[Freeipa-devel] [PATCHES] Fix getkeytab operation

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 19 10:53:01 UTC 2014


On Tue, 18 Nov 2014, Simo Sorce wrote:
>On Tue, 18 Nov 2014 15:01:15 -0500
>Nathaniel McCallum <npmccallum at redhat.com> wrote:
>
>> As I see it, we're setting out a new precedent. All new ASN.1 code
>> will take this route (which is, indeed, better). So while it is small
>> now, it won't stay small forever. Being that we are in the business
>> of routinely handling ASN.1 stuff, this seems to me like a sensible
>> architecture for the future.
>
>Ok, I think I should have fixed all the issues you brought up.
>
>And my tests still work fine :)
Works fine. However, I'm getting the wrong TGT enctype back from the KDC when I
try to obtain a TGT with a des-cbc-crc key:

[root@master ~]# ipa host-add --force f21test.f21.test
-----------------------------
Added host "f21test.f21.test"
-----------------------------
  Host name: f21test.f21.test
  Principal name: host/f21test.f21.test@F21.TEST
  Password: False
  Keytab: False
  Managed by: f21test.f21.test
[root@master ~]# ipa service-add --force afs/f21test
------------------------------------
Added service "afs/f21test@F21.TEST"
------------------------------------
  Principal: afs/f21test@F21.TEST
  Managed by: f21test.f21.test
[root@master ~]# ipa-getkeytab -s `hostname` -p afs/f21test -k /tmp/afs.keytab -e des-cbc-crc:v4 -P
New Principal Password: 
Verify Principal Password: 
Keytab successfully retrieved and stored in: /tmp/afs.keytab
[root@master ~]# klist -kt /tmp/afs.keytab -K -e
Keytab name: FILE:/tmp/afs.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 11/19/14 12:13:01 afs/f21test@F21.TEST (des-cbc-crc) (0xea1a0b29152cb383)

[root@master ~]# KRB5_TRACE=/dev/stderr KRB5CCNAME=/tmp/afs.ccache kinit -kt /tmp/afs.keytab afs/f21test
[28636] 1416392072.862773: Getting initial credentials for afs/f21test@F21.TEST
[28636] 1416392072.864408: Looked up etypes in keytab: des-cbc-crc
[28636] 1416392072.864522: Sending request (175 bytes) to F21.TEST
[28636] 1416392072.865127: Sending initial UDP request to dgram 192.168.5.169:88
[28636] 1416392072.866958: Received answer (283 bytes) from dgram 192.168.5.169:88
[28636] 1416392072.867028: Response was from master KDC
[28636] 1416392072.867088: Received error from KDC: -1765328359/Additional pre-authentication required
[28636] 1416392072.867140: Processing preauth types: 136, 19, 2, 133
[28636] 1416392072.867175: Selected etype info: etype des-cbc-crc, salt "F21.TESTafsf21test", params ""
[28636] 1416392072.867193: Received cookie: MIT
[28636] 1416392072.867234: Retrieving afs/f21test@F21.TEST from FILE:/tmp/afs.keytab (vno 0, enctype des-cbc-crc) with result: 0/Success
[28636] 1416392072.867264: AS key obtained for encrypted timestamp: des-cbc-crc/0BE8
[28636] 1416392072.867304: Encrypted timestamp (for 1416392072.867050): plain 301AA011180F32303134313131393130313433325AA10502030D3AEA, encrypted 1C567557D395C0639CB417EE90C08CD41E4829D910166D62ACEDCC2168C23BAD8C70DFE4CD533A81
[28636] 1416392072.867331: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[28636] 1416392072.867349: Produced preauth for next request: 133, 2
[28636] 1416392072.867372: Sending request (252 bytes) to F21.TEST
[28636] 1416392072.867416: Sending initial UDP request to dgram 192.168.5.169:88
[28636] 1416392072.946260: Received answer (649 bytes) from dgram 192.168.5.169:88
[28636] 1416392072.946391: Response was from master KDC
[28636] 1416392072.946485: Processing preauth types: 19
[28636] 1416392072.946542: Selected etype info: etype des-cbc-crc, salt "F21.TESTafsf21test", params ""
[28636] 1416392072.946593: Produced preauth for next request: (empty)
[28636] 1416392072.946626: AS key determined by preauth: des-cbc-crc/0BE8
[28636] 1416392072.946688: Decrypted AS reply; session key is: des-cbc-crc/9B41
[28636] 1416392072.946727: FAST negotiation: available
[28636] 1416392072.946793: Initializing FILE:/tmp/afs.ccache with default princ afs/f21test@F21.TEST
[28636] 1416392072.947118: Removing afs/f21test@F21.TEST -> krbtgt/F21.TEST@F21.TEST from FILE:/tmp/afs.ccache
[28636] 1416392072.947146: Storing afs/f21test@F21.TEST -> krbtgt/F21.TEST@F21.TEST in FILE:/tmp/afs.ccache
[28636] 1416392072.947187: Storing config in FILE:/tmp/afs.ccache for krbtgt/F21.TEST@F21.TEST: fast_avail: yes
[28636] 1416392072.947219: Removing afs/f21test@F21.TEST -> krb5_ccache_conf_data/fast_avail/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: from FILE:/tmp/afs.ccache
[28636] 1416392072.947240: Storing afs/f21test@F21.TEST -> krb5_ccache_conf_data/fast_avail/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: in FILE:/tmp/afs.ccache
[28636] 1416392072.947419: Storing config in FILE:/tmp/afs.ccache for krbtgt/F21.TEST@F21.TEST: pa_type: 2
[28636] 1416392072.947458: Removing afs/f21test@F21.TEST -> krb5_ccache_conf_data/pa_type/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: from FILE:/tmp/afs.ccache
[28636] 1416392072.947480: Storing afs/f21test@F21.TEST -> krb5_ccache_conf_data/pa_type/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: in FILE:/tmp/afs.ccache
[root@master ~]# KRB5_TRACE=/dev/stderr KRB5CCNAME=/tmp/afs.ccache klist -edf
Ticket cache: FILE:/tmp/afs.ccache
Default principal: afs/f21test@F21.TEST

Valid starting     Expires            Service principal
11/19/14 12:14:32  11/20/14 12:14:32  krbtgt/F21.TEST@F21.TEST
	Flags: FIA, Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96

KDC logs show this:
Nov 19 12:25:57 master.f21.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.168.5.169: NEEDED_PREAUTH: afs/f21test@F21.TEST for krbtgt/F21.TEST@F21.TEST, Additional pre-authentication required
Nov 19 12:25:57 master.f21.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.168.5.169: ISSUE: authtime 1416392757, etypes {rep=1 tkt=18 ses=1}, afs/f21test@F21.TEST for krbtgt/F21.TEST@F21.TEST

My /etc/krb5.conf has
[libdefaults]
 allow_weak_crypto = true
 permitted_enctypes = DEFAULT +des
 supported_enctypes = DEFAULT +des

We can handle the weak types' response TGT after the F21 release; this is
certainly not limiting.

I've tried with older ipa-getkeytab and it fell back to the pre-4.0
method as expected.

Regarding the patchset itself:

Patch 0001: fix 'wuld' in the commit message. The rest is fine.

Patch 0002:
 - the ticket number is missing from the commit message
 - perhaps the instructions on how to regenerate the asn1 code could be made
   a Makefile target? We don't need to call it ourselves, but this would
   simplify things in future
 - I'm a little uncomfortable that ASN_DEBUG() output goes explicitly to
   stderr, but I guess this is something we currently cannot override
   with DS-specific log printing, so no big deal right now
 - is there any specific need to get asn1/compile committed? We don't commit it
   in the client code (ipa-client/compile).

Patch 0003: OK


-- 
/ Alexander Bokovoy
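Added example, not part of this thread and not FreeIPA or MIT krb5 code: a small Python checker for the two artefacts quoted in the message above, the krb5kdc ISSUE line (where etypes {rep=.. tkt=.. ses=..} record, respectively, the enctype of the reply's encrypted part, the enctype the ticket itself is encrypted in, and the session key enctype) and the klist -e "Etype (skey, tkt)" line. It parses both, maps the numeric enctypes the KDC logs to names using the RFC 3961 / MIT krb5 assignments, and flags any single-DES enctype, so a log pipeline can spot DES-keyed principals or DES session keys that allow_weak_crypto = true lets through. The NEEDED_PREAUTH and ISSUE log lines and the klist output are copied from the message; the third log line, with a host/ principal, is constructed for the example.

```python
"""Flag weak (single-DES) Kerberos enctypes in krb5kdc log lines and klist -e output.

Added example for this thread; not FreeIPA or MIT krb5 code. The first two
log lines and the klist text below are from the message above; the third log
line is constructed.
"""
import re

# Enctype numbers as assigned in RFC 3961 and printed by the MIT KDC log.
ENCTYPES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}
# Single-DES enctypes: MIT krb5 refuses them unless allow_weak_crypto = true.
WEAK_ENCTYPES = {1, 2, 3}
WEAK_NAMES = {ENCTYPES[n] for n in WEAK_ENCTYPES}

# krb5kdc ISSUE line:
# "<REQ> (<n> etypes {..}) <ip>: ISSUE: authtime <t>, etypes {rep=A tkt=B ses=C}, <client> for <server>"
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<n>\d+) etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<ip>\S+): ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)"
)
# klist -e credential detail line: "Etype (skey, tkt): <session enctype>, <ticket enctype>"
KLIST_ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (?P<skey>\S+), (?P<tkt>\S+)")


def enctype_name(num):
    return ENCTYPES.get(num, "unknown(%d)" % num)


def parse_issue(line):
    """Return a dict for a krb5kdc ISSUE line, or None for any other line."""
    m = ISSUE_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "request": d["req"],
        "client_ip": d["ip"],
        "offered": [int(x) for x in d["offered"].split()],  # etypes the client offered
        "rep": int(d["rep"]),  # enctype of the reply's encrypted part (client's key)
        "tkt": int(d["tkt"]),  # enctype the ticket is encrypted in (service's key)
        "ses": int(d["ses"]),  # session key enctype
        "client": d["client"],
        "server": d["server"],
    }


def weak_findings(rec):
    """(field, enctype name) for each of rep/tkt/ses that uses a single-DES enctype."""
    return [(f, enctype_name(rec[f])) for f in ("rep", "tkt", "ses") if rec[f] in WEAK_ENCTYPES]


def scan_kdc_log(lines):
    """(client, server, findings) for every ISSUE line that involved a weak enctype."""
    results = []
    for line in lines:
        rec = parse_issue(line)
        if rec is not None:
            findings = weak_findings(rec)
            if findings:
                results.append((rec["client"], rec["server"], findings))
    return results


def parse_klist_etypes(text):
    """(service principal, session key enctype, ticket enctype) per credential in klist -e output."""
    entries = []
    service = None
    for line in text.splitlines():
        parts = line.split()
        # Credential row: "<start date> <start time>  <expiry date> <expiry time>  <service>"
        if len(parts) == 5 and parts[0][:1].isdigit():
            service = parts[4]
            continue
        m = KLIST_ETYPE_RE.search(line)
        if m is not None and service is not None:
            entries.append((service, m.group("skey"), m.group("tkt")))
    return entries


def weak_ccache_entries(entries):
    return [e for e in entries if e[1] in WEAK_NAMES or e[2] in WEAK_NAMES]


# First two lines: from the message above. Third line: constructed for this example.
SAMPLE_KDC_LOG = [
    "Nov 19 12:25:57 master.f21.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.168.5.169: NEEDED_PREAUTH: afs/f21test@F21.TEST for krbtgt/F21.TEST@F21.TEST, Additional pre-authentication required",
    "Nov 19 12:25:57 master.f21.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.168.5.169: ISSUE: authtime 1416392757, etypes {rep=1 tkt=18 ses=1}, afs/f21test@F21.TEST for krbtgt/F21.TEST@F21.TEST",
    "Nov 19 12:26:10 master.f21.test krb5kdc[28713](info): AS_REQ (2 etypes {18 17}) 192.168.5.169: ISSUE: authtime 1416392770, etypes {rep=18 tkt=18 ses=18}, host/f21test.f21.test@F21.TEST for krbtgt/F21.TEST@F21.TEST",
]
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/afs.ccache
Default principal: afs/f21test@F21.TEST

Valid starting     Expires            Service principal
11/19/14 12:14:32  11/20/14 12:14:32  krbtgt/F21.TEST@F21.TEST
\tFlags: FIA, Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for client, server, findings in scan_kdc_log(SAMPLE_KDC_LOG):
        print("WEAK: %s -> %s: %s" % (client, server, ", ".join("%s=%s" % f for f in findings)))
    for service, skey, tkt in weak_ccache_entries(parse_klist_etypes(SAMPLE_KLIST)):
        print("WEAK: ccache %s skey=%s tkt=%s" % (service, skey, tkt))
```

On the message's own data the checker reports rep and ses as des-cbc-crc for the afs/f21test TGT and leaves tkt alone (it is aes256, the krbtgt key's enctype); the klist line gives the same picture from the client side, since "skey, tkt" there corresponds to ses and tkt in the KDC log. The NEEDED_PREAUTH line is ignored because it is not an ISSUE line.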