| From | Michael B Allen <ioplex@gmail.com> |
|---|---|
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: kinit without dns |
| Date | 2024-01-24 19:37 -0500 |
| Organization | TNet Consulting |
| Message-ID | <mailman.12.1706143055.2322.kerberos@mit.edu> |
| References | <CAGMFw4hwaL50oe4zzxU7F2L9BVZG_DG8CuMG47utmQxQ8CBM0w@mail.gmail.com> <202401242034.40OKYMTT023485@hedwig.cmf.nrl.navy.mil> <CAGMFw4j7kL1HpBDs4GcawuewDChXDE9QfWXpEKM=2ivEuL9T7Q@mail.gmail.com> <tslplxqa0bs.fsf@suchdamage.org> <CAGMFw4hLMjoqS0WetzGvNMCBLCrLXrUGSsni14bZwA3NSRpzAQ@mail.gmail.com> |
On Wed, Jan 24, 2024 at 4:27 PM Sam Hartman <hartmans@debian.org> wrote:
>
> >>>>> "Michael" == Michael B Allen <ioplex@gmail.com> writes:
>
>     Michael> Hi Ken,
>
>     Michael> Indeed. Unfortunately my stock packages on CentOS 9 Stream
>     Michael> are 1.21 but the KRB5_TRACE feature was introduced in 1.9.
>
> Last time I checked, 1.21 > 1.9.

Good point and, after some fiddling, it does indeed work and would have revealed the issue:

    $ KRB5_TRACE=trace.txt kinit -k -t java31.keytab 'java31$@GOGO.LOCO'
    kinit: Pre-authentication failed: Invalid argument while getting initial credentials
    $ cat trace.txt
    850878: Matching java31$@GOGO.LOCO in collection with result: 0/Success
    850879: Getting initial credentials for java31$@GOGO.LOCO
    850880: Found entries for java31$@GOGO.LOCO in keytab: aes128-cts
    850882: Sending unauthenticated request
    850883: Sending request (189 bytes) to GOGO.LOCO
    850884: Resolving hostname dc1.gogo.loco
    850885: Sending initial UDP request to dgram 10.11.12.22:88
    850886: Received answer (185 bytes) from dgram 10.11.12.22:88
    850887: Response was from primary KDC
    850888: Received error from KDC: -1765328359/Additional pre-authentication required
    850891: Preauthenticating using KDC method data
    850892: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
    850893: Selected etype info: etype aes256-cts, salt "GOGO.LOCOhostjava31.gogo.loco", params ""
    850894: PKINIT client has no configured identity; giving up
    850895: PKINIT client has no configured identity; giving up
    850896: Preauth module pkinit (16) (real) returned: 22/Invalid argument
    850897: Retrieving java31$@GOGO.LOCO from FILE:java31.keytab (vno 0, enctype aes256-cts) with result: -1765328203/No key table entry found for java31$@GOGO.LOCO
    850898: Preauth module encrypted_timestamp (2) (real) returned: -1765328203/No key table entry found for java31$@GOGO.LOCO

Second to last line is pretty clear. Kinit was looking for an aes256-cts key but the keytab only had an aes128-cts entry.

Mike

--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
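An added example, not part of Mike's post or of MIT krb5, that automates the reading he did by eye: it parses the two KRB5_TRACE messages the diagnosis hinges on ("Found entries for <princ> in keytab: <etypes>", which lists what the client has, and "Selected etype info: etype <etype>, ...", which is what the KDC's PA-ETYPE-INFO2 told it to use) and reports when the KDC's chosen enctype has no key in the keytab. The regular expressions are assumptions modelled on the exact lines quoted above; the sample trace is constructed from the post's trace.txt, and the names `parse_trace`, `explain` and `EtypeReport` are this example's own.

```python
"""Detect a keytab/KDC enctype mismatch from KRB5_TRACE output.

Added example; not code from the mailing-list post or from MIT krb5.
The two message formats matched below are taken from the trace lines
quoted in the post; the sample log is constructed from that trace.
"""
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample input: the lines of the post's trace.txt that matter here.
SAMPLE_TRACE = """\
850879: Getting initial credentials for java31$@GOGO.LOCO
850880: Found entries for java31$@GOGO.LOCO in keytab: aes128-cts
850893: Selected etype info: etype aes256-cts, salt "GOGO.LOCOhostjava31.gogo.loco", params ""
850897: Retrieving java31$@GOGO.LOCO from FILE:java31.keytab (vno 0, enctype aes256-cts) with result: -1765328203/No key table entry found for java31$@GOGO.LOCO
"""

# Assumed from the quoted trace: krb5 lists keytab enctypes comma-separated
# when more than one is present (e.g. "aes256-cts, aes128-cts").
KEYTAB_RE = re.compile(r"^Found entries for (?P<princ>\S+) in keytab: (?P<etypes>.+)$")
SELECTED_RE = re.compile(r"^Selected etype info: etype (?P<etype>[\w-]+)")
NOKEY_RE = re.compile(r"with result: -1765328203/No key table entry found")


@dataclass
class EtypeReport:
    principal: Optional[str] = None
    keytab_etypes: Set[str] = field(default_factory=set)   # what the client has
    kdc_etype: Optional[str] = None                         # what the KDC asked for
    lookup_failed: bool = False  # krb5 itself reported it could not find the key

    @property
    def mismatch(self) -> bool:
        """True when the KDC picked an enctype the keytab does not hold."""
        return self.kdc_etype is not None and self.kdc_etype not in self.keytab_etypes


def parse_trace(text: str) -> EtypeReport:
    """Scan a KRB5_TRACE file and collect the enctype facts from it."""
    report = EtypeReport()
    for line in text.splitlines():
        # Every KRB5_TRACE line starts with "<pid>: "; drop that prefix.
        _, sep, msg = line.partition(": ")
        if not sep:
            continue
        if m := KEYTAB_RE.match(msg):
            report.principal = m.group("princ")
            report.keytab_etypes.update(e.strip() for e in m.group("etypes").split(","))
        elif m := SELECTED_RE.match(msg):
            report.kdc_etype = m.group("etype")
        elif NOKEY_RE.search(msg):
            report.lookup_failed = True
    return report


def explain(report: EtypeReport) -> str:
    """One-line diagnosis suitable for a ticket or a wrapper around kinit."""
    if report.kdc_etype is None:
        return "no etype-info from the KDC in this trace"
    have = ", ".join(sorted(report.keytab_etypes)) or "(none)"
    if report.mismatch:
        return (f"KDC expects {report.kdc_etype} for {report.principal}, "
                f"but the keytab only has: {have}; the keytab needs a key of that enctype")
    return f"keytab has a {report.kdc_etype} key for {report.principal}; the failure is elsewhere"


if __name__ == "__main__":
    print(explain(parse_trace(SAMPLE_TRACE)))
```

Run kinit with `KRB5_TRACE=trace.txt` as in the post and feed the file to `parse_trace`. To confirm the finding without the trace, `klist -k -t -e java31.keytab` prints the enctype of every entry in the keytab, which can be compared directly against the etype named in the "Selected etype info" line.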