1. I'm running into the "NO PREAUTH" problem with the KDC that's mentioned here:
Greg:
> For reasons I don't personally understand, the "NO PREAUTH" error
> happens when a TGS request with no preauth comes in for a service
> (not client) principal with requires-preauth set.

http://www.mail-archive.com/[email protected]/msg15735.html

Here's the relevant code from the 1.9.1 kdc_utils.c:

> /* Check for any kind of preauthentication */
> if (isflagset(server->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
>     !isflagset(ticket->enc_part2->flags, TKT_FLG_PRE_AUTH)) {
>     *status = "NO PREAUTH";
>     return KRB_ERR_GENERIC;
> }

I actually hit this when trying to do a u2u TGS_REQ, because one of my princs was just created manually instead of by scripts that set +requires_preauth, while the other was created "correctly", so the u2u TGS_REQ works one way but not the other (see also #2 below).

Is there any further rationale for the server->attributes check above? Thinking about it, the flag seems to be doing double duty: for clients it requires preauth so dictionary attacks aren't possible, and for services it requires the clients to be preauthed, I guess as an added security requirement? When doing u2u, this double duty means all the client princs need to be set or none of them do, however, or they won't interoperate.

Added note: If I modprinc +requires_preauth, but the ccache already has the tgt in it, it still fails at this u2u stage. I have to delete the ccache and re-get the tgt, which sets the preauth bit in the tgt that the kdc checks above, I assume? This last thing isn't a problem when I don't switch requires_preauth after a valid tgt has already been gotten, but it's non-intuitive behavior, at least. I assume there's no way to force a preauth at the TGS_REQ phase, so the request would just take another loop?

2. On a related note, is there any way to default +requires_preauth on princs?

There are password policies, but I didn't see any way to have attribute policies that would allow +requires_preauth +disallow_svr as the default for all my princs created through kadmin manually. When I create accounts using my perl Authen::Krb5::Admin scripts, I set the flags correctly, of course, it's just sometimes nice to drop into kadmin quickly to make a test account.

Chris

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
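Since kadmin offers no attribute default (point 2 above), an audit over the principal database is the practical substitute: the script below, an added example that is neither from this post nor from MIT krb5, parses concatenated `getprinc` output and reports principals missing the expected flags, plus whether REQUIRES_PRE_AUTH is set consistently (the all-or-none condition the post identifies for u2u). The sample output is constructed, and the `Attributes:` line layout is assumed from MIT kadmin's getprinc format.

```python
import re
from typing import Dict, List, Set

# Constructed sample of what "kadmin.local -q 'getprinc <name>'" prints for
# three principals, with most fields abridged. Not captured from a real KDC.
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: [none]
Principal: bob@EXAMPLE.COM
Expiration date: [never]
Attributes:
Policy: [none]
Principal: host/kdc.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""

# [ \t] rather than \s so an empty "Attributes:" line does not swallow the
# next line (\s would match the newline).
PRINCIPAL_RE = re.compile(r"^Principal:[ \t]+(\S+)[ \t]*$", re.M)
ATTR_RE = re.compile(r"^Attributes:[ \t]*(.*)$", re.M)


def parse_getprinc(text: str) -> Dict[str, Set[str]]:
    """Map each principal in concatenated getprinc output to its attribute set."""
    result: Dict[str, Set[str]] = {}
    # Split on each "Principal:" header so every chunk belongs to one principal.
    for chunk in re.split(r"(?m)^(?=Principal:)", text):
        m = PRINCIPAL_RE.search(chunk)
        if not m:
            continue
        a = ATTR_RE.search(chunk)
        result[m.group(1)] = set(a.group(1).split()) if a else set()
    return result


def missing_flags(text: str, required=("REQUIRES_PRE_AUTH",)) -> Dict[str, List[str]]:
    """Principals lacking any required flag, mapped to the sorted list of gaps."""
    out: Dict[str, List[str]] = {}
    for princ, attrs in parse_getprinc(text).items():
        gaps = sorted(f for f in required if f not in attrs)
        if gaps:
            out[princ] = gaps
    return out


def preauth_consistent(text: str) -> bool:
    """True when every principal agrees on REQUIRES_PRE_AUTH (all set or none)."""
    states = {"REQUIRES_PRE_AUTH" in a for a in parse_getprinc(text).values()}
    return len(states) <= 1
```

Feed it the output of `getprinc` for each principal listed by `getprincs`; a manually created test account shows up immediately as the one missing REQUIRES_PRE_AUTH.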
