Re: Replica KDC has no support for encryption type
https://www.novabbs.com/devel/article-flat.php?id=216&group=comp.protocols.kerberos#216
From: deb...@lhanke.de (Dr. Lars Hanke)
Newsgroups: comp.protocols.kerberos
Subject: Re: Replica KDC has no support for encryption type
Date: Mon, 7 Feb 2022 11:32:56 +0100
Organization: TNet Consulting
Message-ID: <mailman.26.1644230005.8148.kerberos@mit.edu>
References: <917dadc9-e45b-f86a-e394-754ccc30eeae@lhanke.de>
<387069fb-7834-588d-c8f7-b2575434402b@mit.edu>
<4e33beec-aa24-b317-f89a-85dd2c891db0@lhanke.de>
In-Reply-To: <387069fb-7834-588d-c8f7-b2575434402b@mit.edu>

I enabled logging on both KDCs. For some reason the KDC claims that
/var/log is read-only. It's not, but logging to /tmp produced log files.

The results were not exactly enlightening. This is what I see on krb2 for the following commands:

kinit -p user/admin
ldapsearch -b "cn=admin,dc=example,dc=com" -H ldap://krb2.example.com uid=user
ldapsearch -b "cn=admin,dc=example,dc=com" -H ldap://krb1.example.com uid=user

Feb 07 10:47:13 krb2 krb5kdc[6696](Error): preauth spake failed to initialize: No SPAKE preauth groups configured
Feb 07 10:47:13 krb2 krb5kdc[6696](info): setting up network...
Feb 07 10:47:13 krb2 krb5kdc[6696](info): setsockopt(12,IPV6_V6ONLY,1) worked
Feb 07 10:47:13 krb2 krb5kdc[6696](info): setsockopt(14,IPV6_V6ONLY,1) worked
Feb 07 10:47:13 krb2 krb5kdc[6696](info): setsockopt(16,IPV6_V6ONLY,1) worked
Feb 07 10:47:13 krb2 krb5kdc[6696](info): set up 6 sockets
Feb 07 10:47:13 krb2 krb5kdc[6697](info): commencing operation
Feb 07 10:47:20 krb2 krb5kdc[6697](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.10: NEEDED_PREAUTH: user/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Feb 07 10:47:24 krb2 krb5kdc[6697](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.10: ISSUE: authtime 1644227244, etypes {rep=18 tkt=18 ses=18}, user/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 07 10:47:33 krb2 krb5kdc[6697](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.10: BAD_ENCRYPTION_TYPE: authtime 0, user/admin@EXAMPLE.COM for ldap/krb2.example.com@EXAMPLE.COM, KDC has no support for encryption type
Feb 07 10:47:33 krb2 krb5kdc[6697](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.10: BAD_ENCRYPTION_TYPE: authtime 0, user/admin@EXAMPLE.COM for ldap/krb2.example.com@EXAMPLE.COM, KDC has no support for encryption type
Feb 07 10:47:39 krb2 krb5kdc[6697](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.10: ISSUE: authtime 1644227244, etypes {rep=18 tkt=18 ses=18}, user/admin@EXAMPLE.COM for ldap/krb1.example.com@EXAMPLE.COM

Following these operations my ticket cache on krb2 contains:

07.02.2022 10:47:24  07.02.2022 20:47:24 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08.02.2022 10:47:20
07.02.2022 10:47:39  07.02.2022 20:47:24 ldap/krb1.example.com@EXAMPLE.COM
       renew until 08.02.2022 10:47:20

Then I change the kdc to krb1 in /etc/krb5.conf and retry the failed
ldapsearch -b "cn=admin,dc=example,dc=com" -H ldap://krb2.example.com uid=user
This is what I see in the log of krb1:

Feb 07 10:56:09 hel krb5kdc[16026](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.10: ISSUE: authtime 1644227244, etypes {rep=18 tkt=18 ses=18}, user/admin@EXAMPLE.COM for ldap/krb2.example.com@EXAMPLE.COM

After that the ticket cache also holds:

07.02.2022 10:56:09  07.02.2022 20:47:24 ldap/krb2.example.com@EXAMPLE.COM
       renew until 08.02.2022 10:47:20

The IP address in the logs is that of krb2. The full error message on
krb2 is:

root@krb2:~# ldapsearch -b "cn=admin,dc=example,dc=com" -H ldap://krb2.example.com uid=user
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
       additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)

To me the etypes (encryption types?) in the requests are all the same.
So I'm still totally clueless ...

I appreciate any ideas for further troubleshooting.

On 04.02.22 at 18:19, Greg Hudson wrote:
> On 2/4/22 2:19 AM, Dr. Lars Hanke wrote:
>> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
> It might help to compare the KDC log entry for this TGS request on the
> old and new KDC.
>
> During a TGS request, "KDC has no support for encryption type" can mean
> that the KDC could not select an encryption type for the session key.
> The session key enctype must be present in (1) the enctypes listed in
> the KDC request, (2) the KDC's permitted_enctypes if set, and (3) the
> enctypes supported by the server DB entry (which is usually the enctypes
> of the server's long-term keys, unless overridden by the
> session_enctypes string attribute).
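As an added example (not part of Lars Hanke's post or Greg Hudson's reply), the following Python parses the TGS_REQ lines quoted above and models the three-way constraint Greg describes: the session key enctype must be in the request's etype list, in permitted_enctypes if set, and in the server entry's enctypes (or session_enctypes when that overrides them). The permitted and server key lists passed in are constructed for illustration; nothing here claims to know the real contents of krb2's database.

```python
import re

# Constructed sample: the two TGS_REQ lines from the krb2 log above, one
# line each (the list post wrapped them).
SAMPLE_LOG = [
    "Feb 07 10:47:33 krb2 krb5kdc[6697](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.10: BAD_ENCRYPTION_TYPE: authtime 0, user/admin@EXAMPLE.COM for ldap/krb2.example.com@EXAMPLE.COM, KDC has no support for encryption type",
    "Feb 07 10:47:39 krb2 krb5kdc[6697](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.10: ISSUE: authtime 1644227244, etypes {rep=18 tkt=18 ses=18}, user/admin@EXAMPLE.COM for ldap/krb1.example.com@EXAMPLE.COM",
]

# RFC 3961/3962/6113/6803 enctype numbers for the eight etypes in the request.
ETYPE_NAMES = {
    18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
    20: "aes256-cts-hmac-sha384-192", 19: "aes128-cts-hmac-sha256-128",
    16: "des3-cbc-sha1", 23: "arcfour-hmac",
    25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac",
}

# Matches "<AS|TGS>_REQ (N etypes {...}) <client>: <STATUS>: ... for <server>"
REQ_RE = re.compile(
    r"(AS|TGS)_REQ \(\d+ etypes \{([\d ]+)\}\) \S+ (\w+):.* for (\S+?)(,|$)")


def parse_request(line):
    """Return (kind, requested etypes in client order, status, server principal)
    for a krb5kdc AS_REQ/TGS_REQ log line, or None if the line is not one."""
    m = REQ_RE.search(line)
    if not m:
        return None
    etypes = [int(x) for x in m.group(2).split()]
    return m.group(1), etypes, m.group(3), m.group(4)


def select_session_enctype(requested, permitted, server_keys, session_enctypes=None):
    """Pick the session key enctype the way Greg's three conditions require:
    walk the request list in client order and return the first etype that is
    also in permitted_enctypes (when set) and in the server entry's enctypes
    (session_enctypes if present, otherwise its long-term key enctypes).
    Returns None when the intersection is empty, the case the KDC logs as
    BAD_ENCRYPTION_TYPE / "KDC has no support for encryption type"."""
    server_ok = set(session_enctypes if session_enctypes is not None else server_keys)
    for et in requested:
        if permitted is not None and et not in permitted:
            continue
        if et in server_ok:
            return et
    return None


def explain(etype):
    """Human-readable name for an enctype number (unknown numbers pass through)."""
    return ETYPE_NAMES.get(etype, str(etype))
```

Running parse_request over a full krb5kdc log and feeding each request's etype list to select_session_enctype with the server entry's key enctypes (from kadmin getprinc or the LDAP entry) shows which of the three conditions empties the intersection.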
