OTP/FAST: MIT KDC <--> heimdal client integration

Oleksandr Yermolenko aae at sumix.com
Thu Nov 2 05:06:39 EDT 2017


Hi,

I have a strange (for me?) situation using MIT KDC together with a
Heimdal client, in a PKINIT/FAST scenario.

STEP 1:
client side: 

kinit --anonymous
klist -v
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
    Cache version: 4

Server: krbtgt/IDM.CRP@IDM.CRP
Client: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 273
Auth time:  Nov  2 10:30:45 2017
End time:   Nov  3 10:30:45 2017
Ticket flags: anonymous, enc-pa-rep, pre-authent, initial, forwardable
Addresses: addressless

MIT KDC side, krb5kdc.log:
Nov 02 09:43:41 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:67c:2X70:20X0:d5de:47fa:4de1:b0e7: ISSUE: authtime 1509612221, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@IDM.CRP for krbtgt/IDM.CRP@IDM.CRP

I guess everything is fine.

STEP 2:
client side:
kinit --cache=FILE:/tmp/krb5cc_1000 aae@IDM.CRP
aae@IDM.CRP's Password: passwordOTP
kinit: Password incorrect

KDC log:
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
... <cut 6 rows with the same content>
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:67c:2370:2080:d5de:47fa:4de1:b0e7: PREAUTH_FAILED: aae@IDM.CRP for krbtgt/IDM.CRP@IDM.CRP, Preauthentication failed

My thoughts: something wrong with etypes, DH size or ...
- set pkinit_dh_min_bits = 1024 on the server/client, because Heimdal
can't use MIT's default of 2048-bit DH
- tried allow_weak_crypto without success

Package versions: MIT 1.15.1 (CentOS 7, FreeIPA 4.5.0 bundle), Heimdal 7.1.0
(Debian 9 based); also tried 7.4 with the same result.

MIT KDC and MIT client in the same environment work well enough.

Thanks a lot for your time reading my long message, and for any ideas.

Oleksandr Yermolenko
network/systems engineer
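The two KDC log excerpts above show a sequence a defender may want to pick out automatically: an anonymous AS_REQ that is issued, followed shortly by repeated `encrypted_timestamp` verify failures and a `PREAUTH_FAILED` result for a real principal from the same address. The parser below is an added example for this thread, not code from MIT Kerberos, Heimdal or FreeIPA. Its regular expressions are an assumption derived from the exact line format quoted in the post and will need adjusting for other KDC log formats; the sample log is constructed from the quoted lines (the step 1 address is written out in the same form as the step 2 one). It parses each `AS_REQ` line into a record, attaches the preceding `preauth (...) verify failure` lines to it (the MIT KDC logs those for the same request just before the result line), names the offered etypes, and reports addresses that obtained an anonymous ticket and then hit `PREAUTH_FAILED`.

```python
"""Parse MIT krb5kdc.log AS_REQ lines and summarise pre-authentication outcomes.

Added example for this mailing-list thread, not code from MIT Kerberos,
Heimdal or FreeIPA. The regexes are an assumption based on the log lines
quoted in the post and match that line format only.
"""
import re

# Constructed sample log, modelled on the lines quoted in the post: the
# anonymous ISSUE of step 1, then the encrypted_timestamp failures of step 2.
SAMPLE_LOG = """\
Nov 02 09:43:41 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:67c:2370:2080:d5de:47fa:4de1:b0e7: ISSUE: authtime 1509612221, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@IDM.CRP for krbtgt/IDM.CRP@IDM.CRP
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:67c:2370:2080:d5de:47fa:4de1:b0e7: PREAUTH_FAILED: aae@IDM.CRP for krbtgt/IDM.CRP@IDM.CRP, Preauthentication failed
"""

# Kerberos encryption type numbers (IANA registry / RFC 3961, RFC 8009).
ETYPE_NAMES = {
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
# Legacy etypes that allow_weak_crypto-style settings re-enable; worth noticing
# when a client offers them.
WEAK_ETYPES = {16, 23}

TS = r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[\d+\]\(info\): "
AS_REQ_RE = re.compile(
    TS + r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PREAUTH_RE = re.compile(TS + r"preauth \((?P<mech>[^)]+)\) verify failure: (?P<reason>.*)$")
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>\S+)")


def parse_line(line):
    """Return a dict for an AS_REQ or preauth-failure line, else None."""
    m = AS_REQ_RE.match(line)
    if m:
        p = PRINC_RE.search(m.group("rest"))
        return {
            "kind": "as_req",
            "ts": m.group("ts"),
            "addr": m.group("addr"),
            "etypes": [int(e) for e in m.group("etypes").split()],
            "status": m.group("status"),
            "client": p.group("client") if p else None,
            # PREAUTH_FAILED lines carry a trailing comma after the server name
            "server": p.group("server").rstrip(",") if p else None,
        }
    m = PREAUTH_RE.match(line)
    if m:
        return {"kind": "preauth_failure", "ts": m.group("ts"),
                "mech": m.group("mech"), "reason": m.group("reason")}
    return None


def parse_log(text):
    """Return AS_REQ records; the verify-failure lines logged just before an
    AS_REQ result belong to that request and are attached as failed_mechs."""
    events, pending = [], []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "preauth_failure":
            pending.append(ev["mech"])
        else:
            ev["failed_mechs"] = pending
            pending = []
            events.append(ev)
    return events


def weak_etypes_offered(event):
    """Names of legacy etypes the client advertised in this AS_REQ."""
    return [ETYPE_NAMES.get(e, str(e)) for e in event["etypes"] if e in WEAK_ETYPES]


def failed_after_anonymous(events):
    """(addr, client, failure_count) for addresses that were issued an anonymous
    ticket and later got PREAUTH_FAILED: the sequence quoted in the post."""
    anon_addrs, hits = set(), []
    for ev in events:
        client = ev["client"] or ""
        if ev["status"] == "ISSUE" and client.startswith("WELLKNOWN/ANONYMOUS@"):
            anon_addrs.add(ev["addr"])
        elif ev["status"] == "PREAUTH_FAILED" and ev["addr"] in anon_addrs:
            hits.append((ev["addr"], client, len(ev["failed_mechs"])))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev["ts"], ev["status"], ev["client"], "failed mechs:", ev["failed_mechs"],
              "weak etypes offered:", weak_etypes_offered(ev))
    print("anonymous-then-PREAUTH_FAILED:", failed_after_anonymous(evs))
```

Run it against a real `krb5kdc.log` by replacing `SAMPLE_LOG` with the file contents; the `failed_mechs` list on the final record tells you which pre-authentication mechanism the KDC actually evaluated for the failing request, which is the first thing to compare against what the client was expected to send.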


More information about the Kerberos mailing list