• kinit without dns

    From Michael B Allen@ioplex@gmail.com to kerberos on Wed Jan 24 14:45:11 2024
    From Newsgroup: comp.protocols.kerberos

    Hello,

    I use linux almost exclusively for everything.
    DNS points to my Internet router.
    However, I also have VMs running AD and various Windows instances just
    for testing my software.
    All of these test hosts use AD for DNS which forwards to said Internet router.

    If I use the following krb5.conf with MIT krb5 packages on CentOS:

    [libdefaults]
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt

    [realms]
    GOGO.LOCO = {
    kdc = dc1.gogo.loco
    }

    where dc1.gogo.loco is AD, trying to run kinit fails:

    $ kinit -k -t java31.keytab 'java31$@GOGO.LOCO'
    kinit: Pre-authentication failed: Invalid argument while getting
    initial credentials

    Looking at the network shows:

    Protocol Length Info
    DNS 80 Standard query 0xd8af A dc1.gogo.loco
    DNS 96 Standard query response 0xd8af A dc1.gogo.loco A 10.15.15.22
    KRB5 221 AS-REQ
    KRB5 234 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
    DNS 79 Standard query 0x314d URI _kerberos.GOGO.LOCO
    DNS 154 Standard query response 0x314d No such name URI
    _kerberos.GOGO.LOCO SOA a.root-servers.net
    DNS 91 Standard query 0xfc89 SRV _kerberos-master._udp.GOGO.LOCO
    DNS 166 Standard query response 0xfc89 No such name SRV _kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net
    DNS 91 Standard query 0xe601 SRV _kerberos-master._tcp.GOGO.LOCO
    DNS 166 Standard query response 0xe601 No such name SRV _kerberos-master._tcp.GOGO.LOCO SOA a.root-servers.net
    DNS 79 Standard query 0x37d8 URI _kerberos.GOGO.LOCO
    DNS 154 Standard query response 0x37d8 No such name URI
    _kerberos.GOGO.LOCO SOA a.root-servers.net
    DNS 91 Standard query 0x54e2 SRV _kerberos-master._udp.GOGO.LOCO
    DNS 166 Standard query response 0x54e2 No such name SRV _kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net
    DNS 91 Standard query 0xc1d3 SRV _kerberos-master._tcp.GOGO.LOCO
    DNS 166 Standard query response 0xc1d3 No such name SRV _kerberos-master._tcp.GOGO.LOCO SOA a.root-servers.net

    As you can see, kinit successfully communicates with the KDC but then
    fails over to querying DNS to find one.

    Is there any way to get kinit to work without DNS?

    Temporarily hacking my prod machines to use DNS for test machines is not ideal.

    Ideas?

    Mike
    --
    Michael B Allen
    Java AD DS Integration
    https://www.ioplex.com/
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Ken Hornstein@kenh@cmf.nrl.navy.mil to Michael B Allen on Wed Jan 24 15:34:22 2024
    From Newsgroup: comp.protocols.kerberos

    You MIGHT be better served by turning on Kerberos tracing to see what the library is doing. Prefixing that kinit with:

    env KRB5_TRACE=/dev/stdout

    would be useful. However, assuming these are in order ...

    > Protocol Length Info
    > DNS 80 Standard query 0xd8af A dc1.gogo.loco
    > DNS 96 Standard query response 0xd8af A dc1.gogo.loco A 10.15.15.22
    > KRB5 221 AS-REQ
    > KRB5 234 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED

    This looks like the basic exchange with the KDC did not do any DNS lookups (other than the hostname).

    > DNS 79 Standard query 0x314d URI _kerberos.GOGO.LOCO
    > DNS 154 Standard query response 0x314d No such name URI
    > _kerberos.GOGO.LOCO SOA a.root-servers.net
    > DNS 91 Standard query 0xfc89 SRV _kerberos-master._udp.GOGO.LOCO
    > DNS 166 Standard query response 0xfc89 No such name SRV _kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net

    This looks like it is trying to find the name of the primary KDC. You could put a line "master_kdc = dc1.gogo.loco" under the [realms] stanza and I
    believe it would suppress these lookups (the preferred relation name was changed to "primary_kdc" in 1.19 but it is still supposed to fall back
    to the older name). I think that should get rid of all of the lookups I see (I believe the PREAUTH_REQUIRED error makes it want to find the
    primary KDC).

    --Ken
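The realm stanza Ken describes, written out as an added example (not configuration from the thread or from MIT krb5's own documentation). It names the primary KDC under both the current and the pre-1.19 relation names; the two libdefaults settings `dns_lookup_kdc` and `dns_uri_lookup` are my addition beyond Ken's suggestion and disable the SRV and URI discovery altogether, which is only safe when every realm in use has an explicit `kdc` entry. Note that, as the rest of the thread shows, silencing the lookups does not by itself fix the pre-authentication failure; it just keeps the library from chasing DNS after the KDC replies.

```ini
[libdefaults]
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    ; Added settings: do not consult DNS SRV or URI records for KDCs at all.
    ; With these off, every realm must list its KDCs explicitly below.
    dns_lookup_kdc = false
    dns_uri_lookup = false

[realms]
    GOGO.LOCO = {
        kdc = dc1.gogo.loco
        ; Naming the primary KDC keeps the library from querying
        ; _kerberos-master._udp/_tcp SRV records after it receives
        ; KRB5KDC_ERR_PREAUTH_REQUIRED and wants to retry against the primary.
        primary_kdc = dc1.gogo.loco
        ; Older spelling of the same relation, honoured by releases before 1.19.
        master_kdc = dc1.gogo.loco
    }
```

To confirm the effect, rerun the same kinit with `KRB5_TRACE=/dev/stderr` set and check that the trace shows "Resolving hostname dc1.gogo.loco" but no SRV or URI lookups; a packet capture should likewise show only the A query for the KDC hostname.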
  • From Michael B Allen@ioplex@gmail.com to kerberos on Wed Jan 24 16:09:19 2024
    From Newsgroup: comp.protocols.kerberos

    On Wed, Jan 24, 2024 at 3:34 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:

    > You MIGHT be better served by turning on Kerberos tracing to see what the library is doing. Prefixing that kinit with:
    >
    > env KRB5_TRACE=/dev/stdout
    >
    > would be useful.

    Hi Ken,

    Indeed. Unfortunately my stock packages on CentOS 9 Stream are 1.21
    but the KRB5_TRACE feature was introduced in 1.9.

    At any rate, of course I figured out the problem right after posting this ...

    Even though the following AD account attribute was set to:

    msDS-SupportedEncryptionTypes: 0x8 (AES128_CTS_HMAC_SHA1_96)

    apparently this is not applicable to getting a TGT.
    I noticed the AP-REQ KRB5KDC_ERR_PREAUTH_REQUIRED PA-DATA listed
    AES256 as the etype.
    My keytab only had an AES128 key.
    Changing the key to AES256 fixed the issue and kinit now runs
    successfully (without modifying DNS since dc1.gogo.loco is listed in
    router DNS proxy local tables).
    ^^^TLDR

    So I guess the "Invalid argument" was that there was no key matching
    the desired etype.
    It probably didn't help that there was obviously an AES256 key on the
    account and it's only because I'm screwing around with that msDS-SupportedEncryptionTypes attr trying to pin AES128 that I'm
    dancing outside the lines of sanity at this point.

    Really glad to see KRB5_TRACE was added.

    Thanks for your support.

    Mike
    --
    Michael B Allen
    Java AD DS Integration
    https://www.ioplex.com/

  • From Ken Hornstein@kenh@cmf.nrl.navy.mil to Michael B Allen on Wed Jan 24 16:19:31 2024
    From Newsgroup: comp.protocols.kerberos

    > Indeed. Unfortunately my stock packages on CentOS 9 Stream are 1.21
    > but the KRB5_TRACE feature was introduced in 1.9.

    Ummm ... 21 > 9, I think? :-)

    > At any rate, of course I figured out the problem right after posting this ...

    Glad you figured it out.

    --Ken
  • From Sam Hartman@hartmans@debian.org to Michael B Allen on Wed Jan 24 14:27:51 2024
    From Newsgroup: comp.protocols.kerberos

    "Michael" == Michael B Allen <ioplex@gmail.com> writes:

    Michael> Hi Ken,

    Michael> Indeed. Unfortunately my stock packages on CentOS 9 Stream
    Michael> are 1.21 but the KRB5_TRACE feature was introduced in 1.9.

    Last time I checked, 1.21 > 1.9.
  • From Michael B Allen@ioplex@gmail.com to kerberos on Wed Jan 24 19:37:15 2024
    From Newsgroup: comp.protocols.kerberos

    On Wed, Jan 24, 2024 at 4:27 PM Sam Hartman <hartmans@debian.org> wrote:

    > "Michael" == Michael B Allen <ioplex@gmail.com> writes:
    >
    > Michael> Hi Ken,
    >
    > Michael> Indeed. Unfortunately my stock packages on CentOS 9 Stream
    > Michael> are 1.21 but the KRB5_TRACE feature was introduced in 1.9.
    >
    > Last time I checked, 1.21 > 1.9.

    Good point and, after some fiddling, it does indeed work and would
    have revealed the issue:

    $ KRB5_TRACE=trace.txt kinit -k -t java31.keytab 'java31$@GOGO.LOCO'
    kinit: Pre-authentication failed: Invalid argument while getting
    initial credentials
    $ cat trace.txt
    850878: Matching java31$@GOGO.LOCO in collection with result: 0/Success
    850879: Getting initial credentials for java31$@GOGO.LOCO
    850880: Found entries for java31$@GOGO.LOCO in keytab: aes128-cts
    850882: Sending unauthenticated request
    850883: Sending request (189 bytes) to GOGO.LOCO
    850884: Resolving hostname dc1.gogo.loco
    850885: Sending initial UDP request to dgram 10.11.12.22:88
    850886: Received answer (185 bytes) from dgram 10.11.12.22:88
    850887: Response was from primary KDC
    850888: Received error from KDC: -1765328359/Additional
    pre-authentication required
    850891: Preauthenticating using KDC method data
    850892: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD
    (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
    850893: Selected etype info: etype aes256-cts, salt "GOGO.LOCOhostjava31.gogo.loco", params ""
    850894: PKINIT client has no configured identity; giving up
    850895: PKINIT client has no configured identity; giving up
    850896: Preauth module pkinit (16) (real) returned: 22/Invalid argument
    850897: Retrieving java31$@GOGO.LOCO from FILE:java31.keytab (vno 0,
    enctype aes256-cts) with result: -1765328203/No key table entry found
    for java31$@GOGO.LOCO
    850898: Preauth module encrypted_timestamp (2) (real) returned:
    -1765328203/No key table entry found for java31$@GOGO.LOCO

    Second to last line is pretty clear. Kinit was looking for an
    aes256-cts key but the keytab only had an aes128-cts entry.

    Mike
    --
    Michael B Allen
    Java AD DS Integration
    https://www.ioplex.com/

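The diagnosis Mike reads off the trace by eye can be automated. The script below is an added example, not code from the thread or from MIT krb5: it parses the three KRB5_TRACE lines that matter here (the keytab enctypes found for the principal, the etype the KDC selected in its PA-ETYPE-INFO2, and the result of the keytab retrieval) and reports when the KDC's chosen etype has no matching key. The two trace excerpts embedded in it are constructed, modelled on the one posted above; the "fixed" variant assumes a keytab regenerated with an AES256 key, which is the fix the thread describes. Trace line prefixes differ between krb5 releases, so the regular expressions search within each line rather than anchoring at its start.

```python
"""Spot a keytab/enctype mismatch in a KRB5_TRACE log (added example)."""
import re

# Constructed sample modelled on the failing trace in the thread.
FAILING_TRACE = """\
850880: Found entries for java31$@GOGO.LOCO in keytab: aes128-cts
850882: Sending unauthenticated request
850888: Received error from KDC: -1765328359/Additional pre-authentication required
850893: Selected etype info: etype aes256-cts, salt "GOGO.LOCOhostjava31.gogo.loco", params ""
850897: Retrieving java31$@GOGO.LOCO from FILE:java31.keytab (vno 0, enctype aes256-cts) with result: -1765328203/No key table entry found for java31$@GOGO.LOCO
850898: Preauth module encrypted_timestamp (2) (real) returned: -1765328203/No key table entry found for java31$@GOGO.LOCO
"""

# Constructed sample of the same exchange after the keytab was regenerated
# with an AES256 key (assumption: the fix described in the thread).
FIXED_TRACE = """\
850880: Found entries for java31$@GOGO.LOCO in keytab: aes256-cts, aes128-cts
850888: Received error from KDC: -1765328359/Additional pre-authentication required
850893: Selected etype info: etype aes256-cts, salt "GOGO.LOCOhostjava31.gogo.loco", params ""
850897: Retrieving java31$@GOGO.LOCO from FILE:java31.keytab (vno 0, enctype aes256-cts) with result: 0/Success
"""

KEYTAB_RE = re.compile(r"Found entries for (\S+) in keytab: (.+?)\s*$")
ETYPE_RE = re.compile(r"Selected etype info: etype (\S+),")
RETRIEVE_RE = re.compile(
    r"Retrieving (\S+) from (\S+) \(vno (\d+), enctype (\S+)\) with result: (-?\d+)/(.*)$"
)


def parse_trace(text):
    """Extract principal, keytab enctypes, KDC-selected etype and keytab
    retrieval results from a KRB5_TRACE log."""
    info = {"principal": None, "keytab_enctypes": [], "kdc_etype": None, "retrievals": []}
    for line in text.splitlines():
        m = KEYTAB_RE.search(line)
        if m:
            info["principal"] = m.group(1)
            # krb5 joins the enctypes it found with ", "
            info["keytab_enctypes"] = [e.strip() for e in m.group(2).split(",")]
            continue
        m = ETYPE_RE.search(line)
        if m:
            info["kdc_etype"] = m.group(1)
            continue
        m = RETRIEVE_RE.search(line)
        if m:
            info["retrievals"].append({
                "principal": m.group(1), "keytab": m.group(2), "vno": int(m.group(3)),
                "enctype": m.group(4), "code": int(m.group(5)), "message": m.group(6),
            })
    return info


def diagnose(text):
    """Return a one-line diagnosis, or None when the keytab can satisfy the
    KDC's preauth etype."""
    info = parse_trace(text)
    if info["kdc_etype"] is None:
        return "no 'Selected etype info' line: the AS exchange never reached preauth"
    if info["kdc_etype"] not in info["keytab_enctypes"]:
        have = ", ".join(info["keytab_enctypes"]) or "no entries"
        return (f"KDC selected {info['kdc_etype']} for preauth but the keytab for "
                f"{info['principal']} only has: {have}")
    failed = [r for r in info["retrievals"] if r["code"] != 0]
    if failed:
        r = failed[0]
        return f"keytab lookup for enctype {r['enctype']} in {r['keytab']} failed: {r['message']}"
    return None


if __name__ == "__main__":
    for label, trace in (("failing", FAILING_TRACE), ("fixed", FIXED_TRACE)):
        print(f"{label}: {diagnose(trace) or 'keytab matches the KDC-selected etype'}")
```

Run it against a real capture with `KRB5_TRACE=trace.txt kinit ...` followed by feeding `trace.txt` to `diagnose()`; the first branch also catches the case where the AS exchange never reached pre-authentication at all, which points back at KDC reachability rather than at the keytab.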