[krbdev.mit.edu #8837] kprop replication does not work due to wrong DNS domain handling


[krbdev.mit.edu #8837] kprop replication does not work due to wrong DNS domain handling

Jeffrey Arbuckle via RT

Wed Oct 02 13:49:16 2019: Request 8837 was acted upon.
 Transaction: Ticket created by [hidden email]
       Queue: krb5
     Subject: kprop replication does not work due to wrong DNS domain handling
       Owner: Nobody
  Requestors: [hidden email]
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8837 >


Hello,

it seems I encountered a bug with krb5-1.17 using replication with kprop, or I do not understand what's going on. I followed the setup given at https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html on Raspbian Buster (a flavor of Debian 10, compiled for ARM processors). If I try to do the initial replication of the database I get the error message:

/usr/sbin/kprop: Key table entry not found while getting initial credentials

I have checked it of course:
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 host/[hidden email] (aes256-cts-hmac-sha1-96)
   6 host/[hidden email] (aes128-cts-hmac-sha1-96)

Using trace logging I get:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[1994] 1570019063.835325: Getting initial credentials for host/[hidden email]
[1994] 1570019063.835326: Setting initial creds service to host/kdc10-2.example.com
[1994] 1570019063.835327: Looked up etypes in keytab: (empty)
[1994] 1570019063.835328: Getting initial credentials for host/[hidden email]
[1994] 1570019063.835329: Setting initial creds service to host/kdc10-2.example.com
[1994] 1570019063.835330: Looked up etypes in keytab: (empty)
/usr/sbin/kprop: Key table entry not found while getting initial credentials

The problem I see is in the first line:
Getting initial credentials for host/[hidden email]

The DNS domain 'example.com' is missing there.

I verified it on my old installation with krb5-1.10:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[21367] 1570019913.30940: Initializing FILE:/tmp/kproptkteNiiOa with default princ host/[hidden email]
[21367] 1570019913.35969: Getting initial credentials for host/[hidden email]
[21367] 1570019913.37953: Setting initial creds service to host/[hidden email]
[21367] 1570019913.38957: Sending request (235 bytes) to EXAMPLE.COM
[21367] 1570019913.39829: Resolving hostname kdc-old.example.com
[21367] 1570019913.40982: Sending initial UDP request to dgram 127.0.1.1:88
[21367] 1570019913.42912: Received answer from dgram 127.0.1.1:88
[21367] 1570019913.46078: Response was not from master KDC
[21367] 1570019913.46888: Received error from KDC: -1765328378/Client not found in Kerberos database
/usr/sbin/kprop: Client not found in Kerberos database while getting initial ticket
[21367] 1570019913.50158: Destroying ccache FILE:/tmp/kproptkteNiiOa

Of course the environment does not match, but as seen in the second line I get the settings with the domain part:
Getting initial credentials for host/[hidden email]

I have tried many options in /etc/krb5.conf but wasn't able to force kprop to ask for initial credentials with the DNS domain. Therefore I added the host without the DNS domain to '/etc/krb5.keytab':
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[hidden email] (aes256-cts-hmac-sha1-96)
   2 host/[hidden email] (aes128-cts-hmac-sha1-96)
   6 host/[hidden email] (aes256-cts-hmac-sha1-96)
   6 host/[hidden email] (aes128-cts-hmac-sha1-96)

Now I get:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[2074] 1570021982.74607: Getting initial credentials for host/[hidden email]
[2074] 1570021982.74608: Setting initial creds service to host/kdc10-2.example.com
[2074] 1570021982.74609: Looked up etypes in keytab: aes256-cts, aes128-cts
[2074] 1570021982.74611: Sending unauthenticated request
[2074] 1570021982.74612: Sending request (215 bytes) to EXAMPLE.COM
[2074] 1570021982.74613: Resolving hostname kdc10-1.example.com
[2074] 1570021982.74614: Sending initial UDP request to dgram 192.168.10.9:88
[2074] 1570021982.74615: Received answer (291 bytes) from dgram 192.168.10.9:88
[2074] 1570021982.74616: Response was from master KDC
[2074] 1570021982.74617: Received error from KDC: -1765328359/Additional pre-authentication required
[2074] 1570021982.74620: Preauthenticating using KDC method data
--- snip ---
[2074] 1570021982.74641: Creating authenticator for host/[hidden email] -> host/[hidden email], seqnum 1056356820, subkey (null), session key aes256-cts/AB97
/usr/sbin/kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
/usr/sbin/kprop: Service key not available signalled from server
Error text from server: Service key not available

On the replica KDC I get:
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/[hidden email] (aes256-cts-hmac-sha1-96)
   4 host/[hidden email] (aes128-cts-hmac-sha1-96)

~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kpropd -d
ready
waiting for a kprop connection
Connection from kdc10-1.example.com
krb5_recvauth(5, kprop5_01, host/[hidden email], ...)
[2284] 1570023908.773042: Retrieving host/[hidden email] from FILE:/etc/krb5.keytab (vno 4, enctype aes256-cts) with result: -1765328203/No key table entry found for host/[hidden email]
[2284] 1570023908.773043: Failed to decrypt AP-REQ ticket: -1765328339/No key table entry found for host/[hidden email]
Database load process for full propagation completed.
waiting for a kprop connection

Same as on the master KDC: no DNS domain for the host. I also added the host credential without the domain to '/etc/krb5.keytab' on the replica KDC:
~$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/[hidden email] (aes256-cts-hmac-sha1-96)
   4 host/[hidden email] (aes128-cts-hmac-sha1-96)
   2 host/[hidden email] (aes256-cts-hmac-sha1-96)
   2 host/[hidden email] (aes128-cts-hmac-sha1-96)

Now I get on the master KDC:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kprop -d -f replica_datatrans kdc10-2.example.com
[2179] 1570024342.29886: Getting initial credentials for host/[hidden email]
[2179] 1570024342.29887: Setting initial creds service to host/kdc10-2.example.com
[2179] 1570024342.29888: Looked up etypes in keytab: aes256-cts, aes128-cts
[2179] 1570024342.29890: Sending unauthenticated request
[2179] 1570024342.29891: Sending request (215 bytes) to EXAMPLE.COM
[2179] 1570024342.29892: Resolving hostname kdc10-1.example.com
[2179] 1570024342.29893: Sending initial UDP request to dgram 192.168.10.9:88
[2179] 1570024342.29894: Received answer (291 bytes) from dgram 192.168.10.9:88
[2179] 1570024342.29895: Response was from master KDC
[2179] 1570024342.29896: Received error from KDC: -1765328359/Additional pre-authentication required
[2179] 1570024342.29899: Preauthenticating using KDC method data
--- snip ---
[2179] 1570024342.29920: Creating authenticator for host/[hidden email] -> host/[hidden email], seqnum 201407404, subkey (null), session key aes256-cts/1D24
/usr/sbin/kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
/usr/sbin/kprop: The ticket isn't for us signalled from server
Error text from server: The ticket isn't for us

And the replica KDC gives me:
~$ sudo KRB5_TRACE=/dev/stdout /usr/sbin/kpropd -d
ready
waiting for a kprop connection
Connection from kdc10-1.example.com
krb5_recvauth(5, kprop5_01, host/[hidden email], ...)
[2339] 1570024342.92319: Retrieving host/[hidden email] from FILE:/etc/krb5.keytab (vno 4, enctype aes256-cts) with result: -1765328154/Key version number for principal in key table is incorrect
[2339] 1570024342.92320: Failed to decrypt AP-REQ ticket: -1765328349/Cannot find key for host/[hidden email] kvno 4 in keytab (request ticket server host/[hidden email])
Database load process for full propagation completed.
waiting for a kprop connection

Here I find that the replica host is addressed as host/[hidden email], but the ticket is encrypted for host/[hidden email].

The only workaround I have found is to set in '/etc/krb5.conf':

ignore_acceptor_hostname = true

But I do not want this weak configuration. What do I have to do to avoid this setting? What am I missing with the DNS domain name for the hosts? DNS forward and reverse resolution has been checked for all hosts.



_______________________________________________
krb5-bugs mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/krb5-bugs


Re: [krbdev.mit.edu #8837] kprop replication does not work due to wrong DNS domain handling [Solved]

Greg Hudson via RT-2

<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8837 >

The problem was that the DNS domain 'example.com' was missing when referring to the local device name, for example
> Getting initial credentials for host/[hidden email]
which should be 'host/[hidden email]'.

Because of this the Kerberos credentials do not match and authentication fails.

The reason was an entry in '/etc/hosts'. To avoid an error message from sudo when executed offline (e.g. on a laptop), I was told to insert the hostname into '/etc/hosts' like this:
127.0.1.1       kdc10-1

Together with the name resolution order defined by "hosts: files dns" in '/etc/nsswitch.conf', the file is consulted first and I get:
~$ hostname -f
kdc10-1

This is also used by Kerberos.

The solution is to use the fully qualified local hostname "127.0.1.1 kdc10-1.example.com" in '/etc/hosts' or to omit the local device name completely. In the latter case a DNS lookup is used to resolve the name. I omit the local device name now to have DNS name resolution for it.

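The checks both messages boil down to (a short local hostname coming from a 127.0.1.1 line in /etc/hosts, and a keytab whose host principal then no longer matches what kprop asks for), as an added example that is not code from the ticket or from MIT krb5; the hostname, realm, /etc/hosts lines and klist -ek listing are constructed inputs modeled on the report:

```shell
# Added example, not from the ticket or the MIT krb5 project: offline pre-flight checks
# for the kprop failure above. Inputs (hostname, realm, hosts file, klist listing) are assumed.

# Return 0 if $1 is fully qualified (non-empty label, a dot, non-empty domain), else 1.
is_fqdn() {
    case "$1" in
        ?*.?*) [ -n "${1%%.*}" ] && return 0 ;;
    esac
    return 1
}

# Return 0 if the hosts file on stdin maps 127.0.1.1 to an unqualified first name,
# which is what made "hostname -f" return the short name "kdc10-1" in the ticket.
hosts_has_short_local_name() {
    while read -r addr name _rest; do
        case "$addr" in ''|'#'*) continue ;; esac
        [ "$addr" = 127.0.1.1 ] && ! is_fqdn "$name" && return 0
    done
    return 1
}

# Return 0 if the "klist -ek" listing on stdin contains host/$1@$2 ($1 = fqdn, $2 = realm).
keytab_has_host_principal() {
    grep -Fq " host/$1@$2 "
}

# Print one status token; nonzero exit means kprop would fail as in the ticket.
# $1 = hostname as "hostname -f" reports it, $2 = realm, $3 = hosts file, $4 = saved klist -ek output.
kprop_preflight() {
    if ! is_fqdn "$1"; then
        hosts_has_short_local_name < "$3" && echo short-hostname-from-etc-hosts || echo short-hostname
        return 1
    fi
    keytab_has_host_principal "$1" "$2" < "$4" || { echo keytab-missing-host-principal; return 1; }
    echo ok
}

# Constructed sample inputs modeled on the ticket (realm is assumed), written into directory $1.
write_samples() {
    printf '127.0.0.1 localhost\n127.0.1.1 kdc10-1\n' > "$1/hosts.broken"
    printf '127.0.0.1 localhost\n127.0.1.1 kdc10-1.example.com kdc10-1\n' > "$1/hosts.fixed"
    printf '   6 host/kdc10-1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)\n' > "$1/klist"
}

# Stand-alone demo: the broken /etc/hosts line is reported, the fixed one passes.
d=$(mktemp -d) && write_samples "$d"
kprop_preflight kdc10-1 EXAMPLE.COM "$d/hosts.broken" "$d/klist" || true
kprop_preflight kdc10-1.example.com EXAMPLE.COM "$d/hosts.fixed" "$d/klist"
rm -rf "$d"
```

On a real KDC, feed it `"$(hostname -f)"`, the realm, `/etc/hosts` and a file captured with `klist -ek` before running kprop.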