[Freeipa-devel] [PATCHES] Fix getkeytab operation

Simo Sorce simo at redhat.com
Wed Nov 19 13:05:34 UTC 2014


On Wed, 19 Nov 2014 12:53:01 +0200
Alexander Bokovoy <abokovoy at redhat.com> wrote:

> On Tue, 18 Nov 2014, Simo Sorce wrote:
> >On Tue, 18 Nov 2014 15:01:15 -0500
> >Nathaniel McCallum <npmccallum at redhat.com> wrote:
> >
> >> As I see it, we're setting out a new precedent. All new ASN.1 code
> >> will take this route (which is, indeed, better). So while it is
> >> small now, it won't stay small forever. Being that we are in the
> >> business of routinely handling ASN.1 stuff, this seems to me like
> >> a sensible architecture for the future.
> >
> >Ok, I think I should have fixed all the issues you brought up.
> >
> >And my tests still work fine :)
> Works fine. However, I'm getting the wrong TGT enctype back from the KDC
> when I try to obtain a TGT with a des-cbc-crc key:
> 
> [root at master ~]# ipa host-add --force f21test.f21.test
> -----------------------------
> Added host "f21test.f21.test"
> -----------------------------
>   Host name: f21test.f21.test
>   Principal name: host/f21test.f21.test at F21.TEST
>   Password: False
>   Keytab: False
>   Managed by: f21test.f21.test
> [root at master ~]# ipa service-add --force afs/f21test
> ------------------------------------
> Added service "afs/f21test at F21.TEST"
> ------------------------------------
>   Principal: afs/f21test at F21.TEST
>   Managed by: f21test.f21.test
> [root at master ~]# ipa-getkeytab -s `hostname` -p afs/f21test -k /tmp/afs.keytab -e des-cbc-crc:v4 -P
> New Principal Password: 
> Verify Principal Password: 
> Keytab successfully retrieved and stored in: /tmp/afs.keytab
> [root at master ~]# klist -kt /tmp/afs.keytab  -K -e
> Keytab name: FILE:/tmp/afs.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    1 11/19/14 12:13:01 afs/f21test at F21.TEST (des-cbc-crc) (0xea1a0b29152cb383)

The key is des-cbc-crc

> 
> [root at master ~]# KRB5_TRACE=/dev/stderr KRB5CCNAME=/tmp/afs.ccache kinit -kt /tmp/afs.keytab afs/f21test
> [28636] 1416392072.862773: Getting initial credentials for afs/f21test at F21.TEST
> [28636] 1416392072.864408: Looked up etypes in keytab: des-cbc-crc
> [28636] 1416392072.864522: Sending request (175 bytes) to F21.TEST
> [28636] 1416392072.865127: Sending initial UDP request to dgram 192.168.5.169:88
> [28636] 1416392072.866958: Received answer (283 bytes) from dgram 192.168.5.169:88
> [28636] 1416392072.867028: Response was from master KDC
> [28636] 1416392072.867088: Received error from KDC: -1765328359/Additional pre-authentication required
> [28636] 1416392072.867140: Processing preauth types: 136, 19, 2, 133
> [28636] 1416392072.867175: Selected etype info: etype des-cbc-crc, salt "F21.TESTafsf21test", params ""
> [28636] 1416392072.867193: Received cookie: MIT
> [28636] 1416392072.867234: Retrieving afs/f21test at F21.TEST from FILE:/tmp/afs.keytab (vno 0, enctype des-cbc-crc) with result: 0/Success
> [28636] 1416392072.867264: AS key obtained for encrypted timestamp: des-cbc-crc/0BE8
> [28636] 1416392072.867304: Encrypted timestamp (for 1416392072.867050): plain 301AA011180F32303134313131393130313433325AA10502030D3AEA, encrypted 1C567557D395C0639CB417EE90C08CD41E4829D910166D62ACEDCC2168C23BAD8C70DFE4CD533A81
> [28636] 1416392072.867331: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [28636] 1416392072.867349: Produced preauth for next request: 133, 2
> [28636] 1416392072.867372: Sending request (252 bytes) to F21.TEST
> [28636] 1416392072.867416: Sending initial UDP request to dgram 192.168.5.169:88
> [28636] 1416392072.946260: Received answer (649 bytes) from dgram 192.168.5.169:88
> [28636] 1416392072.946391: Response was from master KDC
> [28636] 1416392072.946485: Processing preauth types: 19
> [28636] 1416392072.946542: Selected etype info: etype des-cbc-crc, salt "F21.TESTafsf21test", params ""
> [28636] 1416392072.946593: Produced preauth for next request: (empty)
> [28636] 1416392072.946626: AS key determined by preauth: des-cbc-crc/0BE8
> [28636] 1416392072.946688: Decrypted AS reply; session key is: des-cbc-crc/9B41
> [28636] 1416392072.946727: FAST negotiation: available
> [28636] 1416392072.946793: Initializing FILE:/tmp/afs.ccache with default princ afs/f21test at F21.TEST
> [28636] 1416392072.947118: Removing afs/f21test at F21.TEST -> krbtgt/F21.TEST at F21.TEST from FILE:/tmp/afs.ccache
> [28636] 1416392072.947146: Storing afs/f21test at F21.TEST -> krbtgt/F21.TEST at F21.TEST in FILE:/tmp/afs.ccache
> [28636] 1416392072.947187: Storing config in FILE:/tmp/afs.ccache for krbtgt/F21.TEST at F21.TEST: fast_avail: yes
> [28636] 1416392072.947219: Removing afs/f21test at F21.TEST -> krb5_ccache_conf_data/fast_avail/krbtgt\/F21.TEST\@F21.TEST at X-CACHECONF: from FILE:/tmp/afs.ccache
> [28636] 1416392072.947240: Storing afs/f21test at F21.TEST -> krb5_ccache_conf_data/fast_avail/krbtgt\/F21.TEST\@F21.TEST at X-CACHECONF: in FILE:/tmp/afs.ccache
> [28636] 1416392072.947419: Storing config in FILE:/tmp/afs.ccache for krbtgt/F21.TEST at F21.TEST: pa_type: 2
> [28636] 1416392072.947458: Removing afs/f21test at F21.TEST -> krb5_ccache_conf_data/pa_type/krbtgt\/F21.TEST\@F21.TEST at X-CACHECONF: from FILE:/tmp/afs.ccache
> [28636] 1416392072.947480: Storing afs/f21test at F21.TEST -> krb5_ccache_conf_data/pa_type/krbtgt\/F21.TEST\@F21.TEST at X-CACHECONF: in FILE:/tmp/afs.ccache
> [root at master ~]# KRB5_TRACE=/dev/stderr KRB5CCNAME=/tmp/afs.ccache klist -edf
> Ticket cache: FILE:/tmp/afs.ccache
> Default principal: afs/f21test at F21.TEST
> 
> Valid starting     Expires            Service principal
> 11/19/14 12:14:32  11/20/14 12:14:32  krbtgt/F21.TEST at F21.TEST
> 	Flags: FIA, Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96 

Look carefully, you got des-cbc-crc just fine, the tkt enctype is
aes256-cts-hmac-sha1-96 and that does not depend on how getkeytab works,
as it is negotiated at runtime by the KDC.

I.E. if it is a problem it is not one of getkeytab, but we'll have to
look elsewhere.

> KDC logs show this:
> Nov 19 12:25:57 master.f21.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.168.5.169: NEEDED_PREAUTH: afs/f21test at F21.TEST for krbtgt/F21.TEST at F21.TEST, Additional pre-authentication required
> Nov 19 12:25:57 master.f21.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.168.5.169: ISSUE: authtime 1416392757, etypes {rep=1 tkt=18 ses=1}, afs/f21test at F21.TEST for krbtgt/F21.TEST at F21.TEST
> 
> My /etc/krb5.conf has
> [libdefaults]
>  allow_weak_crypto = true
>  permitted_enctypes = DEFAULT +des
>  supported_enctypes = DEFAULT +des
> 
> We can handle weak types' response TGT after F21 release, this is
> certainly not limiting.
> 
> I've tried with older ipa-getkeytab and it fell back to the pre-4.0
> method as expected.
> 
> Regarding the patchset itself:
> 
> Patch 0001: fix 'wuld' in the commit message. The rest is fine.
> 
> Patch 0002:
>  - ticket number is missing in the commit message

Well this commit does not solve any ticket in itself, it just adds the
library; it is the next one that uses it, but I guess I can repeat the
numbers in both commits.

>  - perhaps, an instruction how to regenerate asn1 code can be made a
>    Makefile target? We don't need to call it ourselves but this would
>    simplify things in future

I had put it in the README, will see to put it in Makefile I guess

>  - I'm a little uncomfortable with how ASN_DEBUG() output goes explicitly to
>    stderr, but I guess this is something we currently cannot override
>    with DS-specific log printing, so no big deal right now

Yeah, there may be a way to override, but I had no time to look
carefully into it.

>  - any specific need to get asn1/compile committed? We don't commit it
>    in the client code (ipa-client/compile).

Uh, no I committed this one in error, thanks for spotting it.

> Patch 0003: OK

Will provide another round soon.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
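The point Simo makes above, that the reply and session keys follow the client's keytab enctype while the ticket enctype is chosen by the KDC from the krbtgt key, can be checked directly against the `krb5kdc` ISSUE line Alexander quoted: `rep=1 ses=1` are des-cbc-crc, `tkt=18` is aes256-cts-hmac-sha1-96, which is exactly what `klist -e` then shows as `Etype (skey, tkt)`. The following is an added example, not code from this thread or from FreeIPA; it parses such log lines with a constructed sample patterned on the quoted log, decodes the IANA enctype numbers, and reports which of the three keys fall under the weak (single-DES) types that `allow_weak_crypto` gates. The function and variable names are this example's own.

```python
import re

# Kerberos enctype numbers as registered with IANA (RFC 3961, RFC 3962, RFC 6803);
# the table covers every number that appears in the KDC log quoted in the thread.
ENCTYPES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}

# Single-DES types: the ones a client or KDC only uses with allow_weak_crypto = true.
WEAK_ENCTYPES = {1, 2, 3}

# Shape of an MIT krb5kdc "ISSUE" line for an AS_REQ, as in the quoted log.
ISSUE_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<req>[\d ]+)\}\) (?P<client>\S+): ISSUE: "
    r"authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<princ>\S+) for (?P<server>\S+)"
)


def enctype_name(number):
    """Map an enctype number to its name; unknown numbers come back as etype-N."""
    return ENCTYPES.get(number, f"etype-{number}")


def parse_issue(line):
    """Parse one krb5kdc ISSUE line into a dict; return None for any other line
    (NEEDED_PREAUTH, TGS_REQ, ...)."""
    m = ISSUE_RE.search(line)
    if m is None:
        return None
    return {
        "client": m["client"],
        "principal": m["princ"],
        "server": m["server"],
        "requested": [int(n) for n in m["req"].split()],
        # rep: enctype of the key the AS-REP is encrypted in (the client's own key,
        #      so it follows what ipa-getkeytab put in the keytab)
        # tkt: enctype of the key the ticket is encrypted in (the service's key,
        #      krbtgt here, so the KDC picks it regardless of the client's keytab)
        # ses: enctype of the session key shared by client and service
        "rep": int(m["rep"]),
        "tkt": int(m["tkt"]),
        "ses": int(m["ses"]),
    }


def describe(issue):
    """Enctype names for the three keys of an ISSUE record."""
    return {field: enctype_name(issue[field]) for field in ("rep", "tkt", "ses")}


def weak_fields(issue):
    """Which of rep/tkt/ses use a single-DES enctype."""
    return [field for field in ("rep", "tkt", "ses") if issue[field] in WEAK_ENCTYPES]


# Constructed sample lines patterned on the KDC log quoted in the thread
# (the '@' is written out here; the list archive rewrites it as ' at ').
SAMPLE_LOG = [
    "Nov 19 12:25:57 master.f21.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) "
    "192.168.5.169: NEEDED_PREAUTH: afs/f21test@F21.TEST for krbtgt/F21.TEST@F21.TEST, "
    "Additional pre-authentication required",
    "Nov 19 12:25:57 master.f21.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) "
    "192.168.5.169: ISSUE: authtime 1416392757, etypes {rep=1 tkt=18 ses=1}, "
    "afs/f21test@F21.TEST for krbtgt/F21.TEST@F21.TEST",
]


def audit(lines):
    """One report per ISSUE line: who was issued what, and which keys are weak."""
    report = []
    for line in lines:
        issue = parse_issue(line)
        if issue is None:
            continue
        report.append({
            "principal": issue["principal"],
            "server": issue["server"],
            "enctypes": describe(issue),
            "weak": weak_fields(issue),
        })
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_LOG):
        print(entry)
```

Run against the sample, the ISSUE line reports `rep` and `ses` as des-cbc-crc and `tkt` as aes256-cts-hmac-sha1-96, so a DES-only keytab shows up as weak reply and session keys while the TGT itself stays AES-encrypted; running the same parser over a real `krb5kdc.log` is a quick way to find principals still authenticating with single-DES keys before `allow_weak_crypto` is turned off.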
