Skip Menu |
 

To: krb5-bugs@MIT.EDU
Subject: PKINIT should allow missing DH param Q
From: Tom Yu <tlyu@MIT.EDU>
Date: Thu, 28 Mar 2013 15:13:24 -0400
PKINIT should allow the Diffie-Hellman parameters to omit the Q value
if the P value is the modulus of a well-known group. As noted in

http://www.rfc-editor.org/errata_search.php?eid=3157

the Q values for the well-known Oakley MODP group numbers 2, 14, and
16 are (P-1)/2.

The DomainParameters ASN.1 type [RFC3279] requires a "q" value, but
Windows 7 (at least) appears to omit it, causing a decode failure in
pkinit_decode_dh_params(). pkinit_check_dh_params() should probably
allow a null "q1" value if everything else checks out.
server_check_dh() might also need similar changes, but it seems to
only be used for draft9 requests.

Found during interop testing, but Reinhard Kugler <rekuread@gmail.com>
also made a separate report.
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Tom Yu <tlyu@MIT.EDU>
Date: Thu, 28 Mar 2013 19:18:50 -0400
RT-Send-Cc:
Please try the patch linked below; I don't have an easy way to test it.

https://github.com/tlyu/krb5/commit/c12dcd46510fb8466586c936dc0c434fe0861473
Date: Fri, 29 Mar 2013 10:08:02 +0100
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.3KiB
thank you!
I applied the patch to the krb-1.11.1 source, compiled pkinit and installed it.
Unfortunately the test was not successful
The client shows the error 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
But the log output of krbkdc changed:

crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
bad group 2 q dhparameter
p is not well-known group 2 dhparameter
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key
parameters not accepted)
pkinit_fini_kdc_req_context: freeing reqctx at 0xd5ce50
pkinit_fini_req_crypto: freeing ctx at 0xd560e0
pkinit_fini_identity_crypto: freeing ctx at 0xd40640
pkinit_fini_plg_crypto: freeing context at 0xd3ee70
pkinit_server_plugin_fini: freeing context at 0xd2a220


On Fri, Mar 29, 2013 at 12:18 AM, Tom Yu via RT
<rt-comment@krbdev.mit.edu> wrote:
Show quoted text
> Please try the patch linked below; I don't have an easy way to test it.
>
> https://github.com/tlyu/krb5/commit/c12dcd46510fb8466586c936dc0c434fe0861473
>
Date: Fri, 29 Mar 2013 10:08:02 +0100
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.3KiB
thank you!
I applied the patch to the krb-1.11.1 source, compiled pkinit and installed it.
Unfortunately the test was not successful
The client shows the error 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
But the log output of krbkdc changed:

crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
bad group 2 q dhparameter
p is not well-known group 2 dhparameter
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key
parameters not accepted)
pkinit_fini_kdc_req_context: freeing reqctx at 0xd5ce50
pkinit_fini_req_crypto: freeing ctx at 0xd560e0
pkinit_fini_identity_crypto: freeing ctx at 0xd40640
pkinit_fini_plg_crypto: freeing context at 0xd3ee70
pkinit_server_plugin_fini: freeing context at 0xd2a220


On Fri, Mar 29, 2013 at 12:18 AM, Tom Yu via RT
<rt-comment@krbdev.mit.edu> wrote:
Show quoted text
> Please try the patch linked below; I don't have an easy way to test it.
>
> https://github.com/tlyu/krb5/commit/c12dcd46510fb8466586c936dc0c434fe0861473
>
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Tom Yu <tlyu@MIT.EDU>
Date: Fri, 29 Mar 2013 10:03:28 -0400
RT-Send-Cc:
"Reinhard Kugler via RT" <rt-comment@krbdev.mit.edu> writes:

Show quoted text
> thank you!
> I applied the patch to the krb-1.11.1 source, compiled pkinit and installed it.
> Unfortunately the test was not successful
> The client shows the error 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
> But the log output of krbkdc changed:
>
> crypto_check_cert_eku: found eku info in the cert
> crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> crypto_check_cert_eku: found digitalSignature KU
> crypto_check_cert_eku: returning retval 0, valid_eku 1
> verify_client_eku: returning retval 0, eku_accepted 1
> p is not well-known group 2 dhparameter
> bad group 2 q dhparameter

