Date: Wed, 4 Dec 2013 16:54:01 +0100
From: Sumit Bose <sbose@redhat.com>
To: krb5-bugs@mit.edu
Subject: S4U2Self fails with Windows 2008
Hi,

when I try S4U2Self from a Linux box joined in an AD domain with Windows
2008 servers I see the
following, with Windows 2012 everything is working as expected:

# kdestroy -A
[root@winbind-client gssapi]# kinit -k 'WINBIND-CLIENT$@AD18.IPA18.DEVEL'
(reverse-i-search)`': ^C
[root@winbind-client gssapi]# KRB5_TRACE=/dev/stdout kvno -U 'Administrator@AD18.IPA18.DEVEL' 'WINBIND-CLIENT$@AD18.IPA18.DEVEL'
[22588] 1386169036.438500: Getting credentials Administrator\@AD18.IPA18.DEVEL@AD18.IPA18.DEVEL -> WINBIND-CLIENT$@AD18.IPA18.DEVEL using ccache DIR::/run/user/0/krb5cc/tkt
[22588] 1386169036.439111: Retrieving Administrator\@AD18.IPA18.DEVEL@AD18.IPA18.DEVEL -> WINBIND-CLIENT$@AD18.IPA18.DEVEL from DIR::/run/user/0/krb5cc/tkt with result: -1765328243/Matching credential not found
[22588] 1386169036.439333: Getting initial credentials for Administrator\@AD18.IPA18.DEVEL@AD18.IPA18.DEVEL
[22588] 1386169036.439946: Processing preauth types: 130
[22588] 1386169036.440146: Produced preauth for next request: (empty)
[22588] 1386169036.440353: Sending request (200 bytes) to AD18.IPA18.DEVEL
[22588] 1386169036.442854: Resolving hostname win-kps47i803u9.ad18.ipa18.devel.
[22588] 1386169036.447148: Sending initial UDP request to dgram 192.168.122.99:88
[22588] 1386169036.449229: Received answer (205 bytes) from dgram 192.168.122.99:88
[22588] 1386169036.450399: Response was not from master KDC
[22588] 1386169036.450694: Received error from KDC: -1765328359/Additional pre-authentication required
[22588] 1386169036.450980: Processing preauth types: 16, 15, 19, 2
[22588] 1386169036.451240: Selected etype info: etype aes256-cts, salt "AD18.IPA18.DEVELAdministrator", params ""
[22588] 1386169036.451458: Preauth module encrypted_timestamp (2) (real) returned: -1765328174/Generic preauthentication failure
[22588] 1386169036.451641: Getting credentials Administrator\@AD18.IPA18.DEVEL@AD18.IPA18.DEVEL -> WINBIND-CLIENT$@AD18.IPA18.DEVEL using ccache DIR::/run/user/0/krb5cc/tkt
[22588] 1386169036.451990: Retrieving Administrator\@AD18.IPA18.DEVEL@AD18.IPA18.DEVEL -> WINBIND-CLIENT$@AD18.IPA18.DEVEL from DIR::/run/user/0/krb5cc/tkt with result: -1765328243/Matching credential not found
[22588] 1386169036.452193: Getting credentials WINBIND-CLIENT$@AD18.IPA18.DEVEL -> krbtgt/AD18.IPA18.DEVEL@AD18.IPA18.DEVEL using ccache DIR::/run/user/0/krb5cc/tkt
[22588] 1386169036.452516: Retrieving WINBIND-CLIENT$@AD18.IPA18.DEVEL -> krbtgt/AD18.IPA18.DEVEL@AD18.IPA18.DEVEL from DIR::/run/user/0/krb5cc/tkt with result: 0/Success
[22588] 1386169036.452754: Get cred via TGT krbtgt/AD18.IPA18.DEVEL@AD18.IPA18.DEVEL after requesting WINBIND-CLIENT$@AD18.IPA18.DEVEL (canonicalize on)
[22588] 1386169036.452951: Generated subkey for TGS request: aes256-cts/5640
[22588] 1386169036.453247: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[22588] 1386169036.453584: Encoding request body and padata into FAST request
[22588] 1386169036.453882: Sending request (1967 bytes) to AD18.IPA18.DEVEL
[22588] 1386169036.455546: Resolving hostname win-kps47i803u9.ad18.ipa18.devel.
[22588] 1386169036.458828: Resolving hostname win-kps47i803u9.ad18.ipa18.devel.
[22588] 1386169036.460741: Initiating TCP connection to stream 192.168.122.99:88
[22588] 1386169036.461407: Sending TCP request to stream 192.168.122.99:88
[22588] 1386169036.464099: Received answer (1430 bytes) from stream 192.168.122.99:88
[22588] 1386169036.466031: Response was not from master KDC
[22588] 1386169036.466305: Decoding FAST response
[22588] 1386169036.466679: Got cred; -1765328368/KDC has no support for padata type
kvno: KDC has no support for padata type while getting credentials for WINBIND-CLIENT$@AD18.IPA18.DEVEL


If I patch krb5int_fast_prep_req() to not do any FAST encoding, e.g.

--- krb5-1.11.3/src/lib/krb5/krb/fast.c.orig 2013-11-22 12:58:07.000000000 +0100
+++ krb5-1.11.3/src/lib/krb5/krb/fast.c 2013-11-22 12:58:17.696000000 +0100
@@ -247,9 +247,9 @@
assert(state != NULL);
assert(state->fast_outer_request.padata == NULL);
memset(pa_array, 0, sizeof(pa_array));
- if (state->armor_key == NULL) {
+ //if (state->armor_key == NULL) {
return encoder(request, encoded_request);
- }
+ //}

TRACE_FAST_ENCODE(context);
state->nonce = request->nonce;
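
Review bot: commenting out the `if (state->armor_key == NULL)` guard makes `return encoder(request, encoded_request);` unconditional, so FAST armoring is skipped for every TGS request rather than only when no armor key exists, and everything after it, starting at `TRACE_FAST_ENCODE(context);`, becomes unreachable. That is fine as the diagnostic this message presents it as, but it should not be carried forward as the fix, because it drops the armoring that FAST-capable KDCs would otherwise get; the direction the commit later in this ticket takes, making the S4U2Self padata visible outside the armored body as well, keeps FAST where it is supported. The hunk as pasted has also lost the leading space on its context lines, so it would need reapplying by hand rather than with patch(1).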


Everything is working as expected. I'm not sure which part of the FAST
encoding Windows 2008 does not like here. If you need more information
to debug this please let me know.

bye,
Sumit
I can reproduce this by breaking FAST recognition in the MIT KDC. We also
have a report that it fails with Heimdal, which is FAST-unaware.

When we encode the FAST TGS request, we move the S4U2Self padata into the
FAST inner body. A FAST-unaware KDC only sees the outer body and
interprets the request as a regular TGS request, and issues a ticket for
server -> server. gc_via_tkt.c detects this at line 269 and bombs out
with a locally generated KRB5KDC_ERR_PADATA_TYPE_NOSUPP.

I have asked Sam for advice on the best fix.
Date: Thu, 5 Dec 2013 18:52:54 +0100
From: Sumit Bose <sbose@redhat.com>
To: Greg Hudson via RT <rt-comment@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #7791] S4U2Self fails with Windows 2008
RT-Send-Cc:
On Thu, Dec 05, 2013 at 12:33:47PM -0500, Greg Hudson via RT wrote:
> I can reproduce this by breaking FAST recognition in the MIT KDC. We also
> have a report that it fails with Heimdal, which is FAST-unaware.
>
> When we encode the FAST TGS request, we move the S4U2Self padata into the
> FAST inner body. A FAST-unaware KDC only sees the outer body and
> interprets the request as a regular TGS request, and issues a ticket for
> server -> server. gc_via_tkt.c detects this at line 269 and bombs out
> with a locally generated KRB5KDC_ERR_PADATA_TYPE_NOSUPP.

Thank you for looking into this. I checked with wireshark and can
confirm that with Windows 2008 I see exactly what you described above.

bye,
Sumit

>
> I have asked Sam for advice on the best fix.
From: ghudson@mit.edu
Subject: git commit

Fix S4U2Self against non-FAST KDCs

When we added FAST TGS support in 1.11, we broke S4U2Self against KDCs
which don't support FAST, because the S4U2Self padata is only present
within the FAST request. For now, duplicate that padata in the outer
request so that both FAST and non-FAST KDCs can see it.

https://github.com/krb5/krb5/commit/55c3a5f69919c2b5435bac0cb48ab09b11be869c
Author: Greg Hudson <ghudson@mit.edu>
Commit: 55c3a5f69919c2b5435bac0cb48ab09b11be869c
Branch: master
src/lib/krb5/krb/fast.c | 39 ++++++++++++++++++++++++++++++++++-----
1 files changed, 34 insertions(+), 5 deletions(-)
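The failure Greg Hudson describes above (S4U2Self padata carried only inside the FAST inner body, a FAST-unaware KDC answering the outer body with a server -> server ticket, and the client-side check rejecting it with a locally generated KRB5KDC_ERR_PADATA_TYPE_NOSUPP) and the workaround in this commit message (duplicate the padata in the outer request) are shown together in the following Python model. It is an added example, not krb5's own code: the principal names, the armor-key string and the `duplicate_outer` switch are constructed for the illustration, the request and ticket types are simplified stand-ins for the real ASN.1 structures, and the KDC is reduced to "which body does it read". The padata type numbers (PA-FOR-USER 129, PA-FX-FAST 136) and the error code are the real protocol values; the com_err value is the one visible in the trace in the first message.

```python
"""Constructed model of the S4U2Self-over-FAST failure (not krb5's own code)."""
from dataclasses import dataclass, field
from typing import Optional

PA_FOR_USER = 129           # S4U2Self padata type (MS-SFU PA-FOR-USER)
PA_FX_FAST = 136            # FAST armored-request padata type (RFC 6113)
ERROR_TABLE_BASE_KRB5 = -1765328384
# "KDC has no support for padata type" as seen in the KRB5_TRACE output: base + 16
KRB5KDC_ERR_PADATA_TYPE_NOSUPP = ERROR_TABLE_BASE_KRB5 + 16


class KerberosError(Exception):
    def __init__(self, code: int, message: str) -> None:
        super().__init__(f"{code}/{message}")
        self.code = code


@dataclass
class TgsRequest:
    client: str                                   # principal holding the TGT
    server: str                                   # requested service
    padata: dict = field(default_factory=dict)    # outer padata: every KDC sees this
    fast_inner: Optional["TgsRequest"] = None     # armored inner request: FAST-aware KDCs only


@dataclass
class Ticket:
    client: str
    server: str


def build_s4u2self_request(service: str, user: str, armor_key: Optional[str],
                           duplicate_outer: bool) -> TgsRequest:
    """Client side. S4U2Self asks for a ticket to `service` on behalf of `user`.
    With an armor key the request is FAST-wrapped; `duplicate_outer` models the
    fix (PA-FOR-USER copied into the outer request as well as the inner one)."""
    inner_padata = {PA_FOR_USER: user}
    if armor_key is None:
        return TgsRequest(service, service, padata=inner_padata)
    inner = TgsRequest(service, service, padata=inner_padata)
    outer_padata = {PA_FX_FAST: f"armored({armor_key})"}   # stands in for KrbFastArmoredReq
    if duplicate_outer:
        outer_padata[PA_FOR_USER] = user
    return TgsRequest(service, service, padata=outer_padata, fast_inner=inner)


def kdc_issue(req: TgsRequest, fast_aware: bool) -> Ticket:
    """KDC side. A FAST-aware KDC unwraps the inner body; a FAST-unaware one
    ignores the PA-FX-FAST padata it does not understand (RFC 4120 lets a KDC
    skip unknown padata) and answers the outer body as a plain TGS request."""
    body = req.fast_inner if (fast_aware and req.fast_inner is not None) else req
    user = body.padata.get(PA_FOR_USER)
    return Ticket(client=user if user is not None else body.client, server=body.server)


def check_s4u2self_reply(ticket: Ticket, expected_user: str) -> Ticket:
    """Client-side check modelled on the one in gc_via_tkt.c: a ticket whose
    client is not the impersonated user is never handed back to the caller."""
    if ticket.client != expected_user:
        raise KerberosError(KRB5KDC_ERR_PADATA_TYPE_NOSUPP,
                            "KDC has no support for padata type")
    return ticket


def get_s4u2self_ticket(service: str, user: str, armor_key: Optional[str],
                        kdc_fast_aware: bool, duplicate_outer: bool) -> Ticket:
    req = build_s4u2self_request(service, user, armor_key, duplicate_outer)
    return check_s4u2self_reply(kdc_issue(req, kdc_fast_aware), user)


def outcome(kdc_fast_aware: bool, duplicate_outer: bool) -> str:
    """One cell of the KDC/fix matrix as 'ok:<ticket client>' or 'err:<code>'.
    Names and armor key are constructed placeholders."""
    try:
        t = get_s4u2self_ticket("SERVICE$@EXAMPLE.TEST", "user@EXAMPLE.TEST",
                                "tgt-session-key", kdc_fast_aware, duplicate_outer)
        return f"ok:{t.client}"
    except KerberosError as e:
        return f"err:{e.code}"


if __name__ == "__main__":
    for fast_aware in (True, False):
        for dup in (False, True):
            print(f"KDC fast_aware={fast_aware!s:5} duplicate_outer={dup!s:5} -> "
                  f"{outcome(fast_aware, dup)}")
```

Running it prints four rows: the only failing combination is a FAST-unaware KDC with the padata kept inside the armored body, which yields err:-1765328368, the same code the trace in the first message reports; with the padata duplicated outside, both KDC kinds return a ticket whose client is the impersonated user. The client-side check is the security-relevant part of the model: without it, the server -> server ticket would be returned to a caller that believes it holds a ticket for the user.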
From: tlyu@mit.edu
Subject: git commit

Fix S4U2Self against non-FAST KDCs

When we added FAST TGS support in 1.11, we broke S4U2Self against KDCs
which don't support FAST, because the S4U2Self padata is only present
within the FAST request. For now, duplicate that padata in the outer
request so that both FAST and non-FAST KDCs can see it.

(cherry picked from commit 55c3a5f69919c2b5435bac0cb48ab09b11be869c)

https://github.com/krb5/krb5/commit/590b690483e7924186a5bd4b8cd40267bc6e6795
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 590b690483e7924186a5bd4b8cd40267bc6e6795
Branch: krb5-1.12
src/lib/krb5/krb/fast.c | 39 ++++++++++++++++++++++++++++++++++-----
1 files changed, 34 insertions(+), 5 deletions(-)