400 |
There seems to be a problem with multi-hop cross-realm involving AD.
Return-Path: <debbugs@rietz.debian.org>
Received: from localhost ([unix socket])
by mail.suchdamage.org (Cyrus v2.2.13-Debian-2.2.13-10) with LMTPA;
Thu, 14 May 2009 20:53:52 -0400
X-Sieve: CMU Sieve 2.2
Received: from south-station-annex.mit.edu (SOUTH-STATION-ANNEX.MIT.EDU
[18.72.1.2])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by mail.suchdamage.org (Postfix) with ESMTP id F1032202E8
for <hartmans@suchdamage.org>; Thu, 14 May 2009 20:53:42 -0400 (EDT)
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])
by south-station-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
n4F0nFNa001693
for <hartmans@suchdamage.org>; Thu, 14 May 2009 20:49:15 -0400 (EDT)
Received: from mit.edu (W92-130-BARRACUDA-2.MIT.EDU [18.7.21.223])
by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
n4F0n5xE002955
for <hartmans@mit.edu>; Thu, 14 May 2009 20:49:06 -0400 (EDT)
Received: from rietz.debian.org (localhost [127.0.0.1])
by mit.edu (Spam Firewall) with ESMTP id 25A221B61A21
for <hartmans@mit.edu>; Thu, 14 May 2009 20:49:04 -0400 (EDT)
Received: from rietz.debian.org (rietz.debian.org [140.211.166.43]) by mit.edu
with ESMTP id RZHQDBHC8vfC9jYp for <hartmans@mit.edu>;
Thu, 14 May 2009 20:49:04 -0400 (EDT)
Received: from debbugs by rietz.debian.org with local (Exim 4.63)
(envelope-from <debbugs@rietz.debian.org>)
id 1M4lam-0001NX-1t; Fri, 15 May 2009 00:48:04 +0000
X-Loop: owner@bugs.debian.org
Subject: Bug#528729: libkrb5-3: cannot obtain cross-realm tickets with Windows
2003 AD
Reply-To: Russ Allbery <rra@debian.org>, 528729@bugs.debian.org
Resent-From: Russ Allbery <rra@debian.org>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-Cc: Sam Hartman <hartmans@debian.org>
Resent-Date: Fri, 15 May 2009 00:48:01 +0000
Resent-Message-ID: <handler.528729.B.12423483103716@bugs.debian.org>
X-Debian-PR-Message: report 528729
X-Debian-PR-Package: libkrb5-3
X-Debian-PR-Keywords:
X-Debian-PR-Source: krb5
Received: via spool by submit@bugs.debian.org id=B.12423483103716
(code B ref -1); Fri, 15 May 2009 00:48:01 +0000
Received: (at submit) by bugs.debian.org; 15 May 2009 00:45:10 +0000
X-Spam-Checker-Version: SpamAssassin 3.2.3-bugs.debian.org_2005_01_02
(2007-08-08) on rietz.debian.org
X-Spam-Level: ***** (5.01)
X-Spam-Bayes: score:0.0000 Tokens: new, 77; hammy, 151; neutral, 158; spammy,
0. spammytokens: hammytokens:0.000-+--H*M:reportbug,
0.000-+--H*MI:reportbug,
0.000-+--H*x:reportbug, 0.000-+--H*UA:reportbug, 0.000-+--en_US.UTF-8
X-Spam-Status: No, score=-9.6 required=4.0 tests=AWL,BAYES_00,FOURLA,
FROMDEVELOPER, HAS_PACKAGE, IMPRONONCABLE_1, IMPRONONCABLE_2,
MURPHY_WRONG_WORD2,
RCVD_IN_DNSWL_MED,XMAILER_REPORTBUG autolearn=ham
version=3.2.3-bugs.debian.org_2005_01_02
Received: from smtp2.stanford.edu ([171.67.219.82])
by rietz.debian.org with esmtp (Exim 4.63)
(envelope-from <rra@debian.org>) id 1M4lXy-0000uL-7x
for submit@bugs.debian.org; Fri, 15 May 2009 00:45:10 +0000
Received: from smtp2.stanford.edu (localhost.localdomain [127.0.0.1])
by localhost (Postfix) with SMTP id 9156F170379;
Thu, 14 May 2009 17:45:04 -0700 (PDT)