Interesting. Maybe try putting "aip = NULL;" right before the call to
M_ASN1_D2I_get_opt()?
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Tom Yu <tlyu@MIT.EDU>
Date: Fri, 29 Mar 2013 18:39:48 -0400
RT-Send-Cc:
"Tom Yu via RT" <rt-comment@krbdev.mit.edu> writes:

Show quoted text
> Interesting. Maybe try putting "aip = NULL;" right before the call to
> M_ASN1_D2I_get_opt()?

Ignore the above; it's probably wrong. Instead, please try this patch
in place of my previous patch:

https://github.com/tlyu/krb5/commit/dd93f6f41d98c31705cd081f5a11ffcd43da3540
Date: Sat, 30 Mar 2013 08:10:52 +0100
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 4.4KiB
Show quoted text
> Ignore the above; it's probably wrong. Instead, please try this patch
> in place of my previous patch:
>
> https://github.com/tlyu/krb5/commit/dd93f6f41d98c31705cd081f5a11ffcd43da3540

now the pkinit phase looks good, but I still get "bad username or
password" on the windows client.
Eventvwr shows this error:
A Kerberos Error Message was received:
on logon session p130@kerberos.3ve.bmlv.at
Client Time: 20:11:58.0000 10/17/2022 Z
Server Time: 6:56:57.0000 3/30/2013 Z
Error Code: 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
Extended Error:
Client Realm: kerberos.3ve.bmlv.at
Client Name: p130
Server Realm: kerberos.3ve.bmlv.at
Server Name: krbtgt/kerberos.3ve.bmlv.at
Target Name: krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at
Error Text: PREAUTH_FAILED
File: e
Line: 9fe
Error Data is in record data.

"Client Time" looks wrong, but the system time is set to 30.03.2013 08:10 UTC+1

On the network I see
AS-REQ
KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ
KRB Error: KDC_ERR_KEY_TOO_WEAK
AS-REQ
AS-REP

krbkdc -n:

pkinit_init_req_crypto: returning ctx at 0x1e2e2c0
pkinit_init_kdc_req_context: returning reqctx at 0x1e27010
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
client sent dh params with 1024 bits, we require 2048
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key
parameters not accepted)
pkinit_fini_kdc_req_context: freeing reqctx at 0x1e27010
pkinit_fini_req_crypto: freeing ctx at 0x1e2e2c0
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1df1790 for realm
'kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1e2e7a0
pkinit_init_kdc_req_context: returning reqctx at 0x1e2ca90
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
good 2048 dhparams
pkinit_find_realm_context: returning context at 0x1df1790 for realm
'kerberos.3ve.bmlv.at'
pkinit_return_padata: entered!
KDC picked etype = 18
received DH key delivery AS REQ
building certificate chain
size of certificate chain = 2
cert #0: /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=dc.kerberos.3ve.bmlv.at
mech = FS
pkinit_fini_kdc_req_context: freeing reqctx at 0x1e2ca90
pkinit_fini_req_crypto: freeing ctx at 0x1e2e7a0
^Cpkinit_fini_identity_crypto: freeing ctx at 0x1e07640
pkinit_fini_plg_crypto: freeing context at 0x1e05e70
pkinit_server_plugin_fini: freeing context at 0x1df1220
Date: Sat, 30 Mar 2013 08:10:52 +0100
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 4.4KiB
Show quoted text
> Ignore the above; it's probably wrong. Instead, please try this patch
> in place of my previous patch:
>
> https://github.com/tlyu/krb5/commit/dd93f6f41d98c31705cd081f5a11ffcd43da3540

now the pkinit phase looks good, but I still get "bad username or
password" on the windows client.
Eventvwr shows this error:
A Kerberos Error Message was received:
on logon session p130@kerberos.3ve.bmlv.at
Client Time: 20:11:58.0000 10/17/2022 Z
Server Time: 6:56:57.0000 3/30/2013 Z
Error Code: 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
Extended Error:
Client Realm: kerberos.3ve.bmlv.at
Client Name: p130
Server Realm: kerberos.3ve.bmlv.at
Server Name: krbtgt/kerberos.3ve.bmlv.at
Target Name: krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at
Error Text: PREAUTH_FAILED
File: e
Line: 9fe
Error Data is in record data.

