[Freeipa-users] Kerberos Tickets/kinit using Cygwin on Windows

Brad House brad at monetra.com
Wed Jan 7 18:22:36 UTC 2015


I have a need to 'kinit' from within a Cygwin environment in order to
perform an svn checkout over ssh.  However, I can't figure out how to
get this to work properly with FreeIPA.  We had an MIT Kerberos/
OpenLDAP authentication system prior to using FreeIPA and we had it
working there.

The Windows machine itself is kerberized as per
http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
so I can log in using the Kerberos user via the standard Windows login;
however, I don't believe that is relevant to Cygwin since it uses its own
config.

Next, I generated an /etc/krb5.conf file within Cygwin as appropriate
for my domain (DNS SRV records don't appear to work, so I had to fully
configure it with my IPA servers listed, etc. ... which is basically
an identical config to what was previously working, just with some new URLs).
It was derived originally from here:
http://computing.fnal.gov/authentication/krb5conf/Windows/krb5.conf
Also, the Cygwin /etc/krb5.keytab is what was generated via ipa-getkeytab
from the FreeIPA Windows config docs (linked earlier).

Initially I received these errors:
Jan 07 11:42:45 ipa1.XXXX krb5kdc[31975](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: BAD_ENCRYPTION_TYPE: bhouse at XXXX for krbtgt/XXXX at XXXX, KDC has no support for encryption type

It appeared the Kerberos within Cygwin is only advertising DES encryption
types even though stronger ones are configured in my krb5.conf.

OK, so I allowed weak crypto to the krb5kdc on the FreeIPA server, following
the same procedure as in this mailing list entry (which was for a different
purpose):
https://www.redhat.com/archives/freeipa-users/2014-November/msg00246.html
This appears similar to the NFS workarounds but also includes modifications
for krb5kdc.conf:
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/kerb-nfs.html

Now I'm receiving these errors in the logs:
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32006](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:30 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response

And on the Cygwin console I get:
$ kinit bhouse
Password for bhouse at XXXX:
kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials

So I think this is _better_, however I don't know where to go from here.

Any help would be greatly appreciated; I'm not finding anything when trying to research
Cygwin with FreeIPA.

Thanks!
-Brad
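The two symptoms above (a client offering only etypes {3 1}, i.e. single DES, and a flood of "repeated (retransmitted?) request" lines from one address) are both visible in the krb5kdc log, so they can be picked up automatically. The following is an added example, not part of the original post or of FreeIPA: it parses krb5kdc AS_REQ lines of the shape quoted above, flags requests that offer nothing but weak etypes, and reports clients whose retransmissions reach a threshold. The realm, hostnames, IPs and the LOOP_THRESHOLD value are constructed placeholders.

```python
import re
from collections import Counter

# Kerberos encryption type numbers (RFC 3961 / IANA registry).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}
WEAK_ETYPES = {1, 3}      # single DES; MIT krb5 disables these unless allow_weak_crypto = true
LOOP_THRESHOLD = 3        # assumed: retransmissions from one client before we call it a kinit loop

# Shape of the krb5kdc lines quoted in the post:
# "... AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: user@REALM for krbtgt/REALM@REALM, ..."
AS_REQ_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{([\d ]+)\}\) (\S+): (\w+): ([^,\s]+) for ([^,\s]+)")
RETRANSMIT_RE = re.compile(r"DISPATCH: repeated \(retransmitted\?\) request from ([^,\s]+)")

def parse_as_req(line):
    """Extract client IP, KDC status, principal and offered etypes from one AS_REQ log line."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    etypes = [int(e) for e in m.group(1).split()]
    return {"etypes": etypes, "client_ip": m.group(2), "status": m.group(3),
            "principal": m.group(4), "service": m.group(5),
            "weak_only": all(e in WEAK_ETYPES for e in etypes)}

def analyze_kdc_log(lines):
    """Return (weak-only findings, clients whose retransmission count reached LOOP_THRESHOLD)."""
    findings, retransmits = [], Counter()
    for line in lines:
        req = parse_as_req(line)
        if req and req["weak_only"]:
            names = ", ".join(ETYPE_NAMES.get(e, f"etype {e}") for e in req["etypes"])
            findings.append(f"{req['client_ip']} {req['principal']}: only weak etypes offered "
                            f"({names}), KDC answered {req['status']}")
        m = RETRANSMIT_RE.search(line)
        if m:
            retransmits[m.group(1)] += 1
    looping = sorted(ip for ip, n in retransmits.items() if n >= LOOP_THRESHOLD)
    return findings, looping

# Constructed sample log modelled on the post's lines; realm, hosts and addresses are placeholders.
SAMPLE_LOG = """\
Jan 07 11:42:45 ipa1.example.test krb5kdc[31975](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: BAD_ENCRYPTION_TYPE: bhouse@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, KDC has no support for encryption type
Jan 07 12:39:29 ipa1.example.test krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jan 07 12:39:29 ipa1.example.test krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.example.test krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:30 ipa1.example.test krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:40:02 ipa1.example.test krb5kdc[32005](info): AS_REQ (4 etypes {18 17 16 23}) 10.100.10.57: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
""".splitlines()
```

Running `analyze_kdc_log(SAMPLE_LOG)` reports the two DES-only requests from 10.100.10.112 and lists that address as stuck retransmitting, while the AES-capable client is left alone.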