Received: from windlord.stanford.edu (windlord.Stanford.EDU [171.67.225.134])
by smtp2.stanford.edu (Postfix) with ESMTP id 540DB17031E;
Thu, 14 May 2009 17:45:04 -0700 (PDT)
Received: by windlord.stanford.edu (Postfix, from userid 1000)
id EF1B4E7935; Thu, 14 May 2009 17:45:03 -0700 (PDT)
From: Russ Allbery <rra@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Message-ID: <20090515004503.23403.91684.reportbug@windlord.stanford.edu>
X-Mailer: reportbug 4.2
Date: Thu, 14 May 2009 17:45:03 -0700
Delivered-To: submit@bugs.debian.org
Resent-Sender: Debian BTS <debbugs@rietz.debian.org>
Resent-Date: Fri, 15 May 2009 00:48:04 +0000
X-Spam-Score: 5.01
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-DSPAM-Result: Whitelisted
X-DSPAM-Processed: Thu May 14 20:53:52 2009
X-DSPAM-Confidence: 0.5514
X-DSPAM-Probability: 0.0000
X-DSPAM-Signature: 8042,4a0cbd20161561389219069
X-DSPAM-Factors: 27, From*Russ Allbery <rra@debian.org>, 0.00010,
Received*with+local, 0.00484, Received*local+(Exim, 0.00494,
Received*local, 0.00501, Received*2009+00, 0.99430,
Received*2009+00, 0.99430, Received*via, 0.00588,
Received*May+2009, 0.99247, Received*May+2009, 0.99247,
Received*[127.0.0.1]), 0.00769,
Received*[127.0.0.1]), 0.00769, Date*May+2009, 0.99126,
Received*esmtp+(Exim, 0.00920, Received*TLSv1, 0.00961,
Received*TLSv1+with, 0.00961, Received*(using+TLSv1, 0.00961,
Received*with+cipher, 0.00962, Received*(No+client, 0.00971,
Received*requested), 0.00971, Received*certificate, 0.00971,
Received*(No, 0.00971, Received*userid+1000), 0.00995,
With+a, 0.99000, Received*49+04, 0.99000,
relationship, 0.99000, rra, 0.99000, rra, 0.99000
MIME-Version: 1.0
Package: libkrb5-3
Version: 1.7dfsg~beta1-3
Severity: normal
Negotiate-Auth with SPNEGO via a cross-realm trust relationship to an IIS
server worked properly in 1.6.dfsg.4~beta1-13 but fails in 1.7dfsg~beta1-3
and later. (Unfortunately, it wasn't something that changed between
beta1 and beta2.)
With a successful authentication with 1.6.dfsg.4~beta1-13, I see the
following in my ticket cache after authentication:
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: rra@stanford.edu
Valid starting Expires Service principal
05/14/09 17:35:01 05/15/09 17:34:57 krbtgt/stanford.edu@stanford.edu
05/14/09 17:35:06 05/15/09 17:34:57 krbtgt/WIN.STANFORD.EDU@stanford.edu
05/14/09 17:35:55 05/15/09 17:34:57 krbtgt/IT.WIN.STANFORD.EDU@WIN.STANFORD.EDU
05/14/09 17:36:44 05/15/09 17:34:57 HTTP/infraappprod.stanford.edu@IT.WIN.STANFORD.EDU
With the unsuccessful authentication with 1.7dfsg~beta1-3 and later, I
see:
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: rra@stanford.edu
Valid starting Expires Service principal
05/14/09 17:36:46 05/15/09 17:36:44 krbtgt/stanford.edu@stanford.edu
05/14/09 17:36:51 05/15/09 17:36:44 krbtgt/WIN.STANFORD.EDU@stanford.edu
05/14/09 17:37:41 05/15/09 17:36:44 krbtgt/IT.WIN.STANFORD.EDU@WIN.STANFORD.EDU
so the obtaining of the last hop of the ticket doesn't work, or Firefox
somehow fails before that point. Indeed, it looks like the problem is
below the GSSAPI layer and has something to do with the cross-realm trust.
