[Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

2015-06-17 Thread Rolf Leggewie
lucid has seen the end of its life and is no longer receiving any
updates. Marking the lucid task for this ticket as Won't Fix.

** Changed in: krb5 (Ubuntu Lucid)
   Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/567188

Title:
  krb5 and ADS error using 10.04, not 9.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/567188/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

2012-06-15 Thread Clint Byrum
I'm going to move this back to 'Confirmed' so we can take a look at this
in the next sweep for bugs in krb5. There are 3 affected, so it's likely
the problem is at least worth a look.

** Changed in: krb5 (Ubuntu)
   Status: Incomplete => Confirmed



[Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

2010-10-21 Thread Jean-Baptiste Lallement
Jean-Yves, did you try the advice from Sam Hartman in comment #12?
Is it still an issue with Ubuntu 10.10 - Maverick?
Was it an issue in Ubuntu 9.10?

** Also affects: krb5 (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Tags added: regression-release
** Tags removed: regression-potential

** Changed in: krb5 (Ubuntu Lucid)
   Status: New => Confirmed

** Changed in: krb5 (Ubuntu Lucid)
   Importance: Undecided => Medium

** Description changed:

  Environment:
  The installed distributions use kerberos and likewise to identify the user to 
an Active Directory Server.
  The client configuration on 9.04 is basic and efficient. I use the same 
configuration file (krb5.conf) on 10.04.
  Kerberos and likewise come from ubuntu repository for each distribution (9.04 
and 10.04).
  
  Description:
  Using 9.04 to auth with kerberos/likewise works fine: tickets ok, everything 
is done login in one time only.
  Using 10.04 to auth the same way leads to an error and forbids the access: 
user login ok but the access to other ressources is forbidden, most often 
returning: KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
  The likewise-open5 versions used are the same on both distributions.
  I tested with same versions of kerberos on both distributions and i got the 
same results.
- I thought the KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN was related to a dns problem 
but when i solved this the following appears: 
-  the client sends a TGS_REQ, containing the Encryption type: rc4-hmac 
(23), to the server.
-  the server answers KRB5KDC_ERR_ETYPE_NOSUPP (14)
-  10.04 sends a section Authenticator rc4-hmac (23) in PA-TGS-REQ , 9.04 
doesn't.
+ I thought the KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN was related to a dns problem 
but when i solved this the following appears:
+  the client sends a TGS_REQ, containing the Encryption type: rc4-hmac 
(23), to the server.
+  the server answers KRB5KDC_ERR_ETYPE_NOSUPP (14)
+  10.04 sends a section Authenticator rc4-hmac (23) in PA-TGS-REQ , 9.04 
doesn't.
  
  There's no such error using ubuntu-9.04.
  I grab theses informations sniffing the local network with wireshark.
  
  Is there anybody experiencing the same problems ?
  How can i fix this ?
  thanx
+ 
+ == Regression details ==
+ Discovered in version: lucid 10.04 : krb5-user 1.8.1+dfsg-2 with likewise 
5.3.0-1
+ Last known good version: jaunty - krb5-user 1.6.dfsg.4~beta1-5ubuntu2.2 with 
likewise-open5 5.0.3991.1-0ubuntu2



[Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

2010-06-04 Thread Troc Ster
I have encountered this issue as well. I use pam_kerberos and AD for
authentication and login authorization; this works fine.

However this issue affects kerberos mediated Single Sign On to apache
sites using mod_auth_kerb.so version 5.1 on the web server and the krb5
libraries on 10.04 (this used to work fine in 9.04). The SSO web
authentication fails and falls back to less desirable methods (username
password)

The issue is resolved by adding allow_weak_crypto = true in
/etc/krb5.conf

Package: krb5-user
Version: 1.8.1+dfsg-2

Package: firefox
Version: 3.6.3+nobinonly-0ubuntu4

the wireshark trace shows the client doing a TGS-REQ to the kdc where the 
padata: PA-TGS-REQ 
- value .. AP-REQ 
- Authenticator rc4-hmac 
- Encryption type: rc4-hmac (23)
- Authenticator data: 

the response is a KRB-ERROR with error code KRB5KDC_ERR_ETYPE_NOSUPP

after adding allow_weak_crypto = true the TGS-REQ to the kdc is
responded with a TGS-REP which includes a ticket. The SSO session with
the apache server continues, and the wireshark trace shows the following
in the http headers :

GSS-API
- SPNEGO
  - negTokenInit
    - krb5_blob
      - Kerberos AP-REQ
        - Authenticator des-cbc-crc
          - Encryption type: des-cbc-crc (1)
          - Authenticator data:

will add more info if needed. For now the extra line works. Thank
you for the suggestion.



Re: [Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

2010-06-04 Thread Sam Hartman
My guess is that the DES only checkbox is checked in your AD
configuration for the service account used by the Apache server.  If you
clear that checkbox and generate a keytab including both RC4 and DES
keys then I suspect allow_weak_crypto will not be needed.

I'm sorry, but I do not have instructions for generating an RC4 keytab
off the top of my head.

--Sam
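
The DES-only guess above can be checked from the Linux side by listing which enctypes the service keytab actually holds. The following is an added example, not part of the thread or of any project's code: it parses `klist -ke` output and classifies each principal; the sample output, keytab path, host names and realm are constructed, and the long-description prefixes for older releases are an assumption.

```python
import re
from collections import defaultdict

# Enctype names MIT krb5 treats as weak. The thread names DES (des-cbc-crc,
# enctype 1) and export-grade RC4 (enctype 24); the md4/md5 DES variants are
# added from general knowledge of MIT krb5, not from the thread.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
        "arcfour-hmac-exp", "rc4-hmac-exp"}

# Constructed sample of `klist -ke` output; keytab path, hosts and realm
# are hypothetical.
SAMPLE = """\
Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 HTTP/web.example.com@EXAMPLE.COM (des-cbc-crc)
   3 HTTP/web.example.com@EXAMPLE.COM (des-cbc-md5)
   5 HTTP/intranet.example.com@EXAMPLE.COM (des-cbc-md5)
   5 HTTP/intranet.example.com@EXAMPLE.COM (arcfour-hmac)
   2 host/web.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# One keytab entry: KVNO, principal, enctype in parentheses.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def keytab_enctypes(klist_output):
    """Map each principal to the set of enctypes it has keys for."""
    keys = defaultdict(set)
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match
            keys[m.group(2)].add(m.group(3).strip().lower())
    return dict(keys)

def is_weak(name):
    # Older releases print long descriptions instead of short names; the
    # two prefixes below are an assumption about that wording.
    return name in WEAK or name.startswith(("des cbc mode", "exportable arcfour"))

def classify(klist_output):
    """Return {principal: 'weak-only' | 'mixed' | 'ok'}."""
    verdicts = {}
    for principal, etypes in keytab_enctypes(klist_output).items():
        weak = {e for e in etypes if is_weak(e)}
        if weak == etypes:
            verdicts[principal] = "weak-only"  # needs allow_weak_crypto on 1.8 clients
        elif weak:
            verdicts[principal] = "mixed"      # usable, but weak keys remain
        else:
            verdicts[principal] = "ok"
    return verdicts

if __name__ == "__main__":
    for principal, verdict in sorted(classify(SAMPLE).items()):
        print(f"{verdict:9}  {principal}")
```

A `weak-only` principal matches the situation described in the thread: the service only works once the client sets allow_weak_crypto = true, and the fix belongs on the account and keytab rather than in krb5.conf.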



[Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

2010-05-20 Thread jean-yves chateaux
After days of tests it seems it's a kerberos tickets forwarding problem, 
smbclient replying with an spnego error claiming a lack of information from 
kerberos.
The group resolving problem looks like an issue with ticket forwarding 
(forwardable and forward true in appdefaults): the filer requires login/pass. 
downgrading smbclient does not fix the problem.
There was no problem with this filer when i used a ubuntu 9 workstation and 
kerberos/likewise.



[Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

2010-04-30 Thread jean-yves chateaux
> If Allow_weak_crypto = true is making things work better with Windows,
> something is broken somewhere else to cause this.

Without this parameter in krb5.conf the auth against the ADS to access
services like http goes wrong and asks for a login/pass instead of using
the kerberos tickets, claiming unsupported enctype.

> I think we have fairly high confidence in that code.

I'm sure too we can have confidence in the MIT code, no problem with that.
It just goes wrong using the last ubuntu version of krb5 when trying to
authenticate and browse a samba share that was perfectly browsable with the
krb5 version used in 9.04.



Re: [Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

2010-04-30 Thread Sam Hartman
>>>>> "jean-yves" == jean-yves chateaux <jean-yves.chate...@sagemcom.com> writes:

>> If Allow_weak_crypto = true is making things work better with
>> Windows,
jean-yves> something is broken somewhere else to cause this.

jean-yves> Without this parameter in krb5.conf the auth against the
jean-yves> ADS to access services like http goes wrong and asks for a
jean-yves> login/pass instead of using the kerberos tickets,
jean-yves> claiming unsupported enctype.

This sounds like a problem outside of the krb5 package.



[Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

2010-04-27 Thread jean-yves chateaux
packages:
9.04 : krb5-user 1.6.dfsg.4~beta1-5ubuntu2.2  with likewise-open5 
5.0.3991.1-0ubuntu2
10.04 : krb5-user 1.8.1+dfsg-2 with likewise 5.3.0-1



Re: [Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

2010-04-27 Thread Sam Hartman
>>>>> "jean-yves" == jean-yves chateaux <jean-yves.chate...@sagemcom.com> writes:

jean-yves> The errors are the results of MIT resolution to exclude
jean-yves> DES/DES3 from the supported enctypes (security reasons).
jean-yves> The parameter allow_weak_crypto = true should be added
jean-yves> in the default [libdefaults] section of /etc/krb5.conf.

That's very strange.  All versions of Windows have supported rc4
(arcfour-hmac-md5 in MIT terms), and no version of Windows should
require DES to work.

If Allow_weak_crypto = true is making things work better with Windows,
something is broken somewhere else to cause this.


jean-yves> Adding this parameter solved the errors of the original
jean-yves> bug report but leads to a new one: likewise+krb5 cannot
jean-yves> get the authenticated user groups correctly from the ADS
jean-yves> when trying to browse samba shares using tickets.  It
jean-yves> looks like a bug in krb5 when using allow_weak_crypto =
jean-yves> true in the des/des3 old school support.  This support
jean-yves> is _not_ like the previous des/des3 krb version support.

That's very strange.  There have been some changes in DES support
surrounding reorganization of libk5crypto, however at this point, I
think we have fairly high confidence in that code.

Note that allow_weak_crypto is not new in 1.8; the thing that is new in
1.8 is that the default changed from true to false.

--Sam



[Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

2010-04-26 Thread Chuck Short
Thank you for taking the time to report this bug and helping to make Ubuntu 
better. Please answer these questions:
1. Is this reproducible?
2. If so, what specific steps should we take to recreate this bug? Be as 
detailed as possible.
This will help us to find and resolve the problem.

** Changed in: krb5 (Ubuntu)
   Importance: Undecided => Medium

** Changed in: krb5 (Ubuntu)
   Status: New => Incomplete



[Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

2010-04-26 Thread jean-yves chateaux
The errors are the results of MIT resolution to exclude DES/DES3 from the 
supported enctypes (security reasons).
The parameter allow_weak_crypto = true should be added in the default 
[libdefaults] section of /etc/krb5.conf.
Adding this parameter solved the errors of the original bug report but leads to 
a new one: likewise+krb5 cannot get the authenticated user groups correctly 
from the ADS when trying to browse samba shares using tickets. 
It looks like a bug in krb5 when using allow_weak_crypto = true in the 
des/des3 old school support. 
This support is _not_ like the previous des/des3 krb version support.
MIT isn't really in verbose mode about the code they modified to make this 
partial support good enough.



Re: [Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

2010-04-26 Thread Tom Yu
jean-yves chateaux <jean-yves.chate...@sagemcom.com> writes:

> The errors are the results of MIT resolution to exclude DES/DES3 from
> the supported enctypes (security reasons).

DES3 was not marked as weak.  Neither was rc4-hmac (enctype 23).
The export-grade rc4-hmac-exp is enctype 24 and was marked as weak,
but that doesn't explain the KRB5KDC_ERR_ETYPE_NOSUPP when
requesting rc4-hmac (23).

> The parameter allow_weak_crypto = true should be added in the
> default [libdefaults] section of /etc/krb5.conf.

> Adding this parameter solved the errors of the original bug report but
> leads to a new one: likewise+krb5 cannot get the authenticated user
> groups correctly from the ADS when trying to browse samba shares using
> tickets.

The user groups problem probably has nothing to do with disabling weak
crypto.

I think more information is needed.  In particular, what package
versions for the krb5 packages are in each configuration?



[Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

2010-04-25 Thread Philip Muškovac
Thank you for taking the time to report this bug and helping to make
Ubuntu better. This bug did not have a package associated with it, which
is important for ensuring that it gets looked at by the proper
developers.  You can learn more about finding the right package at
https://wiki.ubuntu.com/Bugs/FindRightPackage.  I have classified this
bug as a bug in krb5.

When reporting bugs in the future please use apport, either via the
appropriate application's Help -> Report a Problem menu or using
'ubuntu-bug' and the name of the package affected.  You can learn more
about this functionality at https://wiki.ubuntu.com/ReportingBugs.

** Package changed: ubuntu => krb5 (Ubuntu)

** Tags added: lucid regression-potential