"Client Time" looks wrong, but the system time is set to 30.03.2013 08:10 UTC+1

On the network I see
AS-REQ
KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ
KRB Error: KDC_ERR_KEY_TOO_WEAK
AS-REQ
AS-REP

krbkdc -n:

pkinit_init_req_crypto: returning ctx at 0x1e2e2c0
pkinit_init_kdc_req_context: returning reqctx at 0x1e27010
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
client sent dh params with 1024 bits, we require 2048
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key
parameters not accepted)
pkinit_fini_kdc_req_context: freeing reqctx at 0x1e27010
pkinit_fini_req_crypto: freeing ctx at 0x1e2e2c0
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1df1790 for realm
'kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1e2e7a0
pkinit_init_kdc_req_context: returning reqctx at 0x1e2ca90
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
good 2048 dhparams
pkinit_find_realm_context: returning context at 0x1df1790 for realm
'kerberos.3ve.bmlv.at'
pkinit_return_padata: entered!
KDC picked etype = 18
received DH key delivery AS REQ
building certificate chain
size of certificate chain = 2
cert #0: /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=dc.kerberos.3ve.bmlv.at
mech = FS
pkinit_fini_kdc_req_context: freeing reqctx at 0x1e2ca90
pkinit_fini_req_crypto: freeing ctx at 0x1e2e7a0
^Cpkinit_fini_identity_crypto: freeing ctx at 0x1e07640
pkinit_fini_plg_crypto: freeing context at 0x1e05e70
pkinit_server_plugin_fini: freeing context at 0x1df1220
Date: Sat, 30 Mar 2013 11:09:27 +0100
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.9KiB
The pkinit succeeds on the KDC, but Windows seems to get confused with
the "Key parameters not accepted" error.

Authentication with Windows 7 + Smartcard:

Mar 30 08:30:37 kerberos.example.org krb5kdc[2584](info): AS_REQ (7
etypes {18 17 23 3 1 24 -135}) 192.168.56.101: NEEDED_PREAUTH:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Additional
pre-authentication required
Mar 30 08:30:39 kerberos.example.org krb5kdc[2584](info): preauth
(pkinit) verify failure: Key parameters not accepted
Mar 30 08:30:39 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: PREAUTH_FAILED:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Key parameters not
accepted
Mar 30 08:30:40 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: ISSUE: authtime
1364628640, etypes {rep=18 tkt=18 ses=18}, p130@kerberos.3ve.bmlv.at
for krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at
Mar 30 08:30:41 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: NEEDED_PREAUTH:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Additional
pre-authentication required

Authentication of Linux + Certificate
kinit -V -X X509_user_identity=FILE:///home/catmin/Desktop/exampleca/client.pem,/home/catmin/Desktop/exampleca/clientkey.pem
p130@kerberos.3ve.bmlv.at

Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.56.1: NEEDED_PREAUTH:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Additional
pre-authentication required
Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.56.1: ISSUE: authtime 1364628691, etypes
{rep=18 tkt=18 ses=18}, p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at
Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): closing down fd 12
Date: Sat, 30 Mar 2013 11:09:27 +0100
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.9KiB
The pkinit succeeds on the KDC, but Windows seems to get confused with
the "Key parameters not accepted" error.