With 1.7beta2:
wanderer:~> kvno HTTP/infraappprod.stanford.edu@IT.WIN.STANFORD.EDU
kvno: Message stream modified while getting credentials for HTTP/ifraappprod.stanford.edu@IT.WIN.STANFORD.EDU
Note that I get this same error even if I request a ticket for a
principal that doesn't exist in IT.WIN.STANFORD.EDU.
Compare to 1.6.4beta1:
windlord:~> kvno HTTP/infraappprod.stanford.edu@IT.WIN.STANFORD.EDU
HTTP/infraappprod.stanford.edu@IT.WIN.STANFORD.EDU: kvno = 43
klist with encryption types:
Ticket cache: FILE:/tmp/krb5cc_1000_EGNcc23095
Default principal: rra@stanford.edu
Valid starting Expires Service principal
05/14/09 17:23:11 05/15/09 17:23:05 krbtgt/stanford.edu@stanford.edu
Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, Triple DES cbc mode with HMAC/sha1
05/14/09 17:23:11 05/15/09 17:23:05 afs/ir.stanford.edu@stanford.edu
Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
05/14/09 17:42:41 05/15/09 17:23:05 krbtgt/WIN.STANFORD.EDU@stanford.edu
Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
05/14/09 17:43:30 05/15/09 17:23:05 krbtgt/IT.WIN.STANFORD.EDU@WIN.STANFORD.EDU
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
05/14/09 17:43:37 05/15/09 17:23:05 HTTP/infraappprod.stanford.edu@IT.WIN.STANFORD.EDU
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libgssapi-krb5-2 depends on:
ii libc6 2.9-4 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libk5crypto3 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries - C
ii libkeyutils1 1.2-10 Linux Key Management Utilities (li
ii libkrb5-3 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries
ii libkrb5support0 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries - S
libgssapi-krb5-2 recommends no packages.
Versions of packages libgssapi-krb5-2 suggests:
ii krb5-doc 1.6.dfsg.4~beta1-13 Documentation for MIT Kerberos
ii krb5-user 1.6.dfsg.4~beta1-13 Basic programs to authenticate usi
-- no debconf information
Received: from localhost ([unix socket])
by mail.suchdamage.org (Cyrus v2.2.13-Debian-2.2.13-10) with LMTPA;
Thu, 14 May 2009 20:53:52 -0400
X-Sieve: CMU Sieve 2.2
Received: from south-station-annex.mit.edu (SOUTH-STATION-ANNEX.MIT.EDU
[18.72.1.2])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by mail.suchdamage.org (Postfix) with ESMTP id F1032202E8
for <hartmans@suchdamage.org>; Thu, 14 May 2009 20:53:42 -0400 (EDT)
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])
by south-station-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
n4F0nFNa001693
for <hartmans@suchdamage.org>; Thu, 14 May 2009 20:49:15 -0400 (EDT)
Received: from mit.edu (W92-130-BARRACUDA-2.MIT.EDU [18.7.21.223])
by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
n4F0n5xE002955
for <hartmans@mit.edu>; Thu, 14 May 2009 20:49:06 -0400 (EDT)
Received: from rietz.debian.org (localhost [127.0.0.1])
by mit.edu (Spam Firewall) with ESMTP id 25A221B61A21
for <hartmans@mit.edu>; Thu, 14 May 2009 20:49:04 -0400 (EDT)
Received: from rietz.debian.org (rietz.debian.org [140.211.166.43]) by mit.edu
with ESMTP id RZHQDBHC8vfC9jYp for <hartmans@mit.edu>;
Thu, 14 May 2009 20:49:04 -0400 (EDT)
Received: from debbugs by rietz.debian.org with local (Exim 4.63)
(envelope-from <debbugs@rietz.debian.org>)
id 1M4lam-0001NX-1t; Fri, 15 May 2009 00:48:04 +0000
X-Loop: owner@bugs.debian.org
Subject: Bug#528729: libkrb5-3: cannot obtain cross-realm tickets with Windows
2003 AD
Reply-To: Russ Allbery <rra@debian.org>, 528729@bugs.debian.org
