[krbdev.mit.edu #7791] S4U2Self fails with Windows 2008

Sumit Bose via RT rt-comment at krbdev.mit.edu
Wed Dec 4 14:21:15 EST 2013


Hi,

When I try S4U2Self from a Linux box joined to an AD domain with Windows
2008 servers I see the following; with Windows 2012 everything works as
expected:

# kdestroy -A
[root at winbind-client gssapi]# kinit -k 'WINBIND-CLIENT$@AD18.IPA18.DEVEL'
(reverse-i-search)`': ^C
[root at winbind-client gssapi]# KRB5_TRACE=/dev/stdout kvno -U 'Administrator at AD18.IPA18.DEVEL' 'WINBIND-CLIENT$@AD18.IPA18.DEVEL'
[22588] 1386169036.438500: Getting credentials Administrator\@AD18.IPA18.DEVEL at AD18.IPA18.DEVEL -> WINBIND-CLIENT$@AD18.IPA18.DEVEL using ccache DIR::/run/user/0/krb5cc/tkt
[22588] 1386169036.439111: Retrieving Administrator\@AD18.IPA18.DEVEL at AD18.IPA18.DEVEL -> WINBIND-CLIENT$@AD18.IPA18.DEVEL from DIR::/run/user/0/krb5cc/tkt with result: -1765328243/Matching credential not found
[22588] 1386169036.439333: Getting initial credentials for Administrator\@AD18.IPA18.DEVEL at AD18.IPA18.DEVEL
[22588] 1386169036.439946: Processing preauth types: 130
[22588] 1386169036.440146: Produced preauth for next request: (empty)
[22588] 1386169036.440353: Sending request (200 bytes) to AD18.IPA18.DEVEL
[22588] 1386169036.442854: Resolving hostname win-kps47i803u9.ad18.ipa18.devel.
[22588] 1386169036.447148: Sending initial UDP request to dgram 192.168.122.99:88
[22588] 1386169036.449229: Received answer (205 bytes) from dgram 192.168.122.99:88
[22588] 1386169036.450399: Response was not from master KDC
[22588] 1386169036.450694: Received error from KDC: -1765328359/Additional pre-authentication required
[22588] 1386169036.450980: Processing preauth types: 16, 15, 19, 2
[22588] 1386169036.451240: Selected etype info: etype aes256-cts, salt "AD18.IPA18.DEVELAdministrator", params ""
[22588] 1386169036.451458: Preauth module encrypted_timestamp (2) (real) returned: -1765328174/Generic preauthentication failure
[22588] 1386169036.451641: Getting credentials Administrator\@AD18.IPA18.DEVEL at AD18.IPA18.DEVEL -> WINBIND-CLIENT$@AD18.IPA18.DEVEL using ccache DIR::/run/user/0/krb5cc/tkt
[22588] 1386169036.451990: Retrieving Administrator\@AD18.IPA18.DEVEL at AD18.IPA18.DEVEL -> WINBIND-CLIENT$@AD18.IPA18.DEVEL from DIR::/run/user/0/krb5cc/tkt with result: -1765328243/Matching credential not found
[22588] 1386169036.452193: Getting credentials WINBIND-CLIENT$@AD18.IPA18.DEVEL -> krbtgt/AD18.IPA18.DEVEL at AD18.IPA18.DEVEL using ccache DIR::/run/user/0/krb5cc/tkt
[22588] 1386169036.452516: Retrieving WINBIND-CLIENT$@AD18.IPA18.DEVEL -> krbtgt/AD18.IPA18.DEVEL at AD18.IPA18.DEVEL from DIR::/run/user/0/krb5cc/tkt with result: 0/Success
[22588] 1386169036.452754: Get cred via TGT krbtgt/AD18.IPA18.DEVEL at AD18.IPA18.DEVEL after requesting WINBIND-CLIENT$@AD18.IPA18.DEVEL (canonicalize on)
[22588] 1386169036.452951: Generated subkey for TGS request: aes256-cts/5640
[22588] 1386169036.453247: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[22588] 1386169036.453584: Encoding request body and padata into FAST request
[22588] 1386169036.453882: Sending request (1967 bytes) to AD18.IPA18.DEVEL
[22588] 1386169036.455546: Resolving hostname win-kps47i803u9.ad18.ipa18.devel.
[22588] 1386169036.458828: Resolving hostname win-kps47i803u9.ad18.ipa18.devel.
[22588] 1386169036.460741: Initiating TCP connection to stream 192.168.122.99:88
[22588] 1386169036.461407: Sending TCP request to stream 192.168.122.99:88
[22588] 1386169036.464099: Received answer (1430 bytes) from stream 192.168.122.99:88
[22588] 1386169036.466031: Response was not from master KDC
[22588] 1386169036.466305: Decoding FAST response
[22588] 1386169036.466679: Got cred; -1765328368/KDC has no support for padata type
kvno: KDC has no support for padata type while getting credentials for WINBIND-CLIENT$@AD18.IPA18.DEVEL


If I patch krb5int_fast_prep_req() to not do any FAST encoding, e.g.

--- krb5-1.11.3/src/lib/krb5/krb/fast.c.orig	2013-11-22 12:58:07.000000000 +0100
+++ krb5-1.11.3/src/lib/krb5/krb/fast.c	2013-11-22 12:58:17.696000000 +0100
@@ -247,9 +247,9 @@
     assert(state != NULL);
     assert(state->fast_outer_request.padata == NULL);
     memset(pa_array, 0, sizeof(pa_array));
-    if (state->armor_key == NULL) {
+    //if (state->armor_key == NULL) {
         return encoder(request, encoded_request);
-    }
+    //}
 
     TRACE_FAST_ENCODE(context);
     state->nonce = request->nonce;
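Review bot: commenting out the `if (state->armor_key == NULL)` guard makes `return encoder(request, encoded_request);` unconditional, so everything from `TRACE_FAST_ENCODE(context);` onward in this hunk is now unreachable and FAST is switched off even when an armor key was negotiated. That is adequate as a one-off diagnostic to confirm that the Windows 2008 KDC rejects the FAST-wrapped TGS-REQ (the `KDC has no support for padata type` answer in the trace above), but it should not be carried as a workaround, since it silently downgrades every request rather than only the ones a non-FAST KDC cannot handle. If the diagnostic version is kept around, re-indent the now-unconditional `return` and drop the dead lines so the intent is visible instead of hidden behind `//` comments.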


everything works as expected. I'm not sure which part of the FAST
encoding Windows 2008 does not like here. If you need more information
to debug this, please let me know.

bye,
Sumit
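As an added triage aid (this is not part of the bug report above and not MIT krb5 code), the following script parses KRB5_TRACE output of the kind pasted in the report and ties each request sent to the KDC to the transport used, whether the client wrapped it in FAST, and the result code the KDC returned. Run over a trace like the one above, it shows that the first (unarmored) AS-REQ got the expected pre-authentication error while the second, FAST-armored TGS-REQ is the one answered with KRB5KDC_ERR_PADATA_TYPE_NOSUPP. The sample lines are constructed from the trace in the report; the function and class names are the example's own.

```python
"""Summarise KRB5_TRACE output per KDC exchange (added example, not krb5 code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input constructed from the trace in the bug report above.
SAMPLE_TRACE = """\
[22588] 1386169036.440353: Sending request (200 bytes) to AD18.IPA18.DEVEL
[22588] 1386169036.447148: Sending initial UDP request to dgram 192.168.122.99:88
[22588] 1386169036.450694: Received error from KDC: -1765328359/Additional pre-authentication required
[22588] 1386169036.453584: Encoding request body and padata into FAST request
[22588] 1386169036.453882: Sending request (1967 bytes) to AD18.IPA18.DEVEL
[22588] 1386169036.461407: Sending TCP request to stream 192.168.122.99:88
[22588] 1386169036.466305: Decoding FAST response
[22588] 1386169036.466679: Got cred; -1765328368/KDC has no support for padata type
"""

# krb5 error codes are offsets from KDC_ERR_NONE (-1765328384); the two seen here.
KNOWN_CODES = {
    -1765328359: "KRB5KDC_ERR_PREAUTH_REQUIRED",   # KDC_ERR_NONE + 25
    -1765328368: "KRB5KDC_ERR_PADATA_TYPE_NOSUPP",  # KDC_ERR_NONE + 16
}

LINE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
SEND_RE = re.compile(r"Sending request \((\d+) bytes\) to (\S+)")
RESULT_RE = re.compile(r"(-?\d+)/(.+)$")


@dataclass
class Exchange:
    """One request the client sent to a KDC and what came back."""
    realm: str
    size: int
    fast: bool = False                 # was the request FAST-wrapped?
    transport: Optional[str] = None    # "udp" or "tcp"
    result_code: Optional[int] = None  # 0 on success, krb5 error code otherwise
    result_text: Optional[str] = None

    @property
    def symbolic(self) -> str:
        return KNOWN_CODES.get(self.result_code, str(self.result_code))


def parse_trace(text: str) -> List[Exchange]:
    """Walk the trace in order, opening a new Exchange on each 'Sending request'."""
    exchanges: List[Exchange] = []
    pending_fast = False  # set when the client announced FAST encoding
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(3)
        if msg.startswith("Encoding request body and padata into FAST request"):
            pending_fast = True
        elif msg.startswith("Sending request ("):
            sm = SEND_RE.match(msg)
            exchanges.append(Exchange(realm=sm.group(2), size=int(sm.group(1)),
                                      fast=pending_fast))
            pending_fast = False
        elif exchanges and ("UDP request" in msg or "TCP request" in msg):
            exchanges[-1].transport = "udp" if "UDP" in msg else "tcp"
        elif exchanges and (msg.startswith("Received error from KDC:")
                            or msg.startswith("Got cred;")):
            rm = RESULT_RE.search(msg)
            if rm:
                exchanges[-1].result_code = int(rm.group(1))
                exchanges[-1].result_text = rm.group(2).strip()
    return exchanges


def fast_failures(exchanges: List[Exchange]) -> List[Exchange]:
    """Exchanges that were FAST-wrapped and did not succeed."""
    return [e for e in exchanges if e.fast and e.result_code not in (None, 0)]


if __name__ == "__main__":
    for i, e in enumerate(parse_trace(SAMPLE_TRACE), 1):
        print(f"#{i} {e.realm} {e.size}B {e.transport} fast={e.fast} -> "
              f"{e.symbolic}: {e.result_text}")
```

On the sample trace the script reports two exchanges; only the second is FAST-wrapped and it is the one that ends in KRB5KDC_ERR_PADATA_TYPE_NOSUPP, which is the same correlation the report reached by disabling FAST in fast.c.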


