Date: Thu, 30 May 2013 13:03:34 +0200
From: Sumit Bose <sbose@redhat.com>
To: krb5-bugs@mit.edu
Subject: Issue following client referral from AD
Hi,

I have two AD forests DOM1.FOO and DOM2.BAR. Besides DOM2.BAR there is
also the domain SUBDOM.SUB in the second forest. From a client joined to
domain DOM1.FOO I would like to get a TGT for a user from SUBDOM.SUB.

$ KRB5_TRACE=/dev/stdout KRB5_CONFIG=./krb5.conf KRB5CCNAME=FILE:./bla.ccfile kinit -C -E Administrator@SUBDOM.SUB
[22572] 1369910390.283695: Getting initial credentials for Administrator\@SUBDOM.SUB@DOM1.FOO
[22572] 1369910390.283983: Sending request (210 bytes) to DOM1.FOO
[22572] 1369910390.284096: Resolving hostname 10.34.47.82
[22572] 1369910390.284314: Sending initial UDP request to dgram 10.34.47.82:88
[22572] 1369910390.373825: Received answer from dgram 10.34.47.82:88
[22572] 1369910390.373883: Response was from master KDC
[22572] 1369910390.373927: Received error from KDC: -1765328316/Realm not local to KDC
[22572] 1369910390.373939: Following referral to realm dom2.bar
[22572] 1369910390.373997: Sending request (210 bytes) to dom2.bar (master)
kinit: Cannot resolve servers for KDC in realm "dom2.bar" while getting initial credentials

$ dig SRV _kerberos._udp.dom2.bar

; <<>> DiG 9.9.2-rl.028.23-P2-RedHat-9.9.2-7.P2.fc17 <<>> SRV _kerberos._udp.dom2.bar
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39100
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_kerberos._udp.dom2.bar. IN SRV

;; ANSWER SECTION:
_kerberos._udp.dom2.bar. 516 IN SRV 0 100 88 ad2.dom2.bar.

;; ADDITIONAL SECTION:
ad2.dom2.bar. 3516 IN A 10.34.47.47

;; Query time: 84 msec
;; SERVER: 10.34.47.82#53(10.34.47.82)
;; WHEN: Thu May 30 12:50:44 2013
;; MSG SIZE rcvd: 100


AD does not care much about the case of the realm and returns it lower case in
the 'Realm not local to KDC' response. This wouldn't be a problem because
'dns_lookup_kdc = true' in krb5.conf and DNS does not care about the case
either.

But for some reason the master KDC is looked up and AD DNS does not define
service records for _kerberos-master._udp or _kerberos-master._tcp. Is there a
reason why a master KDC is required here or can it be replaced by a plain KDC
lookup?

If I add a section for the dom2.bar realm (and for SUBDOM.SUB in my case) to
krb5.conf including a master_kdc then everything works as expected:

$ KRB5_TRACE=/dev/stdout KRB5_CONFIG=./krb5.conf KRB5CCNAME=FILE:./bla.ccfile kinit -C -E Administrator@SUBDOM.SUB
[24304] 1369911570.127327: Getting initial credentials for Administrator\@SUBDOM.SUB@DOM1.FOO
[24304] 1369911570.127578: Sending request (210 bytes) to DOM1.FOO
[24304] 1369911570.366902: Resolving hostname ad1.dom1.foo.
[24304] 1369911570.462220: Sending initial UDP request to dgram 10.34.47.82:88
[24304] 1369911570.549903: Received answer from dgram 10.34.47.82:88
[24304] 1369911570.627685: Response was not from master KDC
[24304] 1369911570.627717: Received error from KDC: -1765328316/Realm not local to KDC
[24304] 1369911570.627725: Following referral to realm dom2.bar
[24304] 1369911570.627768: Sending request (210 bytes) to dom2.bar
[24304] 1369911570.627793: Resolving hostname 10.34.47.47
[24304] 1369911570.627936: Sending initial UDP request to dgram 10.34.47.47:88
[24304] 1369911570.715623: Received answer from dgram 10.34.47.47:88
[24304] 1369911570.715667: Response was from master KDC
[24304] 1369911570.715687: Received error from KDC: -1765328316/Realm not local to KDC
[24304] 1369911570.715694: Following referral to realm SUBDOM.SUB
[24304] 1369911570.715745: Sending request (214 bytes) to SUBDOM.SUB (master)
[24304] 1369911570.715760: Resolving hostname 10.34.47.53
[24304] 1369911570.715940: Sending initial UDP request to dgram 10.34.47.53:88
[24304] 1369911570.802514: Received answer from dgram 10.34.47.53:88
[24304] 1369911570.802549: Received error from KDC: -1765328359/Additional pre-authentication required
[24304] 1369911570.802589: Processing preauth types: 16, 15, 19, 2
[24304] 1369911570.802606: Selected etype info: etype rc4-hmac, salt "(null)", params ""
Password for Administrator\@SUBDOM.SUB@DOM1.FOO:
[24304] 1369911575.606320: AS key obtained for encrypted timestamp: rc4-hmac/A4BB
[24304] 1369911575.606376: Encrypted timestamp (for 1369911575.606329): plain 301AA011180F32303133303533303130353933355AA1050203094079, encrypted B5539C54568D309820C9FEB5080E873529C3FE88CD182311A7CF701A3E35A862071540C31612703A7C2C9E874A4369883DB51F08
[24304] 1369911575.606405: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Erfolg
[24304] 1369911575.606410: Produced preauth for next request: 2
[24304] 1369911575.606428: Sending request (290 bytes) to SUBDOM.SUB (master)
[24304] 1369911575.606462: Resolving hostname 10.34.47.53
[24304] 1369911575.606679: Sending initial UDP request to dgram 10.34.47.53:88
[24304] 1369911575.713066: Received answer from dgram 10.34.47.53:88
[24304] 1369911575.713118: Salt derived from principal: SUBDOM.SUBAdministrator
[24304] 1369911575.713131: AS key determined by preauth: rc4-hmac/A4BB
[24304] 1369911575.713170: Decrypted AS reply; session key is: aes256-cts/1BA3
[24304] 1369911575.713174: FAST negotiation: unavailable
[24304] 1369911575.713202: Initializing FILE:./bla.ccfile with default princ Administrator@SUBDOM.SUB
[24304] 1369911575.731159: Removing Administrator@SUBDOM.SUB -> krbtgt/SUBDOM.SUB@SUBDOM.SUB from FILE:./bla.ccfile
[24304] 1369911575.731181: Storing Administrator@SUBDOM.SUB -> krbtgt/SUBDOM.SUB@SUBDOM.SUB in FILE:./bla.ccfile



To summarize, can the master KDC lookup be replaced by a simple KDC lookup while
following client referrals?

Thank you.

bye,
Sumit
This is what we get for using in-out parameters. Please test
https://github.com/greghudson/krb5/commits/usemaster (just the top
commit) to see if it solves your problem. It's not easy for me to test
since we don't natively generate AS referrals.
Date: Fri, 31 May 2013 09:09:40 +0200
From: Sumit Bose <sbose@redhat.com>
To: Greg Hudson via RT <rt-comment@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #7650] Issue following client referral from AD
RT-Send-Cc:
On Thu, May 30, 2013 at 11:42:24AM -0400, Greg Hudson via RT wrote:
> This is what we get for using in-out parameters. Please test
> https://github.com/greghudson/krb5/commits/usemaster (just the top
> commit) to see if it solves your problem. It's not easy for me to test
> since we don't natively generate AS referrals.

Thanks Greg, works like a charm:

# KRB5_TRACE=/dev/stdout KRB5_CONFIG=./krb5.conf KRB5CCNAME=FILE:./bla.ccfile kinit -C -E Administrator@SUBDOM.SUB
[3265] 1369983085.77137: Getting initial credentials for Administrator\@SUBDOM.SUB@DOM1.FOO
[3265] 1369983085.77752: Sending request (210 bytes) to DOM1.FOO
[3265] 1369983085.80773: Resolving hostname ad1.dom1.foo.
[3265] 1369983085.83679: Sending initial UDP request to dgram 10.34.47.82:88
[3265] 1369983085.85482: Received answer from dgram 10.34.47.82:88
[3265] 1369983085.86999: Response was not from master KDC
[3265] 1369983085.87134: Received error from KDC: -1765328316/Realm not local to KDC
[3265] 1369983085.87217: Following referral to realm dom2.bar
[3265] 1369983085.87334: Sending request (210 bytes) to dom2.bar
[3265] 1369983085.88944: Resolving hostname ad2.dom2.bar.
[3265] 1369983085.98131: Sending initial UDP request to dgram 10.34.47.47:88
[3265] 1369983085.99132: Received answer from dgram 10.34.47.47:88
[3265] 1369983085.99970: Response was not from master KDC
[3265] 1369983085.100094: Received error from KDC: -1765328316/Realm not local to KDC
[3265] 1369983085.100165: Following referral to realm SUBDOM.SUB
[3265] 1369983085.100282: Sending request (214 bytes) to SUBDOM.SUB
[3265] 1369983085.102557: Resolving hostname adsub2.subdom.sub.
[3265] 1369983085.104183: Sending initial UDP request to dgram 10.34.47.53:88
[3265] 1369983085.106733: Received answer from dgram 10.34.47.53:88
[3265] 1369983085.112464: Response was not from master KDC
[3265] 1369983085.112584: Received error from KDC: -1765328359/Additional pre-authentication required
[3265] 1369983085.112695: Processing preauth types: 16, 15, 19, 2
[3265] 1369983085.112788: Selected etype info: etype rc4-hmac, salt "(null)", params ""
Password for Administrator\@SUBDOM.SUB@DOM1.FOO:
[3265] 1369983091.646357: AS key obtained for encrypted timestamp: rc4-hmac/A4BB
[3265] 1369983091.646437: Encrypted timestamp (for 1369983091.646369): plain 301AA011180F32303133303533313036353133315AA105020309DCE1, encrypted E7518311C1387B2A152A40E6ECCB3E43F439383CFA1CFEF3F5EC3D5D55AAA34046237B41E4A64D0A29AE790F2F56EBDD38B5F2FE
[3265] 1369983091.646484: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Erfolg
[3265] 1369983091.646511: Produced preauth for next request: 2
[3265] 1369983091.646545: Sending request (290 bytes) to SUBDOM.SUB
[3265] 1369983091.648411: Resolving hostname adsub2.subdom.sub.
[3265] 1369983091.649530: Sending initial UDP request to dgram 10.34.47.53:88
[3265] 1369983091.651150: Received answer from dgram 10.34.47.53:88
[3265] 1369983091.652045: Response was not from master KDC
[3265] 1369983091.652150: Salt derived from principal: SUBDOM.SUBAdministrator
[3265] 1369983091.652240: AS key determined by preauth: rc4-hmac/A4BB
[3265] 1369983091.652358: Decrypted AS reply; session key is: aes256-cts/B3A4
[3265] 1369983091.652429: FAST negotiation: unavailable
[3265] 1369983091.652526: Initializing FILE:./bla.ccfile with default princ Administrator@SUBDOM.SUB
[3265] 1369983091.656741: Removing Administrator@SUBDOM.SUB -> krbtgt/SUBDOM.SUB@SUBDOM.SUB from FILE:./bla.ccfile
[3265] 1369983091.656833: Storing Administrator@SUBDOM.SUB -> krbtgt/SUBDOM.SUB@SUBDOM.SUB in FILE:./bla.ccfile


bye,
Sumit
From: ghudson@mit.edu
Subject: git commit

Properly handle use_master in k5_init_creds_get

If we make multiple requests in an initial creds exchange, the
krb5_sendto_kdc call in k5_init_creds_get may flip the use_master
value from 0 to 1 if it detects that the response was from a master
KDC. Don't turn this into a requirement for future requests during
the same exchange, or we may have trouble following AS referrals.
Reported by Sumit Bose.

https://github.com/krb5/krb5/commit/a12a5ddb9b932061bad7b83df058c7c6e2e4b044
Author: Greg Hudson <ghudson@mit.edu>
Commit: a12a5ddb9b932061bad7b83df058c7c6e2e4b044
Branch: master
src/lib/krb5/krb/get_in_tkt.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Properly handle use_master in k5_init_creds_get

If we make multiple requests in an initial creds exchange, the
krb5_sendto_kdc call in k5_init_creds_get may flip the use_master
value from 0 to 1 if it detects that the response was from a master
KDC. Don't turn this into a requirement for future requests during
the same exchange, or we may have trouble following AS referrals.
Reported by Sumit Bose.

(cherry picked from commit a12a5ddb9b932061bad7b83df058c7c6e2e4b044)

https://github.com/krb5/krb5/commit/7f235b82dfc9305975c6c04f008495c2a3aa7979
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 7f235b82dfc9305975c6c04f008495c2a3aa7979
Branch: krb5-1.11
src/lib/krb5/krb/get_in_tkt.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
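The following is an added model, written for this page and not code from MIT krb5, of the behaviour Sumit describes in his first message and that the commit message above fixes: a referral-following loop in which the use_master in-out flag, once flipped to 1 by a master-KDC response, makes the next realm's lookup ask for _kerberos-master SRV records that AD never publishes. The DNS table, KDC behaviour, realm names and the 10-hop referral limit are all constructed assumptions; the krb5.conf master_kdc dictionary stands in for the workaround Sumit used before the fix.

```python
"""Model of the AS-referral loop and the use_master in-out bug from krbdev #7650.

Constructed example, not krb5 code: DNS records, KDC behaviour and the
referral hop limit below are assumptions chosen to mirror the ticket's trace.
"""

# Constructed AD-style DNS: _kerberos SRV records exist, _kerberos-master ones do not.
SRV_RECORDS = {
    "_kerberos._udp.dom1.foo": "ad1.dom1.foo",
    "_kerberos._udp.dom2.bar": "ad2.dom2.bar",
    "_kerberos._udp.subdom.sub": "adsub2.subdom.sub",
}

# Constructed KDC behaviour per host: (reply kind, referred realm, answered as master).
# AD spells the referred realm in lower case, as in the ticket's trace.
KDC_BEHAVIOUR = {
    "ad1.dom1.foo": ("referral", "dom2.bar", True),
    "ad2.dom2.bar": ("referral", "SUBDOM.SUB", True),
    "adsub2.subdom.sub": ("as_rep", None, False),
}


class KdcUnresolvable(Exception):
    """Stands in for the 'Cannot resolve servers for KDC' error in the ticket."""


def locate_kdc(realm, use_master, master_kdc_conf=None):
    """Pick a KDC host for realm. With use_master set, only a master_kdc entry
    from krb5.conf or a _kerberos-master SRV record qualifies. DNS names are
    case-insensitive, hence the .lower(); krb5.conf realm names are not."""
    if use_master:
        conf = master_kdc_conf or {}
        if realm.upper() in conf:            # explicit master_kdc in [realms] (the workaround)
            return conf[realm.upper()]
        name = "_kerberos-master._udp." + realm.lower()
    else:
        name = "_kerberos._udp." + realm.lower()
    host = SRV_RECORDS.get(name)
    if host is None:
        raise KdcUnresolvable(f'Cannot resolve servers for KDC in realm "{realm}"')
    return host


def sendto_kdc(realm, use_master_flag, master_kdc_conf=None):
    """Model of krb5_sendto_kdc. use_master_flag is a one-element list acting as
    the in-out parameter: read to choose the lookup, set to 1 afterwards when
    the responding KDC turns out to be a master."""
    host = locate_kdc(realm, use_master_flag[0], master_kdc_conf)
    kind, next_realm, from_master = KDC_BEHAVIOUR[host]
    if from_master:
        use_master_flag[0] = 1
    return kind, next_realm, host


def init_creds_get(client_realm, use_master=False, fixed=True, master_kdc_conf=None):
    """Model of k5_init_creds_get following AS referrals until an AS-REP arrives.
    fixed=False reproduces the bug: the flipped flag is reused for the next realm.
    fixed=True passes a fresh copy of the caller's value on every request.
    Returns the list of (realm, host, use_master_used_for_lookup) steps."""
    realm = client_realm
    flag = [int(use_master)]
    trace = []
    for _ in range(10):                      # referral hop limit (assumed value)
        if fixed:
            flag = [int(use_master)]         # fresh copy per request, as the fix does
        used = flag[0]                       # value the lookup actually sees
        kind, next_realm, host = sendto_kdc(realm, flag, master_kdc_conf)
        trace.append((realm, host, used))
        if kind == "as_rep":
            return trace
        realm = next_realm
    raise RuntimeError("too many referrals")


def run(fixed, master_kdc_conf=None):
    """Start from the client's own realm; return ("ok", trace) or ("error", message)."""
    try:
        return "ok", init_creds_get("DOM1.FOO", fixed=fixed, master_kdc_conf=master_kdc_conf)
    except KdcUnresolvable as exc:
        return "error", str(exc)


if __name__ == "__main__":
    workaround = {"DOM2.BAR": "ad2.dom2.bar", "SUBDOM.SUB": "adsub2.subdom.sub"}
    print("buggy client:           ", run(fixed=False))
    print("buggy client + conf:    ", run(fixed=False, master_kdc_conf=workaround))
    print("fixed client:           ", run(fixed=True))
```

The first run stops at the second hop with the same error as the ticket's first trace, because the lookup for dom2.bar is performed as a master lookup. The second run shows why adding master_kdc entries made it work: the conf answers the master lookup that DNS cannot. The third run reaches the AS-REP with a plain _kerberos lookup at every hop, which is what the commit achieves by not letting one master response become a requirement for the rest of the exchange.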