Authentication with Windows 7 + Smartcard:

Mar 30 08:30:37 kerberos.example.org krb5kdc[2584](info): AS_REQ (7
etypes {18 17 23 3 1 24 -135}) 192.168.56.101: NEEDED_PREAUTH:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Additional
pre-authentication required
Mar 30 08:30:39 kerberos.example.org krb5kdc[2584](info): preauth
(pkinit) verify failure: Key parameters not accepted
Mar 30 08:30:39 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: PREAUTH_FAILED:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Key parameters not
accepted
Mar 30 08:30:40 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: ISSUE: authtime
1364628640, etypes {rep=18 tkt=18 ses=18}, p130@kerberos.3ve.bmlv.at
for krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at
Mar 30 08:30:41 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: NEEDED_PREAUTH:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Additional
pre-authentication required

Authentication of Linux + Certificate
kinit -V -X X509_user_identity=FILE:///home/catmin/Desktop/exampleca/client.pem,/home/catmin/Desktop/exampleca/clientkey.pem
p130@kerberos.3ve.bmlv.at

Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.56.1: NEEDED_PREAUTH:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Additional
pre-authentication required
Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.56.1: ISSUE: authtime 1364628691, etypes
{rep=18 tkt=18 ses=18}, p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at
Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): closing down fd 12
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Tom Yu <tlyu@MIT.EDU>
Date: Mon, 01 Apr 2013 17:27:50 -0400
RT-Send-Cc:
Download (untitled) / with headers
text/plain 3.2KiB
"Reinhard Kugler via RT" <rt-comment@krbdev.mit.edu> writes:

Show quoted text
> pkinit_init_req_crypto: returning ctx at 0x1e2e2c0
> pkinit_init_kdc_req_context: returning reqctx at 0x1e27010
> processing KRB5_PADATA_PK_AS_REQ
> CMS Verification successful
> #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> crypto_retrieve_X509_sans: looking for SANs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> verify_client_san: Checking pkinit sans
> verify_client_san: no pkinit san match found
> verify_client_san: Checking upn sans
> verify_client_san: upn san match found
> verify_client_san: returning retval 0, valid_san 1
> crypto_check_cert_eku: looking for EKUs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_check_cert_eku: found eku info in the cert
> crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> crypto_check_cert_eku: found digitalSignature KU
> crypto_check_cert_eku: returning retval 0, valid_eku 1
> verify_client_eku: returning retval 0, eku_accepted 1
> client sent dh params with 1024 bits, we require 2048

The above looks like a possible configuration problem. For some
reason, the Windows 7 client is sending 1024 bits, while the KDC
requires 2048 bits.

Show quoted text
> bad dh parameters
> pkinit_verify_padata failed: creating e-data
> pkinit_create_edata: creating edata for error -1765328319 (Key
> parameters not accepted)
> pkinit_fini_kdc_req_context: freeing reqctx at 0x1e27010
> pkinit_fini_req_crypto: freeing ctx at 0x1e2e2c0
> pkinit_verify_padata: entered!
> pkinit_find_realm_context: returning context at 0x1df1790 for realm
> 'kerberos.3ve.bmlv.at'
> pkinit_init_req_crypto: returning ctx at 0x1e2e7a0
> pkinit_init_kdc_req_context: returning reqctx at 0x1e2ca90
> processing KRB5_PADATA_PK_AS_REQ
> CMS Verification successful
> #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> crypto_retrieve_X509_sans: looking for SANs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> verify_client_san: Checking pkinit sans
> verify_client_san: no pkinit san match found
> verify_client_san: Checking upn sans
> verify_client_san: upn san match found
> verify_client_san: returning retval 0, valid_san 1
> crypto_check_cert_eku: looking for EKUs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_check_cert_eku: found eku info in the cert
> crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> crypto_check_cert_eku: found digitalSignature KU
> crypto_check_cert_eku: returning retval 0, valid_eku 1
> verify_client_eku: returning retval 0, eku_accepted 1
> p is not well-known group 2 dhparameter
> good 2048 dhparams

Is the above also from the same Windows 7 client during the same
authentication attempt?
Date: Tue, 2 Apr 2013 12:50:41 +0200
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 10.7KiB
Download (untitled) / with headers
text/html 18.9KiB

