| Date: | Wed, 2 Oct 2019 17:46:51 +0200 |
| Subject: | kprop replication does not work due to wrong DNS domain handling |
| To: | krb5-bugs@mit.edu |
| From: | "Ingo" <Ingo@Hoeft-online.de> |
Hello,
It seems I encountered a bug with krb5-1.17 using replication with kprop, or I do not understand what's going on. I followed the setup given at https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html on Raspbian Buster (a flavor of Debian 10, compiled for ARM processors). If I try to do the initial replication of the database I get the error message:
/usr/sbin/kprop: Key table entry not found while getting initial credentials
I have checked it of course:
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
6 host/kdc10-1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
6 host/kdc10-1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
Using trace logging I get:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[1994] 1570019063.835325: Getting initial credentials for host/kdc10-1@EXAMPLE.COM
[1994] 1570019063.835326: Setting initial creds service to host/kdc10-2.example.com
[1994] 1570019063.835327: Looked up etypes in keytab: (empty)
[1994] 1570019063.835328: Getting initial credentials for host/kdc10-1@EXAMPLE.COM
[1994] 1570019063.835329: Setting initial creds service to host/kdc10-2.example.com
[1994] 1570019063.835330: Looked up etypes in keytab: (empty)
/usr/sbin/kprop: Key table entry not found while getting initial credentials
The problem I see is in the first line:
Getting initial credentials for host/kdc10-1@EXAMPLE.COM
The DNS domain 'example.com' is missing there.
I verified it on my old installation with krb5-1.10:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[21367] 1570019913.30940: Initializing FILE:/tmp/kproptkteNiiOa with default princ host/kdc-old.example.com@EXAMPLE.COM
[21367] 1570019913.35969: Getting initial credentials for host/kdc-old.example.com@EXAMPLE.COM
[21367] 1570019913.37953: Setting initial creds service to host/kdc10-2.example.com@EXAMPLE.COM
[21367] 1570019913.38957: Sending request (235 bytes) to EXAMPLE.COM
[21367] 1570019913.39829: Resolving hostname kdc-old.example.com
[21367] 1570019913.40982: Sending initial UDP request to dgram 127.0.1.1:88
[21367] 1570019913.42912: Received answer from dgram 127.0.1.1:88
[21367] 1570019913.46078: Response was not from master KDC
[21367] 1570019913.46888: Received error from KDC: -1765328378/Client not found in Kerberos database
/usr/sbin/kprop: Client not found in Kerberos database while getting initial ticket
[21367] 1570019913.50158: Destroying ccache FILE:/tmp/kproptkteNiiOa
Of course the environment does not match, but as seen in the second line I get the settings with the domain part:
Getting initial credentials for host/kdc-old.example.com@EXAMPLE.COM
I have tried many options in /etc/krb5.conf but wasn't able to force kprop to ask for initial credentials with the DNS domain. Therefore I added the host without the DNS domain to '/etc/krb5.keytab':
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/kdc10-1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 host/kdc10-1@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
6 host/kdc10-1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
6 host/kdc10-1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
Now I get:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[2074] 1570021982.74607: Getting initial credentials for host/kdc10-1@EXAMPLE.COM
[2074] 1570021982.74608: Setting initial creds service to host/kdc10-2.example.com
[2074] 1570021982.74609: Looked up etypes in keytab: aes256-cts, aes128-cts
[2074] 1570021982.74611: Sending unauthenticated request
[2074] 1570021982.74612: Sending request (215 bytes) to EXAMPLE.COM
[2074] 1570021982.74613: Resolving hostname kdc10-1.example.com
[2074] 1570021982.74614: Sending initial UDP request to dgram 192.168.10.9:88
[2074] 1570021982.74615: Received answer (291 bytes) from dgram 192.168.10.9:88
[2074] 1570021982.74616: Response was from master KDC
[2074] 1570021982.74617: Received error from KDC: -1765328359/Additional pre-authentication required
[2074] 1570021982.74620: Preauthenticating using KDC method data
--- snip ---
[2074] 1570021982.74641: Creating authenticator for host/kdc10-1@EXAMPLE.COM -> host/kdc10-2.example.com@EXAMPLE.COM, seqnum 1056356820, subkey (null), session key aes256-cts/AB97
/usr/sbin/kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
/usr/sbin/kprop: Service key not available signalled from server
Error text from server: Service key not available
On the replica KDC I get:
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 host/kdc10-2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
4 host/kdc10-2.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kpropd -d
ready
waiting for a kprop connection
Connection from kdc10-1.example.com
krb5_recvauth(5, kprop5_01, host/kdc10-2@EXAMPLE.COM, ...)
[2284] 1570023908.773042: Retrieving host/kdc10-2@EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 4, enctype aes256-cts) with result: -1765328203/No key table entry found for host/kdc10-2@EXAMPLE.COM
[2284] 1570023908.773043: Failed to decrypt AP-REQ ticket: -1765328339/No key table entry found for host/kdc10-2@EXAMPLE.COM
Database load process for full propagation completed.
waiting for a kprop connection
Same as on the master KDC: no DNS domain for the host. I also added the host credential without the domain to '/etc/krb5.keytab' on the replica KDC:
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 host/kdc10-2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
4 host/kdc10-2.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 host/kdc10-2@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 host/kdc10-2@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
Now I get on the master KDC:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[2179] 1570024342.29886: Getting initial credentials for host/kdc10-1@EXAMPLE.COM
[2179] 1570024342.29887: Setting initial creds service to host/kdc10-2.example.com
[2179] 1570024342.29888: Looked up etypes in keytab: aes256-cts, aes128-cts
[2179] 1570024342.29890: Sending unauthenticated request
[2179] 1570024342.29891: Sending request (215 bytes) to EXAMPLE.COM
[2179] 1570024342.29892: Resolving hostname kdc10-1.example.com
[2179] 1570024342.29893: Sending initial UDP request to dgram 192.168.10.9:88
[2179] 1570024342.29894: Received answer (291 bytes) from dgram 192.168.10.9:88
[2179] 1570024342.29895: Response was from master KDC
[2179] 1570024342.29896: Received error from KDC: -1765328359/Additional pre-authentication required
[2179] 1570024342.29899: Preauthenticating using KDC method data
--- snip ---
[2179] 1570024342.29920: Creating authenticator for host/kdc10-1@EXAMPLE.COM -> host/kdc10-2.example.com@EXAMPLE.COM, seqnum 201407404, subkey (null), session key aes256-cts/1D24
/usr/sbin/kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
/usr/sbin/kprop: The ticket isn't for us signalled from server
Error text from server: The ticket isn't for us
And the replica KDC gives me:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kpropd -d
ready
waiting for a kprop connection
Connection from kdc10-1.example.com
krb5_recvauth(5, kprop5_01, host/kdc10-2@EXAMPLE.COM, ...)
[2339] 1570024342.92319: Retrieving host/kdc10-2@EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 4, enctype aes256-cts) with result: -1765328154/Key version number for principal in key table is incorrect
[2339] 1570024342.92320: Failed to decrypt AP-REQ ticket: -1765328349/Cannot find key for host/kdc10-2@EXAMPLE.COM kvno 4 in keytab (request ticket server host/kdc10-2.example.com@EXAMPLE.COM)
Database load process for full propagation completed.
waiting for a kprop connection
Here I find that the replica host is addressed as host/kdc10-2@EXAMPLE.COM but the ticket is encrypted for host/kdc10-2.example.com@EXAMPLE.COM.
The only workaround I have found is to set in '/etc/krb5.conf':
ignore_acceptor_hostname = true
But I do not want this weak configuration. What do I have to do to avoid this setting? What am I missing with the DNS domain name for the hosts? DNS forward and reverse resolution has been checked for all hosts.
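As an added check (not part of the report above, and not MIT krb5's own tooling): a small shell script that verifies, on either the master or the replica KDC, that the local hostname libkrb5 will turn into a host principal is fully qualified and that the matching host/<fqdn>@REALM entry is actually present in the keytab. It parses "klist -ek" style output, so the same check covers both sides of the kprop/kpropd exchange shown in the report. The sample listings embedded below are constructed from the report's own klist output; the function names, the realm EXAMPLE.COM and the use of "hostname -f" as a stand-in for libkrb5's hostname canonicalization are assumptions.

```shell
#!/bin/sh
# Added example: check that the host principal kprop/kpropd will use is the
# fully-qualified one and that the keytab actually holds it.
# Function names, the realm and the use of "hostname -f" as a stand-in for
# libkrb5's hostname canonicalization are assumptions, not krb5 tooling.

# True (0) when "$1" is a fully-qualified hostname, i.e. contains a dot.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the host-based service principal for hostname "$1" in realm "$2".
host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Read "klist -ek" output on stdin; succeed if principal "$1" is listed.
# Data lines look like "   6 host/kdc10-1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)",
# so the KVNO is field 1 and the principal is field 2; header lines are skipped.
keytab_has_principal() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Read "klist -ek" output on stdin and compare it with the principal expected
# for hostname "$1" in realm "$2". Prints exactly one status word:
#   ok          host/<fqdn>@REALM is present
#   short-only  only host/<short>@REALM is present (the workaround in the report)
#   missing     neither entry is present
#   not-fqdn    the hostname itself has no domain part, so libkrb5 would build
#               host/<short>@REALM no matter what the keytab contains
check_keytab() {
    fqdn="$1"; realm="$2"
    listing=$(cat)
    if ! is_fqdn "$fqdn"; then
        echo "not-fqdn"
        return 2
    fi
    full=$(host_principal "$fqdn" "$realm")
    short=$(host_principal "${fqdn%%.*}" "$realm")
    if printf '%s\n' "$listing" | keytab_has_principal "$full"; then
        echo "ok"
        return 0
    elif printf '%s\n' "$listing" | keytab_has_principal "$short"; then
        echo "short-only"
        return 1
    else
        echo "missing"
        return 2
    fi
}

# Live check on a real KDC (defined here, not run): "hostname -f" approximates
# the canonical name libkrb5 derives from the local hostname via the resolver.
live_check() {
    realm="$1"
    short=$(hostname)
    full=$(hostname -f 2>/dev/null || echo "$short")
    echo "hostname=$short canonical=$full"
    klist -ek | check_keytab "$full" "$realm"
}

# Constructed sample listings, copied from the report's klist -ek output.
KEYTAB_FQDN_ONLY='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 host/kdc10-1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   6 host/kdc10-1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

KEYTAB_SHORT_ONLY='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kdc10-1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/kdc10-1@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# Demo on the samples: the report's keytab is fine for the FQDN, but a host
# that only knows itself as "kdc10-1" cannot use it ("|| :" keeps the demo
# running under set -e).
printf '%s\n' "$KEYTAB_FQDN_ONLY"  | check_keytab kdc10-1.example.com EXAMPLE.COM || :
printf '%s\n' "$KEYTAB_FQDN_ONLY"  | check_keytab kdc10-1 EXAMPLE.COM || :
printf '%s\n' "$KEYTAB_SHORT_ONLY" | check_keytab kdc10-1.example.com EXAMPLE.COM || :
```

On a real KDC, source the script and run "live_check EXAMPLE.COM" as root: a "not-fqdn" result means the host's own name (as the resolver canonicalizes it, typically through /etc/hosts before DNS) lacks the domain part, which is the situation to fix before touching the keytab; "short-only" means the keytab was patched around that instead.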