PKINIT anonymous with armor cache fails on MIT server and heimdal client


PKINIT anonymous with armor cache fails on MIT server and heimdal client

Diogenes S. Jesus
My setup is one MIT server and one Heimdal client.
While trying to use an armor cache with the Heimdal client:

Macintosh:~ splash$ kinit --anonymous
Macintosh:~ splash$ klist -A
Credentials cache: API:F4CE5CCF-9BC5-44C8-B2F5-9A2A29C88A2D
        Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

  Issued                Expires               Principal
Apr  7 23:59:52 2016  Apr  8 09:59:52 2016  krbtgt/[hidden email]


Macintosh:~ splash$ KRB5_TRACE=/dev/stdout kinit --fast-armor-cache=API:F4CE5CCF-9BC5-44C8-B2F5-9A2A29C88A2D [hidden email]
2016-04-08T00:00:13 set-error: -1765328242: Reached end of credential caches
2016-04-08T00:00:13 set-error: -1765328243: Principal [hidden email] not found in any credential cache
2016-04-08T00:00:13 set-error: -1765328243: Did not find credential for krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS in cache API:F4CE5CCF-9BC5-44C8-B2F5-9A2A29C88A2D
2016-04-08T00:00:13 set-error: -1765328243: Matching credential (krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS) not found
kinit: krb5_init_creds_set_fast_ccache: Matching credential (krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS) not found
Macintosh:~ splash$ 


However, the same steps on the MIT client work fine:

ubuntu@uservm-test:~$ klist -A
ubuntu@uservm-test:~$ kinit -n
ubuntu@uservm-test:~$ klist -A
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting     Expires            Service principal
04/07/16 22:11:25  04/08/16 08:11:25  krbtgt/[hidden email]
renew until 04/08/16 22:11:25
ubuntu@uservm-test:~$ KRB5_TRACE=/dev/stdout kinit -T /tmp/krb5cc_1000 d_santos
[4513] 1460067090.345908: Getting initial credentials for [hidden email]
[4513] 1460067090.350315: FAST armor ccache: /tmp/krb5cc_1000
[4513] 1460067090.350459: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF: from FILE:/tmp/krb5cc_1000 with result: 0/Success
[4513] 1460067090.350482: Read config in FILE:/tmp/krb5cc_1000 for krbtgt/[hidden email]: fast_avail: yes
[4513] 1460067090.350496: Using FAST due to armor ccache negotiation result
[4513] 1460067090.350524: Getting credentials WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/[hidden email] using ccache FILE:/tmp/krb5cc_1000
[4513] 1460067090.350601: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/[hidden email] from FILE:/tmp/krb5cc_1000 with result: 0/Success
[4513] 1460067090.350709: Armor ccache sesion key: aes256-cts/0DB9
[4513] 1460067090.350789: Creating authenticator for WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/[hidden email], seqnum 0, subkey aes256-cts/5902, session key aes256-cts/0DB9
[4513] 1460067090.350984: FAST armor key: aes256-cts/834F
[4513] 1460067090.351053: Encoding request body and padata into FAST request
[4513] 1460067090.351148: Sending request (955 bytes) to REALM.COM
[4513] 1460067090.351213: Resolving hostname kdc01.realm.com
[4513] 1460067090.353595: Sending initial UDP request to dgram 10.10.0.4:88
[4513] 1460067090.360897: Received answer (601 bytes) from dgram 10.10.0.4:88
[4513] 1460067090.362748: Response was not from master KDC
[4513] 1460067090.362884: Received error from KDC: -1765328359/Additional pre-authentication required
[4513] 1460067090.362965: Decoding FAST response
[4513] 1460067090.363132: Processing preauth types: 16, 15, 14, 136, 147, 141, 133, 137
[4513] 1460067090.363213: Received cookie: MIT
[4513] 1460067090.363304: PKINIT client has no configured identity; giving up
[4513] 1460067090.363415: Preauth module pkinit (147) (info) returned: 0/Success
[4513] 1460067090.363498: PKINIT client has no configured identity; giving up
[4513] 1460067090.363564: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[4513] 1460067090.363641: PKINIT client has no configured identity; giving up
[4513] 1460067090.363705: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[4513] 1460067090.364498: PKINIT client has no configured identity; giving up
[4513] 1460067090.364579: Preauth module pkinit (14) (real) returned: 22/Invalid argument
Enter OTP Token Value: 
[4513] 1460067103.336774: Preauth module otp (141) (real) returned: 0/Success
[4513] 1460067103.336923: Produced preauth for next request: 133, 142
[4513] 1460067103.337028: Encoding request body and padata into FAST request
[4513] 1460067103.337243: Sending request (1096 bytes) to REALM.COM
[4513] 1460067103.337412: Resolving hostname kdc01.realm.com
[4513] 1460067103.339839: Sending initial UDP request to dgram 10.10.0.4:88
[4513] 1460067103.490579: Received answer (934 bytes) from dgram 10.10.0.4:88
[4513] 1460067103.493242: Response was not from master KDC
[4513] 1460067103.493420: Decoding FAST response
[4513] 1460067103.493631: Processing preauth types: (empty)
[4513] 1460067103.493757: Produced preauth for next request: (empty)
[4513] 1460067103.493854: Salt derived from principal: REALM.COMd_santos
[4513] 1460067103.493993: AS key determined by preauth: aes256-cts/834F
[4513] 1460067103.494118: FAST reply key: aes256-cts/44BA
[4513] 1460067103.494244: Decrypted AS reply; session key is: aes256-cts/F0D6
[4513] 1460067103.494355: FAST negotiation: available
[4513] 1460067103.494449: Initializing FILE:/tmp/krb5cc_1000 with default princ [hidden email]
[4513] 1460067103.494831: Removing [hidden email] -> krbtgt/[hidden email] from FILE:/tmp/krb5cc_1000
[4513] 1460067103.494942: Storing [hidden email] -> krbtgt/[hidden email] in FILE:/tmp/krb5cc_1000
[4513] 1460067103.495122: Storing config in FILE:/tmp/krb5cc_1000 for krbtgt/[hidden email]: fast_avail: yes
[4513] 1460067103.495233: Removing [hidden email] -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF: from FILE:/tmp/krb5cc_1000
[4513] 1460067103.495317: Storing [hidden email] -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF: in FILE:/tmp/krb5cc_1000
[4513] 1460067103.495482: Storing config in FILE:/tmp/krb5cc_1000 for krbtgt/[hidden email]: pa_type: 141
[4513] 1460067103.495585: Removing [hidden email] -> krb5_ccache_conf_data/pa_type/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF: from FILE:/tmp/krb5cc_1000
[4513] 1460067103.495664: Storing [hidden email] -> krb5_ccache_conf_data/pa_type/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF: in FILE:/tmp/krb5cc_1000
ubuntu@uservm-test:~$ klist -a
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [hidden email]

Valid starting     Expires            Service principal
04/07/16 22:11:46  04/08/16 08:11:46  krbtgt/[hidden email]
renew until 04/08/16 22:11:33
Addresses: (none)
ubuntu@uservm-test:~$ 



Any clue on why this is happening?

Thanks

--

--------

Diogenes S. de Jesus
Security+, CEH
+421 902179163
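The MIT trace above is the useful half of the comparison: it shows which armor ccache was picked up, that FAST was actually negotiated, which preauth types the KDC offered, and which module finally authenticated. As an added example (not code from the thread), the script below pulls exactly those fields out of a KRB5_TRACE capture; SAMPLE_TRACE is constructed to match the shape of the trace above, with the principal and realm as placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: summarize an MIT krb5 KRB5_TRACE
# capture of a FAST-armored kinit, extracting the fields to check first when
# an armor-cache login misbehaves. SAMPLE_TRACE is constructed to match the
# shape of the trace in the thread; the principal and realm are placeholders.

SAMPLE_TRACE='[4513] 1460067090.345908: Getting initial credentials for d_santos@REALM.COM
[4513] 1460067090.350315: FAST armor ccache: /tmp/krb5cc_1000
[4513] 1460067090.350496: Using FAST due to armor ccache negotiation result
[4513] 1460067090.362884: Received error from KDC: -1765328359/Additional pre-authentication required
[4513] 1460067090.363132: Processing preauth types: 16, 15, 14, 136, 147, 141, 133, 137
[4513] 1460067090.363304: PKINIT client has no configured identity; giving up
[4513] 1460067090.363415: Preauth module pkinit (147) (info) returned: 0/Success
[4513] 1460067090.363564: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[4513] 1460067103.336774: Preauth module otp (141) (real) returned: 0/Success
[4513] 1460067103.494355: FAST negotiation: available
[4513] 1460067103.495482: Storing config in FILE:/tmp/krb5cc_1000 for krbtgt/REALM.COM@REALM.COM: pa_type: 141'

# Armor ccache the library picked up, or "none" when no armor was used.
trace_armor_ccache() {
    printf '%s\n' "$1" | sed -n 's/.*FAST armor ccache: //p' | head -n 1 | grep . || echo none
}

# "yes" when the client actually wrapped the exchange in FAST, else "no".
trace_fast_used() {
    if printf '%s\n' "$1" | grep -q 'Using FAST'; then echo yes; else echo no; fi
}

# Preauth types the KDC offered in its first reply (comma-separated).
trace_preauth_offered() {
    printf '%s\n' "$1" | sed -n 's/.*Processing preauth types: //p' | head -n 1 | grep . || echo none
}

# First "real" preauth module that returned success, as "name (type)".
# Only (real) modules count; (info) modules such as pkinit 147 never authenticate.
trace_winning_module() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Preauth module \([a-z0-9_]*\) (\([0-9]*\)) (real) returned: 0\/Success.*/\1 (\2)/p' \
      | head -n 1 | grep . || echo none
}

# How often PKINIT gave up for lack of a client identity. Nonzero is expected
# on a host with no client certificate configured and is harmless as long as
# another module succeeds.
trace_pkinit_giveups() {
    printf '%s\n' "$1" | grep -c 'PKINIT client has no configured identity' || true
}

# pa_type the library recorded in the ccache for the next login (141 = OTP).
trace_stored_pa_type() {
    printf '%s\n' "$1" | sed -n 's/.*: pa_type: \([0-9]*\)$/\1/p' | head -n 1 | grep . || echo none
}

# One-screen summary of a trace; each line answers one diagnostic question.
summarize_trace() {
    echo "armor ccache:     $(trace_armor_ccache "$1")"
    echo "FAST used:        $(trace_fast_used "$1")"
    echo "preauth offered:  $(trace_preauth_offered "$1")"
    echo "winning module:   $(trace_winning_module "$1")"
    echo "pkinit give-ups:  $(trace_pkinit_giveups "$1")"
    echo "stored pa_type:   $(trace_stored_pa_type "$1")"
}

summarize_trace "$SAMPLE_TRACE"
```

Feed it a real capture with `summarize_trace "$(KRB5_TRACE=/dev/stdout kinit -T /tmp/krb5cc_1000 user 2>&1)"`. An "armor ccache: none" or "FAST used: no" line from a kinit that was given an armor cache is the first thing to chase; a nonzero PKINIT give-up count with a winning module present is normal.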

Re: PKINIT anonymous with armor cache fails on MIT server and heimdal client

Henry B Hotz

> On Apr 7, 2016, at 3:16 PM, Diogenes S. Jesus <[hidden email]> wrote:
>
> My setup is one MIT server and one Heimdal client.
> While trying to use an armor cache with the Heimdal client:

Versions?

Personal: [hidden email]
Business: [hidden email]
https://www.linkedin.com/in/hbhotz/


Re: PKINIT anonymous with armor cache fails on MIT server and heimdal client

Diogenes S. Jesus

Right, minor detail missing :)


The KDC:

ubuntu@kdc01:~$ dpkg -l | grep krb5
ii  krb5-admin-server                1.12+dfsg-2ubuntu5.2             amd64        MIT Kerberos master server (kadmind)
ii  krb5-config                      2.3                              all          Configuration files for Kerberos Version 5
ii  krb5-kdc                         1.12+dfsg-2ubuntu5.2             amd64        MIT Kerberos key server (KDC)
ii  krb5-kdc-ldap                    1.12+dfsg-2ubuntu5.2             amd64        MIT Kerberos key server (KDC) LDAP plugin
ii  krb5-locales                     1.12+dfsg-2ubuntu4.2             all          Internationalization support for MIT Kerberos
ii  krb5-otp:amd64                   1.12+dfsg-2ubuntu5.2             amd64        OTP plugin for MIT Kerberos
ii  krb5-pkinit:amd64                1.12+dfsg-2ubuntu5.2             amd64        PKINIT plugin for MIT Kerberos
ii  krb5-user                        1.12+dfsg-2ubuntu5.2             amd64        Basic programs to authenticate using MIT Kerberos
ii  libgssapi-krb5-2:amd64           1.12+dfsg-2ubuntu5.2             amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64         1.6~git20131207+dfsg-1ubuntu1    amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                  1.12+dfsg-2ubuntu5.2             amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64            1.12+dfsg-2ubuntu5.2             amd64        MIT Kerberos runtime libraries - Support library



The OSX client:

Macintosh:~ splash$ kinit --version
kinit (Heimdal 1.5.1apple1)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to [hidden email]


The MIT client:

ubuntu@uservm-test:~$ dpkg -l | grep krb5
ii  krb5-config                       2.3                            all          Configuration files for Kerberos Version 5
ii  krb5-locales                      1.12+dfsg-2ubuntu4.2           all          Internationalization support for MIT Kerberos
ii  krb5-otp:amd64                    1.12+dfsg-2ubuntu5.2           amd64        OTP plugin for MIT Kerberos
ii  krb5-pkinit:amd64                 1.12+dfsg-2ubuntu5.2           amd64        PKINIT plugin for MIT Kerberos
ii  krb5-user                         1.12+dfsg-2ubuntu5.2           amd64        Basic programs to authenticate using MIT Kerberos
ii  libgssapi-krb5-2:amd64            1.12+dfsg-2ubuntu5.2           amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64          1.6~git20131207+dfsg-1ubuntu1  amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                   1.12+dfsg-2ubuntu5.2           amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64             1.12+dfsg-2ubuntu5.2           amd64        MIT Kerberos runtime libraries - Support library
ii  sssd-krb5                         1.11.5-1ubuntu3                amd64        System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common                  1.11.5-1ubuntu3                amd64        System Security Services Daemon -- Kerberos helpers



On Fri, Apr 8, 2016 at 12:30 AM, Henry B (Hank) Hotz, CISSP <[hidden email]> wrote:
>
>> On Apr 7, 2016, at 3:16 PM, Diogenes S. Jesus <[hidden email]> wrote:
>>
>> My setup is one MIT server and one Heimdal client.
>> While trying to use an armor cache with the Heimdal client:
>
> Versions?
>
> Personal: [hidden email]
> Business: [hidden email]
> https://www.linkedin.com/in/hbhotz/




Re: PKINIT anonymous with armor cache fails on MIT server and heimdal client

Benjamin Kaduk-2
In reply to this post by Diogenes S. Jesus
On Thu, 7 Apr 2016, Diogenes S. Jesus wrote:

> My setup is one MIT server and one Heimdal client.
> While trying to use an armor cache with the Heimdal client:
>
> Macintosh:~ splash$ kinit --anonymous
> Macintosh:~ splash$ klist -A
> Credentials cache: API:F4CE5CCF-9BC5-44C8-B2F5-9A2A29C88A2D
>         Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>
>   Issued                Expires               Principal
> Apr  7 23:59:52 2016  Apr  8 09:59:52 2016  krbtgt/[hidden email]
>
>
> Macintosh:~ splash$ KRB5_TRACE=/dev/stdout kinit
> --fast-armor-cache=API:F4CE5CCF-9BC5-44C8-B2F5-9A2A29C88A2D
> [hidden email]
> 2016-04-08T00:00:13 set-error: -1765328242: Reached end of credential caches
> 2016-04-08T00:00:13 set-error: -1765328243: Principal [hidden email]
> not found in any credential cache
> 2016-04-08T00:00:13 set-error: -1765328243: Did not find credential for
> krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS in cache
> API:F4CE5CCF-9BC5-44C8-B2F5-9A2A29C88A2D
> 2016-04-08T00:00:13 set-error: -1765328243: Matching credential
> (krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS) not found
> kinit: krb5_init_creds_set_fast_ccache: Matching credential
> (krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS) not found
> Macintosh:~ splash$

I am somewhat skeptical that this is actually a heimdal client being used,
since I have a mac kinit that reports as Heimdal 1.5.1apple1 copyright
1995-2011, that produces no output with KRB5_TRACE -- I thought only MIT
krb5 implemented KRB5_TRACE support.  Please try again with /usr/bin/kinit
and also provide the 'type kinit' output.  This data seems consistent with
a scenario where you have krb5 installed from fink/macports/etc.  That
krb5 could potentially be an older version that does not understand the
API: cache type, or maybe it's just that MIT krb5's idea of the default
cache is not the API cache, and the full collection is not searched in the
kinit case in question.

-Ben


> However, the same steps on the MIT client work fine:
>
> ubuntu@uservm-test:~$ klist -A
> ubuntu@uservm-test:~$ kinit -n
> ubuntu@uservm-test:~$ klist -A
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>
> Valid starting     Expires            Service principal
> 04/07/16 22:11:25  04/08/16 08:11:25  krbtgt/[hidden email]
> renew until 04/08/16 22:11:25
> ubuntu@uservm-test:~$ KRB5_TRACE=/dev/stdout kinit -T /tmp/krb5cc_1000
> d_santos
> [4513] 1460067090.345908: Getting initial credentials for [hidden email]
> [4513] 1460067090.350315: FAST armor ccache: /tmp/krb5cc_1000
> [4513] 1460067090.350459: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
> -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF:
> from FILE:/tmp/krb5cc_1000 with result: 0/Success
> [4513] 1460067090.350482: Read config in FILE:/tmp/krb5cc_1000 for krbtgt/
> [hidden email]: fast_avail: yes
> [4513] 1460067090.350496: Using FAST due to armor ccache negotiation result
> [4513] 1460067090.350524: Getting credentials
> WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
> -> krbtgt/[hidden email] using ccache FILE:/tmp/krb5cc_1000
> [4513] 1460067090.350601: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
> -> krbtgt/[hidden email] from FILE:/tmp/krb5cc_1000 with result:
> 0/Success
> [4513] 1460067090.350709: Armor ccache sesion key: aes256-cts/0DB9
> [4513] 1460067090.350789: Creating authenticator for
> WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/[hidden email],
> seqnum 0, subkey aes256-cts/5902, session key aes256-cts/0DB9
> [4513] 1460067090.350984: FAST armor key: aes256-cts/834F
> [4513] 1460067090.351053: Encoding request body and padata into FAST request
> [4513] 1460067090.351148: Sending request (955 bytes) to REALM.COM
> [4513] 1460067090.351213: Resolving hostname kdc01.realm.com
> [4513] 1460067090.353595: Sending initial UDP request to dgram 10.10.0.4:88
> [4513] 1460067090.360897: Received answer (601 bytes) from dgram
> 10.10.0.4:88
> [4513] 1460067090.362748: Response was not from master KDC
> [4513] 1460067090.362884: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [4513] 1460067090.362965: Decoding FAST response
> [4513] 1460067090.363132: Processing preauth types: 16, 15, 14, 136, 147,
> 141, 133, 137
> [4513] 1460067090.363213: Received cookie: MIT
> [4513] 1460067090.363304: PKINIT client has no configured identity; giving
> up
> [4513] 1460067090.363415: Preauth module pkinit (147) (info) returned:
> 0/Success
> [4513] 1460067090.363498: PKINIT client has no configured identity; giving
> up
> [4513] 1460067090.363564: Preauth module pkinit (16) (real) returned:
> 22/Invalid argument
> [4513] 1460067090.363641: PKINIT client has no configured identity; giving
> up
> [4513] 1460067090.363705: Preauth module pkinit (14) (real) returned:
> 22/Invalid argument
> [4513] 1460067090.364498: PKINIT client has no configured identity; giving
> up
> [4513] 1460067090.364579: Preauth module pkinit (14) (real) returned:
> 22/Invalid argument
> Enter OTP Token Value:
> [4513] 1460067103.336774: Preauth module otp (141) (real) returned:
> 0/Success
> [4513] 1460067103.336923: Produced preauth for next request: 133, 142
> [4513] 1460067103.337028: Encoding request body and padata into FAST request
> [4513] 1460067103.337243: Sending request (1096 bytes) to REALM.COM
> [4513] 1460067103.337412: Resolving hostname kdc01.realm.com
> [4513] 1460067103.339839: Sending initial UDP request to dgram 10.10.0.4:88
> [4513] 1460067103.490579: Received answer (934 bytes) from dgram
> 10.10.0.4:88
> [4513] 1460067103.493242: Response was not from master KDC
> [4513] 1460067103.493420: Decoding FAST response
> [4513] 1460067103.493631: Processing preauth types: (empty)
> [4513] 1460067103.493757: Produced preauth for next request: (empty)
> [4513] 1460067103.493854: Salt derived from principal: REALM.COMd_santos
> [4513] 1460067103.493993: AS key determined by preauth: aes256-cts/834F
> [4513] 1460067103.494118: FAST reply key: aes256-cts/44BA
> [4513] 1460067103.494244: Decrypted AS reply; session key is:
> aes256-cts/F0D6
> [4513] 1460067103.494355: FAST negotiation: available
> [4513] 1460067103.494449: Initializing FILE:/tmp/krb5cc_1000 with default
> princ [hidden email]
> [4513] 1460067103.494831: Removing [hidden email] -> krbtgt/
> [hidden email] from FILE:/tmp/krb5cc_1000
> [4513] 1460067103.494942: Storing [hidden email] -> krbtgt/
> [hidden email] in FILE:/tmp/krb5cc_1000
> [4513] 1460067103.495122: Storing config in FILE:/tmp/krb5cc_1000 for
> krbtgt/[hidden email]: fast_avail: yes
> [4513] 1460067103.495233: Removing [hidden email] ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF:
> from FILE:/tmp/krb5cc_1000
> [4513] 1460067103.495317: Storing [hidden email] ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF:
> in FILE:/tmp/krb5cc_1000
> [4513] 1460067103.495482: Storing config in FILE:/tmp/krb5cc_1000 for
> krbtgt/[hidden email]: pa_type: 141
> [4513] 1460067103.495585: Removing [hidden email] ->
> krb5_ccache_conf_data/pa_type/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF:
> from FILE:/tmp/krb5cc_1000
> [4513] 1460067103.495664: Storing [hidden email] ->
> krb5_ccache_conf_data/pa_type/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF: in
> FILE:/tmp/krb5cc_1000
> ubuntu@uservm-test:~$ klist -a
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: [hidden email]
>
> Valid starting     Expires            Service principal
> 04/07/16 22:11:46  04/08/16 08:11:46  krbtgt/[hidden email]
> renew until 04/08/16 22:11:33
> Addresses: (none)
> ubuntu@uservm-test:~$
>
>
>
> Any clue on why this is happening?
>
> Thanks
>
> --
>
> --------
>
> Diogenes S. de Jesus
> Security+, CEH
> +421 902179163
>

Re: PKINIT anonymous with armor cache fails on MIT server and heimdal client

Diogenes S. Jesus
@Benjamin that's interesting, are you sure? Because:

Macintosh:~ splash$ /usr/bin/kinit --version
kinit (Heimdal 1.5.1apple1)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to [hidden email]

Macintosh:~ splash$ which kinit
/usr/bin/kinit
Macintosh:~ splash$

Macintosh:~ splash$ type kinit
kinit is /usr/bin/kinit
Macintosh:~ splash$

Macintosh:~ splash$ strings /usr/bin/kinit | grep -i mit
Macintosh:~ splash$

This Mac has never seen fink/macports.


Also, note that the anonymous request used --anonymous (Heimdal) and not -n (MIT). If I use -n, kinit prints its usage message (expected, since it's not MIT):

Macintosh:~ splash$ kinit -n
Usage: : kinit [-fpRkvAaV] [--afslog] [--cache=cachename] [-c cachename] [--forwardable] [--keytab=keytabname] [-t keytabname] [--lifetime=time] [-l time] [--proxiable] [--renew] [--renewable]
   [--renewable-life=time] [-r time] [--server=principal] [-S principal] [--start-time=time] [-s time] [--kdc-hostname=hostname] [--use-keytab] [--validate] [--enctypes=enctypes]... [-e enctypes]...
......< cut >....



- Dio


On Fri, Apr 8, 2016 at 11:09 PM, Benjamin Kaduk <[hidden email]> wrote:
> On Thu, 7 Apr 2016, Diogenes S. Jesus wrote:
>
>> My setup is one MIT server and one Heimdal client.
>> While trying to use an armor cache with the Heimdal client:
>>
>> Macintosh:~ splash$ kinit --anonymous
>> Macintosh:~ splash$ klist -A
>> Credentials cache: API:F4CE5CCF-9BC5-44C8-B2F5-9A2A29C88A2D
>>         Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>>
>>   Issued                Expires               Principal
>> Apr  7 23:59:52 2016  Apr  8 09:59:52 2016  krbtgt/[hidden email]
>>
>>
>> Macintosh:~ splash$ KRB5_TRACE=/dev/stdout kinit
>> --fast-armor-cache=API:F4CE5CCF-9BC5-44C8-B2F5-9A2A29C88A2D
>> [hidden email]
>> 2016-04-08T00:00:13 set-error: -1765328242: Reached end of credential caches
>> 2016-04-08T00:00:13 set-error: -1765328243: Principal [hidden email]
>> not found in any credential cache
>> 2016-04-08T00:00:13 set-error: -1765328243: Did not find credential for
>> krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS in cache
>> API:F4CE5CCF-9BC5-44C8-B2F5-9A2A29C88A2D
>> 2016-04-08T00:00:13 set-error: -1765328243: Matching credential
>> (krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS) not found
>> kinit: krb5_init_creds_set_fast_ccache: Matching credential
>> (krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS) not found
>> Macintosh:~ splash$
>
> I am somewhat skeptical that this is actually a heimdal client being used,
> since I have a mac kinit that reports as Heimdal 1.5.1apple1 copyright
> 1995-2011, that produces no output with KRB5_TRACE -- I thought only MIT
> krb5 implemented KRB5_TRACE support.  Please try again with /usr/bin/kinit
> and also provide the 'type kinit' output.  This data seems consistent with
> a scenario where you have krb5 installed from fink/macports/etc.  That
> krb5 could potentially be an older version that does not understand the
> API: cache type, or maybe it's just that MIT krb5's idea of the default
> cache is not the API cache, and the full collection is not searched in the
> kinit case in question.
>
> -Ben
>
>
>> However, the same steps on the MIT client work fine:
>>
>> ubuntu@uservm-test:~$ klist -A
>> ubuntu@uservm-test:~$ kinit -n
>> ubuntu@uservm-test:~$ klist -A
>> Ticket cache: FILE:/tmp/krb5cc_1000
>> Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>>
>> Valid starting     Expires            Service principal
>> 04/07/16 22:11:25  04/08/16 08:11:25  krbtgt/[hidden email]
>> renew until 04/08/16 22:11:25
>> ubuntu@uservm-test:~$ KRB5_TRACE=/dev/stdout kinit -T /tmp/krb5cc_1000
>> d_santos
>> [4513] 1460067090.345908: Getting initial credentials for [hidden email]
>> [4513] 1460067090.350315: FAST armor ccache: /tmp/krb5cc_1000
>> [4513] 1460067090.350459: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>> -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF:
>> from FILE:/tmp/krb5cc_1000 with result: 0/Success
>> [4513] 1460067090.350482: Read config in FILE:/tmp/krb5cc_1000 for krbtgt/
>> [hidden email]: fast_avail: yes
>> [4513] 1460067090.350496: Using FAST due to armor ccache negotiation result
>> [4513] 1460067090.350524: Getting credentials
>> WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>> -> krbtgt/[hidden email] using ccache FILE:/tmp/krb5cc_1000
>> [4513] 1460067090.350601: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>> -> krbtgt/[hidden email] from FILE:/tmp/krb5cc_1000 with result:
>> 0/Success
>> [4513] 1460067090.350709: Armor ccache sesion key: aes256-cts/0DB9
>> [4513] 1460067090.350789: Creating authenticator for
>> WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/[hidden email],
>> seqnum 0, subkey aes256-cts/5902, session key aes256-cts/0DB9
>> [4513] 1460067090.350984: FAST armor key: aes256-cts/834F
>> [4513] 1460067090.351053: Encoding request body and padata into FAST request
>> [4513] 1460067090.351148: Sending request (955 bytes) to REALM.COM
>> [4513] 1460067090.351213: Resolving hostname kdc01.realm.com
>> [4513] 1460067090.353595: Sending initial UDP request to dgram 10.10.0.4:88
>> [4513] 1460067090.360897: Received answer (601 bytes) from dgram
>> 10.10.0.4:88
>> [4513] 1460067090.362748: Response was not from master KDC
>> [4513] 1460067090.362884: Received error from KDC: -1765328359/Additional
>> pre-authentication required
>> [4513] 1460067090.362965: Decoding FAST response
>> [4513] 1460067090.363132: Processing preauth types: 16, 15, 14, 136, 147,
>> 141, 133, 137
>> [4513] 1460067090.363213: Received cookie: MIT
>> [4513] 1460067090.363304: PKINIT client has no configured identity; giving
>> up
>> [4513] 1460067090.363415: Preauth module pkinit (147) (info) returned:
>> 0/Success
>> [4513] 1460067090.363498: PKINIT client has no configured identity; giving
>> up
>> [4513] 1460067090.363564: Preauth module pkinit (16) (real) returned:
>> 22/Invalid argument
>> [4513] 1460067090.363641: PKINIT client has no configured identity; giving
>> up
>> [4513] 1460067090.363705: Preauth module pkinit (14) (real) returned:
>> 22/Invalid argument
>> [4513] 1460067090.364498: PKINIT client has no configured identity; giving
>> up
>> [4513] 1460067090.364579: Preauth module pkinit (14) (real) returned:
>> 22/Invalid argument
>> Enter OTP Token Value:
>> [4513] 1460067103.336774: Preauth module otp (141) (real) returned:
>> 0/Success
>> [4513] 1460067103.336923: Produced preauth for next request: 133, 142
>> [4513] 1460067103.337028: Encoding request body and padata into FAST request
>> [4513] 1460067103.337243: Sending request (1096 bytes) to REALM.COM
>> [4513] 1460067103.337412: Resolving hostname kdc01.realm.com
>> [4513] 1460067103.339839: Sending initial UDP request to dgram 10.10.0.4:88
>> [4513] 1460067103.490579: Received answer (934 bytes) from dgram
>> 10.10.0.4:88
>> [4513] 1460067103.493242: Response was not from master KDC
>> [4513] 1460067103.493420: Decoding FAST response
>> [4513] 1460067103.493631: Processing preauth types: (empty)
>> [4513] 1460067103.493757: Produced preauth for next request: (empty)
>> [4513] 1460067103.493854: Salt derived from principal: REALM.COMd_santos
>> [4513] 1460067103.493993: AS key determined by preauth: aes256-cts/834F
>> [4513] 1460067103.494118: FAST reply key: aes256-cts/44BA
>> [4513] 1460067103.494244: Decrypted AS reply; session key is:
>> aes256-cts/F0D6
>> [4513] 1460067103.494355: FAST negotiation: available
>> [4513] 1460067103.494449: Initializing FILE:/tmp/krb5cc_1000 with default
>> princ [hidden email]
>> [4513] 1460067103.494831: Removing [hidden email] -> krbtgt/
>> [hidden email] from FILE:/tmp/krb5cc_1000
>> [4513] 1460067103.494942: Storing [hidden email] -> krbtgt/
>> [hidden email] in FILE:/tmp/krb5cc_1000
>> [4513] 1460067103.495122: Storing config in FILE:/tmp/krb5cc_1000 for
>> krbtgt/[hidden email]: fast_avail: yes
>> [4513] 1460067103.495233: Removing [hidden email] ->
>> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF:
>> from FILE:/tmp/krb5cc_1000
>> [4513] 1460067103.495317: Storing [hidden email] ->
>> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF:
>> in FILE:/tmp/krb5cc_1000
>> [4513] 1460067103.495482: Storing config in FILE:/tmp/krb5cc_1000 for
>> krbtgt/[hidden email]: pa_type: 141
>> [4513] 1460067103.495585: Removing [hidden email] ->
>> krb5_ccache_conf_data/pa_type/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF:
>> from FILE:/tmp/krb5cc_1000
>> [4513] 1460067103.495664: Storing [hidden email] ->
>> krb5_ccache_conf_data/pa_type/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF: in
>> FILE:/tmp/krb5cc_1000
>> ubuntu@uservm-test:~$ klist -a
>> Ticket cache: FILE:/tmp/krb5cc_1000
>> Default principal: [hidden email]
>>
>> Valid starting     Expires            Service principal
>> 04/07/16 22:11:46  04/08/16 08:11:46  krbtgt/[hidden email]
>> renew until 04/08/16 22:11:33
>> Addresses: (none)
>> ubuntu@uservm-test:~$
>>
>>
>>
>> Any clue on why this is happening?
>>
>> Thanks
>>
>> --
>>
>> --------
>>
>> Diogenes S. de Jesus
>> Security+, CEH
>> +421 902179163
>>



--

--------

Diogenes S. de Jesus
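The exchange above turns on two things: which implementation the `kinit` on the path actually is (Heimdal prints a "kinit (Heimdal ...)" banner, MIT honours KRB5_TRACE, Heimdal does not), and the fact that the same operation is spelled differently on each (`--anonymous` vs `-n`, `--fast-armor-cache=` vs `-T`). As an added example (not code from the thread), the script below classifies a version banner and emits the matching two-step anonymous-then-armored command line. The Heimdal banner is copied from the thread; the MIT banner is a constructed stand-in, assumed only to be a usage message without the word "Heimdal"; the cache names and principal are the thread's values used as placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: tell a Heimdal kinit from an MIT
# one by its version banner, then spell the anonymous and FAST-armor options
# the way that implementation expects. The banners are constructed stand-ins
# for `kinit --version 2>&1`; the Heimdal one mirrors the thread, the MIT one
# is only assumed to be a usage message without the word "Heimdal".

# Heimdal prints "kinit (Heimdal x.y)"; anything else is treated as MIT-like,
# the conservative reading since MIT kinit takes short options only.
classify_kinit_banner() {
    case "$1" in
        *Heimdal*) echo heimdal ;;
        *)         echo mit-or-unknown ;;
    esac
}

# kinit invocation that requests an anonymous ticket into cache $2.
anon_kinit_args() {
    case "$1" in
        heimdal)        echo "kinit --anonymous --cache=$2" ;;
        mit-or-unknown) echo "kinit -n -c $2" ;;
        *) echo "unknown flavor: $1" >&2; return 1 ;;
    esac
}

# kinit invocation that uses cache $2 as FAST armor when logging in as $3.
armored_kinit_args() {
    case "$1" in
        heimdal)        echo "kinit --fast-armor-cache=$2 $3" ;;
        mit-or-unknown) echo "kinit -T $2 $3" ;;
        *) echo "unknown flavor: $1" >&2; return 1 ;;
    esac
}

# Where to look for diagnostics: MIT honours KRB5_TRACE, Heimdal does not
# (it takes [logging] entries in krb5.conf), so KRB5_TRACE output from a
# supposedly Heimdal kinit is itself evidence that another build is running.
debug_hint() {
    case "$1" in
        heimdal) echo "no KRB5_TRACE; configure [logging] in krb5.conf" ;;
        *)       echo "KRB5_TRACE=/dev/stdout" ;;
    esac
}

# Two-step plan: anonymous ticket into $2, then armored login as $3 using $2.
anon_armor_plan() {
    anon_kinit_args "$1" "$2" && armored_kinit_args "$1" "$2" "$3"
}

# Constructed banners standing in for `kinit --version 2>&1` on each host.
HEIMDAL_BANNER='kinit (Heimdal 1.5.1apple1)
Copyright 1995-2011 Kungliga Tekniska Högskolan'
MIT_BANNER='kinit: Usage: kinit [-V] [-l lifetime] [-s start_time] ...'

flavor=$(classify_kinit_banner "$HEIMDAL_BANNER")
echo "== $flavor (diagnostics: $(debug_hint "$flavor"))"
anon_armor_plan "$flavor" API:F4CE5CCF-9BC5-44C8-B2F5-9A2A29C88A2D d_santos@REALM.COM

flavor=$(classify_kinit_banner "$MIT_BANNER")
echo "== $flavor (diagnostics: $(debug_hint "$flavor"))"
anon_armor_plan "$flavor" FILE:/tmp/krb5cc_1000 d_santos@REALM.COM
```

On a real host, replace the constructed banners with `flavor=$(classify_kinit_banner "$(kinit --version 2>&1)")` and check `type kinit` as Ben asked, so that the binary being classified is the one the shell will run.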

Re: PKINIT anonymous with armor cache fails on MIT server and heimdal client

Henry B Hotz
In reply to this post by Benjamin Kaduk-2
Use kinit --version to see if it's Heimdal.

Heimdal does not support KRB5_TRACE, but it does support [logging] entries in the krb5.conf. The Mac version has some Mac-unique way to set debug logging as well.

> On Apr 8, 2016, at 2:09 PM, Benjamin Kaduk <[hidden email]> wrote:
>
> On Thu, 7 Apr 2016, Diogenes S. Jesus wrote:
>
>> My setup is one MIT server and one Heimdal client.
>> While trying to use an armor cache with the Heimdal client:
>>
>> Macintosh:~ splash$ kinit --anonymous
>> Macintosh:~ splash$ klist -A
>> Credentials cache: API:F4CE5CCF-9BC5-44C8-B2F5-9A2A29C88A2D
>>        Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>>
>>  Issued                Expires               Principal
>> Apr  7 23:59:52 2016  Apr  8 09:59:52 2016  krbtgt/[hidden email]
>>
>>
>> Macintosh:~ splash$ KRB5_TRACE=/dev/stdout kinit
>> --fast-armor-cache=API:F4CE5CCF-9BC5-44C8-B2F5-9A2A29C88A2D
>> [hidden email]
>> 2016-04-08T00:00:13 set-error: -1765328242: Reached end of credential caches
>> 2016-04-08T00:00:13 set-error: -1765328243: Principal [hidden email]
>> not found in any credential cache
>> 2016-04-08T00:00:13 set-error: -1765328243: Did not find credential for
>> krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS in cache
>> API:F4CE5CCF-9BC5-44C8-B2F5-9A2A29C88A2D
>> 2016-04-08T00:00:13 set-error: -1765328243: Matching credential
>> (krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS) not found
>> kinit: krb5_init_creds_set_fast_ccache: Matching credential
>> (krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS) not found
>> Macintosh:~ splash$
>
> I am somewhat skeptical that this is actually a heimdal client being used,
> since I have a mac kinit that reports as Heimdal 1.5.1apple1 copyright
> 1995-2011, that produces no output with KRB5_TRACE -- I thought only MIT
> krb5 implemented KRB5_TRACE support.  Please try again with /usr/bin/kinit
> and also provide the 'type kinit' output.  This data seems consistent with
> a scenario where you have krb5 installed from fink/macports/etc.  That
> krb5 could potentially be an older version that does not understand the
> API: cache type, or maybe it's just that MIT krb5's idea of the default
> cache is not the API cache, and the full collection is not searched in the
> kinit case in question.
>
> -Ben
>
>
>> However, the same steps on the MIT client work fine:
>>
>> ubuntu@uservm-test:~$ klist -A
>> ubuntu@uservm-test:~$ kinit -n
>> ubuntu@uservm-test:~$ klist -A
>> Ticket cache: FILE:/tmp/krb5cc_1000
>> Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>>
>> Valid starting     Expires            Service principal
>> 04/07/16 22:11:25  04/08/16 08:11:25  krbtgt/[hidden email]
>> renew until 04/08/16 22:11:25
>> ubuntu@uservm-test:~$ KRB5_TRACE=/dev/stdout kinit -T /tmp/krb5cc_1000
>> d_santos
>> [4513] 1460067090.345908: Getting initial credentials for [hidden email]
>> [4513] 1460067090.350315: FAST armor ccache: /tmp/krb5cc_1000
>> [4513] 1460067090.350459: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>> -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF:
>> from FILE:/tmp/krb5cc_1000 with result: 0/Success
>> [4513] 1460067090.350482: Read config in FILE:/tmp/krb5cc_1000 for krbtgt/
>> [hidden email]: fast_avail: yes
>> [4513] 1460067090.350496: Using FAST due to armor ccache negotiation result
>> [4513] 1460067090.350524: Getting credentials
>> WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>> -> krbtgt/[hidden email] using ccache FILE:/tmp/krb5cc_1000
>> [4513] 1460067090.350601: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>> -> krbtgt/[hidden email] from FILE:/tmp/krb5cc_1000 with result:
>> 0/Success
>> [4513] 1460067090.350709: Armor ccache sesion key: aes256-cts/0DB9
>> [4513] 1460067090.350789: Creating authenticator for
>> WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/[hidden email],
>> seqnum 0, subkey aes256-cts/5902, session key aes256-cts/0DB9
>> [4513] 1460067090.350984: FAST armor key: aes256-cts/834F
>> [4513] 1460067090.351053: Encoding request body and padata into FAST request
>> [4513] 1460067090.351148: Sending request (955 bytes) to REALM.COM
>> [4513] 1460067090.351213: Resolving hostname kdc01.realm.com
>> [4513] 1460067090.353595: Sending initial UDP request to dgram 10.10.0.4:88
>> [4513] 1460067090.360897: Received answer (601 bytes) from dgram
>> 10.10.0.4:88
>> [4513] 1460067090.362748: Response was not from master KDC
>> [4513] 1460067090.362884: Received error from KDC: -1765328359/Additional
>> pre-authentication required
>> [4513] 1460067090.362965: Decoding FAST response
>> [4513] 1460067090.363132: Processing preauth types: 16, 15, 14, 136, 147,
>> 141, 133, 137
>> [4513] 1460067090.363213: Received cookie: MIT
>> [4513] 1460067090.363304: PKINIT client has no configured identity; giving
>> up
>> [4513] 1460067090.363415: Preauth module pkinit (147) (info) returned:
>> 0/Success
>> [4513] 1460067090.363498: PKINIT client has no configured identity; giving
>> up
>> [4513] 1460067090.363564: Preauth module pkinit (16) (real) returned:
>> 22/Invalid argument
>> [4513] 1460067090.363641: PKINIT client has no configured identity; giving
>> up
>> [4513] 1460067090.363705: Preauth module pkinit (14) (real) returned:
>> 22/Invalid argument
>> [4513] 1460067090.364498: PKINIT client has no configured identity; giving
>> up
>> [4513] 1460067090.364579: Preauth module pkinit (14) (real) returned:
>> 22/Invalid argument
>> Enter OTP Token Value:
>> [4513] 1460067103.336774: Preauth module otp (141) (real) returned:
>> 0/Success
>> [4513] 1460067103.336923: Produced preauth for next request: 133, 142
>> [4513] 1460067103.337028: Encoding request body and padata into FAST request
>> [4513] 1460067103.337243: Sending request (1096 bytes) to REALM.COM
>> [4513] 1460067103.337412: Resolving hostname kdc01.realm.com
>> [4513] 1460067103.339839: Sending initial UDP request to dgram 10.10.0.4:88
>> [4513] 1460067103.490579: Received answer (934 bytes) from dgram
>> 10.10.0.4:88
>> [4513] 1460067103.493242: Response was not from master KDC
>> [4513] 1460067103.493420: Decoding FAST response
>> [4513] 1460067103.493631: Processing preauth types: (empty)
>> [4513] 1460067103.493757: Produced preauth for next request: (empty)
>> [4513] 1460067103.493854: Salt derived from principal: REALM.COMd_santos
>> [4513] 1460067103.493993: AS key determined by preauth: aes256-cts/834F
>> [4513] 1460067103.494118: FAST reply key: aes256-cts/44BA
>> [4513] 1460067103.494244: Decrypted AS reply; session key is:
>> aes256-cts/F0D6
>> [4513] 1460067103.494355: FAST negotiation: available
>> [4513] 1460067103.494449: Initializing FILE:/tmp/krb5cc_1000 with default
>> princ [hidden email]
>> [4513] 1460067103.494831: Removing [hidden email] -> krbtgt/
>> [hidden email] from FILE:/tmp/krb5cc_1000
>> [4513] 1460067103.494942: Storing [hidden email] -> krbtgt/
>> [hidden email] in FILE:/tmp/krb5cc_1000
>> [4513] 1460067103.495122: Storing config in FILE:/tmp/krb5cc_1000 for
>> krbtgt/[hidden email]: fast_avail: yes
>> [4513] 1460067103.495233: Removing [hidden email] ->
>> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF:
>> from FILE:/tmp/krb5cc_1000
>> [4513] 1460067103.495317: Storing [hidden email] ->
>> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF:
>> in FILE:/tmp/krb5cc_1000
>> [4513] 1460067103.495482: Storing config in FILE:/tmp/krb5cc_1000 for
>> krbtgt/[hidden email]: pa_type: 141
>> [4513] 1460067103.495585: Removing [hidden email] ->
>> krb5_ccache_conf_data/pa_type/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF:
>> from FILE:/tmp/krb5cc_1000
>> [4513] 1460067103.495664: Storing [hidden email] ->
>> krb5_ccache_conf_data/pa_type/krbtgt\/REALM.COM\@REALM.COM@X-CACHECONF: in
>> FILE:/tmp/krb5cc_1000
>> ubuntu@uservm-test:~$ klist -a
>> Ticket cache: FILE:/tmp/krb5cc_1000
>> Default principal: [hidden email]
>>
>> Valid starting     Expires            Service principal
>> 04/07/16 22:11:46  04/08/16 08:11:46  krbtgt/[hidden email]
>> renew until 04/08/16 22:11:33
>> Addresses: (none)
>> ubuntu@uservm-test:~$
>>
>>
>>
>> Any clue on why this is happening?
>>
>> Thanks
>>
>> --
>>
>> --------
>>
>> Diogenes S. de Jesus
>> Security+, CEH
>> +421 902179163


Personal: [hidden email]
Business: [hidden email]
https://www.linkedin.com/in/hbhotz/

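As an added example (not code from this thread, from MIT krb5 or from Heimdal), a small Python parser for the MIT KRB5_TRACE output quoted above: it reports which armor ccache was used, whether FAST was actually negotiated, which preauth types the KDC offered and which "real" preauth module succeeded, which is what one wants to confirm when checking that an anonymous-armored exchange really ran under FAST. The sample trace is constructed, modeled on the quoted one with wrapped lines joined and the hidden principal replaced by the placeholder user@REALM.COM.

```python
import re

# Shapes of the MIT krb5 KRB5_TRACE lines seen in the thread.
# Every trace line is "[pid] epoch.micros: message"; prompts are not.
_TRACE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
_ARMOR = re.compile(r"^FAST armor ccache: (\S+)")
_KDC_ERR = re.compile(r"^Received error from KDC: (-?\d+)/(.*)")
_OFFERED = re.compile(r"^Processing preauth types: (.*)")
_PREAUTH = re.compile(r"^Preauth module (\w+) \((\d+)\) \((real|info)\) returned: (\d+)/(.*)")

def summarize_fast_trace(lines):
    """Summarize one AS exchange from KRB5_TRACE output: the armor ccache,
    whether FAST was actually negotiated, the preauth types the KDC offered,
    the "real" preauth modules that succeeded, and KDC errors seen."""
    summary = {"armor_ccache": None, "fast_used": False,
               "offered_preauth": [], "succeeded_preauth": [], "kdc_errors": []}
    for raw in lines:
        m = _TRACE.match(raw.strip())
        if not m:
            continue  # e.g. "Enter OTP Token Value:" is a prompt, not a trace line
        msg = m.group(3)
        if (a := _ARMOR.match(msg)):
            summary["armor_ccache"] = a.group(1)
        elif msg.startswith("Using FAST due to armor ccache negotiation result"):
            summary["fast_used"] = True
        elif (o := _OFFERED.match(msg)):
            if o.group(1) != "(empty)":
                summary["offered_preauth"] += [int(t) for t in o.group(1).split(", ")]
        elif (p := _PREAUTH.match(msg)):
            # "info" modules only annotate; a "real" module returning 0/Success authenticated.
            if p.group(3) == "real" and int(p.group(4)) == 0:
                summary["succeeded_preauth"].append((p.group(1), int(p.group(2))))
        elif (e := _KDC_ERR.match(msg)):
            summary["kdc_errors"].append((int(e.group(1)), e.group(2)))
    return summary

# Constructed sample, modeled on the MIT trace quoted above: wrapped lines
# joined, hidden principal replaced by the placeholder user@REALM.COM.
SAMPLE_TRACE = """\
[4513] 1460067090.350315: FAST armor ccache: /tmp/krb5cc_1000
[4513] 1460067090.350496: Using FAST due to armor ccache negotiation result
[4513] 1460067090.362884: Received error from KDC: -1765328359/Additional pre-authentication required
[4513] 1460067090.363132: Processing preauth types: 16, 15, 14, 136, 147, 141, 133, 137
[4513] 1460067090.363415: Preauth module pkinit (147) (info) returned: 0/Success
[4513] 1460067090.363564: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Enter OTP Token Value:
[4513] 1460067103.336774: Preauth module otp (141) (real) returned: 0/Success
[4513] 1460067103.493631: Processing preauth types: (empty)
""".splitlines()
```

Run `summarize_fast_trace(SAMPLE_TRACE)` to see that only the OTP module (pa-type 141) authenticated, matching the `pa_type: 141` cache-config entry stored at the end of the quoted trace.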

Re: PKINIT anonymous with armor cache fails on MIT server and heimdal client

Benjamin Kaduk-2
In reply to this post by Diogenes S. Jesus
On Fri, 8 Apr 2016, Diogenes S. Jesus wrote:

> @Benjamin that's interesting, are you sure? Because:

No, not sure.

> Macintosh:~ splash$ /usr/bin/kinit --version
>
> kinit (Heimdal 1.5.1apple1)
>
> Copyright 1995-2011 Kungliga Tekniska Högskolan
>
> Send bug-reports to [hidden email]

What version of OS X?

> Macintosh:~ splash$ which kinit
>

'which' is not a builtin in bash, so it will produce incorrect results in
some cases (though probably not here).  'type' is better, since it is
builtin.

> /usr/bin/kinit
>
> Macintosh:~ splash$
>
>
> Macintosh:~ splash$ type kinit
>
> kinit is /usr/bin/kinit
>
> Macintosh:~ splash$
>
>
> Macintosh:~ splash$ strings /usr/bin/kinit | grep -i mit

ldd would be more interesting than strings.

> Macintosh:~ splash$
>
>
>
> This Mac has never seen fink/macports.
>
>
> Also, note that for the anonymous request --anonymous (heimdal) was used
> and not -n (MIT). If I use -n, kinit throws me the usage (expected, since
> it's not MIT):
>
> Macintosh:~ splash$ kinit -n
>
> Usage: : kinit [-fpRkvAaV] [--afslog] [--cache=cachename] [-c cachename]
> [--forwardable] [--keytab=keytabname] [-t keytabname] [--lifetime=time] [-l
> time] [--proxiable] [--renew] [--renewable]
>
>    [--renewable-life=time] [-r time] [--server=principal] [-S principal]
> [--start-time=time] [-s time] [--kdc-hostname=hostname] [--use-keytab]
> [--validate] [--enctypes=enctypes]... [-e enctypes]...
>
> ......< cut >....

It certainly seems that you have a different OS X heimdal than I do, which
is why I ask what OS X version.

-Ben

Re: PKINIT anonymous with armor cache fails on MIT server and heimdal client

Diogenes S. Jesus

On Sat, Apr 9, 2016 at 3:46 AM, Benjamin Kaduk <[hidden email]> wrote:
> On Fri, 8 Apr 2016, Diogenes S. Jesus wrote:
>
>> @Benjamin that's interesting, are you sure? Because:
>
> No, not sure.
>
>> Macintosh:~ splash$ /usr/bin/kinit --version
>>
>> kinit (Heimdal 1.5.1apple1)
>>
>> Copyright 1995-2011 Kungliga Tekniska Högskolan
>>
>> Send bug-reports to [hidden email]
>
> What version of OS X?

This is on El Capitan:

Macintosh:~ splash$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.11.3
BuildVersion: 15D21

>> Macintosh:~ splash$ which kinit
>>
>
> 'which' is not a builtin in bash, so it will produce incorrect results in
> some cases (though probably not here).  'type' is better, since it is
> builtin.

True, but irrelevant here.

>> /usr/bin/kinit
>>
>> Macintosh:~ splash$
>>
>>
>> Macintosh:~ splash$ type kinit
>>
>> kinit is /usr/bin/kinit
>>
>> Macintosh:~ splash$
>>
>>
>> Macintosh:~ splash$ strings /usr/bin/kinit | grep -i mit
>
> ldd would be more interesting than strings.

Not ldd (there is no ldd on El Capitan) but equivalent:

Macintosh:~ splash$ otool -L /usr/bin/kinit
/usr/bin/kinit:
	/System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 57337.20.38)
	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1256.12.0)
	/System/Library/PrivateFrameworks/Heimdal.framework/Versions/A/Heimdal (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)

>> Macintosh:~ splash$
>>
>>
>>
>> This Mac has never seen fink/macports.
>>
>>
>> Also, note that for the anonymous request --anonymous (heimdal) was used
>> and not -n (MIT). If I use -n, kinit throws me the usage (expected, since
>> it's not MIT):
>>
>> Macintosh:~ splash$ kinit -n
>>
>> Usage: : kinit [-fpRkvAaV] [--afslog] [--cache=cachename] [-c cachename]
>> [--forwardable] [--keytab=keytabname] [-t keytabname] [--lifetime=time] [-l
>> time] [--proxiable] [--renew] [--renewable]
>>
>>    [--renewable-life=time] [-r time] [--server=principal] [-S principal]
>> [--start-time=time] [-s time] [--kdc-hostname=hostname] [--use-keytab]
>> [--validate] [--enctypes=enctypes]... [-e enctypes]...
>>
>> ......< cut >....
>
> It certainly seems that you have a different OS X heimdal than I do, which
> is why I ask what OS X version.
>
> -Ben