On Mon, Apr 1, 2013 at 11:27 PM, Tom Yu via RT <rt-comment@krbdev.mit.edu> wrote:
Show quoted text
"Reinhard Kugler via RT" <rt-comment@krbdev.mit.edu> writes:

> pkinit_init_req_crypto: returning ctx at 0x1e2e2c0
> pkinit_init_kdc_req_context: returning reqctx at 0x1e27010
> processing KRB5_PADATA_PK_AS_REQ
> CMS Verification successful
> #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> crypto_retrieve_X509_sans: looking for SANs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> verify_client_san: Checking pkinit sans
> verify_client_san: no pkinit san match found
> verify_client_san: Checking upn sans
> verify_client_san: upn san match found
> verify_client_san: returning retval 0, valid_san 1
> crypto_check_cert_eku: looking for EKUs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_check_cert_eku: found eku info in the cert
> crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> crypto_check_cert_eku: found digitalSignature KU
> crypto_check_cert_eku: returning retval 0, valid_eku 1
> verify_client_eku: returning retval 0, eku_accepted 1
> client sent dh params with 1024 bits, we require 2048

The above looks like a possible configuration problem.  For some
reason, the Windows 7 client is sending 1024 bits, while the KDC
requires 2048 bits.

I didn't find how to change the dh key length on the Windows 7
I added "pkinit_dh_min_bits = 1024" to the /etc/krb5.conf
But this seens to have no effact on the behavior of the kdc.

Show quoted text
> bad dh parameters
> pkinit_verify_padata failed: creating e-data
> pkinit_create_edata: creating edata for error -1765328319 (Key
> parameters not accepted)
> pkinit_fini_kdc_req_context: freeing   reqctx at 0x1e27010
> pkinit_fini_req_crypto: freeing   ctx at 0x1e2e2c0
> pkinit_verify_padata: entered!
> pkinit_find_realm_context: returning context at 0x1df1790 for realm
> 'kerberos.3ve.bmlv.at'
> pkinit_init_req_crypto: returning ctx at 0x1e2e7a0
> pkinit_init_kdc_req_context: returning reqctx at 0x1e2ca90
> processing KRB5_PADATA_PK_AS_REQ
> CMS Verification successful
> #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> crypto_retrieve_X509_sans: looking for SANs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> verify_client_san: Checking pkinit sans
> verify_client_san: no pkinit san match found
> verify_client_san: Checking upn sans
> verify_client_san: upn san match found
> verify_client_san: returning retval 0, valid_san 1
> crypto_check_cert_eku: looking for EKUs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_check_cert_eku: found eku info in the cert
> crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> crypto_check_cert_eku: found digitalSignature KU
> crypto_check_cert_eku: returning retval 0, valid_eku 1
> verify_client_eku: returning retval 0, eku_accepted 1
> p is not well-known group 2 dhparameter
> good 2048 dhparams

Is the above also from the same Windows 7 client during the same
authentication attempt?
 
yes
I looks like the windows 7 client does two attempts before giving up.
The first is quit with "bad dh parameters" and KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
The second seems to succeed, but is not accepted by the windows 7 client.

I repeated the test:
- start kdc
- do a single authentication via "runas /smartcard cmd"
same result

