Re: [Freeipa-devel] [PATCH] 965 Allow ipa-getkeytab to skip missing enctypes

2012-03-05 Thread Rob Crittenden

Simo Sorce wrote:
> On Fri, 2012-02-24 at 08:57 -0500, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > On Thu, 2012-02-23 at 22:05 -0500, Rob Crittenden wrote:
> > > > We noticed that older client machines couldn't join FreeIPA 2.1.90
> > > > servers running KDC 1.90. It was failing to return a ticket for DES so
> > > > the whole keytab request was failing.
> > > >
> > > > I changed it so failures are acceptable as long as one requested type is
> > > > returned.
> > > >
> > > > I wasn't able to get my KDC to actually return a DES key despite
> > > > enabling weak crypto and adding the des enctypes. Not sure if this is a
> > > > problem on my end or not. I used RHEL 5 as the client.
> > >
> > > The problem is that the authoritative list for the IPA server is in
> > > cn=REALM.NAME,cn=kerberos,$suffix
> > >
> > > In there there are 2 multivalue attributes: krbDefaultEncSaltTypes and
> > > krbSupportedEncSaltTypes.
> > >
> > > You need to add any enctype you want 'supported' in that list.
> > > You may have to restart DS after you change those values as I don't
> > > remember if we update internal structures on the fly.
> >
> > Restarting the KDC did it. I disabled arcfour and now I see two failed
> > cert types from RHEL 5:
> >
> > $ ipa-getkeytab -s doberman.example.com -p test/zeus.example.com -k /tmp/test.kt
> > Failed to retrieve encryption type ArcFour with HMAC/md5 (#23)
> > Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
> > Keytab successfully retrieved and stored in: /tmp/test.kt
> >
> > > On the patch where does the '48' come from ?
> >
> > Completely arbitrarily trying to keep error on a single line (similar to
> > the list of supported enctypes truncating at 79).
>
> I do not like this much, but it is just an error message so ACK.
>
> Simo.

I switched it to use 79 to be consistent with other uses of
krb5_enctype_to_string().


pushed to master and ipa-2-2

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 965 Allow ipa-getkeytab to skip missing enctypes

2012-03-05 Thread Simo Sorce
On Fri, 2012-02-24 at 08:57 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Thu, 2012-02-23 at 22:05 -0500, Rob Crittenden wrote:
> >> We noticed that older client machines couldn't join FreeIPA 2.1.90
> >> servers running KDC 1.90. It was failing to return a ticket for DES so
> >> the whole keytab request was failing.
> >>
> >> I changed it so failures are acceptable as long as one requested type is
> >> returned.
> >>
> >> I wasn't able to get my KDC to actually return a DES key despite
> >> enabling weak crypto and adding the des enctypes. Not sure if this is a
> >> problem on my end or not. I used RHEL 5 as the client.
> >
> > The problem is that the authoritative list for the IPA server is in
> > cn=REALM.NAME,cn=kerberos,$suffix
> >
> > In there there are 2 multivalue attributes: krbDefaultEncSaltTypes and
> > krbSupportedEncSaltTypes.
> >
> > You need to add any enctype you want 'supported' in that list.
> > You may have to restart DS after you change those values as I don't
> > remember if we update internal structures on the fly.
> 
> Restarting the KDC did it. I disabled arcfour and now I see two failed 
> cert types from RHEL 5:
> 
> $ ipa-getkeytab -s doberman.example.com -p test/zeus.example.com -k /tmp/test.kt
> Failed to retrieve encryption type ArcFour with HMAC/md5 (#23)
> Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
> Keytab successfully retrieved and stored in: /tmp/test.kt
> 
> >
> > On the patch where does the '48' come from ?
> 
> Completely arbitrarily trying to keep error on a single line (similar to 
> the list of supported enctypes truncating at 79).

I do not like this much, but it is just an error message so ACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 965 Allow ipa-getkeytab to skip missing enctypes

2012-02-24 Thread Rob Crittenden

Simo Sorce wrote:
> On Thu, 2012-02-23 at 22:05 -0500, Rob Crittenden wrote:
> > We noticed that older client machines couldn't join FreeIPA 2.1.90
> > servers running KDC 1.90. It was failing to return a ticket for DES so
> > the whole keytab request was failing.
> >
> > I changed it so failures are acceptable as long as one requested type is
> > returned.
> >
> > I wasn't able to get my KDC to actually return a DES key despite
> > enabling weak crypto and adding the des enctypes. Not sure if this is a
> > problem on my end or not. I used RHEL 5 as the client.
>
> The problem is that the authoritative list for the IPA server is in
> cn=REALM.NAME,cn=kerberos,$suffix
>
> In there there are 2 multivalue attributes: krbDefaultEncSaltTypes and
> krbSupportedEncSaltTypes.
>
> You need to add any enctype you want 'supported' in that list.
> You may have to restart DS after you change those values as I don't
> remember if we update internal structures on the fly.

Restarting the KDC did it. I disabled arcfour and now I see two failed
cert types from RHEL 5:

$ ipa-getkeytab -s doberman.example.com -p test/zeus.example.com -k /tmp/test.kt
Failed to retrieve encryption type ArcFour with HMAC/md5 (#23)
Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
Keytab successfully retrieved and stored in: /tmp/test.kt

> On the patch where does the '48' come from ?

Completely arbitrarily trying to keep error on a single line (similar to
the list of supported enctypes truncating at 79).


rob



Re: [Freeipa-devel] [PATCH] 965 Allow ipa-getkeytab to skip missing enctypes

2012-02-23 Thread Simo Sorce
On Thu, 2012-02-23 at 22:05 -0500, Rob Crittenden wrote:
> We noticed that older client machines couldn't join FreeIPA 2.1.90 
> servers running KDC 1.90. It was failing to return a ticket for DES so 
> the whole keytab request was failing.
> 
> I changed it so failures are acceptable as long as one requested type is 
> returned.
> 
> I wasn't able to get my KDC to actually return a DES key despite 
> enabling weak crypto and adding the des enctypes. Not sure if this is a 
> problem on my end or not. I used RHEL 5 as the client.

The problem is that the authoritative list for the IPA server is in
cn=REALM.NAME,cn=kerberos,$suffix

In there there are 2 multivalue attributes: krbDefaultEncSaltTypes and
krbSupportedEncSaltTypes.

You need to add any enctype you want 'supported' in that list.
You may have to restart DS after you change those values as I don't
remember if we update internal structures on the fly.


On the patch where does the '48' come from ?


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

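Simo's reply above names the realm entry (cn=REALM.NAME,cn=kerberos,$suffix) and its two multivalued attributes as the authoritative enctype list. As an added example, not from the thread or the FreeIPA code base, the script below parses a constructed LDIF dump of such an entry, flags the weak DES and ArcFour enctypes that the old RHEL 5 client in this thread asks for, and applies its own sanity rule that every default enctype must also be in the supported list; the DN, the attribute values and the "enctype:salttype" value shape are assumed sample data.

```python
"""Audit the enctype lists of a FreeIPA realm entry from a constructed LDIF dump."""
import re

# Constructed sample of what an ldapsearch on cn=EXAMPLE.COM,cn=kerberos,$suffix
# might return; only the attribute names come from the thread, the values are assumed.
SAMPLE_LDIF = """\
dn: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
cn: EXAMPLE.COM
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
krbDefaultEncSaltTypes: des3-hmac-sha1:special
krbDefaultEncSaltTypes: arcfour-hmac:special
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: des-cbc-crc:normal
"""

# Enctype name prefixes a KDC should no longer offer (single DES and RC4 families).
WEAK_PREFIXES = ("des-", "arcfour-")


def parse_enc_salt_types(ldif):
    """Return {attribute: [(enctype, salttype), ...]} for the two multivalued attributes."""
    out = {"krbDefaultEncSaltTypes": [], "krbSupportedEncSaltTypes": []}
    for line in ldif.splitlines():
        m = re.match(r"^(krb(?:Default|Supported)EncSaltTypes):\s*(\S+?)(?::(\S+))?$", line)
        if m:
            # A missing salt type is treated as "normal" (assumption for this audit).
            out[m.group(1)].append((m.group(2), m.group(3) or "normal"))
    return out


def audit(ldif):
    """Flag weak supported enctypes and defaults that are not also listed as supported."""
    lists = parse_enc_salt_types(ldif)
    supported = {enc for enc, _ in lists["krbSupportedEncSaltTypes"]}
    findings = []
    for enc in sorted(supported):
        if enc.startswith(WEAK_PREFIXES):
            findings.append(f"weak enctype still supported: {enc}")
    for enc, salt in lists["krbDefaultEncSaltTypes"]:
        if enc not in supported:
            findings.append(f"default {enc}:{salt} is not in krbSupportedEncSaltTypes")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF):
        print(finding)
```

On the sample above the audit reports des-cbc-crc as a weak enctype that is still served and arcfour-hmac as a default that the KDC no longer lists as supported, which is the situation Rob describes after disabling arcfour.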


[Freeipa-devel] [PATCH] 965 Allow ipa-getkeytab to skip missing enctypes

2012-02-23 Thread Rob Crittenden
We noticed that older client machines couldn't join FreeIPA 2.1.90 
servers running KDC 1.90. It was failing to return a ticket for DES so 
the whole keytab request was failing.


I changed it so failures are acceptable as long as one requested type is 
returned.


I wasn't able to get my KDC to actually return a DES key despite 
enabling weak crypto and adding the des enctypes. Not sure if this is a 
problem on my end or not. I used RHEL 5 as the client.


rob
From 9fe7b33a985472a0a522e34f97f033772a92f5bc Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Thu, 23 Feb 2012 21:56:07 -0500
Subject: [PATCH] Only warn if ipa-getkeytab doesn't get all requested
 enctypes.

Older client machines may request DES keys not supported in newer
KDCs. This was causing the entire request to fail as well as client
enrollment.

https://fedorahosted.org/freeipa/ticket/2424
---
 ipa-client/ipa-getkeytab.c |   37 -
 1 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 28ef5b5..f758ffb 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -548,6 +548,7 @@ static int ldap_set_keytab(krb5_context krbctx,
 	int kvno, i;
 	ber_tag_t rtag;
 	ber_int_t *encs = NULL;
+	int successful_keys = 0;
 
 	/* cant' return more than nkeys, sometimes less */
 	encs = calloc(keys->nkeys + 1, sizeof(ber_int_t));
@@ -587,12 +588,14 @@ static int ldap_set_keytab(krb5_context krbctx,
 		goto error_out;
 	}
 
+#ifdef LDAP_OPT_X_SASL_NOCANON
 /* Don't do DNS canonicalization */
 	ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
 	if (ret != LDAP_SUCCESS) {
 	fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
 	goto error_out;
 	}
+#endif
 
 	version = LDAP_VERSION3;
 	ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
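Review bot: the `#ifdef LDAP_OPT_X_SASL_NOCANON` guard around the `ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON)` call is unrelated to the enctype change the commit message describes and should be mentioned there or split into its own patch. It also changes behaviour silently: on a libldap that lacks the option, the SASL bind proceeds with the DNS canonicalization that the `/* Don't do DNS canonicalization */` comment says is unwanted, so at least a comment (or a compile-time warning) should record that this is accepted. That comment line has also lost its indentation relative to the block it annotates.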
@@ -620,7 +623,13 @@ static int ldap_set_keytab(krb5_context krbctx,
 		   LDAP_SASL_QUIET,
 		   ldap_sasl_interact, princ);
 		if (ret != LDAP_SUCCESS) {
-			fprintf(stderr, _("SASL Bind failed!\n"));
+			char *msg=NULL;
+#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
+			ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE,
+(void*)&msg);
+#endif
+			fprintf(stderr, "SASL Bind failed %s (%d) %s!\n",
+ldap_err2string(ret), ret, msg ? msg : "");
 			goto error_out;
 		}
 	}
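Review bot: the new `fprintf(stderr, "SASL Bind failed %s (%d) %s!\n", ...)` drops the `_()` translation wrapper that the replaced `_("SASL Bind failed!\n")` had, so the message is no longer localizable; wrap the format string again. The `msg` string filled in by `ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg)` is allocated by libldap and is never released before `goto error_out`, so add `ldap_memfree(msg)` after printing. Minor: `char *msg=NULL;` should be spaced as `char *msg = NULL;` like the surrounding declarations.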
@@ -705,16 +714,34 @@ static int ldap_set_keytab(krb5_context krbctx,
 
 	rtag = ber_scanf(sctrl, "{i{", &kvno);
 	if (rtag == LBER_ERROR) {
-		fprintf(stderr, _("ber_scanf() failed, Invalid control ?!\n"));
+		fprintf(stderr, _("ber_scanf() failed, unable to find kvno ?!\n"));
 		goto error_out;
 	}
 
 	for (i = 0; i < keys->nkeys; i++) {
 		ret = ber_scanf(sctrl, "{i}", &encs[i]);
 		if (ret == LBER_ERROR) {
-fprintf(stderr, _("ber_scanf() failed, Invalid control ?!\n"));
-goto error_out;
-}
+			char enc[48]; 
+			krb5_error_code krberr;
+			krberr = krb5_enctype_to_string(
+keys->ksdata[i].enctype, enc, 48);
+			if (krberr) {
+fprintf(stderr, _("Failed to retrieve "
+	"encryption type type #%d\n"),
+	keys->ksdata[i].enctype);
+			} else {
+fprintf(stderr, _("Failed to retrieve "
+	"encryption type %s (#%d)\n"),
+	enc, keys->ksdata[i].enctype);
+			}
+} else {
+			successful_keys++;
+		}
+	}
+
+	if (successful_keys == 0) {
+		fprintf(stderr, _("Failed to retrieve any keys"));
+		goto error_out;
 	}
 
 	ret = filter_keys(krbctx, keys, encs);
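Review bot: `char enc[48]` and the `48` passed to `krb5_enctype_to_string(keys->ksdata[i].enctype, enc, 48)` repeat a magic number; pass `sizeof(enc)` so the buffer and the length cannot drift apart (the thread later settles on 79 to match the other callers). The fallback message `_("Failed to retrieve encryption type type #%d\n")` has a doubled "type", and `_("Failed to retrieve any keys")` lacks a trailing `\n`, so it runs into whatever is printed next. The loop now continues past a `ber_scanf` failure, leaving `encs[i]` at the zero that `calloc` put there unless `ber_scanf` wrote something; that is only safe if `filter_keys()` treats enctype 0 as "not returned", which deserves a comment at the `successful_keys == 0` check. Indentation of the new `} else {` and the `fprintf` continuation lines is also inconsistent with the surrounding tab-indented code.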
-- 
1.7.6.5