Resent-From: Russ Allbery <rra@debian.org>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-Cc: Sam Hartman <hartmans@debian.org>
Resent-Date: Fri, 15 May 2009 00:48:01 +0000
Resent-Message-ID: <handler.528729.B.12423483103716@bugs.debian.org>
X-Debian-PR-Message: report 528729
X-Debian-PR-Package: libkrb5-3
X-Debian-PR-Keywords:
X-Debian-PR-Source: krb5
Received: via spool by submit@bugs.debian.org id=B.12423483103716
(code B ref -1); Fri, 15 May 2009 00:48:01 +0000
Received: (at submit) by bugs.debian.org; 15 May 2009 00:45:10 +0000
X-Spam-Checker-Version: SpamAssassin 3.2.3-bugs.debian.org_2005_01_02
(2007-08-08) on rietz.debian.org
X-Spam-Level: ***** (5.01)
X-Spam-Bayes: score:0.0000 Tokens: new, 77; hammy, 151; neutral, 158; spammy,
0. spammytokens: hammytokens:0.000-+--H*M:reportbug,
0.000-+--H*MI:reportbug,
0.000-+--H*x:reportbug, 0.000-+--H*UA:reportbug, 0.000-+--en_US.UTF-8
X-Spam-Status: No, score=-9.6 required=4.0 tests=AWL,BAYES_00,FOURLA,
FROMDEVELOPER, HAS_PACKAGE, IMPRONONCABLE_1, IMPRONONCABLE_2,
MURPHY_WRONG_WORD2,
RCVD_IN_DNSWL_MED,XMAILER_REPORTBUG autolearn=ham
version=3.2.3-bugs.debian.org_2005_01_02
Received: from smtp2.stanford.edu ([171.67.219.82])
by rietz.debian.org with esmtp (Exim 4.63)
(envelope-from <rra@debian.org>) id 1M4lXy-0000uL-7x
for submit@bugs.debian.org; Fri, 15 May 2009 00:45:10 +0000
Received: from smtp2.stanford.edu (localhost.localdomain [127.0.0.1])
by localhost (Postfix) with SMTP id 9156F170379;
Thu, 14 May 2009 17:45:04 -0700 (PDT)
Received: from windlord.stanford.edu (windlord.Stanford.EDU [171.67.225.134])
by smtp2.stanford.edu (Postfix) with ESMTP id 540DB17031E;
Thu, 14 May 2009 17:45:04 -0700 (PDT)
Received: by windlord.stanford.edu (Postfix, from userid 1000)
id EF1B4E7935; Thu, 14 May 2009 17:45:03 -0700 (PDT)
From: Russ Allbery <rra@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Message-ID: <20090515004503.23403.91684.reportbug@windlord.stanford.edu>
X-Mailer: reportbug 4.2
Date: Thu, 14 May 2009 17:45:03 -0700
Delivered-To: submit@bugs.debian.org
Resent-Sender: Debian BTS <debbugs@rietz.debian.org>
Resent-Date: Fri, 15 May 2009 00:48:04 +0000
X-Spam-Score: 5.01
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-DSPAM-Result: Whitelisted
X-DSPAM-Processed: Thu May 14 20:53:52 2009
X-DSPAM-Confidence: 0.5514
X-DSPAM-Probability: 0.0000
X-DSPAM-Signature: 8042,4a0cbd20161561389219069
X-DSPAM-Factors: 27, From*Russ Allbery <rra@debian.org>, 0.00010,
Received*with+local, 0.00484, Received*local+(Exim, 0.00494,
Received*local, 0.00501, Received*2009+00, 0.99430,
Received*2009+00, 0.99430, Received*via, 0.00588,
Received*May+2009, 0.99247, Received*May+2009, 0.99247,
Received*[127.0.0.1]), 0.00769,
Received*[127.0.0.1]), 0.00769, Date*May+2009, 0.99126,
Received*esmtp+(Exim, 0.00920, Received*TLSv1, 0.00961,
Received*TLSv1+with, 0.00961, Received*(using+TLSv1, 0.00961,
Received*with+cipher, 0.00962, Received*(No+client, 0.00971,
Received*requested), 0.00971, Received*certificate, 0.00971,
Received*(No, 0.00971, Received*userid+1000), 0.00995,
With+a, 0.99000, Received*49+04, 0.99000,
relationship, 0.99000, rra, 0.99000, rra, 0.99000
MIME-Version: 1.0
Package: libkrb5-3
Version: 1.7dfsg~beta1-3
Severity: normal
Negotiate-Auth with SPNEGO via a cross-realm trust relationship to an IIS
server worked properly in 1.6.dfsg.4~beta1-13 but fails in 1.7dfsg~beta1-3
and later. (Unfortunately, it wasn't something that changed between
beta1 and beta2.)