[root@kerberos ~]# /usr/local/sbin/krb5kdc -n
pkinit_server_plugin_init: processing realm 'kerberos.3ve.bmlv.at'
pkinit_server_plugin_init_realm: initializing context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_init_plg_crypto: initializing openssl crypto context at 0x1d53f00
pkinit_init_identity_crypto: returning ctx at 0x1d556d0
pkinit_init_kdc_profile: entered for realm kerberos.3ve.bmlv.at
pkinit_init_kdc_profile: invalid value (1024) for pkinit_dh_min_bits, using default value (2048) instead
pkinit_identity_initialize: 0x1d38200 0x1d55840 0x1d556d0
process_option_identity: processing value 'FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem'
process_option_identity: idtype is FILE
process_option_ca_crl: processing catype ANCHORS, value 'FILE:/var/kerberos/krb5kdc/ca.pem'
crypto_load_cas_and_crls: called with idtype FILE and catype ANCHORS
pkinit_server_plugin_init_realm: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_plugin_init: returning context at 0x1d3f2b0
krb5kdc: starting...
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1d6ce70
pkinit_init_kdc_req_context: returning reqctx at 0x1d6cce0
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert = /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert = /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
client sent dh params with 1024 bits, we require 2048
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key parameters not accepted)
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1d6cce0
pkinit_fini_req_crypto: freeing   ctx at 0x1d6ce70
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1d6ada0
pkinit_init_kdc_req_context: returning reqctx at 0x1d71ae0
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert = /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert = /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
good 2048 dhparams
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_return_padata: entered!
KDC picked etype = 18
received DH key delivery AS REQ
building certificate chain
size of certificate chain = 2
cert #0: /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=dc.kerberos.3ve.bmlv.at
mech = FS
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1d71ae0
pkinit_fini_req_crypto: freeing   ctx at 0x1d6ada0
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'


krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 debug = true
 default_realm = kerberos.3ve.bmlv.at
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 1h
 forwardable = true
 allow_weak_crypto = true

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[domain_realm]

[realms]
 admin_server = dc.kerberos.3ve.bmlv.at:749
 default_domain = kerberos.3ve.bmlv.at
 kadmind_port = 749
 max_life = 2h 0m 0s
 max_renewable_life = 0d 1h 0m 0s
 master_key_type = aes128-cts
 acl_file = /var/kerberos/krb5kdc/3ve-kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/3ve-kadm5.keytab
 supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal arcfour-hmac-md5:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
 pkinit_anchors = FILE:/var/kerberos/krb5kdc/ca.pem
 #pkinit_eku_checking = none
 pkinit_dh_min_bits = 1024
 pkinit_allow_upn = true
 #allow_weak_crypto = true
}



Date: Tue, 2 Apr 2013 12:50:41 +0200
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Download (untitled) / with headers
text/plain 10.7KiB
Download (untitled) / with headers
text/html 18.9KiB

On Mon, Apr 1, 2013 at 11:27 PM, Tom Yu via RT <rt-comment@krbdev.mit.edu> wrote:
Show quoted text
"Reinhard Kugler via RT" <rt-comment@krbdev.mit.edu> writes:

> pkinit_init_req_crypto: returning ctx at 0x1e2e2c0
> pkinit_init_kdc_req_context: returning reqctx at 0x1e27010
> processing KRB5_PADATA_PK_AS_REQ
> CMS Verification successful
> #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> crypto_retrieve_X509_sans: looking for SANs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> verify_client_san: Checking pkinit sans
> verify_client_san: no pkinit san match found
> verify_client_san: Checking upn sans
> verify_client_san: upn san match found
> verify_client_san: returning retval 0, valid_san 1
> crypto_check_cert_eku: looking for EKUs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_check_cert_eku: found eku info in the cert
> crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> crypto_check_cert_eku: found digitalSignature KU
> crypto_check_cert_eku: returning retval 0, valid_eku 1
> verify_client_eku: returning retval 0, eku_accepted 1
> client sent dh params with 1024 bits, we require 2048

The above looks like a possible configuration problem.  For some
reason, the Windows 7 client is sending 1024 bits, while the KDC
requires 2048 bits.

I didn't find how to change the dh key length on the Windows 7
I added "pkinit_dh_min_bits = 1024" to the /etc/krb5.conf
But this seens to have no effact on the behavior of the kdc.

