[krbdev.mit.edu #8837] kprop replication does not work due to wrong DNS domain handling
Ingo via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Wed Oct 2 13:49:16 EDT 2019
Wed Oct 02 13:49:16 2019: Request 8837 was acted upon.
Transaction: Ticket created by Ingo at Hoeft-online.de
Queue: krb5
Subject: kprop replication does not work due to wrong DNS domain handling
Owner: Nobody
Requestors: Ingo at Hoeft-online.de
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8837 >
Hello,
it seems I encountered a bug with krb5-1.17 using replication with kprop, or I do not understand what's going on. I followed the setup given at https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html on Raspbian Buster (flavor of Debian 10, compiled for ARM processor). If I try to initial replicate the database I get the error message:
/usr/sbin/kprop: Key table entry not found while getting initial credentials
I have checked it of course:
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
6 host/kdc10-1.example.com at EXAMPLE.COM (aes256-cts-hmac-sha1-96)
6 host/kdc10-1.example.com at EXAMPLE.COM (aes128-cts-hmac-sha1-96)
Using trace logging I get:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[1994] 1570019063.835325: Getting initial credentials for host/kdc10-1 at EXAMPLE.COM
[1994] 1570019063.835326: Setting initial creds service to host/kdc10-2.example.com
[1994] 1570019063.835327: Looked up etypes in keytab: (empty)
[1994] 1570019063.835328: Getting initial credentials for host/kdc10-1 at EXAMPLE.COM
[1994] 1570019063.835329: Setting initial creds service to host/kdc10-2.example.com
[1994] 1570019063.835330: Looked up etypes in keytab: (empty)
/usr/sbin/kprop: Key table entry not found while getting initial credentials
The problem I see is in the first line:
Getting initial credentials for host/kdc10-1 at EXAMPLE.COM
There is the DNS domain 'example.com' missed.
I verified it on my old installation with krb5-1.10:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[21367] 1570019913.30940: Initializing FILE:/tmp/kproptkteNiiOa with default princ host/kdc-old.example.com at EXAMPLE.COM
[21367] 1570019913.35969: Getting initial credentials for host/kdc-old.example.com at EXAMPLE.COM
[21367] 1570019913.37953: Setting initial creds service to host/kdc10-2.example.com at EXAMPLE.COM
[21367] 1570019913.38957: Sending request (235 bytes) to EXAMPLE.COM
[21367] 1570019913.39829: Resolving hostname kdc-old.example.com
[21367] 1570019913.40982: Sending initial UDP request to dgram 127.0.1.1:88
[21367] 1570019913.42912: Received answer from dgram 127.0.1.1:88
[21367] 1570019913.46078: Response was not from master KDC
[21367] 1570019913.46888: Received error from KDC: -1765328378/Client not found in Kerberos database
/usr/sbin/kprop: Client not found in Kerberos database while getting initial ticket
[21367] 1570019913.50158: Destroying ccache FILE:/tmp/kproptkteNiiOa
Of course the environment does not match but as seen in the second line I get settings with domain part:
Getting initial credentials for host/kdc-old.example.com at EXAMPLE.COM
I have tried many options in /etc/krb5.conf but wasn't able to force kprop to ask for initial credentials with DNS domain. Therefore I added the host without DNS domain to '/etc/krb5.keytab':
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/kdc10-1 at EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 host/kdc10-1 at EXAMPLE.COM (aes128-cts-hmac-sha1-96)
6 host/kdc10-1.example.com at EXAMPLE.COM (aes256-cts-hmac-sha1-96)
6 host/kdc10-1.example.com at EXAMPLE.COM (aes128-cts-hmac-sha1-96)
Now I get:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[2074] 1570021982.74607: Getting initial credentials for host/kdc10-1 at EXAMPLE.COM
[2074] 1570021982.74608: Setting initial creds service to host/kdc10-2.example.com
[2074] 1570021982.74609: Looked up etypes in keytab: aes256-cts, aes128-cts
[2074] 1570021982.74611: Sending unauthenticated request
[2074] 1570021982.74612: Sending request (215 bytes) to EXAMPLE.COM
[2074] 1570021982.74613: Resolving hostname kdc10-1.example.com
[2074] 1570021982.74614: Sending initial UDP request to dgram 192.168.10.9:88
[2074] 1570021982.74615: Received answer (291 bytes) from dgram 192.168.10.9:88
[2074] 1570021982.74616: Response was from master KDC
[2074] 1570021982.74617: Received error from KDC: -1765328359/Additional pre-authentication required
[2074] 1570021982.74620: Preauthenticating using KDC method data
--- snip ---
[2074] 1570021982.74641: Creating authenticator for host/kdc10-1 at EXAMPLE.COM -> host/kdc10-2.example.com at EXAMPLE.COM, seqnum 1056356820, subkey (null), session key aes256-cts/AB97
/usr/sbin/kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
/usr/sbin/kprop: Service key not available signalled from server
Error text from server: Service key not available
On the replica KDC I get:
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 host/kdc10-2.example.com at EXAMPLE.COM (aes256-cts-hmac-sha1-96)
4 host/kdc10-2.example.com at EXAMPLE.COM (aes128-cts-hmac-sha1-96)
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kpropd -d
ready
waiting for a kprop connection
Connection from kdc10-1.example.com
krb5_recvauth(5, kprop5_01, host/kdc10-2 at EXAMPLE.COM, ...)
