[Freeipa-users] Kerberos Tickets/kinit using Cygwin on Windows

Brad House brad at monetra.com
Wed Jan 7 20:01:05 UTC 2015


On 01/07/2015 02:21 PM, Sumit Bose wrote:
> On Wed, Jan 07, 2015 at 01:22:36PM -0500, Brad House wrote:
>> I have a need to 'kinit' from within a cygwin environment in order to
>> perform an svn checkout over ssh.  However, I can't figure out how to
>> get this to work properly with FreeIPA.  We had a MIT kerberos/
>> OpenLDAP authentication system prior to using FreeIPA and we had it
>> working there.
>>
>> The windows machine itself is kerberized as per
>> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
>> so I can log in using the kerberos user via the standard windows login,
>> however I don't believe that is relevant to cygwin since it uses its own
>> config.
>>
>> Next, I generated an /etc/krb5.conf file within cygwin as appropriate
>> for my domain (DNS SRV records don't appear to work so I had to fully
>> configure it with my ipa servers listed, etc ... which is basically
>> an identical config just with some new URLs to what was previously
>> working).  It was derived originally from here:
>> http://computing.fnal.gov/authentication/krb5conf/Windows/krb5.conf
>> Also, the cygwin /etc/krb5.keytab is what was generated via ipa-getkeytab
>> from the FreeIPA windows config docs (linked earlier).
>>
>> Initially I received these errors:
>> Jan 07 11:42:45 ipa1.XXXX krb5kdc[31975](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: BAD_ENCRYPTION_TYPE: bhouse at XXXX for krbtgt/XXXX at XXXX, KDC has no support for encryption type
>>
>> It appeared the kerberos within cygwin is only advertising des encryption
>> types even though stronger ones are configured in my krb5.conf.
>>
>> Ok, so I allowed weak crypto to the krb5kdc on the freeipa server following
>> the same procedure as from this mailing list entry (which was for a different
>> purpose):
>> https://www.redhat.com/archives/freeipa-users/2014-November/msg00246.html
>> Which appears similar to the NFS workarounds but also includes modifications
>> for krb5kdc.conf:
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/kerb-nfs.html
>>
>> Now I'm receiving these errors in the logs:
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32006](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse at XXXX for krbtgt/XXXX at XXXX, Additional pre-authentication required
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
>> Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
>> Jan 07 12:39:30 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
>
> looks like the client is resending an AS_REQ without proper pre-auth
> data. Which version of cygwin are you using? Can you check with
> 'klist -V' which Kerberos version is used?
>
> bye,
> Sumit


Thanks for the reply Sumit, you provided me a clue where to look!

klist -V returned 'unknown option -- V'

I didn't even think to check to see if there was another kinit on the system.
It appears my predecessor had installed a private copy of kinit/klist/kdestroy/ssh
in /usr/local/bin that were ancient (and didn't document what he did).  Perhaps
the original version of cygwin didn't support kerberos properly.

After removing those, it works, and DNS SRV records work too. Geez, now I
feel silly.

Thanks!
-Brad


>>
>> And on the cygwin console I get:
>> $ kinit bhouse
>> Password for bhouse at XXXX:
>> kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials
>>
>> So I think this is _better_, however I don't know where to go from here.
>>
>> Any help would be greatly appreciated, I'm not finding anything when trying to research
>> cygwin with FreeIPA.
>>
>> Thanks!
>> -Brad
>>
>
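The thread's resolution is worth turning into a triage habit: the KDC log above carried two distinct signals (a client offering only single-DES etypes `{3 1}`, and a burst of retransmitted AS_REQs from one IP), and the first workaround, enabling weak crypto on the KDC, treated the symptom rather than the stale `kinit` that was the cause. The script below is an added example, not code from the thread or from FreeIPA; it parses krb5kdc `AS_REQ` and `DISPATCH` lines in the format quoted above (with `@` restored where the archive prints ` at `), flags clients that offer nothing but weak enctypes, and counts retransmit loops per client. The sample lines and the `EXAMPLE.TEST` realm are constructed; the enctype-number table is from RFC 3961/3962.

```python
"""Triage MIT krb5kdc log lines: weak-only enctype offers and retransmit loops.

Added example, not part of the freeipa-users thread or the FreeIPA project.
Assumes the krb5kdc AS_REQ / DISPATCH log format shown in the thread.
"""
import re
from collections import Counter

# Enctype ids as printed by krb5kdc (RFC 3961/3962 numbering).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# Single-DES types: MIT krb5 rejects them unless allow_weak_crypto = true.
WEAK_ETYPES = {1, 2, 3}

AS_REQ_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): AS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): (?P<client>.+?) for (?P<server>.+?), (?P<msg>.*)$"
)
RETRANS_RE = re.compile(
    r"DISPATCH: repeated \(retransmitted\?\) request from (?P<ip>\S+), resending previous response$"
)


def parse_line(line):
    """Return a dict for an AS_REQ or retransmit line, None for anything else."""
    m = AS_REQ_RE.search(line)
    if m:
        etypes = {int(x) for x in m.group("etypes").split()}
        return {"kind": "as_req", "ip": m.group("ip"), "status": m.group("status"),
                "client": m.group("client"), "etypes": etypes}
    m = RETRANS_RE.search(line)
    if m:
        return {"kind": "retransmit", "ip": m.group("ip")}
    return None


def analyze(lines):
    """Summarise weak-only clients, retransmit counts and AS_REQ status counts."""
    weak_only = {}          # ip -> set of etype ids offered
    retransmits = Counter()  # ip -> number of repeated requests
    statuses = Counter()     # AS_REQ status -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "retransmit":
            retransmits[rec["ip"]] += 1
            continue
        statuses[rec["status"]] += 1
        # Only flag when every offered etype is weak: a mixed offer still
        # lets the KDC pick a strong type.
        if rec["etypes"] and rec["etypes"] <= WEAK_ETYPES:
            weak_only.setdefault(rec["ip"], set()).update(rec["etypes"])
    return {"weak_only": weak_only, "retransmits": retransmits, "statuses": statuses}


def report(summary, retransmit_threshold=3):
    """Human-readable findings; the fix belongs on the client, not the KDC."""
    out = []
    for ip, etypes in sorted(summary["weak_only"].items()):
        names = ", ".join(ETYPE_NAMES.get(e, str(e)) for e in sorted(etypes))
        out.append(f"{ip}: offers only weak enctypes ({names}); "
                   "fix the client's Kerberos library rather than enabling allow_weak_crypto")
    for ip, n in summary["retransmits"].most_common():
        if n >= retransmit_threshold:
            out.append(f"{ip}: {n} retransmitted AS_REQs; client is looping on pre-auth "
                       "(check which kinit is first on its PATH)")
    return out


# Constructed sample lines modelled on the thread's log excerpt.
SAMPLE_LOG = [
    "Jan 07 11:42:45 ipa1.example.test krb5kdc[31975](info): AS_REQ (2 etypes {3 1}) "
    "10.100.10.112: BAD_ENCRYPTION_TYPE: bhouse@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, "
    "KDC has no support for encryption type",
    "Jan 07 12:39:29 ipa1.example.test krb5kdc[32006](info): AS_REQ (2 etypes {3 1}) "
    "10.100.10.112: NEEDED_PREAUTH: bhouse@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, "
    "Additional pre-authentication required",
] + [
    "Jan 07 12:39:29 ipa1.example.test krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) "
    "request from 10.100.10.112, resending previous response"
] * 5 + [
    "Jan 07 12:40:01 ipa1.example.test krb5kdc[32005](info): AS_REQ (4 etypes {18 17 16 23}) "
    "10.100.10.50: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, "
    "Additional pre-authentication required",
]

if __name__ == "__main__":
    for finding in report(analyze(SAMPLE_LOG)):
        print(finding)
```

Run against a real `/var/log/krb5kdc.log` by reading its lines into `analyze()`. The retransmit threshold is a rough heuristic for the "Looping detected inside krb5_get_in_tkt" pattern; a single duplicate is ordinary UDP behaviour, a dozen in one second from one host is a client bug.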