Interop/Compat: 3DES used in AS-REP despite no client support
Matt
mwreynolds at gmail.com
Tue Dec 6 15:04:10 EST 2005
Thank you to everyone for all the old posts, which have helped me, and
thank you in advance for any ideas on this:

I am trying to create an MIT / Windows interop scenario in a lab, where
the MIT realm is used for accounts, while users log on interactively to
Windows machines and further authenticate to Windows resources.

MIT realm and domain is called X.X
AD realm (2003 SP1 w XP SP2 clients) and domain is called A.A

Mapped user accounts exist in AD so that when a user authenticates to a
Windows resource in AD domain using user@X.X credentials, we wind up
having an AS exchange with the MIT KDC and a TGS exchange with the
Windows KDC, at which point Windows auth data would be included in the
service ticket, so that the target resource may build a Windows
access/impersonation token for the user. At least in theory.

I have been going around and around with enctypes for three days now
trying to get my interop working. After reading some more threads in
this group I had decided to start over and not put any enctype
restrictions in my krb5.conf or my kdc.conf files. I have also built a
new user database from scratch on the Linux/MIT kerberos box.

Where I am stuck:
++++++++++++++++++++++
When I attempt to authenticate the user "newuser4@X.X" to log on
interactively to a Windows XP machine, the MIT KDC uses 3DES in one part
of the AS-REP. It does this despite the fact that the XP machine does
not ask for 3DES in the AS-REQ. Later, when the XP machine approaches
the Windows KDC about a service ticket, the Windows KDC rejects the
request with an ENCTYPE error. I believe that this may be due to the
inclusion of the 3DES encrypted block in the TGS-REQ.

What I think I should do, please comment:
+++++++++++++++++++++++++++++++++
I've come full circle and this is exactly where I was stuck about 36
hours ago, and the last time I tried to solve this by making various
changes to enctypes on the MIT KDC, but I've been around and around
with enctypes (supported, permitted, tgs, tkt) for a few days, and at
this point I really need a fresh perspective.

On one hand, it seems like an error that the MIT KDC uses 3DES when the
client does not specify that as a supported enctype in the request. On
the other hand, my inexperience is surely at the root of this somehow.

The AS-REQ and AS-REP referred to are included below, along with my
current krb5.conf and kdc.conf.
No.  Time             Source       Destination  Protocol  Info
53   11:22:21.842719  10.1.1.104   10.1.1.200   KRB5      AS-REQ

Frame 53 (202 bytes on wire, 202 bytes captured)
Ethernet II, Src: 00:03:ff:3d:8e:b6, Dst: 00:03:ff:3f:8e:b6
Internet Protocol, Src Addr: 10.1.1.104 (10.1.1.104), Dst Addr: 10.1.1.200 (10.1.1.200)
User Datagram Protocol, Src Port: 1325 (1325), Dst Port: kerberos (88)
Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 40800010 (Forwardable, Renewable, Renewable OK)
        Client Name (Principal): newuser4
        Realm: X.X
        Server Name (Service and Instance): krbtgt/X.X
        till: 2037-09-13 02:48:05 (Z)
        rtime: 2037-09-13 02:48:05 (Z)
        Nonce: 1615283343
        Encryption Types: rc4-hmac rc4-hmac-old rc4-md4 des-cbc-md5 des-cbc-crc rc4-hmac-exp rc4-hmac-old-exp
            Encryption type: rc4-hmac (23)
            Encryption type: rc4-hmac-old (-133)
            Encryption type: rc4-md4 (-128)
            Encryption type: des-cbc-md5 (3)
            Encryption type: des-cbc-crc (1)
            Encryption type: rc4-hmac-exp (24)
            Encryption type: rc4-hmac-old-exp (-135)

0000  00 03 ff 3f 8e b6 00 03 ff 3d 8e b6 08 00 45 00   ...?.....=....E.
0010  00 bc 0e 92 00 00 80 11 14 6e 0a 01 01 68 0a 01   .........n...h..
0020  01 c8 05 2d 00 58 00 a8 ad 96 6a 81 9d 30 81 9a   ...-.X....j..0..
0030  a1 03 02 01 05 a2 03 02 01 0a a4 81 8d 30 81 8a   .............0..
0040  a0 07 03 05 00 40 80 00 10 a1 15 30 13 a0 03 02   .....@.....0....
0050  01 01 a1 0c 30 0a 1b 08 6e 65 77 75 73 65 72 34   ....0...newuser4
0060  a2 05 1b 03 58 2e 58 a3 18 30 16 a0 03 02 01 02   ....X.X..0......
0070  a1 0f 30 0d 1b 06 6b 72 62 74 67 74 1b 03 58 2e   ..0...krbtgt..X.
0080  58 a5 11 18 0f 32 30 33 37 30 39 31 33 30 32 34   X....20370913024
0090  38 30 35 5a a6 11 18 0f 32 30 33 37 30 39 31 33   805Z....20370913
00a0  30 32 34 38 30 35 5a a7 06 02 04 60 47 44 8f a8   024805Z....`GD..
00b0  19 30 17 02 01 17 02 02 ff 7b 02 01 80 02 01 03   .0.......{......
00c0  02 01 01 02 01 18 02 02 ff 79                     .........y
No.  Time             Source       Destination  Protocol  Info
54   11:22:21.847416  10.1.1.200   10.1.1.104   KRB5      AS-REP

Frame 54 (556 bytes on wire, 556 bytes captured)
Ethernet II, Src: 00:03:ff:3f:8e:b6, Dst: 00:03:ff:3d:8e:b6
Internet Protocol, Src Addr: 10.1.1.200 (10.1.1.200), Dst Addr: 10.1.1.104 (10.1.1.104)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1325 (1325)
Kerberos AS-REP
    Pvno: 5
    MSG Type: AS-REP (11)
    padata: Unknown:19
    Client Realm: X.X
    Client Name (Principal): newuser4
    Ticket
        Tkt-vno: 5
        Realm: X.X
        Server Name (Service and Instance): krbtgt/X.X
        enc-part des3-cbc-sha1
            Encryption type: des3-cbc-sha1 (16)
            Kvno: 1
            enc-part: 75D0D7D9FE992BBC4D6C6E4A04D1E5845D1FF810281FE81F...
    enc-part des-cbc-md5

0000  00 03 ff 3d 8e b6 00 03 ff 3f 8e b6 08 00 45 00   ...=.....?....E.
0010  02 1e 00 03 40 00 40 11 21 9b 0a 01 01 c8 0a 01   ....@.@.!.......
0020  01 68 00 58 05 2d 02 0a 11 ef 6b 82 01 fe 30 82   .h.X.-....k...0.
0030  01 fa a0 03 02 01 05 a1 03 02 01 0b a2 16 30 14   ..............0.
0040  30 12 a1 03 02 01 13 a2 0b 04 09 30 07 30 05 a0   0..........0.0..
0050  03 02 01 01 a3 05 1b 03 58 2e 58 a4 15 30 13 a0   ........X.X..0..
0060  03 02 01 01 a1 0c 30 0a 1b 08 6e 65 77 75 73 65   ......0...newuse
0070  72 34 a5 81 e6 61 81 e3 30 81 e0 a0 03 02 01 05   r4...a..0.......
0080  a1 05 1b 03 58 2e 58 a2 18 30 16 a0 03 02 01 02   ....X.X..0......
0090  a1 0f 30 0d 1b 06 6b 72 62 74 67 74 1b 03 58 2e   ..0...krbtgt..X.
00a0  58 a3 81 b7 30 81 b4 a0 03 02 01 10 a1 03 02 01   X...0...........
00b0  01 a2 81 a7 04 81 a4 75 d0 d7 d9 fe 99 2b bc 4d   .......u.....+.M
00c0  6c 6e 4a 04 d1 e5 84 5d 1f f8 10 28 1f e8 1f 01   lnJ....]...(....
00d0  c5 cc 2f 5a 83 cf f9 65 7c eb 44 4b ef 5f 08 74   ../Z...e|.DK._.t
00e0  51 20 35 ec 7d ed 38 67 ee c3 69 8e 07 4a 36 77   Q 5.}.8g..i..J6w
00f0  15 f2 13 d8 b2 f0 20 1d 30 87 8a ed 55 60 51 2d   ...... .0...U`Q-
0100  b3 c0 e9 a9 f9 66 70 11 e7 53 36 f7 44 48 ed 94   .....fp..S6.DH..
0110  6e 26 b7 36 eb 8f 80 56 80 94 5b 71 c7 52 56 69   n&.6...V..[q.RVi
0120  c0 49 1f cc 10 9c 9e 09 e3 b9 54 7b 19 fe 1f c0   .I........T{....
0130  04 83 07 d6 49 14 da 96 c7 17 d3 4f 21 04 3e 89   ....I......O!.>.
0140  43 60 7c ec 50 8d eb 94 72 60 bd 7a 15 1b 00 3d   C`|.P...r`.z...=
0150  da 5a be d1 2e 97 6b 08 35 4b ef a6 81 ce 30 81   .Z....k.5K....0.
0160  cb a0 03 02 01 03 a2 81 c3 04 81 c0 ed 61 26 19   .............a&.
0170  73 ee 2d 62 31 56 3a 97 78 d1 cf 60 11 19 07 55   s.-b1V:.x..`...U
0180  17 d7 56 4d 75 26 b6 39 27 30 6c e7 37 b9 9c aa   ..VMu&.9'0l.7...
0190  7e d3 db 9a f8 03 75 e1 6e f8 14 9c bc cd 48 ab   ~.....u.n.....H.
01a0  f4 5d e4 37 dd 42 72 87 3b 6d c7 8e 00 cb cf 41   .].7.Br.;m.....A
01b0  28 6f d6 22 88 40 9c 1f 96 02 b4 9c 17 03 3f 61   (o.".@........?a
01c0  41 ea cd 3b 01 87 84 5a 37 30 af 16 dd 4c 8e 6f   A..;...Z70...L.o
01d0  48 99 a1 de 6d a4 ca a6 be 5a eb 3e 7e d5 74 bb   H...m....Z.>~.t.
01e0  bb 29 2c 03 af 47 4e b2 cf 63 11 6c 12 cb bf 4a   .),..GN..c.l...J
01f0  8f ce 94 fe 0e 8e e5 03 9d f6 ff 5d a2 ef fa e8   ...........]....
0200  9c 5b 10 a2 75 c0 f3 7d b7 57 f6 12 4e a7 9a b6   .[..u..}.W..N...
0210  1d 95 2d 39 25 10 ab 80 fd b7 8a 0b 8d 38 05 88   ..-9%........8..
0220  98 a1 6c f1 8c 92 13 5e 4d fb 80 09               ..l....^M...
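An added illustration for the two captures above (it is not code from the post, from MIT Kerberos or from Microsoft): the script walks the DER of the AS-REQ and AS-REP with a minimal TLV reader and reports which enctype turns up in which part. The only inputs are the Kerberos UDP payloads transcribed from the hex dumps (the 42 bytes of Ethernet/IP/UDP headers dropped); the function names are mine, the structure offsets follow the ASN.1 in RFC 4120, and bytes.fromhex() needs Python 3.7 or later to skip the whitespace between rows. What it makes visible is the point that matters when reading such a trace: the etype list in the AS-REQ governs only the reply's own enc-part (encrypted under the client's key, des-cbc-md5 here) and the session key inside it. The ticket's enc-part is encrypted under the key of the service principal named in the ticket (krbtgt/X.X@X.X), which the client never decrypts, so its enctype is chosen from that principal's keys and need not appear in the client's list at all. The same rule applies to a cross-realm TGT: the enctype to check against the receiving KDC's abilities is that of the key shared between the realms, not the client's list.

```python
# Added example (not from the original post, MIT Kerberos or Microsoft):
# walk the DER of the captured AS-REQ/AS-REP and report which enctype the KDC
# used in which part. The byte strings are the Kerberos UDP payloads transcribed
# from the hex dumps above (Ethernet/IP/UDP headers dropped); bytes.fromhex()
# on Python 3.7+ ignores the whitespace between the 16-byte rows.
AS_REQ_HEX = """6a819d30819a
a103020105a20302010aa4818d30818a a00703050040800010a1153013a00302
0101a10c300a1b086e65777573657234 a2051b03582e58a3183016a003020102
a10f300d1b066b72627467741b03582e 58a511180f3230333730393133303234
3830355aa611180f3230333730393133 3032343830355aa70602046047448fa8
1930170201170202ff7b020180020103 0201010201180202ff79"""
AS_REP_HEX = """6b8201fe3082
01faa003020105a10302010ba2163014 3012a103020113a20b040930073005a0
03020101a3051b03582e58a4153013a0 03020101a10c300a1b086e6577757365
7234a581e66181e33081e0a003020105 a1051b03582e58a2183016a003020102
a10f300d1b066b72627467741b03582e 58a381b73081b4a003020110a1030201
01a281a70481a475d0d7d9fe992bbc4d 6c6e4a04d1e5845d1ff810281fe81f01
c5cc2f5a83cff9657ceb444bef5f0874 512035ec7ded3867eec3698e074a3677
15f213d8b2f0201d30878aed5560512d b3c0e9a9f9667011e75336f74448ed94
6e26b736eb8f805680945b71c7525669 c0491fcc109c9e09e3b9547b19fe1fc0
048307d64914da96c717d34f21043e89 43607cec508deb947260bd7a151b003d
da5abed12e976b08354befa681ce3081 cba003020103a281c30481c0ed612619
73ee2d6231563a9778d1cf6011190755 17d7564d7526b63927306ce737b99caa
7ed3db9af80375e16ef8149cbccd48ab f45de437dd4272873b6dc78e00cbcf41
286fd62288409c1f9602b49c17033f61 41eacd3b0187845a3730af16dd4c8e6f
4899a1de6da4caa6be5aeb3e7ed574bb bb292c03af474eb2cf63116c12cbbf4a
8fce94fe0e8ee5039df6ff5da2effae8 9c5b10a275c0f37db757f6124ea79ab6
1d952d392510ab80fdb78a0b8d380588 98a16cf18c92135e4dfb8009"""
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
               24: "rc4-hmac-exp", -128: "rc4-md4", -133: "rc4-hmac-old", -135: "rc4-hmac-old-exp"}

def tlv(buf, pos):
    # One DER TLV -> (tag, value_start, value_end); every tag in these messages is one byte.
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                               # long form: the next n bytes hold the length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def children(buf, start, end):
    # Yield (tag, tlv_pos, value_start, value_end) for each TLV directly inside [start, end).
    pos = start
    while pos < end:
        tag, s, e = tlv(buf, pos)
        yield tag, pos, s, e
        pos = e

def unwrap(buf, pos, expect_tag):
    # Step into the TLV at pos after checking that it carries the tag we expect.
    tag, s, e = tlv(buf, pos)
    if tag != expect_tag:
        raise ValueError(f"expected tag {expect_tag:#x} at offset {pos}, got {tag:#x}")
    return s, e

def seq_fields(buf, start, end):
    # Kerberos SEQUENCEs tag every field [n]; map n -> position of the TLV it wraps.
    return {tag & 0x1F: s for tag, _, s, _ in children(buf, start, end)}

def der_int(buf, pos):                              # Int32, signed so -133 etc. decode correctly
    return int.from_bytes(buf[slice(*unwrap(buf, pos, 0x02))], "big", signed=True)

def principal_name(buf, pos):
    # PrincipalName ::= SEQUENCE { [0] name-type, [1] name-string SEQUENCE OF GeneralString }
    ns, ne = unwrap(buf, seq_fields(buf, *unwrap(buf, pos, 0x30))[1], 0x30)
    return "/".join(buf[cs:ce].decode("ascii") for _, _, cs, ce in children(buf, ns, ne))

def encrypted_data_etype(buf, pos):
    # EncryptedData ::= SEQUENCE { [0] etype Int32, [1] kvno, [2] cipher OCTET STRING }
    return der_int(buf, seq_fields(buf, *unwrap(buf, pos, 0x30))[0])

def as_req_etypes(raw):
    # The enctypes the client offered: KDC-REQ-BODY [8] etype SEQUENCE OF Int32.
    s, e = unwrap(raw, unwrap(raw, 0, 0x6A)[0], 0x30)           # [APPLICATION 10] AS-REQ
    bs, be = unwrap(raw, seq_fields(raw, s, e)[4], 0x30)        # [4] req-body
    es, ee = unwrap(raw, seq_fields(raw, bs, be)[8], 0x30)      # [8] etype
    return [der_int(raw, p) for _, p, _, _ in children(raw, es, ee)]

def as_rep_summary(raw):
    # [5] ticket is encrypted under the service principal's key (krbtgt/X.X here) and is
    # opaque to the client; [6] enc-part is the only piece encrypted under the client's key.
    s, e = unwrap(raw, unwrap(raw, 0, 0x6B)[0], 0x30)           # [APPLICATION 11] AS-REP
    f = seq_fields(raw, s, e)
    ts, te = unwrap(raw, unwrap(raw, f[5], 0x61)[0], 0x30)      # Ticket ::= [APPLICATION 1]
    tf = seq_fields(raw, ts, te)
    rs, re_ = unwrap(raw, tf[1], 0x1B)                          # [1] realm GeneralString
    return {"ticket_sname": principal_name(raw, tf[2]) + "@" + raw[rs:re_].decode("ascii"),
            "ticket_etype": encrypted_data_etype(raw, tf[3]),
            "reply_etype": encrypted_data_etype(raw, f[6])}

def analyse(req_hex, rep_hex):
    # Compare what the client offered with what the KDC used in each part.
    r = as_rep_summary(bytes.fromhex(rep_hex))
    r["requested"] = as_req_etypes(bytes.fromhex(req_hex))
    r["reply_etype_offered"] = r["reply_etype"] in r["requested"]
    r["ticket_etype_offered"] = r["ticket_etype"] in r["requested"]
    return r

if __name__ == "__main__":
    r = analyse(AS_REQ_HEX, AS_REP_HEX)
    name = lambda t: ETYPE_NAMES.get(t, str(t))
    print("client offered :", " ".join(map(name, r["requested"])))
    print("reply enc-part :", name(r["reply_etype"]), "| offered by client:", r["reply_etype_offered"])
    print("ticket enc-part:", name(r["ticket_etype"]), "for", r["ticket_sname"],
          "| offered by client:", r["ticket_etype_offered"])
```

Run as a script it prints the client's seven offered enctypes, then des-cbc-md5 for the reply enc-part (offered: True) and des3-cbc-sha1 for the ticket enc-part of krbtgt/X.X@X.X (offered: False). The same walker can be pointed at any AS-REP or TGS-REP payload to separate "what the client negotiated" from "what key the service's ticket is under", which is the distinction to keep in mind whenever two KDCs with different enctype support are chained.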
krb5.conf file on MIT KDC box

[libdefaults]
    default_realm = X.X
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    X.X = {
        kdc = suse-c.x.x
        admin_server = suse-c.x.x
        default_domain = x.x
    }

[domain_realm]
    .x.x = X.X
    x.x = X.X

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
kdc.conf file on MIT KDC box

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    X.X = {
        database_name = /var/lib/kerberos/krb5kdc/principal
        admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
        acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
        key_stash_file = /var/lib/kerberos/krb5kdc/.k5.X.X
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log