Show quoted text
> bad dh parameters
> pkinit_verify_padata failed: creating e-data
> pkinit_create_edata: creating edata for error -1765328319 (Key
> parameters not accepted)
> pkinit_fini_kdc_req_context: freeing   reqctx at 0x1e27010
> pkinit_fini_req_crypto: freeing   ctx at 0x1e2e2c0
> pkinit_verify_padata: entered!
> pkinit_find_realm_context: returning context at 0x1df1790 for realm
> 'kerberos.3ve.bmlv.at'
> pkinit_init_req_crypto: returning ctx at 0x1e2e7a0
> pkinit_init_kdc_req_context: returning reqctx at 0x1e2ca90
> processing KRB5_PADATA_PK_AS_REQ
> CMS Verification successful
> #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> crypto_retrieve_X509_sans: looking for SANs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> verify_client_san: Checking pkinit sans
> verify_client_san: no pkinit san match found
> verify_client_san: Checking upn sans
> verify_client_san: upn san match found
> verify_client_san: returning retval 0, valid_san 1
> crypto_check_cert_eku: looking for EKUs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_check_cert_eku: found eku info in the cert
> crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> crypto_check_cert_eku: found digitalSignature KU
> crypto_check_cert_eku: returning retval 0, valid_eku 1
> verify_client_eku: returning retval 0, eku_accepted 1
> p is not well-known group 2 dhparameter
> good 2048 dhparams

Is the above also from the same Windows 7 client during the same
authentication attempt?
 
yes
I looks like the windows 7 client does two attempts before giving up.
The first is quit with "bad dh parameters" and KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
The second seems to succeed, but is not accepted by the windows 7 client.

I repeated the test:
- start kdc
- do a single authentication via "runas /smartcard cmd"
same result

[root@kerberos ~]# /usr/local/sbin/krb5kdc -n
pkinit_server_plugin_init: processing realm 'kerberos.3ve.bmlv.at'
pkinit_server_plugin_init_realm: initializing context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_init_plg_crypto: initializing openssl crypto context at 0x1d53f00
pkinit_init_identity_crypto: returning ctx at 0x1d556d0
pkinit_init_kdc_profile: entered for realm kerberos.3ve.bmlv.at
pkinit_init_kdc_profile: invalid value (1024) for pkinit_dh_min_bits, using default value (2048) instead
pkinit_identity_initialize: 0x1d38200 0x1d55840 0x1d556d0
process_option_identity: processing value 'FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem'
process_option_identity: idtype is FILE
process_option_ca_crl: processing catype ANCHORS, value 'FILE:/var/kerberos/krb5kdc/ca.pem'
crypto_load_cas_and_crls: called with idtype FILE and catype ANCHORS
pkinit_server_plugin_init_realm: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_plugin_init: returning context at 0x1d3f2b0
krb5kdc: starting...
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1d6ce70
pkinit_init_kdc_req_context: returning reqctx at 0x1d6cce0
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert = /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert = /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
client sent dh params with 1024 bits, we require 2048
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key parameters not accepted)
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1d6cce0
pkinit_fini_req_crypto: freeing   ctx at 0x1d6ce70
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1d6ada0
pkinit_init_kdc_req_context: returning reqctx at 0x1d71ae0
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert = /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert = /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
good 2048 dhparams
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_return_padata: entered!
KDC picked etype = 18
received DH key delivery AS REQ
building certificate chain
size of certificate chain = 2
cert #0: /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=dc.kerberos.3ve.bmlv.at
mech = FS
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1d71ae0
pkinit_fini_req_crypto: freeing   ctx at 0x1d6ada0
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm 'kerberos.3ve.bmlv.at'


krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 debug = true
 default_realm = kerberos.3ve.bmlv.at
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 1h
 forwardable = true
 allow_weak_crypto = true

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[domain_realm]

[realms]
 admin_server = dc.kerberos.3ve.bmlv.at:749
 default_domain = kerberos.3ve.bmlv.at
 kadmind_port = 749
 max_life = 2h 0m 0s
 max_renewable_life = 0d 1h 0m 0s
 master_key_type = aes128-cts
 acl_file = /var/kerberos/krb5kdc/3ve-kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/3ve-kadm5.keytab
 supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal arcfour-hmac-md5:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
 pkinit_anchors = FILE:/var/kerberos/krb5kdc/ca.pem
 #pkinit_eku_checking = none
 pkinit_dh_min_bits = 1024
 pkinit_allow_upn = true
 #allow_weak_crypto = true
}



