Rocksolid Light




Re: kinit without dns


https://www.novabbs.com/devel/article-flat.php?id=463&group=comp.protocols.kerberos#463

From: iop...@gmail.com (Michael B Allen)
Newsgroups: comp.protocols.kerberos
Subject: Re: kinit without dns
Date: Wed, 24 Jan 2024 19:37:15 -0500
Organization: TNet Consulting
Lines: 53
Message-ID: <mailman.12.1706143055.2322.kerberos@mit.edu>
References: <CAGMFw4hwaL50oe4zzxU7F2L9BVZG_DG8CuMG47utmQxQ8CBM0w@mail.gmail.com>
<202401242034.40OKYMTT023485@hedwig.cmf.nrl.navy.mil>
<CAGMFw4j7kL1HpBDs4GcawuewDChXDE9QfWXpEKM=2ivEuL9T7Q@mail.gmail.com>
<tslplxqa0bs.fsf@suchdamage.org>
<CAGMFw4hLMjoqS0WetzGvNMCBLCrLXrUGSsni14bZwA3NSRpzAQ@mail.gmail.com>
To: kerberos <kerberos@mit.edu>
In-Reply-To: <tslplxqa0bs.fsf@suchdamage.org>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
by: Michael B Allen - Thu, 25 Jan 2024 00:37 UTC

On Wed, Jan 24, 2024 at 4:27 PM Sam Hartman <hartmans@debian.org> wrote:
>
> >>>>> "Michael" == Michael B Allen <ioplex@gmail.com> writes:
>
> Michael> Hi Ken,
>
> Michael> Indeed. Unfortunately my stock packages on CentOS 9 Stream
> Michael> are 1.21 but the KRB5_TRACE feature was introduced in 1.9.
>
> Last time I checked, 1.21 > 1.9.

Good point and, after some fiddling, it does indeed work and would
have revealed the issue:

$ KRB5_TRACE=trace.txt kinit -k -t java31.keytab 'java31$@GOGO.LOCO'
kinit: Pre-authentication failed: Invalid argument while getting
initial credentials
$ cat trace.txt
850878: Matching java31$@GOGO.LOCO in collection with result: 0/Success
850879: Getting initial credentials for java31$@GOGO.LOCO
850880: Found entries for java31$@GOGO.LOCO in keytab: aes128-cts
850882: Sending unauthenticated request
850883: Sending request (189 bytes) to GOGO.LOCO
850884: Resolving hostname dc1.gogo.loco
850885: Sending initial UDP request to dgram 10.11.12.22:88
850886: Received answer (185 bytes) from dgram 10.11.12.22:88
850887: Response was from primary KDC
850888: Received error from KDC: -1765328359/Additional
pre-authentication required
850891: Preauthenticating using KDC method data
850892: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD
(15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
850893: Selected etype info: etype aes256-cts, salt
"GOGO.LOCOhostjava31.gogo.loco", params ""
850894: PKINIT client has no configured identity; giving up
850895: PKINIT client has no configured identity; giving up
850896: Preauth module pkinit (16) (real) returned: 22/Invalid argument
850897: Retrieving java31$@GOGO.LOCO from FILE:java31.keytab (vno 0,
enctype aes256-cts) with result: -1765328203/No key table entry found
for java31$@GOGO.LOCO
850898: Preauth module encrypted_timestamp (2) (real) returned:
-1765328203/No key table entry found for java31$@GOGO.LOCO

Second-to-last line is pretty clear. Kinit was looking for an
aes256-cts key but the keytab only had an aes128-cts entry.

Mike

--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
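As an added example (not part of the post above), a small reader for KRB5_TRACE output that pulls out the keytab enctypes and the enctype the KDC selected, and flags the mismatch the trace above reveals. The sample trace lines are constructed from the post's output with wrapped lines rejoined; the regexes assume the message wording seen in that trace.

```python
import re

# Constructed sample: the enctype-relevant lines from a KRB5_TRACE run, in the
# same shape as the trace in the post (long lines unwrapped).
SAMPLE_TRACE = """\
850879: Getting initial credentials for java31$@GOGO.LOCO
850880: Found entries for java31$@GOGO.LOCO in keytab: aes128-cts
850893: Selected etype info: etype aes256-cts, salt "GOGO.LOCOhostjava31.gogo.loco", params ""
850897: Retrieving java31$@GOGO.LOCO from FILE:java31.keytab (vno 0, enctype aes256-cts) with result: -1765328203/No key table entry found for java31$@GOGO.LOCO
"""

# Message wording below is taken from the trace above; treat it as an
# assumption about the krb5 trace format rather than a stable interface.
KEYTAB_RE = re.compile(r"Found entries for (\S+) in keytab: (.+)$")
ETYPE_RE = re.compile(r"Selected etype info: etype (\S+),")
RETRIEVE_RE = re.compile(
    r"Retrieving (\S+) from (\S+) \(vno \d+, enctype (\S+)\) with result: (-?\d+)/(.*)$")


def parse_trace(text):
    """Collect what the trace says about keytab enctypes vs. the KDC's choice."""
    info = {"keytab_etypes": [], "kdc_etype": None, "failures": []}
    for line in text.splitlines():
        m = KEYTAB_RE.search(line)
        if m:
            info["keytab_etypes"] = [e.strip() for e in m.group(2).split(",")]
            continue
        m = ETYPE_RE.search(line)
        if m:
            info["kdc_etype"] = m.group(1)
            continue
        m = RETRIEVE_RE.search(line)
        if m and m.group(4) != "0":  # non-zero krb5 error code
            info["failures"].append({"keytab": m.group(2), "enctype": m.group(3),
                                     "error": m.group(5)})
    return info


def diagnose(text):
    """Explain a failed kinit -k in terms of enctypes, as the post's trace shows."""
    info = parse_trace(text)
    kdc, have = info["kdc_etype"], info["keytab_etypes"]
    if kdc and have and kdc not in have:
        return ("enctype mismatch: KDC selected %s but keytab only has %s; "
                "re-export the keytab so it carries a %s key (or a key for each "
                "enctype the KDC offers)" % (kdc, ", ".join(have), kdc))
    if info["failures"]:
        return "keytab lookup failed: " + info["failures"][0]["error"]
    return "no enctype problem found in trace"
```

Run `diagnose(open("trace.txt").read())` on a real trace file to get the same verdict the post reached by eye.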
