[38099] in Kerberos


OTP/FAST: MIT KDC <--> heimdal client integration

daemon@ATHENA.MIT.EDU (Oleksandr Yermolenko)
Thu Nov 2 05:07:17 2017

Date: Thu, 2 Nov 2017 11:06:39 +0200
From: Oleksandr Yermolenko <aae@sumix.com>
To: kerberos@mit.edu
Message-ID: <20171102110206.51fc5a49@aae-stu.taras.crp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi,

I have a strange (for me?) situation using an MIT KDC together with a
Heimdal client. PKINIT/FAST scenario.

STEP 1:
client side: 

kinit --anonymous
klist -v
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
    Cache version: 4

Server: krbtgt/IDM.CRP@IDM.CRP
Client: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 273
Auth time:  Nov  2 10:30:45 2017
End time:   Nov  3 10:30:45 2017
Ticket flags: anonymous, enc-pa-rep, pre-authent, initial, forwardable
Addresses: addressless

MIT KDC side log krb5kdc.log:
Nov 02 09:43:41 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:67c:2X70:20X0:d5de:47fa:4de1:b0e7: ISSUE: authtime 1509612221, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@IDM.CRP for krbtgt/IDM.CRP@IDM.CRP

I guess everything is fine.

STEP 2:
client
kinit --cache=FILE:/tmp/krb5cc_1000 aae@IDM.CRP
aae@IDM.CRP's Password: passwordOTP
kinit: Password incorrect

KDC log:
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
... <cut 6 rows with the same content>
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:67c:2370:2080:d5de:47fa:4de1:b0e7: PREAUTH_FAILED: aae@IDM.CRP for krbtgt/IDM.CRP@IDM.CRP, Preauthentication failed

My thoughts: ...
Something wrong with etypes, DH size or ....
- set pkinit_dh_min_bits = 1024 on the server/client, because Heimdal
can't use the MIT default of 2048-bit DH
- tried allow_weak_crypto without success

Package versions: MIT 1.15.1 (CentOS 7, FreeIPA 4.5.0 bundle), Heimdal 7.1.0
(Debian 9 based); I also tried 7.4 with the same result.

MIT KDC and MIT client in the same environment work well enough.

Thanks a lot for your time reading my big message, and for any ideas.

Oleksandr Yermolenko
network/systems engineer
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
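An added example, not part of the original post or of MIT krb5: a small Python parser for the two krb5kdc.log record shapes quoted above (the `AS_REQ ... ISSUE:` / `PREAUTH_FAILED:` outcome lines and the `preauth (...) verify failure:` lines). It tabulates outcomes per client principal, counts verify failures per preauth mechanism, flags bursts of verify failures logged in the same second, and lists the legacy non-AES enctypes (16 des3, 23 rc4) a client offered. That last view is what a defender wants when, as in this thread, one principal produces a run of encrypted_timestamp failures: the same pattern could be a misconfigured client falling back from FAST/OTP or a password-guessing burst, and correlating principal, address and timestamp is how you tell them apart. The sample log is constructed from the quoted lines (one record per line, as real krb5kdc.log writes them) with a documentation-range IPv6 address substituted for the poster's; the regexes assume the MIT 1.15 log layout shown in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the krb5kdc.log excerpts quoted in the post.
# The mail wrapped each record; real krb5kdc.log has one record per line.
# 2001:db8::1 is a documentation-range placeholder, not the poster's address.
ISSUE_LINE = ("Nov 02 09:43:41 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes "
              "{18 17 20 19 16 23}) 2001:db8::1: ISSUE: authtime 1509612221, "
              "etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@IDM.CRP for "
              "krbtgt/IDM.CRP@IDM.CRP")
VERIFY_FAIL_LINE = ("Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth "
                    "(encrypted_timestamp) verify failure: Preauthentication failed")
PREAUTH_FAILED_LINE = ("Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): AS_REQ "
                       "(6 etypes {18 17 20 19 16 23}) 2001:db8::1: PREAUTH_FAILED: "
                       "aae@IDM.CRP for krbtgt/IDM.CRP@IDM.CRP, Preauthentication failed")
# Two shown + six cut in the post: eight verify failures in the same second.
SAMPLE_LOG = "\n".join([ISSUE_LINE] + [VERIFY_FAIL_LINE] * 8 + [PREAUTH_FAILED_LINE])

# Regexes assume the MIT 1.15 krb5kdc.log layout shown in the post.
TS = r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})"
AS_REQ_RE = re.compile(
    TS + r" \S+ krb5kdc\[\d+\]\(\w+\): AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<result>[A-Z_]+): (?P<rest>.*)$")
PREAUTH_RE = re.compile(
    TS + r" \S+ krb5kdc\[\d+\]\(\w+\): preauth \((?P<mech>[^)]+)\) verify failure: "
    r"(?P<reason>.*)$")
# "<client> for <server>" appears in both ISSUE and PREAUTH_FAILED outcome lines.
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^\s,]+)")

# Standard Kerberos enctype numbers; 16 and 23 are the legacy non-AES types.
ETYPE_NAMES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
               20: "aes256-cts-hmac-sha384-192", 23: "rc4-hmac"}
LEGACY_ETYPES = {16, 23}


def parse_line(line):
    """Return a dict for an AS_REQ outcome or a preauth verify-failure record, else None."""
    m = AS_REQ_RE.search(line)
    if m:
        pr = PRINC_RE.search(m.group("rest"))
        return {
            "kind": "AS_REQ", "ts": m.group("ts"), "addr": m.group("addr"),
            "result": m.group("result"),
            "client": pr.group("client") if pr else None,
            "server": pr.group("server") if pr else None,
            "etypes": [int(e) for e in m.group("etypes").split()],
        }
    m = PREAUTH_RE.search(line)
    if m:
        return {"kind": "PREAUTH_VERIFY_FAIL", "ts": m.group("ts"),
                "mech": m.group("mech"), "reason": m.group("reason")}
    return None


def summarize(log_text, burst_threshold=5):
    """Tabulate outcomes per client, verify failures per mechanism, bursts of
    verify failures within one logged second, and legacy enctypes offered."""
    outcomes = defaultdict(Counter)      # client principal -> Counter of results
    mech_failures = Counter()            # preauth mechanism -> verify failures
    fails_per_second = Counter()         # timestamp -> verify failures
    legacy_offered = defaultdict(set)    # client principal -> legacy etype names
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "AS_REQ":
            outcomes[ev["client"]][ev["result"]] += 1
            for et in ev["etypes"]:
                if et in LEGACY_ETYPES:
                    legacy_offered[ev["client"]].add(ETYPE_NAMES.get(et, str(et)))
        else:
            mech_failures[ev["mech"]] += 1
            fails_per_second[ev["ts"]] += 1
    bursts = {ts: n for ts, n in fails_per_second.items() if n >= burst_threshold}
    return {
        "outcomes": {c: dict(r) for c, r in outcomes.items()},
        "mech_failures": dict(mech_failures),
        "bursts": bursts,
        "legacy_offered": {c: sorted(s) for c, s in legacy_offered.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

On the sample this reports one ISSUE for the anonymous principal, one PREAUTH_FAILED for aae@IDM.CRP, eight encrypted_timestamp verify failures all at 09:45:56 (a burst), and that the client offered des3-cbc-sha1 and rc4-hmac alongside the AES types. Run it over a real krb5kdc.log by passing the file contents to `summarize`; the burst threshold is a starting point to tune per environment, and a Heimdal client with a broken FAST/OTP path will show up as a repeated burst from one address and one principal rather than many principals.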
