On Fri, Nov 03, 2017 at 11:12:09AM +0200, Oleksandr Yermolenko via 
FreeIPA-users wrote:
> Hi,
> 
> I have a strange (for me?) situation using MIT KDC together with
> Heimdal client. PKINIT/FAST scenario.

The OTP implementation of MIT Kerberos is based on
https://www.ietf.org/rfc/rfc6560.txt, I guess this is currently not
implemented in heimdal.

bye,
Sumit

> 
> STEP 1:
> client side: 
> 
> kinit --anonymous
> klist -v
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>     Cache version: 4
> 
> Server: krbtgt/idm....@idm.crp
> Client: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
> Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
> Ticket length: 273
> Auth time:  Nov  2 10:30:45 2017
> End time:   Nov  3 10:30:45 2017
> Ticket flags: anonymous, enc-pa-rep, pre-authent, initial, forwardable
> Addresses: addressless
> 
> MIT KDC side log krb5kdc.log:
> Nov 02 09:43:41 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:67c:2X70:20X0:d5de:47fa:4de1:b0e7: ISSUE: authtime 1509612221, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/anonym...@idm.crp for krbtgt/idm....@idm.crp
> 
> I guess everything is fine.
> 
> STEP 2:
> client
> kinit --cache=FILE:/tmp/krb5cc_1000 a...@idm.crp
> a...@idm.crp's Password: passwordOTP
> kinit: Password incorrect
> 
> KDC log:
> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth
> ... <cut 6 rows with the same content>
> (encrypted_timestamp) verify failure: Preauthentication failed
> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:67c:2X70:20X0:d5de:47fa:4de1:b0e7: PREAUTH_FAILED: a...@idm.crp for krbtgt/idm....@idm.crp, Preauthentication failed
> 
> my thoughts: ... 
> something wrong with etypes, DH size or ....
> - set pkinit_dh_min_bits = 1024 on the server/client because Heimdal
> can't use MIT's default of 2048-bit DH
> - tried allow_weak_crypto without success
> 
> pkgs' versions: MIT 1.15.1 (centos7, freeipa 4.5.0 bundle), heimdal 7.1.0
> debian9 based, also was trying 7.4 with the same result
> 
> MIT KDC and MIT client in the same environment work well enough
> 
> thanks a lot for your time reading my big message and possible ideas.
> 
> Oleksandr Yermolenko
> network/systems engineer
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
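As an added example (not code from the thread, FreeIPA, MIT Kerberos or Heimdal), a small Python parser for krb5kdc.log lines in the format quoted above: it separates the per-request AS_REQ outcome lines from the "preauth (mechanism) verify failure" lines, so that a run of encrypted_timestamp failures for a principal that is expected to use OTP pre-authentication stands out from ordinary wrong-password noise. The sample log, the "alice"/"bob" principals and the addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the krb5kdc.log format quoted in the thread;
# the "alice"/"bob" principals and the addresses are placeholders, not the post's values.
SAMPLE_LOG = """\
Nov 02 09:43:41 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:db8::10: ISSUE: authtime 1509612221, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@idm.crp for krbtgt/idm.crp@idm.crp
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:db8::10: PREAUTH_FAILED: alice@idm.crp for krbtgt/idm.crp@idm.crp, Preauthentication failed
Nov 02 09:46:10 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:db8::10: PREAUTH_FAILED: alice@idm.crp for krbtgt/idm.crp@idm.crp, Preauthentication failed
Nov 02 09:50:02 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.7: ISSUE: authtime 1509612602, etypes {rep=18 tkt=18 ses=18}, bob@idm.crp for krbtgt/idm.crp@idm.crp
"""

# One AS_REQ summary line: offered etypes, request source, outcome (ISSUE, PREAUTH_FAILED, ...)
AS_REQ_RE = re.compile(
    r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ krb5kdc\[\d+\]\(info\): AS_REQ "
    r"\(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<src>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# The per-mechanism pre-auth verification failure that precedes a PREAUTH_FAILED outcome
PREAUTH_RE = re.compile(r"\(info\): preauth \((?P<mech>[^)]+)\) verify failure")
PRINCIPALS_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^\s,]+)")


def parse_as_req(line):
    """Return {'src', 'status', 'etypes', 'client'} for an AS_REQ log line, else None."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    p = PRINCIPALS_RE.search(m.group("rest"))
    return {"src": m.group("src"), "status": m.group("status"),
            "etypes": [int(e) for e in m.group("etypes").split()],
            "client": p.group("client") if p else None}


def analyze(log_text):
    """Count AS_REQ outcomes per (src, client, status) and failed pre-auth mechanisms."""
    outcomes, failed_mechs = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec:
            outcomes[(rec["src"], rec["client"], rec["status"])] += 1
            continue
        pm = PREAUTH_RE.search(line)
        if pm:
            failed_mechs[pm.group("mech")] += 1
    return outcomes, failed_mechs


def repeated_failures(log_text, threshold=2):
    """(src, client) pairs with at least `threshold` PREAUTH_FAILED AS_REQs."""
    outcomes, _ = analyze(log_text)
    return sorted((src, client) for (src, client, status), n in outcomes.items()
                  if status == "PREAUTH_FAILED" and n >= threshold)
```

A high encrypted_timestamp failure count for an OTP-enabled principal, with no otp mechanism attempts logged, points at a client that does not speak RFC 6560 rather than at a bad password.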