[2284] 1570023908.773042: Retrieving host/kdc10-2 at EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 4, enctype aes256-cts) with result: -1765328203/No key table entry found for host/kdc10-2 at EXAMPLE.COM
[2284] 1570023908.773043: Failed to decrypt AP-REQ ticket: -1765328339/No key table entry found for host/kdc10-2 at EXAMPLE.COM
Database load process for full propagation completed.
waiting for a kprop connection
Same as on the master KDC: no DNS domain for the host. I also added the host credential without domain to '/etc/krb5.keytab' on the replica KDC:
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 host/kdc10-2.example.com at EXAMPLE.COM (aes256-cts-hmac-sha1-96)
4 host/kdc10-2.example.com at EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 host/kdc10-2 at EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 host/kdc10-2 at EXAMPLE.COM (aes128-cts-hmac-sha1-96)
Now I get on the master KDC:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[2179] 1570024342.29886: Getting initial credentials for host/kdc10-1 at EXAMPLE.COM
[2179] 1570024342.29887: Setting initial creds service to host/kdc10-2.example.com
[2179] 1570024342.29888: Looked up etypes in keytab: aes256-cts, aes128-cts
[2179] 1570024342.29890: Sending unauthenticated request
[2179] 1570024342.29891: Sending request (215 bytes) to EXAMPLE.COM
[2179] 1570024342.29892: Resolving hostname kdc10-1.example.com
[2179] 1570024342.29893: Sending initial UDP request to dgram 192.168.10.9:88
[2179] 1570024342.29894: Received answer (291 bytes) from dgram 192.168.10.9:88
[2179] 1570024342.29895: Response was from master KDC
[2179] 1570024342.29896: Received error from KDC: -1765328359/Additional pre-authentication required
[2179] 1570024342.29899: Preauthenticating using KDC method data
--- snip ---
[2179] 1570024342.29920: Creating authenticator for host/kdc10-1 at EXAMPLE.COM -> host/kdc10-2.example.com at EXAMPLE.COM, seqnum 201407404, subkey (null), session key aes256-cts/1D24
/usr/sbin/kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
/usr/sbin/kprop: The ticket isn't for us signalled from server
Error text from server: The ticket isn't for us
And the replica KDC gives me:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kpropd -d
ready
waiting for a kprop connection
Connection from kdc10-1.example.com
krb5_recvauth(5, kprop5_01, host/kdc10-2 at EXAMPLE.COM, ...)
[2339] 1570024342.92319: Retrieving host/kdc10-2 at EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 4, enctype aes256-cts) with result: -1765328154/Key version number for principal in key table is incorrect
[2339] 1570024342.92320: Failed to decrypt AP-REQ ticket: -1765328349/Cannot find key for host/kdc10-2 at EXAMPLE.COM kvno 4 in keytab (request ticket server host/kdc10-2.example.com at EXAMPLE.COM)
Database load process for full propagation completed.
waiting for a kprop connection
Here in find that the replica host is addressed with
host/kdc10-2 at EXAMPLE.COM but the ticket is encrypted for
host/kdc10-2.example.com at EXAMPLE.COM
The only workaround I have found is to set in '/etc/krb5.conf':
ignore_acceptor_hostname = true
But I do not want this week configuration. What I have to do to avoid this setting? What I'm missing with the DNS domain name for the hosts? DNS forward and reverse resolution is checked for all hosts.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krb5-bugs/attachments/20191002/ff46466a/attachment.bin
More information about the krb5-bugs
mailing list