On Wed, 19 Nov 2014 12:53:01 +0200
Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Tue, 18 Nov 2014, Simo Sorce wrote:
> >On Tue, 18 Nov 2014 15:01:15 -0500
> >Nathaniel McCallum <npmccal...@redhat.com> wrote:
> >
> >> As I see it, we're setting out a new precedent. All new ASN.1 code
> >> will take this route (which is, indeed, better). So while it is
> >> small now, it won't stay small forever. Being that we are in the
> >> business of routinely handling ASN.1 stuff, this seems to me like
> >> a sensible architecture for the future.
> >
> >Ok, I think I should have fixed all the issues you brought up.
> >
> >And my tests still work fine :)
> Works fine. However, I'm getting the wrong TGT enctype back from the KDC
> when I try to obtain a TGT with a des-cbc-crc key:
> 
> [root@master ~]# ipa host-add --force f21test.f21.test
> -----------------------------
> Added host "f21test.f21.test"
> -----------------------------
>   Host name: f21test.f21.test
>   Principal name: host/f21test.f21.t...@f21.test
>   Password: False
>   Keytab: False
>   Managed by: f21test.f21.test
> [root@master ~]# ipa service-add --force afs/f21test
> ------------------------------------
> Added service "afs/f21t...@f21.test"
> ------------------------------------
>   Principal: afs/f21t...@f21.test
>   Managed by: f21test.f21.test
> [root@master ~]# ipa-getkeytab -s `hostname` -p afs/f21test -k /tmp/afs.keytab -e des-cbc-crc:v4 -P
> New Principal Password: 
> Verify Principal Password: 
> Keytab successfully retrieved and stored in: /tmp/afs.keytab
> [root@master ~]# klist -kt /tmp/afs.keytab -K -e
> Keytab name: FILE:/tmp/afs.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    1 11/19/14 12:13:01 afs/f21t...@f21.test (des-cbc-crc) (0xea1a0b29152cb383)

The key is des-cbc-crc

> 
> [root@master ~]# KRB5_TRACE=/dev/stderr KRB5CCNAME=/tmp/afs.ccache kinit -kt /tmp/afs.keytab afs/f21test
> [28636] 1416392072.862773: Getting initial credentials for afs/f21t...@f21.test
> [28636] 1416392072.864408: Looked up etypes in keytab: des-cbc-crc
> [28636] 1416392072.864522: Sending request (175 bytes) to F21.TEST
> [28636] 1416392072.865127: Sending initial UDP request to dgram 192.168.5.169:88
> [28636] 1416392072.866958: Received answer (283 bytes) from dgram 192.168.5.169:88
> [28636] 1416392072.867028: Response was from master KDC
> [28636] 1416392072.867088: Received error from KDC: -1765328359/Additional pre-authentication required
> [28636] 1416392072.867140: Processing preauth types: 136, 19, 2, 133
> [28636] 1416392072.867175: Selected etype info: etype des-cbc-crc, salt "F21.TESTafsf21test", params ""
> [28636] 1416392072.867193: Received cookie: MIT
> [28636] 1416392072.867234: Retrieving afs/f21t...@f21.test from FILE:/tmp/afs.keytab (vno 0, enctype des-cbc-crc) with result: 0/Success
> [28636] 1416392072.867264: AS key obtained for encrypted timestamp: des-cbc-crc/0BE8
> [28636] 1416392072.867304: Encrypted timestamp (for 1416392072.867050): plain 301AA011180F32303134313131393130313433325AA10502030D3AEA, encrypted 1C567557D395C0639CB417EE90C08CD41E4829D910166D62ACEDCC2168C23BAD8C70DFE4CD533A81
> [28636] 1416392072.867331: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [28636] 1416392072.867349: Produced preauth for next request: 133, 2
> [28636] 1416392072.867372: Sending request (252 bytes) to F21.TEST
> [28636] 1416392072.867416: Sending initial UDP request to dgram 192.168.5.169:88
> [28636] 1416392072.946260: Received answer (649 bytes) from dgram 192.168.5.169:88
> [28636] 1416392072.946391: Response was from master KDC
> [28636] 1416392072.946485: Processing preauth types: 19
> [28636] 1416392072.946542: Selected etype info: etype des-cbc-crc, salt "F21.TESTafsf21test", params ""
> [28636] 1416392072.946593: Produced preauth for next request: (empty)
> [28636] 1416392072.946626: AS key determined by preauth: des-cbc-crc/0BE8
> [28636] 1416392072.946688: Decrypted AS reply; session key is: des-cbc-crc/9B41
> [28636] 1416392072.946727: FAST negotiation: available
> [28636] 1416392072.946793: Initializing FILE:/tmp/afs.ccache with default princ afs/f21t...@f21.test
> [28636] 1416392072.947118: Removing afs/f21t...@f21.test -> krbtgt/f21.t...@f21.test from FILE:/tmp/afs.ccache
> [28636] 1416392072.947146: Storing afs/f21t...@f21.test -> krbtgt/f21.t...@f21.test in FILE:/tmp/afs.ccache
> [28636] 1416392072.947187: Storing config in FILE:/tmp/afs.ccache for krbtgt/f21.t...@f21.test: fast_avail: yes
> [28636] 1416392072.947219: Removing afs/f21t...@f21.test -> krb5_ccache_conf_data/fast_avail/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: from FILE:/tmp/afs.ccache
> [28636] 1416392072.947240: Storing afs/f21t...@f21.test -> krb5_ccache_conf_data/fast_avail/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: in FILE:/tmp/afs.ccache
> [28636] 1416392072.947419: Storing config in FILE:/tmp/afs.ccache for krbtgt/f21.t...@f21.test: pa_type: 2
> [28636] 1416392072.947458: Removing afs/f21t...@f21.test -> krb5_ccache_conf_data/pa_type/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: from FILE:/tmp/afs.ccache
> [28636] 1416392072.947480: Storing afs/f21t...@f21.test -> krb5_ccache_conf_data/pa_type/krbtgt\/F21.TEST\@F21.TEST@X-CACHECONF: in FILE:/tmp/afs.ccache
> [root@master ~]# KRB5_TRACE=/dev/stderr KRB5CCNAME=/tmp/afs.ccache klist -edf
> Ticket cache: FILE:/tmp/afs.ccache
> Default principal: afs/f21t...@f21.test
> 
> Valid starting     Expires            Service principal
> 11/19/14 12:14:32  11/20/14 12:14:32  krbtgt/f21.t...@f21.test
>       Flags: FIA, Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96 

Look carefully: you got des-cbc-crc just fine. The tkt enctype is
aes256-cts-hmac-sha1-96, and that does not depend on how getkeytab works,
as it is negotiated at runtime by the KDC.

I.e., if it is a problem, it is not one of getkeytab, but we'll have to
look elsewhere.

> KDC logs show this:
> Nov 19 12:25:57 master.f21.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.168.5.169: NEEDED_PREAUTH: afs/f21t...@f21.test for krbtgt/f21.t...@f21.test, Additional pre-authentication required
> Nov 19 12:25:57 master.f21.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.168.5.169: ISSUE: authtime 1416392757, etypes {rep=1 tkt=18 ses=1}, afs/f21t...@f21.test for krbtgt/f21.t...@f21.test
> 
> My /etc/krb5.conf has
> [libdefaults]
>  allow_weak_crypto = true
>  permitted_enctypes = DEFAULT +des
>  supported_enctypes = DEFAULT +des
> 
> We can handle weak types' response TGT after the F21 release; this is
> certainly not limiting.
> 
> I've tried with older ipa-getkeytab and it fell back to the pre-4.0
> method as expected.
> 
> Regarding the patchset itself:
> 
> Patch 0001: fix 'wuld' in the commit message. The rest is fine.
> 
> Patch 0002:
>  - ticket number is missing in the commit message

Well, this commit does not solve any ticket in itself; it just adds the
library, and it is the next one that uses it. But I guess I can repeat the
numbers in both commits.

>  - perhaps an instruction on how to regenerate the asn1 code could be made a
>    Makefile target? We don't need to call it ourselves, but this would
>    simplify things in future

I had put it in the README; will see about putting it in the Makefile, I guess.

>  - I'm a little uncomfortable with how ASN_DEBUG() output goes explicitly to
>    stderr, but I guess this is something we currently cannot override
>    with DS-specific log printing, so no big deal right now

Yeah, there may be a way to override, but I had no time to look
carefully into it.

>  - any specific need to get asn1/compile committed? We don't commit it
>    in the client code (ipa-client/compile).

Uh, no I committed this one in error, thanks for spotting it.

> Patch 0003: OK

Will provide another round soon.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
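
The following is an added example, not code from this thread, FreeIPA or MIT krb5. It parses krb5kdc `ISSUE` log lines of the shape Alexander quoted and decodes the `etypes {rep=.. tkt=.. ses=..}` triplet by role, so Simo's point can be checked from the KDC log alone: `tkt` is the enctype of the service key the ticket is sealed with (the krbtgt key for a TGT), which the KDC chooses and the client's keytab cannot influence, while `rep` reflects the client's long-term key and `ses` the session key negotiated from the client's offered list. It then flags tickets issued with a single-DES enctype in any of the three roles, which is what an auditor looking for `allow_weak_crypto` fallout wants. The sample log lines are constructed (hostnames, addresses and principals are placeholders); enctype numbers follow the standard Kerberos assignments; function and constant names are this example's own.

```python
"""Decode the etype triplet in krb5kdc ISSUE log lines and flag weak enctypes.

Added example for the freeipa-devel thread above; not FreeIPA or MIT krb5 code.
The sample log below is constructed: hostnames, addresses and principals are
placeholders, the line layout follows what krb5kdc writes.
"""
import re
from typing import Optional

# Standard Kerberos enctype numbers (RFC 3961, 3962, 4757, 6803).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}

# Single-DES enctypes: MIT krb5 refuses them unless allow_weak_crypto = true.
WEAK_ENCTYPES = {1, 2, 3}

# What each etype in a krb5kdc ISSUE line reflects.
ETYPE_ROLE = {
    "rep": "client long-term key (keytab/password) the AS reply is encrypted with",
    "tkt": "service key the ticket is sealed with (krbtgt key for a TGT), picked by the KDC",
    "ses": "session key negotiated from the client's offered etypes and KDC policy",
}

ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<count>\d+) etypes \{(?P<offered>[\d ]*)\}\) "
    r"(?P<client>\S+): ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<principal>\S+) for (?P<service>\S+)"
)

# Constructed sample: one DES-keyed service principal and one AES-only user.
SAMPLE_LOG = """\
Nov 19 12:25:57 kdc.example.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.0.2.10: NEEDED_PREAUTH: afs/host1.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 19 12:25:57 kdc.example.test krb5kdc[28713](info): AS_REQ (9 etypes {1 18 17 16 23 25 26 3 2}) 192.0.2.10: ISSUE: authtime 1416392757, etypes {rep=1 tkt=18 ses=1}, afs/host1.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 19 12:26:03 kdc.example.test krb5kdc[28713](info): AS_REQ (2 etypes {18 17}) 192.0.2.11: ISSUE: authtime 1416392763, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""


def enctype_name(num: int) -> str:
    """Map an enctype number to its name; unknown numbers become 'etype-N'."""
    return ENCTYPE_NAMES.get(num, f"etype-{num}")


def parse_issue(line: str) -> Optional[dict]:
    """Parse one krb5kdc ISSUE line; NEEDED_PREAUTH and other lines give None."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    return {
        "request": m.group("req"),
        "client_addr": m.group("client"),
        "offered": [int(x) for x in m.group("offered").split()],
        "authtime": int(m.group("authtime")),
        "rep": int(m.group("rep")),
        "tkt": int(m.group("tkt")),
        "ses": int(m.group("ses")),
        "principal": m.group("principal"),
        "service": m.group("service"),
    }


def audit_kdc_log(text: str) -> list:
    """Return one finding per ISSUE line where rep, tkt or ses uses a weak enctype."""
    findings = []
    for line in text.splitlines():
        rec = parse_issue(line)
        if rec is None:
            continue
        weak = [role for role in ("rep", "tkt", "ses") if rec[role] in WEAK_ENCTYPES]
        if weak:
            findings.append({
                "principal": rec["principal"],
                "service": rec["service"],
                "client_addr": rec["client_addr"],
                "weak": weak,
                "detail": {role: enctype_name(rec[role]) for role in ("rep", "tkt", "ses")},
            })
    return findings


def explain(finding: dict) -> str:
    """Human-readable summary naming which key each of the three etypes is."""
    out = [f"{finding['principal']} -> {finding['service']} from {finding['client_addr']}:"]
    for role in ("rep", "tkt", "ses"):
        mark = "WEAK" if role in finding["weak"] else "ok"
        out.append(f"  {role}={finding['detail'][role]:<24} [{mark}] {ETYPE_ROLE[role]}")
    return "\n".join(out)


if __name__ == "__main__":
    for finding in audit_kdc_log(SAMPLE_LOG):
        print(explain(finding))
```

Run against the quoted log, the first ISSUE line decodes to rep=des-cbc-crc, tkt=aes256-cts-hmac-sha1-96, ses=des-cbc-crc: the client only holds a DES key, so the reply and session key are DES, but the ticket is sealed with the krbtgt's AES key regardless, which is exactly why changing ipa-getkeytab cannot move the tkt enctype.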

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel