ubuntu16.04 and /etc/krb5.conf (Errata Corrige)
Giuseppe Mazza
g.mazza at imperial.ac.uk
Thu Jun 16 09:24:30 EDT 2016
Sorry, the strange case is:
gmazza2 at futurama:~$ kinit gmazza at IC.AC.UK
Password for gmazza at IC.AC.UK: debug3: Received SSH2_MSG_IGNORE
debug3: Received SSH2_MSG_IGNORE
debug3: Received SSH2_MSG_IGNORE
debug3: Received SSH2_MSG_IGNORE
debug3: Received SSH2_MSG_IGNORE
debug3: Received SSH2_MSG_IGNORE
debug3: Received SSH2_MSG_IGNORE
debug3: Received SSH2_MSG_IGNORE
gmazza2 at futurama:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_868_M0Lmlr
Default principal: gmazza at IC.AC.UK
Valid starting Expires Service principal
16/06/16 14:17:44 17/06/16 00:17:44 krbtgt/IC.AC.UK at IC.AC.UK
renew until 17/06/16 00:17:44, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
- it does not work:
gmazza2 at futurama:~$ ssh gmazza at futurama uptime
gmazza at futurama's password: debug3: Received SSH2_MSG_IGNORE
- however there are gmazza's tickets:
gmazza2 at futurama:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_868_M0Lmlr
Default principal: gmazza at IC.AC.UK
Valid starting Expires Service principal
16/06/16 14:17:44 17/06/16 00:17:44 krbtgt/IC.AC.UK at IC.AC.UK
renew until 17/06/16 00:17:44, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
16/06/16 14:18:05 17/06/16 00:17:44 krbtgt/DOC.IC.AC.UK at IC.AC.UK
renew until 17/06/16 00:17:44, Etype (skey, tkt): des-cbc-crc, des-cbc-md5
16/06/16 14:18:05 17/06/16 00:17:44
host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
- it does work:
gmazza2 at futurama:~$ ssh gmazza at futurama uptime
14:18:17 up 21:46, 2 users, load average: 0.00, 0.01, 0.05
In my previous email I had copied and pasted a wrong case, i.e.
gmazza2 at futurama:~$ ssh gmazza2 at futurama
that it does not work as expected, because I had kinit-ed gmazza at IC.AC.UK
Giuseppe.
On 16/06/16 14:09, Giuseppe Mazza wrote:
> (I apologize for my long email)
>
> I am going to try to provide some feedback:
> #
> # my (not) working scenario...
> #
> 1] Linux kerberos server:
> Ubuntu 14.04.4 LTS \n \l
> ii krb5-kdc 1.12+dfsg-2ub amd64 MIT Kerberos key
> server (KDC)
>
> 2.a] Ubuntu 16.04 linux client, called futurama.doc.ic.ac.uk:
> ii krb5-user 1.13.2+dfsg-5 amd64 Basic programs to
> authenticate using MIT K
>
>
> 2.b] Ubuntu 14.04 linux client, called bee.doc.ic.ac.uk:
> ii krb5-user 1.12+dfsg-2ub amd64 Basic programs to
> authenticate using MIT
>
> 3] same /etc/krb5.conf on both clients, i.e. no hardcoded hostnames of
> my dc's.
>
> 4] I will be using my two accounts, gmazza at IC.AC.UK (user in the Windows
> DC) and gmazza2 at DOC.IC.AC.UK (user in kerberos realm).
>
> The things I will describe work for bee.doc.ic.ac.uk, but not
> for futurama.doc.ic.ac.uk. In particular I have noticed the things below:
>
> - it works:
> gmazza2 at futurama:~$ ssh gmazza2 at futurama
>
> - it does not work:
> gmazza2 at futurama:~$ ssh gmazza at futurama
> gmazza at futurama's password:
> Permission denied, please try again.
> gmazza at futurama's password:
>
> - it works:
> gmazza2 at futurama:~$ export KRB5_TRACE=/dev/stdout
> gmazza2 at futurama:~$ kinit gmazza at IC.AC.UK
> [325] 1466081998.890390: Getting initial credentials for gmazza at IC.AC.UK
> [325] 1466081998.890912: Sending request (169 bytes) to IC.AC.UK
> [325] 1466081998.894103: Resolving hostname icads43.ic.ac.uk.
> [325] 1466081998.896228: Sending initial UDP request to dgram
> 129.31.100.150:88
> [325] 1466081998.899013: Received answer (174 bytes) from dgram
> 129.31.100.150:88
> [325] 1466081998.900138: Response was not from master KDC
> [325] 1466081998.900216: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [325] 1466081998.900281: Processing preauth types: 16, 15, 19, 2
> [325] 1466081998.900308: Selected etype info: etype aes256-cts, salt
> "IC.AC.UKgmazza", params ""
> Password for gmazza at IC.AC.UK: debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
>
> [325] 1466082004.103603: AS key obtained for encrypted timestamp:
> aes256-cts/1F56
> [325] 1466082004.103637: Encrypted timestamp (for 1466082003.328534):
> plain 301AA011180F32303136303631363133303030335AA1050203050356,
> encrypted
> C915E62DB9E0CE17F45BA2FDABB44DEF69EF02DAE0ADF1138204A1D114B27FF0AE505BB410C1FCB00E0F31BFE6939ED3E7B2C68B9C52FDA4
>
> [325] 1466082004.103654: Preauth module encrypted_timestamp (2) (real)
> returned: 0/Success
> [325] 1466082004.103657: Produced preauth for next request: 2
> [325] 1466082004.103668: Sending request (247 bytes) to IC.AC.UK
> [325] 1466082004.106120: Resolving hostname icads39.ic.ac.uk.
> [325] 1466082004.106383: Sending initial UDP request to dgram
> 155.198.63.21:88
> [325] 1466082004.110203: Received answer (88 bytes) from dgram
> 155.198.63.21:88
> [325] 1466082004.111234: Response was not from master KDC
> [325] 1466082004.111262: Received error from KDC: -1765328332/Response
> too big for UDP, retry with TCP
> [325] 1466082004.111268: Request or response is too big for UDP;
> retrying with TCP
> [325] 1466082004.111281: Sending request (247 bytes) to IC.AC.UK (tcp only)
> [325] 1466082004.112344: Resolving hostname icads44.ic.ac.uk.
> [325] 1466082004.113626: Initiating TCP connection to stream 129.31.47.2:88
> [325] 1466082004.114123: Sending TCP request to stream 129.31.47.2:88
> [325] 1466082004.117400: Received answer (2689 bytes) from stream
> 129.31.47.2:88
> [325] 1466082004.117416: Terminating TCP connection to stream
> 129.31.47.2:88
> [325] 1466082004.118434: Response was not from master KDC
> [325] 1466082004.118467: Processing preauth types: 19
> [325] 1466082004.118475: Selected etype info: etype aes256-cts, salt
> "IC.AC.UKgmazza", params ""
> [325] 1466082004.118480: Produced preauth for next request: (empty)
> [325] 1466082004.118489: AS key determined by preauth: aes256-cts/1F56
> [325] 1466082004.118538: Decrypted AS reply; session key is:
> aes256-cts/5BA4
> [325] 1466082004.118555: FAST negotiation: unavailable
> [325] 1466082004.118578: Initializing FILE:/tmp/krb5cc_868_TQFkWp with
> default princ gmazza at IC.AC.UK
> [325] 1466082004.118635: Storing gmazza at IC.AC.UK ->
> krbtgt/IC.AC.UK at IC.AC.UK in FILE:/tmp/krb5cc_868_TQFkWp
> [325] 1466082004.118662: Storing config in FILE:/tmp/krb5cc_868_TQFkWp
> for krbtgt/IC.AC.UK at IC.AC.UK: pa_type: 2
> [325] 1466082004.118684: Storing gmazza at IC.AC.UK ->
> krb5_ccache_conf_data/pa_type/krbtgt\/IC.AC.UK\@IC.AC.UK at X-CACHECONF: in
> FILE:/tmp/krb5cc_868_TQFkWp
>
> gmazza2 at futurama:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_868_TQFkWp
> Default principal: gmazza at IC.AC.UK
>
> Valid starting Expires Service principal
> 16/06/16 14:00:04 17/06/16 00:00:04 krbtgt/IC.AC.UK at IC.AC.UK
> renew until 17/06/16 00:00:04, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
> - it does not work:
> gmazza2 at futurama:~$ ssh gmazza2 at futurama
> [375] 1466082089.872003: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK
> [375] 1466082089.872158: Getting credentials gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.872299: Retrieving gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: -1765328243/Matching credential not found
> [375] 1466082089.872397: Retrieving gmazza at IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp with
> result: -1765328243/Matching credential not found
> [375] 1466082089.872489: Retrieving gmazza at IC.AC.UK ->
> krbtgt/IC.AC.UK at IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp with result:
> 0/Success
> [375] 1466082089.872507: Starting with TGT for client realm:
> gmazza at IC.AC.UK -> krbtgt/IC.AC.UK at IC.AC.UK
> [375] 1466082089.872611: Retrieving gmazza at IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp with
> result: -1765328243/Matching credential not found
> [375] 1466082089.872628: Requesting TGT krbtgt/DOC.IC.AC.UK at IC.AC.UK
> using TGT krbtgt/IC.AC.UK at IC.AC.UK
> [375] 1466082089.872694: Generated subkey for TGS request: aes256-cts/36BD
> [375] 1466082089.872848: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.873071: Encoding request body and padata into FAST request
> [375] 1466082089.873237: Sending request (2863 bytes) to IC.AC.UK
> [375] 1466082089.875549: Resolving hostname icads44.ic.ac.uk.
> [375] 1466082089.876375: Sending initial UDP request to dgram
> 129.31.47.2:88
> [375] 1466082089.878367: Received answer (311 bytes) from dgram
> 129.31.47.2:88
> [375] 1466082089.879374: Response was not from master KDC
> [375] 1466082089.879420: Decoding FAST response
> [375] 1466082089.879497: Request or response is too big for UDP;
> retrying with TCP
> [375] 1466082089.879512: Sending request (2863 bytes) to IC.AC.UK (tcp
> only)
> [375] 1466082089.880644: Resolving hostname icads43.ic.ac.uk.
> [375] 1466082089.881101: Initiating TCP connection to stream
> 129.31.100.150:88
> [375] 1466082089.881629: Sending TCP request to stream 129.31.100.150:88
> [375] 1466082089.883386: Received answer (2758 bytes) from stream
> 129.31.100.150:88
> [375] 1466082089.883408: Terminating TCP connection to stream
> 129.31.100.150:88
> [375] 1466082089.884435: Response was not from master KDC
> [375] 1466082089.884481: Decoding FAST response
> [375] 1466082089.884661: FAST reply key: aes256-cts/C91B
> [375] 1466082089.884730: TGS reply is for gmazza at IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK at IC.AC.UK with session key des-cbc-crc/A617
> [375] 1466082089.884819: TGS request result: 0/Success
> [375] 1466082089.884838: Storing gmazza at IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK at IC.AC.UK in FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.884915: Received TGT for service realm:
> krbtgt/DOC.IC.AC.UK at IC.AC.UK
> [375] 1466082089.884927: Requesting tickets for
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK, referrals on
> [375] 1466082089.884955: Generated subkey for TGS request: des-cbc-crc/14B2
> [375] 1466082089.885000: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.885099: Encoding request body and padata into FAST request
> [375] 1466082089.885228: Sending request (2832 bytes) to DOC.IC.AC.UK
> (tcp only)
> [375] 1466082089.885263: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.885710: Initiating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.886276: Terminating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.886314: Resolving hostname kerberos1.doc.ic.ac.uk
> [375] 1466082089.886738: Initiating TCP connection to stream
> 146.169.1.11:88
> [375] 1466082089.887249: Terminating TCP connection to stream
> 146.169.1.11:88
> [375] 1466082089.887270: Resolving hostname kerberos2.doc.ic.ac.uk
> [375] 1466082089.887611: Initiating TCP connection to stream
> 146.169.1.71:88
> [375] 1466082089.888136: Terminating TCP connection to stream
> 146.169.1.71:88
> [375] 1466082089.889673: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK
> [375] 1466082089.889789: Getting credentials gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.889906: Retrieving gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: -1765328243/Matching credential not found