With a successful authentication with 1.6.dfsg.4~beta1-13, I see the
following in my ticket cache after authentication:
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: rra@stanford.edu
Valid starting Expires Service principal
05/14/09 17:35:01 05/15/09 17:34:57 krbtgt/stanford.edu@stanford.edu
05/14/09 17:35:06 05/15/09 17:34:57 krbtgt/WIN.STANFORD.EDU@stanford.edu
05/14/09 17:35:55 05/15/09 17:34:57 krbtgt/IT.WIN.STANFORD.EDU@WIN.STANFORD.EDU
05/14/09 17:36:44 05/15/09 17:34:57 HTTP/infraappprod.stanford.edu@IT.WIN.STANFORD.EDU
With the unsuccessful authentication with 1.7dfsg~beta1-3 and later, I
see:
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: rra@stanford.edu
Valid starting Expires Service principal
05/14/09 17:36:46 05/15/09 17:36:44 krbtgt/stanford.edu@stanford.edu
05/14/09 17:36:51 05/15/09 17:36:44 krbtgt/WIN.STANFORD.EDU@stanford.edu
05/14/09 17:37:41 05/15/09 17:36:44 krbtgt/IT.WIN.STANFORD.EDU@WIN.STANFORD.EDU
so the obtaining of the last hop of the ticket doesn't work, or Firefox
somehow fails before that point. Indeed, it looks like the problem is
below the GSSAPI layer and has something to do with the cross-realm trust.
With 1.7beta2:
wanderer:~> kvno HTTP/infraappprod.stanford.edu@IT.WIN.STANFORD.EDU
kvno: Message stream modified while getting credentials for HTTP/ifraappprod.stanford.edu@IT.WIN.STANFORD.EDU
Note that I get this same error even if I request a ticket for a
principal that doesn't exist in IT.WIN.STANFORD.EDU.
Compare to 1.6.4beta1:
windlord:~> kvno HTTP/infraappprod.stanford.edu@IT.WIN.STANFORD.EDU
HTTP/infraappprod.stanford.edu@IT.WIN.STANFORD.EDU: kvno = 43
klist with encryption types:
Ticket cache: FILE:/tmp/krb5cc_1000_EGNcc23095
Default principal: rra@stanford.edu
Valid starting Expires Service principal
05/14/09 17:23:11 05/15/09 17:23:05 krbtgt/stanford.edu@stanford.edu
Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, Triple DES cbc mode with HMAC/sha1
05/14/09 17:23:11 05/15/09 17:23:05 afs/ir.stanford.edu@stanford.edu
Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
05/14/09 17:42:41 05/15/09 17:23:05 krbtgt/WIN.STANFORD.EDU@stanford.edu
Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
05/14/09 17:43:30 05/15/09 17:23:05 krbtgt/IT.WIN.STANFORD.EDU@WIN.STANFORD.EDU
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
05/14/09 17:43:37 05/15/09 17:23:05 HTTP/infraappprod.stanford.edu@IT.WIN.STANFORD.EDU
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libgssapi-krb5-2 depends on:
ii libc6 2.9-4 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libk5crypto3 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries - C
ii libkeyutils1 1.2-10 Linux Key Management Utilities (li
ii libkrb5-3 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries
ii libkrb5support0 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries - S
libgssapi-krb5-2 recommends no packages.
Versions of packages libgssapi-krb5-2 suggests:
ii krb5-doc 1.6.dfsg.4~beta1-13 Documentation for MIT Kerberos
ii krb5-user 1.6.dfsg.4~beta1-13 Basic programs to authenticate usi
-- no debconf information