[16367] in Kerberos-V5-bugs


[krbdev.mit.edu #8837] kprop replication does not work due to wrong

daemon@ATHENA.MIT.EDU (Ingo via RT)
Wed Oct 2 13:49:46 2019

From: "Ingo via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <6c56e0de-8d72-5b83-eb8e-4a0d924daa5f@Hoeft-online.de>
Message-ID: <rt-4.4.4-9685-1570038556-1659.8837-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8837":;
Date: Wed, 02 Oct 2019 13:49:16 -0400


Wed Oct 02 13:49:16 2019: Request 8837 was acted upon.
 Transaction: Ticket created by Ingo@Hoeft-online.de
       Queue: krb5
     Subject: kprop replication does not work due to wrong DNS domain handling
       Owner: Nobody
  Requestors: Ingo@Hoeft-online.de
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8837 >


Hello,

it seems I encountered a bug with krb5-1.17 using replication with kprop, or I do not understand what's going on. I followed the setup given at https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html on Raspbian Buster (flavor of Debian 10, compiled for ARM processor). If I try to initially replicate the database, I get the error message:

/usr/sbin/kprop: Key table entry not found while getting initial credentials

I have checked it of course:
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 host/kdc10-1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   6 host/kdc10-1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)

Using trace logging I get:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[1994] 1570019063.835325: Getting initial credentials for host/kdc10-1@EXAMPLE.COM
[1994] 1570019063.835326: Setting initial creds service to host/kdc10-2.example.com
[1994] 1570019063.835327: Looked up etypes in keytab: (empty)
[1994] 1570019063.835328: Getting initial credentials for host/kdc10-1@EXAMPLE.COM
[1994] 1570019063.835329: Setting initial creds service to host/kdc10-2.example.com
[1994] 1570019063.835330: Looked up etypes in keytab: (empty)
/usr/sbin/kprop: Key table entry not found while getting initial credentials

The problem I see is in the first line:
Getting initial credentials for host/kdc10-1@EXAMPLE.COM

The DNS domain 'example.com' is missing there.

I verified it on my old installation with krb5-1.10:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[21367] 1570019913.30940: Initializing FILE:/tmp/kproptkteNiiOa with default princ host/kdc-old.example.com@EXAMPLE.COM
[21367] 1570019913.35969: Getting initial credentials for host/kdc-old.example.com@EXAMPLE.COM
[21367] 1570019913.37953: Setting initial creds service to host/kdc10-2.example.com@EXAMPLE.COM
[21367] 1570019913.38957: Sending request (235 bytes) to EXAMPLE.COM
[21367] 1570019913.39829: Resolving hostname kdc-old.example.com
[21367] 1570019913.40982: Sending initial UDP request to dgram 127.0.1.1:88
[21367] 1570019913.42912: Received answer from dgram 127.0.1.1:88
[21367] 1570019913.46078: Response was not from master KDC
[21367] 1570019913.46888: Received error from KDC: -1765328378/Client not found in Kerberos database
/usr/sbin/kprop: Client not found in Kerberos database while getting initial ticket
[21367] 1570019913.50158: Destroying ccache FILE:/tmp/kproptkteNiiOa

Of course the environment does not match, but as seen in the second line I get settings with the domain part:
Getting initial credentials for host/kdc-old.example.com@EXAMPLE.COM

I have tried many options in /etc/krb5.conf but wasn't able to force kprop to ask for initial credentials with DNS domain. Therefore I added the host without DNS domain to '/etc/krb5.keytab':
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kdc10-1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/kdc10-1@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   6 host/kdc10-1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   6 host/kdc10-1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)

Now I get:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[2074] 1570021982.74607: Getting initial credentials for host/kdc10-1@EXAMPLE.COM
[2074] 1570021982.74608: Setting initial creds service to host/kdc10-2.example.com
[2074] 1570021982.74609: Looked up etypes in keytab: aes256-cts, aes128-cts
[2074] 1570021982.74611: Sending unauthenticated request
[2074] 1570021982.74612: Sending request (215 bytes) to EXAMPLE.COM
[2074] 1570021982.74613: Resolving hostname kdc10-1.example.com
[2074] 1570021982.74614: Sending initial UDP request to dgram 192.168.10.9:88
[2074] 1570021982.74615: Received answer (291 bytes) from dgram 192.168.10.9:88
[2074] 1570021982.74616: Response was from master KDC
[2074] 1570021982.74617: Received error from KDC: -1765328359/Additional pre-authentication required
[2074] 1570021982.74620: Preauthenticating using KDC method data
--- snip ---
[2074] 1570021982.74641: Creating authenticator for host/kdc10-1@EXAMPLE.COM -> host/kdc10-2.example.com@EXAMPLE.COM, seqnum 1056356820, subkey (null), session key aes256-cts/AB97
/usr/sbin/kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
/usr/sbin/kprop: Service key not available signalled from server
Error text from server: Service key not available

On the replica KDC I get:
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/kdc10-2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 host/kdc10-2.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)

~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kpropd -d
ready
waiting for a kprop connection
Connection from kdc10-1.example.com
krb5_recvauth(5, kprop5_01, host/kdc10-2@EXAMPLE.COM, ...)
[2284] 1570023908.773042: Retrieving host/kdc10-2@EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 4, enctype aes256-cts) with result: -1765328203/No key table entry found for host/kdc10-2@EXAMPLE.COM
[2284] 1570023908.773043: Failed to decrypt AP-REQ ticket: -1765328339/No key table entry found for host/kdc10-2@EXAMPLE.COM
Database load process for full propagation completed.
waiting for a kprop connection

Same as on the master KDC: no DNS domain for the host. I also added the host credential without domain to '/etc/krb5.keytab' on the replica KDC:
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/kdc10-2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 host/kdc10-2.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 host/kdc10-2@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/kdc10-2@EXAMPLE.COM (aes128-cts-hmac-sha1-96)

Now I get on the master KDC:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[2179] 1570024342.29886: Getting initial credentials for host/kdc10-1@EXAMPLE.COM
[2179] 1570024342.29887: Setting initial creds service to host/kdc10-2.example.com
[2179] 1570024342.29888: Looked up etypes in keytab: aes256-cts, aes128-cts
[2179] 1570024342.29890: Sending unauthenticated request
[2179] 1570024342.29891: Sending request (215 bytes) to EXAMPLE.COM
[2179] 1570024342.29892: Resolving hostname kdc10-1.example.com
[2179] 1570024342.29893: Sending initial UDP request to dgram 192.168.10.9:88
[2179] 1570024342.29894: Received answer (291 bytes) from dgram 192.168.10.9:88
[2179] 1570024342.29895: Response was from master KDC
[2179] 1570024342.29896: Received error from KDC: -1765328359/Additional pre-authentication required
[2179] 1570024342.29899: Preauthenticating using KDC method data
--- snip ---
[2179] 1570024342.29920: Creating authenticator for host/kdc10-1@EXAMPLE.COM -> host/kdc10-2.example.com@EXAMPLE.COM, seqnum 201407404, subkey (null), session key aes256-cts/1D24
/usr/sbin/kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
/usr/sbin/kprop: The ticket isn't for us signalled from server
Error text from server: The ticket isn't for us

And the replica KDC gives me:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kpropd -d
ready
waiting for a kprop connection
Connection from kdc10-1.example.com
krb5_recvauth(5, kprop5_01, host/kdc10-2@EXAMPLE.COM, ...)
[2339] 1570024342.92319: Retrieving host/kdc10-2@EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 4, enctype aes256-cts) with result: -1765328154/Key version number for principal in key table is incorrect
[2339] 1570024342.92320: Failed to decrypt AP-REQ ticket: -1765328349/Cannot find key for host/kdc10-2@EXAMPLE.COM kvno 4 in keytab (request ticket server host/kdc10-2.example.com@EXAMPLE.COM)
Database load process for full propagation completed.
waiting for a kprop connection

Here I find that the replica host is addressed with host/kdc10-2@EXAMPLE.COM but the ticket is encrypted for host/kdc10-2.example.com@EXAMPLE.COM

The only workaround I have found is to set in '/etc/krb5.conf':

ignore_acceptor_hostname = true

But I do not want this weak configuration. What do I have to do to avoid this setting? What am I missing with the DNS domain name for the hosts? DNS forward and reverse resolution is checked for all hosts.
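As an added diagnostic (not part of the report or of MIT krb5), a small Python check that parses `klist -ek` and `KRB5_TRACE` output like the samples above and flags the two symptoms shown: a client principal built from the short hostname that has no keytab entry, and kpropd looking up a different acceptor name than the ticket was issued for. The sample strings are constructed from the report's own output.

```python
import re

# Constructed samples, modelled on the klist and trace output in the report.
KLIST_MASTER = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 host/kdc10-1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   6 host/kdc10-1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""
TRACE_MASTER = """\
[1994] 1570019063.835325: Getting initial credentials for host/kdc10-1@EXAMPLE.COM
[1994] 1570019063.835326: Setting initial creds service to host/kdc10-2.example.com
[1994] 1570019063.835327: Looked up etypes in keytab: (empty)
"""
TRACE_REPLICA = """\
[2339] 1570024342.92320: Failed to decrypt AP-REQ ticket: -1765328349/Cannot find key for host/kdc10-2@EXAMPLE.COM kvno 4 in keytab (request ticket server host/kdc10-2.example.com@EXAMPLE.COM)
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$", re.M)
CLIENT_RE = re.compile(r"Getting initial credentials for (\S+)")
ACCEPTOR_RE = re.compile(
    r"Cannot find key for (\S+) kvno \d+ in keytab \(request ticket server (\S+)\)")

def keytab_principals(klist_text):
    """Map each principal in `klist -ek` output to the set of kvnos present."""
    out = {}
    for kvno, princ, _etype in ENTRY_RE.findall(klist_text):
        out.setdefault(princ, set()).add(int(kvno))
    return out

def hostname_of(principal):
    """'host/kdc10-1@EXAMPLE.COM' -> 'kdc10-1'."""
    return principal.split("/", 1)[1].split("@", 1)[0]

def check_client_side(klist_text, trace_text):
    """Compare the client principal kprop chose with what the keytab holds."""
    m = CLIENT_RE.search(trace_text)
    if not m:
        return {"client": None}
    client = m.group(1)
    return {"client": client,
            "in_keytab": client in keytab_principals(klist_text),
            "short_hostname": "." not in hostname_of(client)}

def check_acceptor_side(trace_text):
    """Flag kpropd looking up a name other than the ticket's server principal."""
    m = ACCEPTOR_RE.search(trace_text)
    if not m:
        return None
    looked_up, ticket_server = m.groups()
    return {"looked_up": looked_up, "ticket_server": ticket_server,
            "mismatch": looked_up != ticket_server}
```

Run it against real `klist -ek` and `KRB5_TRACE` output from both KDCs; a `short_hostname` or `mismatch` result points at name canonicalization rather than at missing keys.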
