"Key table entry not found while getting initial credentials" + KRB5KDC_ERR_PREAUTH_REQUIRED

Igor Mammedov niallain at gmail.com
Wed May 14 08:23:46 EDT 2008


Arlene Berry wrote:
> Did anyone ever respond on this?  I'm guessing it's bug #2131 which I
> reported a long time ago and which has never been fixed.  Here's a link
> to my report: 
> http://mailman.mit.edu/pipermail/krb5-bugs/2004-January/002162.html. 
> Basically, the problem is that the MIT library doesn't look at what's
> actually available in the key table when choosing encryption types for
> preauthentication encryption type negotiation.  Note the encryption
> types in your AS-REQ.  That is a list of all of the types that the
> library says it can do in descending order of preference.  Somewhere in
> the KRB-ERROR token's e-data will be a reply as to which of those types
> the server can do.  The MIT library will choose one (it must be choosing
> rc4-hmac since that one works) and will then look for the chosen type in
> the key table.  If it's not there you get the error.  The types that the
> MIT library submits is determined by the krb5.conf default_tkt_enctypes
> option which defaults to all of the types the library is capable of
> doing.  You can change default_tkt_enctypes to ensure that des-cbc-md5
> is chosen but doing so will change things for all applications on the host.

Nope, nobody has responded on it yet.
I've tried the voodoo you suggested, and if I put des-cbc-md5 at the beginning of
the default_tkt_enctypes list, it works.
However, an ordinary user or admin will look for another solution instead of jumping
around krb5 stuff.

> 
>> Date: Wed, 2 Apr 2008 12:59:40 +0400
>> From: niallain at gmail.com
>> To: krb5-bugs at mit.edu
>> Subject: "Key table entry not found while getting initial credentials"
>> + KRB5KDC_ERR_PREAUTH_REQUIRED
>> CC: krbdev at mit.edu
>>
>> Hi folks,
>> Maybe I've found a bug in krb5 libs code.
>> Here is the thing:
>> When we store user password in keytab with des-cbc-md5 encryption
>>
>> with "addent -password -p TESTUSERNAME -k 1 -e des-cbc-md5"
>>
>> we receive error KRB5KDC_ERR_PREAUTH_REQUIRED from the server and
>> kinit says "Key table entry not found while getting initial credentials".
>>
>> Also note that in the dump of the client-server conversation there is no
>> field "padata" in the request.
>>
>> -------------- Incorrect case --------------------
>> User Datagram Protocol, Src Port: 46944 (46944), Dst Port: kerberos (88)
>> Kerberos AS-REQ
>> Pvno: 5
>> MSG Type: AS-REQ (10)
>> KDC_REQ_BODY
>> Padding: 0
>> KDCOptions: 40000010 (Forwardable, Renewable OK)
>> Client Name (Principal): TESTUSERNAME
>> Realm: MY.TEST.REALM
>> Server Name (Unknown): krbtgt/MY.TEST.REALM
>> from: 2008-04-02 07:56:30 (Z)
>> till: 2008-04-03 07:56:30 (Z)
>> Nonce: 1207122990
>> Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>
>> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 46944 (46944)
>> Kerberos KRB-ERROR
>> Pvno: 5
>> MSG Type: KRB-ERROR (30)
>> stime: 2008-04-02 07:55:18 (Z)
>> susec: 502936
>> error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
>> Realm: MY.TEST.REALM
>> Server Name (Unknown): krbtgt/MY.TEST.REALM
>> e-data
>>
>> However if we add entry into keytab this way:
>>
>> "addent -password -p TESTUSERNAME -k 1 -e rc4-hmac"
>>
>> Then client sends "padata" in the request and the server replies with
>> a valid TGT.
>>
>> So this is probably a bug in the client code (kinit or krb5 libs), if
>> it is not then
>> could someone clarify why it works this way?
>>
>> ------------- Normal case --------------------------
>>
>> User Datagram Protocol, Src Port: 41142 (41142), Dst Port: kerberos (88)
>> Kerberos AS-REQ
>> Pvno: 5
>> MSG Type: AS-REQ (10)
>> padata: PA-ENC-TIMESTAMP
>> Type: PA-ENC-TIMESTAMP (2)
>> Value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX... rc4-hmac
>> KDC_REQ_BODY
>> Padding: 0
>> KDCOptions: 40000010 (Forwardable, Renewable OK)
>> Client Name (Principal): TESTUSERNAME
>> Realm: MY.TEST.REALM
>> Server Name (Unknown): krbtgt/MY.TEST.REALM
>> from: 2008-04-02 08:05:01 (Z)
>> till: 2008-04-03 08:05:01 (Z)
>> Nonce: 1207123501
>> Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>
>> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 41142 (41142)
>> Kerberos AS-REP
>> Pvno: 5
>> MSG Type: AS-REP (11)
>> Client Realm: MY.TEST.REALM
>> Client Name (Principal): TESTUSERNAME
>> Ticket
>> enc-part rc4-hmac
>>
>> --
>>
>> Best regards,
>>
>> -------------------------
>> Igor Mammedov,
>> niallain "at" gmail.com
>>
> 


-- 

Best regards,

-------------------------
Igor Mammedov,
niallain "at" gmail.com
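A small model of the enctype negotiation Arlene describes above, added here as an illustration and not code from MIT krb5 or from this thread. It assumes, as a simplification, that the client takes the first entry of default_tkt_enctypes the KDC offered, and the KDC's e-data list is constructed, since the capture does not decode it.

```python
# Constructed model (not MIT krb5 code) of the preauth enctype selection
# the thread describes. Assumption: the client walks default_tkt_enctypes
# in order and takes the first type the KDC offered in its e-data.
RC4, DES3, DES_CRC, DES_MD5 = "rc4-hmac", "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"

# Order taken from the AS-REQ "Encryption Types" line in the capture.
DEFAULT_TKT_ENCTYPES = [RC4, DES3, DES_CRC, DES_MD5]
# Constructed contents of the KRB-ERROR e-data (PA-ETYPE-INFO): the types the
# KDC holds keys for. The capture does not decode e-data, so this is assumed.
KDC_ETYPE_INFO = [RC4, DES3, DES_MD5]


def choose_preauth_etype(client_pref, kdc_offered, keytab_etypes, keytab_aware):
    """Return the enctype used to encrypt PA-ENC-TIMESTAMP, or None.

    keytab_aware=False models the behaviour reported as bug #2131: the
    choice ignores the keytab, so the later key lookup can fail.
    keytab_aware=True models the fix argued for in the thread: only types
    that actually have a key in the keytab are candidates.
    """
    for et in client_pref:
        if et not in kdc_offered:
            continue
        if keytab_aware and et not in keytab_etypes:
            continue
        return et
    return None


def kinit_with_keytab(client_pref, kdc_offered, keytab_etypes, keytab_aware=False):
    """Simulate the AS exchange from the capture and return kinit's outcome."""
    # First AS-REQ carries no padata; KDC answers KRB5KDC_ERR_PREAUTH_REQUIRED.
    et = choose_preauth_etype(client_pref, kdc_offered, keytab_etypes, keytab_aware)
    if et is None or et not in keytab_etypes:
        # The message from the thread's "Incorrect case".
        return "Key table entry not found while getting initial credentials"
    # Second AS-REQ carries PA-ENC-TIMESTAMP under `et`; KDC returns AS-REP.
    return f"AS-REP: TGT obtained, padata encrypted with {et}"


def reorder_default_tkt_enctypes(client_pref, first):
    """The krb5.conf workaround: list the keytab's enctype first."""
    return [first] + [et for et in client_pref if et != first]


if __name__ == "__main__":
    print(kinit_with_keytab(DEFAULT_TKT_ENCTYPES, KDC_ETYPE_INFO, {DES_MD5}))
    print(kinit_with_keytab(DEFAULT_TKT_ENCTYPES, KDC_ETYPE_INFO, {DES_MD5}, keytab_aware=True))
```

The naive path reproduces the failure with a des-cbc-md5-only keytab; the keytab-aware path and the reordered default_tkt_enctypes both obtain a TGT.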