> [375] 1466082089.890009: Retrieving gmazza at IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp with
> result: 0/Success
> [375] 1466082089.890024: Found cached TGT for service realm:
> gmazza at IC.AC.UK -> krbtgt/DOC.IC.AC.UK at IC.AC.UK
> [375] 1466082089.890033: Requesting tickets for
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK, referrals on
> [375] 1466082089.890062: Generated subkey for TGS request: des-cbc-crc/B04E
> [375] 1466082089.890113: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.890252: Encoding request body and padata into FAST request
> [375] 1466082089.890394: Sending request (2832 bytes) to DOC.IC.AC.UK
> [375] 1466082089.890446: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.890897: Initiating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.891502: Terminating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.891525: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.891874: Sending initial UDP request to dgram
> 146.169.1.157:750
> [375] 1466082089.893602: Received answer (861 bytes) from dgram
> 146.169.1.157:750
> [375] 1466082089.894766: Response was not from master KDC
> [375] 1466082089.894812: Decoding FAST response
> [375] 1466082089.894897: FAST reply key: des-cbc-crc/EE43
> [375] 1466082089.894953: TGS reply is for gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK with session key aes256-cts/4216
> [375] 1466082089.894987: TGS request result: 0/Success
> [375] 1466082089.894997: Received creds for desired service
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK
> [375] 1466082089.895012: Storing gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK in FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.895181: Creating authenticator for gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK, seqnum 683096606, subkey
> aes256-cts/1E3F, session key aes256-cts/4216
> [375] 1466082089.896680: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK
> [375] 1466082089.896837: Getting credentials gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.896953: Retrieving gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.897036: Creating authenticator for gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK, seqnum 249884086, subkey
> aes256-cts/FDB1, session key aes256-cts/4216
> [375] 1466082089.898397: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK
> [375] 1466082089.898517: Getting credentials gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.898630: Retrieving gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.898760: Getting credentials gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.898865: Retrieving gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.898946: Creating authenticator for gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK, seqnum 1071734415, subkey
> aes256-cts/0F2B, session key aes256-cts/4216
> gmazza2 at futurama's password:
>
>
> BUT...
> - there are gmazza's tickets now:
> gmazza2 at futurama:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_868_TQFkWp
> Default principal: gmazza at IC.AC.UK
>
> Valid starting Expires Service principal
> 16/06/16 14:00:04 17/06/16 00:00:04 krbtgt/IC.AC.UK at IC.AC.UK
> renew until 17/06/16 00:00:04, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 16/06/16 14:01:29 17/06/16 00:00:04 krbtgt/DOC.IC.AC.UK at IC.AC.UK
> renew until 17/06/16 00:00:04, Etype (skey, tkt): des-cbc-crc,
> des-cbc-md5
> 16/06/16 14:01:29 17/06/16 00:00:04
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK
> Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
>
> - it works the second time with the same command "ssh gmazza at futurama"
> gmazza2 at futurama:~$ export KRB5_TRACE=
> gmazza2 at futurama:~$ ssh gmazza at futurama uptime
> 14:02:58 up 21:31, 2 users, load average: 0.01, 0.05, 0.07
>
>
> Sorry for my long email.
> Hope my description makes sense.
>
> Cheers,
> Giuseppe
More information about the Kerberos
mailing list