Re: kinit without dns

https://www.rocksolidbbs.com/devel/article-flat.php?id=460&group=comp.protocols.kerberos#460

Path: i2pn2.org!rocksolid2!news.neodome.net!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: ioplex@gmail.com (Michael B Allen)
Newsgroups: comp.protocols.kerberos
Subject: Re: kinit without dns
Date: Wed, 24 Jan 2024 16:09:19 -0500
Organization: TNet Consulting
Lines: 47
Message-ID: <mailman.9.1706130577.2322.kerberos@mit.edu>
References: <CAGMFw4hwaL50oe4zzxU7F2L9BVZG_DG8CuMG47utmQxQ8CBM0w@mail.gmail.com>
<202401242034.40OKYMTT023485@hedwig.cmf.nrl.navy.mil>
<CAGMFw4j7kL1HpBDs4GcawuewDChXDE9QfWXpEKM=2ivEuL9T7Q@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Injection-Info: tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50";
logging-data="22754"; mail-complaints-to="newsmaster@tnetconsulting.net"
To: kerberos <kerberos@mit.edu>
In-Reply-To: <202401242034.40OKYMTT023485@hedwig.cmf.nrl.navy.mil>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
by: Michael B Allen - Wed, 24 Jan 2024 21:09 UTC

On Wed, Jan 24, 2024 at 3:34 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
>
> You MIGHT be better served by turning on Kerberos tracing to see what the
> library is doing. Prefixing that kinit with:
>
> env KRB5_TRACE=/dev/stdout
>
> would be useful.

Hi Ken,

Indeed. Unfortunately my stock packages on CentOS 9 Stream are 1.21
but the KRB5_TRACE feature was introduced in 1.9.

At any rate, of course I figured out the problem right after posting this ...

Even though the following AD account attribute was set to:

msDS-SupportedEncryptionTypes: 0x8 (AES128_CTS_HMAC_SHA1_96)

apparently this is not applicable to getting a TGT.
I noticed the AP-REQ KRB5KDC_ERR_PREAUTH_REQUIRED PA-DATA listed
AES256 as the etype.
My keytab only had an AES128 key.
Changing the key to AES256 fixed the issue and kinit now runs
successfully (without modifying DNS since dc1.gogo.loco is listed in
router DNS proxy local tables).
^^^TLDR

So I guess the "Invalid argument" was that there was no key matching
the desired etype.
It probably didn't help that there was obviously an AES256 key on the
account and it's only because I'm screwing around with that
msDS-SupportedEncryptionTypes attr trying to pin AES128 that I'm
dancing outside the lines of sanity at this point.

Really glad to see KRB5_TRACE was added.

Thanks for your support.

Mike

--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
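The root cause Mike describes (the KDC's PA-ETYPE-INFO2 names one enctype, the keytab holds a key for another) is easy to confirm from two artifacts a defender already has: `klist -kte` output and a KRB5_TRACE log. The script below is an added example, not code from the post, from MIT krb5 or from ioplex.com. It decodes msDS-SupportedEncryptionTypes bits (0x8 is AES128, as in the post; the other four bit values are the standard ones for that attribute), parses a `klist -kte` listing, pulls the KDC-selected etype out of a trace line of the form `Selected etype info: etype aes256-cts, ...` (the format I recall MIT krb5 printing; treat it as an assumption), and reports whether the keytab can satisfy it. The principal `svc-app@GOGO.LOCO`, the realm, and all sample lines are constructed for the example.

```python
"""Check whether a keytab holds a key for the enctype the KDC asked for.

Added example (not from the original post). Sample data is constructed.
"""
import re

# Bit values of the AD attribute msDS-SupportedEncryptionTypes.
# 0x8 is the value the post sets; 0x10 is the AES256 bit it needed.
MSDS_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# MIT krb5 uses short names in trace output ("aes256-cts") and long names in
# `klist -kte` ("aes256-cts-hmac-sha1-96"); fold both to one spelling.
ETYPE_ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "arcfour-hmac": "rc4-hmac",
    "arcfour-hmac-md5": "rc4-hmac",
}


def canonical_etype(name):
    return ETYPE_ALIASES.get(name, name)


def decode_msds_enctypes(value):
    """Names of the enctypes whose bits are set in msDS-SupportedEncryptionTypes."""
    return [name for bit, name in sorted(MSDS_ENCTYPE_BITS.items()) if value & bit]


# kvno, date, time, principal, "(enctype)"  -- one `klist -kte` entry line
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


def parse_keytab_listing(text):
    """Parse `klist -kte` output into (kvno, principal, canonical enctype) tuples."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), canonical_etype(m.group(3))))
    return entries


# Assumed KRB5_TRACE line shape: "Selected etype info: etype aes256-cts, salt ..."
TRACE_SELECTED = re.compile(r"Selected etype info: etype (\S+),")


def kdc_selected_etype(trace_text):
    """Enctype the KDC's PA-ETYPE-INFO2 told the client to use, or None if absent."""
    for line in trace_text.splitlines():
        m = TRACE_SELECTED.search(line)
        if m:
            return canonical_etype(m.group(1))
    return None


def diagnose(keytab_text, trace_text, principal):
    """Compare the KDC-selected etype with the keys the keytab holds for principal."""
    wanted = kdc_selected_etype(trace_text)
    have = sorted({e for _, p, e in parse_keytab_listing(keytab_text) if p == principal})
    return {
        "kdc_etype": wanted,
        "keytab_etypes": have,
        "has_matching_key": wanted is not None and wanted in have,
    }


# Constructed `klist -kte` output: the failing state (AES128 key only).
SAMPLE_KEYTAB_AES128 = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/24/2024 15:00:00 svc-app@GOGO.LOCO (aes128-cts-hmac-sha1-96)
"""

# Constructed `klist -kte` output after re-keying with AES256.
SAMPLE_KEYTAB_AES256 = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/24/2024 16:00:00 svc-app@GOGO.LOCO (aes256-cts-hmac-sha1-96)
"""

# Constructed KRB5_TRACE excerpt: the KDC answers PREAUTH_REQUIRED with etype-info for AES256.
SAMPLE_TRACE = """\
[2690] 1706130571.123461: Received error from KDC: -1765328359/Additional pre-authentication required
[2690] 1706130571.123462: Processing preauth types: PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2), PA_FX-COOKIE (133)
[2690] 1706130571.123463: Selected etype info: etype aes256-cts, salt "GOGO.LOCOsvc-app", params ""
"""

if __name__ == "__main__":
    print("msDS-SupportedEncryptionTypes 0x8 =", decode_msds_enctypes(0x8))
    for label, keytab in (("before", SAMPLE_KEYTAB_AES128), ("after", SAMPLE_KEYTAB_AES256)):
        print(label, diagnose(keytab, SAMPLE_TRACE, "svc-app@GOGO.LOCO"))
```

In the "before" case the report shows `kdc_etype` AES256 against a keytab that only has AES128, which is exactly the state that produced the post's "Invalid argument"; after the AES256 key is added the check passes. On a real host, feed it the output of `klist -kte` and of `KRB5_TRACE=/dev/stdout kinit -kt ...` captured to a file.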
