Date: Wed, 4 Dec 2013 16:54:01 +0100
From: Sumit Bose <sbose@redhat.com>
To: krb5-bugs@mit.edu
Subject: S4U2Self fails with Windows 2008
Hi,
When I try S4U2Self from a Linux box joined to an AD domain with Windows 2008 servers I see the following; with Windows 2012 everything is working as expected:
# kdestroy -A
[root@winbind-client gssapi]# kinit -k 'WINBIND-CLIENT$@AD18.IPA18.DEVEL'
(reverse-i-search)`': ^C
[root@winbind-client gssapi]# KRB5_TRACE=/dev/stdout kvno -U 'Administrator@AD18.IPA18.DEVEL' 'WINBIND-CLIENT$@AD18.IPA18.DEVEL'
[22588] 1386169036.438500: Getting credentials Administrator\@AD18.IPA18.DEVEL@AD18.IPA18.DEVEL -> WINBIND-CLIENT$@AD18.IPA18.DEVEL using ccache DIR::/run/user/0/krb5cc/tkt
[22588] 1386169036.439111: Retrieving Administrator\@AD18.IPA18.DEVEL@AD18.IPA18.DEVEL -> WINBIND-CLIENT$@AD18.IPA18.DEVEL from DIR::/run/user/0/krb5cc/tkt with result: -1765328243/Matching credential not found
[22588] 1386169036.439333: Getting initial credentials for Administrator\@AD18.IPA18.DEVEL@AD18.IPA18.DEVEL
[22588] 1386169036.439946: Processing preauth types: 130
[22588] 1386169036.440146: Produced preauth for next request: (empty)
[22588] 1386169036.440353: Sending request (200 bytes) to AD18.IPA18.DEVEL
[22588] 1386169036.442854: Resolving hostname win-kps47i803u9.ad18.ipa18.devel.
[22588] 1386169036.447148: Sending initial UDP request to dgram 192.168.122.99:88
[22588] 1386169036.449229: Received answer (205 bytes) from dgram 192.168.122.99:88
[22588] 1386169036.450399: Response was not from master KDC
[22588] 1386169036.450694: Received error from KDC: -1765328359/Additional pre-authentication required
[22588] 1386169036.450980: Processing preauth types: 16, 15, 19, 2
[22588] 1386169036.451240: Selected etype info: etype aes256-cts, salt "AD18.IPA18.DEVELAdministrator", params ""
[22588] 1386169036.451458: Preauth module encrypted_timestamp (2) (real) returned: -1765328174/Generic preauthentication failure
[22588] 1386169036.451641: Getting credentials Administrator\@AD18.IPA18.DEVEL@AD18.IPA18.DEVEL -> WINBIND-CLIENT$@AD18.IPA18.DEVEL using ccache DIR::/run/user/0/krb5cc/tkt
[22588] 1386169036.451990: Retrieving Administrator\@AD18.IPA18.DEVEL@AD18.IPA18.DEVEL -> WINBIND-CLIENT$@AD18.IPA18.DEVEL from DIR::/run/user/0/krb5cc/tkt with result: -1765328243/Matching credential not found
[22588] 1386169036.452193: Getting credentials WINBIND-CLIENT$@AD18.IPA18.DEVEL -> krbtgt/AD18.IPA18.DEVEL@AD18.IPA18.DEVEL using ccache DIR::/run/user/0/krb5cc/tkt
[22588] 1386169036.452516: Retrieving WINBIND-CLIENT$@AD18.IPA18.DEVEL -> krbtgt/AD18.IPA18.DEVEL@AD18.IPA18.DEVEL from DIR::/run/user/0/krb5cc/tkt with result: 0/Success
[22588] 1386169036.452754: Get cred via TGT krbtgt/AD18.IPA18.DEVEL@AD18.IPA18.DEVEL after requesting WINBIND-CLIENT$@AD18.IPA18.DEVEL (canonicalize on)
[22588] 1386169036.452951: Generated subkey for TGS request: aes256-cts/5640
[22588] 1386169036.453247: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[22588] 1386169036.453584: Encoding request body and padata into FAST request
[22588] 1386169036.453882: Sending request (1967 bytes) to AD18.IPA18.DEVEL
[22588] 1386169036.455546: Resolving hostname win-kps47i803u9.ad18.ipa18.devel.
[22588] 1386169036.458828: Resolving hostname win-kps47i803u9.ad18.ipa18.devel.
[22588] 1386169036.460741: Initiating TCP connection to stream 192.168.122.99:88
[22588] 1386169036.461407: Sending TCP request to stream 192.168.122.99:88
[22588] 1386169036.464099: Received answer (1430 bytes) from stream 192.168.122.99:88
[22588] 1386169036.466031: Response was not from master KDC
[22588] 1386169036.466305: Decoding FAST response
[22588] 1386169036.466679: Got cred; -1765328368/KDC has no support for padata type
kvno: KDC has no support for padata type while getting credentials for WINBIND-CLIENT$@AD18.IPA18.DEVEL
If I patch krb5int_fast_prep_req() to not do any FAST encoding, e.g.
--- krb5-1.11.3/src/lib/krb5/krb/fast.c.orig 2013-11-22 12:58:07.000000000 +0100
+++ krb5-1.11.3/src/lib/krb5/krb/fast.c 2013-11-22 12:58:17.696000000 +0100
@@ -247,9 +247,9 @@
assert(state != NULL);
assert(state->fast_outer_request.padata == NULL);
memset(pa_array, 0, sizeof(pa_array));
- if (state->armor_key == NULL) {
+ //if (state->armor_key == NULL) {
return encoder(request, encoded_request);
- }
+ //}
TRACE_FAST_ENCODE(context);
state->nonce = request->nonce;
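Review bot: commenting out the `if (state->armor_key == NULL)` guard turns `return encoder(request, encoded_request);` into an unconditional early return, so everything after it in krb5int_fast_prep_req() (TRACE_FAST_ENCODE, the nonce handling, the FAST wrapping itself) becomes dead code and FAST is disabled for every request, including AS exchanges where an armor key was deliberately supplied. That makes this a useful diagnostic, since it shows the Windows 2008 KDC rejects the FAST-wrapped TGS-REQ ("Encoding request body and padata into FAST request" followed by "-1765328368/KDC has no support for padata type" in the trace), but not a change to merge. A targeted fix would keep the guard and instead not FAST-armor the S4U2Self TGS request when the KDC has not advertised FAST support, or retry that request without FAST when the KDC answers with the padata-type-not-supported error.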
Everything is working as expected. I'm not sure which part of the FAST
encoding Windows 2008 does not like here. If you need more information
to debug this please let me know.
bye,
Sumit
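As an added triage aid, not part of the bug report above: a small KRB5_TRACE parser that groups TGS exchanges and flags the failure pattern shown in this report, a FAST-wrapped TGS request answered with KRB5KDC_ERR_PADATA_TYPE_NOSUPP (-1765328368). The trace excerpt is constructed from the report's own message wording; the helper names are my own.

```python
import re
from dataclasses import dataclass

# KRB5_TRACE line format: "[pid] seconds.micros: message"
TRACE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")

# Constructed excerpt modelled on the trace in the report (shortened).
SAMPLE_TRACE = """\
[22588] 1386169036.452193: Getting credentials WINBIND-CLIENT$@AD18.IPA18.DEVEL -> krbtgt/AD18.IPA18.DEVEL@AD18.IPA18.DEVEL using ccache DIR::/run/user/0/krb5cc/tkt
[22588] 1386169036.452754: Get cred via TGT krbtgt/AD18.IPA18.DEVEL@AD18.IPA18.DEVEL after requesting WINBIND-CLIENT$@AD18.IPA18.DEVEL (canonicalize on)
[22588] 1386169036.453584: Encoding request body and padata into FAST request
[22588] 1386169036.453882: Sending request (1967 bytes) to AD18.IPA18.DEVEL
[22588] 1386169036.466305: Decoding FAST response
[22588] 1386169036.466679: Got cred; -1765328368/KDC has no support for padata type
"""

PADATA_TYPE_NOSUPP = "-1765328368"  # KRB5KDC_ERR_PADATA_TYPE_NOSUPP


@dataclass
class TgsExchange:
    target: str          # service principal requested via the TGT
    fast_wrapped: bool = False
    result: str = ""     # "code/message" from the "Got cred;" line


def parse_tgs_exchanges(trace: str) -> list:
    """Split a KRB5_TRACE dump into TGS exchanges (hypothetical helper)."""
    exchanges, cur = [], None
    for line in trace.splitlines():
        m = TRACE_RE.match(line)
        if not m:
            continue
        msg = m.group(3)
        if msg.startswith("Get cred via TGT "):
            # "... after requesting <target> (canonicalize on)"
            target = msg.split(" after requesting ", 1)[1].split(" (", 1)[0]
            cur = TgsExchange(target=target)
            exchanges.append(cur)
        elif cur is None:
            continue
        elif msg.startswith("Encoding request body and padata into FAST request"):
            cur.fast_wrapped = True
        elif msg.startswith("Got cred; "):
            cur.result = msg[len("Got cred; "):]
            cur = None  # exchange finished
    return exchanges


def kdc_rejected_fast_tgs(trace: str) -> list:
    """Targets whose FAST-wrapped TGS-REQ the KDC refused with PADATA_TYPE_NOSUPP."""
    return [x.target for x in parse_tgs_exchanges(trace)
            if x.fast_wrapped and x.result.startswith(PADATA_TYPE_NOSUPP + "/")]
```

A non-empty result points at a KDC that does not accept FAST on TGS requests, which is the situation this report describes for Windows 2008.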