[Freeipa-users] Kerberos Tickets/kinit using Cygwin on Windows

Sumit Bose sbose at redhat.com
Wed Jan 7 19:21:00 UTC 2015


On Wed, Jan 07, 2015 at 01:22:36PM -0500, Brad House wrote:
> I have a need to 'kinit' from within a cygwin environment in order to
> perform an svn checkout over ssh.  However, I can't figure out how to
> get this to work properly with FreeIPA.  We had a MIT kerberos/
> OpenLDAP authentication system prior to using FreeIPA and we had it
> working there.
> 
> The windows machine itself is kerberized as per
> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
> so I can log in using the kerberos user via the standard windows login,
> however I don't believe that is relevant to cygwin since it uses its own
> config.
> 
> Next, I generated an /etc/krb5.conf file within cygwin as appropriate
> for my domain (DNS SRV records don't appear to work so I had to fully
> configure it with my ipa servers listed, etc ... which is basically
> an identical config just with some new URLs to what was previously
> working).  It was derived originally from here:
> http://computing.fnal.gov/authentication/krb5conf/Windows/krb5.conf
> Also, the cygwin /etc/krb5.keytab is what was generated via ipa-getkeytab
> from the FreeIPA windows config docs (linked earlier).
> 
> Initially I received these errors:
> Jan 07 11:42:45 ipa1.XXXX krb5kdc[31975](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: BAD_ENCRYPTION_TYPE: bhouse at XXXX for krbtgt/XXXX at XXXX, KDC has no support for encryption type
> 
> It appeared the kerberos within cygwin is only advertising des encryption
> types even though stronger ones are configured in my krb5.conf.
> 
> Ok, so I allowed weak crypto to the krb5kdc on the freeipa server following
> the same procedure as from this mailing list entry (which was for a different
> purpose):
> https://www.redhat.com/archives/freeipa-users/2014-November/msg00246.html
> Which appears similar to the NFS workarounds but also includes modifications
> for krb5kdc.conf:
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/kerb-nfs.html
> 
> Now I'm receiving these errors in the logs:
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32006](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
> Jan 07 12:39:30 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response

Looks like the client is resending an AS_REQ without proper pre-auth
data. Which version of Cygwin are you using? Can you check with
'klist -V' which Kerberos version is used?

bye,
Sumit
> 
> And on the cygwin console I get:
> $ kinit bhouse
> Password for bhouse at XXXX:
> kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials
> 
> So I think this is _better_, however I don't know where to go from here.
> 
> Any help would be greatly appreciated, I'm not finding anything when trying to research
> cygwin with FreeIPA.
> 
> Thanks!
> -Brad
> 
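The KDC lines quoted in this thread show two things a FreeIPA admin would want to spot in krb5kdc.log without reading it by hand: a client whose AS_REQ offers only DES etypes (`{3 1}`), which is what prompted the allow-weak-crypto workaround, and a client stuck in the retransmit path that matches the "Looping detected inside krb5_get_in_tkt" error on the kinit side. The following is an added example, not code from the thread, FreeIPA or MIT Kerberos. It assumes the krb5kdc log format seen in the quoted lines; the sample lines are constructed for the example, reuse the thread's XXXX placeholders with `@` restored in principals, and the retransmit threshold of 3 is an arbitrary choice. Etype numbers are the standard RFC 3961/IANA assignments.

```python
import re
from collections import Counter

# Constructed sample, modelled on the krb5kdc lines quoted in the thread.
# The last line (a healthy AES client from another constructed address) is
# there so the checks have something to leave alone.
SAMPLE_LOG = """\
Jan 07 11:42:45 ipa1.XXXX krb5kdc[31975](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: BAD_ENCRYPTION_TYPE: bhouse@XXXX for krbtgt/XXXX@XXXX, KDC has no support for encryption type
Jan 07 12:39:29 ipa1.XXXX krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse@XXXX for krbtgt/XXXX@XXXX, Additional pre-authentication required
Jan 07 12:39:29 ipa1.XXXX krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.XXXX krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:39:29 ipa1.XXXX krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 12:40:02 ipa1.XXXX krb5kdc[32005](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 10.100.10.57: ISSUE: authtime 1420634402, etypes {rep=18 tkt=18 ses=18}, alice@XXXX for krbtgt/XXXX@XXXX
"""

# RFC 3961 / IANA etype numbers (subset) so findings name what was offered.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192", 23: "arcfour-hmac",
    24: "arcfour-hmac-exp", 25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}
# Single-DES and export RC4: the types a KDC refuses unless allow_weak_crypto
# is switched on, which is exactly the workaround the thread resorted to.
WEAK_ETYPES = {1, 2, 3, 24}

# Assumed log shapes, taken from the quoted lines (IPv4 client addresses).
AS_REQ_RE = re.compile(r"AS_REQ \((\d+) etypes \{([\d ]*)\}\) (\S+?): (\w+):")
RETRANS_RE = re.compile(r"DISPATCH: repeated \(retransmitted\?\) request from (\S+?),")


def parse_kdc_log(text):
    """Turn krb5kdc.log lines into event dicts; lines not modelled here are skipped."""
    events = []
    for line in text.splitlines():
        m = AS_REQ_RE.search(line)
        if m:
            etypes = [int(e) for e in m.group(2).split()]
            events.append({"kind": "AS_REQ", "client": m.group(3),
                           "etypes": etypes, "status": m.group(4)})
            continue
        m = RETRANS_RE.search(line)
        if m:
            events.append({"kind": "RETRANSMIT", "client": m.group(1)})
    return events


def weak_only_clients(events):
    """Clients whose AS_REQs offered nothing but weak etypes, with the names offered.

    Fixing the client's enctype list is the right remedy; loosening the KDC is not."""
    out = {}
    for ev in events:
        if ev["kind"] != "AS_REQ" or not ev["etypes"]:
            continue
        if all(e in WEAK_ETYPES for e in ev["etypes"]):
            names = out.setdefault(ev["client"], set())
            names.update(ETYPE_NAMES.get(e, f"etype-{e}") for e in ev["etypes"])
    return {ip: sorted(names) for ip, names in out.items()}


def retransmit_counts(events, threshold=3):
    """Clients that hit the KDC's retransmit path at least `threshold` times
    (threshold is an assumption): the server-side trace of a kinit preauth loop."""
    counts = Counter(ev["client"] for ev in events if ev["kind"] == "RETRANSMIT")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def findings(text):
    """All three checks over one log text, keyed by finding type."""
    events = parse_kdc_log(text)
    return {
        "weak_only": weak_only_clients(events),
        "looping": retransmit_counts(events),
        "bad_etype": sorted({ev["client"] for ev in events
                             if ev["kind"] == "AS_REQ"
                             and ev["status"] == "BAD_ENCRYPTION_TYPE"}),
    }


if __name__ == "__main__":
    for key, value in findings(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real krb5kdc.log on the IPA server, a client appearing under `weak_only` is the one whose krb5.conf (or Kerberos build) needs attention, and a client under both `weak_only` and `looping` matches the pattern in this thread: the KDC keeps answering NEEDED_PREAUTH while the client keeps resending the same request.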