[krbdev.mit.edu #7650] Issue following client referral from AD

Sumit Bose via RT rt-comment at krbdev.mit.edu
Fri May 31 03:10:18 EDT 2013


On Thu, May 30, 2013 at 11:42:24AM -0400, Greg Hudson via RT wrote:
> This is what we get for using in-out parameters.  Please test 
> https://github.com/greghudson/krb5/commits/usemaster (just the top 
> commit) to see if it solves your problem.  It's not easy for me to test 
> since we don't natively generate AS referrals.

Thanks Greg, works like a charm:

# KRB5_TRACE=/dev/stdout KRB5_CONFIG=./krb5.conf KRB5CCNAME=FILE:./bla.ccfile kinit -C -E Administrator at SUBDOM.SUB
[3265] 1369983085.77137: Getting initial credentials for Administrator\@SUBDOM.SUB at DOM1.FOO
[3265] 1369983085.77752: Sending request (210 bytes) to DOM1.FOO
[3265] 1369983085.80773: Resolving hostname ad1.dom1.foo.
[3265] 1369983085.83679: Sending initial UDP request to dgram 10.34.47.82:88
[3265] 1369983085.85482: Received answer from dgram 10.34.47.82:88
[3265] 1369983085.86999: Response was not from master KDC
[3265] 1369983085.87134: Received error from KDC: -1765328316/Realm not local to KDC
[3265] 1369983085.87217: Following referral to realm dom2.bar
[3265] 1369983085.87334: Sending request (210 bytes) to dom2.bar
[3265] 1369983085.88944: Resolving hostname ad2.dom2.bar.
[3265] 1369983085.98131: Sending initial UDP request to dgram 10.34.47.47:88
[3265] 1369983085.99132: Received answer from dgram 10.34.47.47:88
[3265] 1369983085.99970: Response was not from master KDC
[3265] 1369983085.100094: Received error from KDC: -1765328316/Realm not local to KDC
[3265] 1369983085.100165: Following referral to realm SUBDOM.SUB
[3265] 1369983085.100282: Sending request (214 bytes) to SUBDOM.SUB
[3265] 1369983085.102557: Resolving hostname adsub2.subdom.sub.
[3265] 1369983085.104183: Sending initial UDP request to dgram 10.34.47.53:88
[3265] 1369983085.106733: Received answer from dgram 10.34.47.53:88
[3265] 1369983085.112464: Response was not from master KDC
[3265] 1369983085.112584: Received error from KDC: -1765328359/Additional pre-authentication required
[3265] 1369983085.112695: Processing preauth types: 16, 15, 19, 2
[3265] 1369983085.112788: Selected etype info: etype rc4-hmac, salt "(null)", params ""
Password for Administrator\@SUBDOM.SUB at DOM1.FOO: 
[3265] 1369983091.646357: AS key obtained for encrypted timestamp: rc4-hmac/A4BB
[3265] 1369983091.646437: Encrypted timestamp (for 1369983091.646369): plain 301AA011180F32303133303533313036353133315AA105020309DCE1, encrypted E7518311C1387B2A152A40E6ECCB3E43F439383CFA1CFEF3F5EC3D5D55AAA34046237B41E4A64D0A29AE790F2F56EBDD38B5F2FE
[3265] 1369983091.646484: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Erfolg
[3265] 1369983091.646511: Produced preauth for next request: 2
[3265] 1369983091.646545: Sending request (290 bytes) to SUBDOM.SUB
[3265] 1369983091.648411: Resolving hostname adsub2.subdom.sub.
[3265] 1369983091.649530: Sending initial UDP request to dgram 10.34.47.53:88
[3265] 1369983091.651150: Received answer from dgram 10.34.47.53:88
[3265] 1369983091.652045: Response was not from master KDC
[3265] 1369983091.652150: Salt derived from principal: SUBDOM.SUBAdministrator
[3265] 1369983091.652240: AS key determined by preauth: rc4-hmac/A4BB
[3265] 1369983091.652358: Decrypted AS reply; session key is: aes256-cts/B3A4
[3265] 1369983091.652429: FAST negotiation: unavailable
[3265] 1369983091.652526: Initializing FILE:./bla.ccfile with default princ Administrator at SUBDOM.SUB
[3265] 1369983091.656741: Removing Administrator at SUBDOM.SUB -> krbtgt/SUBDOM.SUB at SUBDOM.SUB from FILE:./bla.ccfile
[3265] 1369983091.656833: Storing Administrator at SUBDOM.SUB -> krbtgt/SUBDOM.SUB at SUBDOM.SUB in FILE:./bla.ccfile


bye,
Sumit


