Hi,

I have a strange (for me?) situation using an MIT KDC together with a
Heimdal client in a PKINIT/FAST scenario.

STEP 1:
client side: 

kinit --anonymous
klist -v
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
    Cache version: 4

Server: krbtgt/idm....@idm.crp
Client: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 273
Auth time:  Nov  2 10:30:45 2017
End time:   Nov  3 10:30:45 2017
Ticket flags: anonymous, enc-pa-rep, pre-authent, initial, forwardable
Addresses: addressless

MIT KDC side, krb5kdc.log:
Nov 02 09:43:41 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:67c:2X70:20X0:d5de:47fa:4de1:b0e7: ISSUE: authtime 1509612221, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/anonym...@idm.crp for krbtgt/idm....@idm.crp

I guess everything is fine.

STEP 2:
client
kinit --cache=FILE:/tmp/krb5cc_1000 a...@idm.crp
a...@idm.crp's Password: passwordOTP
kinit: Password incorrect

KDC log:
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
... <cut 6 rows with the same content>
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:67c:2X70:20X0:d5de:47fa:4de1:b0e7: PREAUTH_FAILED: a...@idm.crp for krbtgt/idm....@idm.crp, Preauthentication failed

my thoughts: ... 
something wrong with etypes, DH size or ....
- set pkinit_dh_min_bits = 1024 on the server/client because Heimdal
can't use MIT's default of 2048-bit DH
- tried allow_weak_crypto without success

Package versions: MIT 1.15.1 (CentOS 7, FreeIPA 4.5.0 bundle), Heimdal 7.1.0
(Debian 9 based); I also tried 7.4 with the same result.

An MIT KDC and MIT client in the same environment work well enough.

Thanks a lot for your time reading my long message, and for any ideas.

Oleksandr Yermolenko
network/systems engineer
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
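A small parser for the MIT krb5kdc.log lines quoted in the post above, as an added example that is not part of the original message, of FreeIPA, or of MIT krb5. It turns the AS_REQ result lines (ISSUE, NEEDED_PREAUTH, PREAUTH_FAILED) into structured findings, attaches the `preauth (...) verify failure` lines MIT writes just before a result to that result, and names the offered and negotiated enctypes. That makes it easy to see which preauth mechanism the KDC actually tried to verify for a request (in the post, `encrypted_timestamp`, i.e. a timestamp encrypted under the client's long-term key) and whether a client still offers legacy enctypes such as rc4-hmac. The sample log is constructed to match the line shape shown in the post; hostname, principals and client address are placeholders, and the regular expressions are written against that observed shape, not against a formal grammar of MIT's log output.

```python
"""Parse MIT krb5kdc.log AS_REQ result lines and the preauth verify failures
that precede them.

Added example, not code from the original post or from MIT krb5. The sample
log below is constructed to mirror the lines quoted in the post; hostname,
principals and client address are placeholders.
"""
import re
from collections import Counter

# Kerberos encryption type numbers as they appear in MIT's "etypes {...}" lists.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}
# Single-DES and RC4: legacy types worth flagging when a client still offers them.
LEGACY_ETYPES = {1, 3, 23}

_PREFIX = (r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
           r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): ")

# AS_REQ (N etypes {..}) <addr>: <RESULT>: [authtime T, etypes {rep= tkt= ses=}, ]client for server[, reason]
AS_REQ_RE = re.compile(
    _PREFIX
    + r"AS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[\d ]+)\}\) (?P<addr>\S+): "
    + r"(?P<result>[A-Z_]+): "
    + r"(?:authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    + r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<reason>.*))?$"
)
# preauth (<patype>) verify failure: <reason>
PREAUTH_RE = re.compile(
    _PREFIX + r"preauth \((?P<patype>[\w-]+)\) verify failure: (?P<reason>.*)$"
)


def parse_line(line):
    """Return a dict describing one log line, or None if it is not an AS_REQ event."""
    m = AS_REQ_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "as_req"
        ev["etypes"] = [int(x) for x in ev["etypes"].split()]
        return ev
    m = PREAUTH_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "preauth_failure"
        return ev
    return None


def analyse(log_lines):
    """Return one finding per AS_REQ result line.

    MIT writes each failed preauth verification on its own line right before
    the AS_REQ result it belongs to, so failures are buffered and attached to
    the next result line. This assumes one KDC process writes the log; with
    several worker processes you would additionally key the buffer on pid.
    """
    pending = Counter()
    findings = []
    for raw in log_lines:
        ev = parse_line(raw.strip())
        if ev is None:
            continue
        if ev["kind"] == "preauth_failure":
            pending[ev["patype"]] += 1
            continue
        finding = {
            "time": ev["ts"],
            "addr": ev["addr"],
            "client": ev["client"],
            "server": ev["server"],
            "result": ev["result"],
            "reason": ev["reason"],
            "offered": [ETYPE_NAMES.get(e, f"etype{e}") for e in ev["etypes"]],
            "legacy_offered": [ETYPE_NAMES[e] for e in ev["etypes"] if e in LEGACY_ETYPES],
            "failed_preauth": dict(pending),
        }
        if ev["result"] == "ISSUE":
            finding["ticket_etype"] = ETYPE_NAMES.get(int(ev["tkt"]), ev["tkt"])
            finding["session_etype"] = ETYPE_NAMES.get(int(ev["ses"]), ev["ses"])
        pending = Counter()
        findings.append(finding)
    return findings


# Constructed sample, shaped like the post's log: an anonymous AS_REQ that is
# issued, then a password AS_REQ that fails encrypted-timestamp preauth.
SAMPLE_LOG = """\
Nov 02 09:43:41 kdc.example.test krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:db8::10: ISSUE: authtime 1509612221, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 02 09:45:55 kdc.example.test krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:db8::10: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 02 09:45:56 kdc.example.test krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 kdc.example.test krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 kdc.example.test krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:db8::10: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f["time"], f["client"], f["result"], f["failed_preauth"], f["legacy_offered"])
```

Run it as a script to print one line per AS_REQ; feed it `sys.stdin` or an open file instead of `SAMPLE_LOG.splitlines()` to run it over a real krb5kdc.log. The useful signal for a failed FAST/OTP exchange is the `failed_preauth` map: if it only ever shows `encrypted_timestamp`, the KDC verified a plain timestamp-under-password preauth for that request and nothing else.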