[krbdev.mit.edu #7596] PKINIT should allow missing DH param Q

Reinhard Kugler via RT rt-comment at krbdev.mit.edu
Sat Mar 30 03:10:57 EDT 2013


> Ignore the above; it's probably wrong.  Instead, please try this patch
> in place of my previous patch:
>
>     https://github.com/tlyu/krb5/commit/dd93f6f41d98c31705cd081f5a11ffcd43da3540

Now the pkinit phase looks good, but I still get "bad username or
password" on the Windows client.
Eventvwr shows this error:
A Kerberos Error Message was received:
 on logon session p130 at kerberos.3ve.bmlv.at
 Client Time: 20:11:58.0000 10/17/2022 Z
 Server Time: 6:56:57.0000 3/30/2013 Z
 Error Code: 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
 Extended Error:
 Client Realm: kerberos.3ve.bmlv.at
 Client Name: p130
 Server Realm: kerberos.3ve.bmlv.at
 Server Name: krbtgt/kerberos.3ve.bmlv.at
 Target Name: krbtgt/kerberos.3ve.bmlv.at at kerberos.3ve.bmlv.at
 Error Text: PREAUTH_FAILED
 File: e
 Line: 9fe
 Error Data is in record data.

"Client Time" looks wrong, but the system time is set to 30.03.2013 08:10 UTC+1

On the network I see
AS-REQ
KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ
KRB Error: KDC_ERR_KEY_TOO_WEAK
AS-REQ
AS-REP

krbkdc -n:

pkinit_init_req_crypto: returning ctx at 0x1e2e2c0
pkinit_init_kdc_req_context: returning reqctx at 0x1e27010
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
client sent dh params with 1024 bits, we require 2048
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key
parameters not accepted)
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1e27010
pkinit_fini_req_crypto: freeing   ctx at 0x1e2e2c0
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1df1790 for realm
'kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1e2e7a0
pkinit_init_kdc_req_context: returning reqctx at 0x1e2ca90
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
good 2048 dhparams
pkinit_find_realm_context: returning context at 0x1df1790 for realm
'kerberos.3ve.bmlv.at'
pkinit_return_padata: entered!
KDC picked etype = 18
received DH key delivery AS REQ
building certificate chain
size of certificate chain = 2
cert #0: /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=dc.kerberos.3ve.bmlv.at
mech = FS
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1e2ca90
pkinit_fini_req_crypto: freeing   ctx at 0x1e2e7a0
^Cpkinit_fini_identity_crypto: freeing   ctx at 0x1e07640
pkinit_fini_plg_crypto: freeing context at 0x1e05e70
pkinit_server_plugin_fini: freeing   context at 0x1df1220
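The KDC log above shows the two decisions the server makes about the client's Diffie-Hellman parameters: it rejects a 1024-bit modulus against a 2048-bit minimum ("client sent dh params with 1024 bits, we require 2048"), and on the retry it checks whether p is one of the well-known groups before accepting it ("good 2048 dhparams"). The ticket itself concerns the q field of the X9.42 DomainParameters structure, which RFC 3279 lists as a mandatory INTEGER but which some clients omit. The following is an added, stand-alone illustration written for this page, not code from MIT krb5 or from anyone in the thread: a minimal DER decoder for DomainParameters that tolerates a missing q, plus a policy check that reproduces the shape of the KDC's verdicts. The minimum of 2048 bits is taken from the log; the `well_known` allow-list is supplied by the caller (the RFC 3526 primes are not embedded here), and all moduli used in the demonstration are constructed values, not real group primes.

```python
# Added example, not part of the krb5 thread or the MIT krb5 sources.
# DomainParameters ::= SEQUENCE { p INTEGER, g INTEGER, q INTEGER,
#                                 j INTEGER OPTIONAL, validationParms OPTIONAL }
# (RFC 3279 / X9.42). q is treated as optional here, matching the ticket.

MIN_DH_BITS = 2048  # the KDC in the log enforces "we require 2048"


def _der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """Encode a non-negative int as a DER INTEGER (pad with 0x00 if top bit set)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_sequence(*elems):
    body = b"".join(elems)
    return b"\x30" + _der_len(len(body)) + body


def encode_domain_parameters(p, g, q=None):
    """Build DomainParameters with or without q (used to construct test input)."""
    elems = [der_integer(p), der_integer(g)]
    if q is not None:
        elems.append(der_integer(q))
    return der_sequence(*elems)


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_domain_parameters(der):
    """Return {'p', 'g', 'q'}; q is None when the client omitted it.
    Trailing fields (j, validationParms) are ignored."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        fields.append((tag, val))
    if len(fields) < 2 or any(t != 0x02 for t, _ in fields[:2]):
        raise ValueError("p and g are mandatory INTEGERs")
    ints = [int.from_bytes(v, "big") for t, v in fields[:3] if t == 0x02]
    return {"p": ints[0], "g": ints[1], "q": ints[2] if len(ints) == 3 else None}


def check_dh_params(der, min_bits=MIN_DH_BITS, well_known=None):
    """Mirror the KDC's decision as (accepted, message).
    well_known: optional {modulus_int: 'group name'} allow-list from the caller."""
    try:
        params = decode_domain_parameters(der)
    except ValueError as e:
        return False, "bad dh parameters: %s" % e
    p, g, q = params["p"], params["g"], params["q"]
    bits = p.bit_length()
    if bits < min_bits:
        return False, "client sent dh params with %d bits, we require %d" % (bits, min_bits)
    if p % 2 == 0 or not (2 <= g <= p - 2):
        return False, "bad dh parameters: invalid p or g"
    if q is not None and (p - 1) % q != 0:
        return False, "bad dh parameters: q does not divide p-1"
    name = (well_known or {}).get(p)
    if name:
        return True, "p is well-known %s dhparameter" % name
    return True, "good %d dhparams (q %s)" % (bits, "present" if q is not None else "absent")


if __name__ == "__main__":
    # Constructed moduli (odd numbers of the right size, NOT real primes).
    weak_p = (1 << 1023) | 1
    ok_p = (1 << 2047) | 1
    print(check_dh_params(encode_domain_parameters(weak_p, 2)))
    print(check_dh_params(encode_domain_parameters(ok_p, 2)))            # q absent
    print(check_dh_params(encode_domain_parameters(ok_p, 2, 1 << 2046)))  # q present
    print(check_dh_params(encode_domain_parameters(ok_p, 2), well_known={ok_p: "group 14"}))
```

Run it as a script to see the three verdicts from the log reproduced on constructed input. The size check runs before anything else, so a client sending a short modulus is refused regardless of whether q is present, and the q test only applies when q was actually sent.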