Date: Wed, 3 Apr 2013 12:05:08 +0200
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
I temporarily removed the check of the dh key length in pkinit_crypto_openssl.c

    /* KDC SHOULD check to see if the key parameters satisfy its policy */
    dh_prime_bits = BN_num_bits(dh->p);
    /*if (minbits && dh_prime_bits < minbits) {
        pkiDebug("client sent dh params with %d bits, we require %d\n",
                 dh_prime_bits, minbits);
        goto cleanup;
    }*/

pkinit succeeded and windows was able to acquire a TGT


Date: Wed, 3 Apr 2013 12:05:08 +0200
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
I temporarily removed the check of the dh key length in pkinit_crypto_openssl.c

    /* KDC SHOULD check to see if the key parameters satisfy its policy */
    dh_prime_bits = BN_num_bits(dh->p);
    /*if (minbits && dh_prime_bits < minbits) {
        pkiDebug("client sent dh params with %d bits, we require %d\n",
                 dh_prime_bits, minbits);
        goto cleanup;
    }*/

pkinit succeeded and windows was able to acquire a TGT


To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Tom Yu <tlyu@MIT.EDU>
Date: Wed, 03 Apr 2013 10:13:36 -0400
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.7KiB
"Reinhard Kugler via RT" <rt-comment@krbdev.mit.edu> writes:

Show quoted text
> I temporarily removed the check of the dh key length
> in pkinit_crypto_openssl.c
>
> /* KDC SHOULD check to see if the key parameters satisfy its policy */
> dh_prime_bits = BN_num_bits(dh->p);
> /*if (minbits && dh_prime_bits < minbits) {
> pkiDebug("client sent dh params with %d bits, we require %d\n",
> dh_prime_bits, minbits);
> goto cleanup;
> }*/
>
> pkinit succeeded and windows was able to acquire a TGT

Thanks for the additional information. Based on your previous logs,
it looks like the Windows client makes the following requests:

1. AS-REQ, no preauth -> KRB-ERROR, additional preauth needed

2. AS-REQ, PKINIT, 1024-bit DH -> KRB-ERROR, bad key params

3. AS-REQ, PKINIT, 2048-bit DH -> AS-REP

4. AS-REQ, no preauth or unknown preauth -> KRB-ERROR, additional
preauth needed

Windows is possibly failing to handle the DH parameter negotiation
correctly. Interestingly, Windows is including the PKINIT special
enctypes on request #4, but probably omitting the actual PKINIT
preauth.

Also, it seems that the compile-time constant that establishes the
default DH modulus size serves as a lower bound on the configurable DH
modulus size, so the configuration setting "pkinit_dh_min_bits = 1024"
has no effect because the compiled-time constant is 2048:

pkinit_init_kdc_profile: invalid value (1024) for
pkinit_dh_min_bits, using default value (2048) instead

This happens in pkinit_srv.c:pkinit_init_kdc_profile().

Getting more detailed trace information from the Windows client would
be useful, but I think Windows 7 might have made that more difficult
(changed trace logging to a proprietary binary format?). I will look
around to see what I can find on this topic.
From: tlyu@mit.edu
Subject: git commit

Ignore missing Q in dh_params

Some implementations don't send the required Q value in dh_params, so
allow it to be absent.

https://github.com/krb5/krb5/commit/ed77a25c53ed6afd41372838f205a98a561a89fb
Author: Tom Yu <tlyu@mit.edu>
Commit: ed77a25c53ed6afd41372838f205a98a561a89fb
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Ignore missing Q in dh_params

Some implementations don't send the required Q value in dh_params, so
allow it to be absent.

(cherry picked from commit ed77a25c53ed6afd41372838f205a98a561a89fb)

https://github.com/krb5/krb5/commit/5d2c49df555fbf56d3b15a9096cad729525c5f74
Author: Tom Yu <tlyu@mit.edu>
Commit: 5d2c49df555fbf56d3b15a9096cad729525c5f74
Branch: krb5-1.11
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)