kinit without dns
Michael B Allen
2024-01-24 19:45:11 UTC
Hello,

I use linux almost exclusively for everything.
DNS points to my Internet router.
However, I also have VMs running AD and various Windows instances just
for testing my software.
All of these test hosts use AD for DNS which forwards to said Internet router.

If I use the following krb5.conf with MIT krb5 packages on CentOS:

[libdefaults]
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt

[realms]
GOGO.LOCO = {
kdc = dc1.gogo.loco
}

where dc1.gogo.loco is AD, trying to run kinit fails:

$ kinit -k -t java31.keytab 'java31$@GOGO.LOCO'
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

Looking at the network shows:

Protocol Length Info
DNS 80 Standard query 0xd8af A dc1.gogo.loco
DNS 96 Standard query response 0xd8af A dc1.gogo.loco A 10.15.15.22
KRB5 221 AS-REQ
KRB5 234 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
DNS 79 Standard query 0x314d URI _kerberos.GOGO.LOCO
DNS 154 Standard query response 0x314d No such name URI _kerberos.GOGO.LOCO SOA a.root-servers.net
DNS 91 Standard query 0xfc89 SRV _kerberos-master._udp.GOGO.LOCO
DNS 166 Standard query response 0xfc89 No such name SRV _kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net
DNS 91 Standard query 0xe601 SRV _kerberos-master._tcp.GOGO.LOCO
DNS 166 Standard query response 0xe601 No such name SRV _kerberos-master._tcp.GOGO.LOCO SOA a.root-servers.net
DNS 79 Standard query 0x37d8 URI _kerberos.GOGO.LOCO
DNS 154 Standard query response 0x37d8 No such name URI _kerberos.GOGO.LOCO SOA a.root-servers.net
DNS 91 Standard query 0x54e2 SRV _kerberos-master._udp.GOGO.LOCO
DNS 166 Standard query response 0x54e2 No such name SRV _kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net
DNS 91 Standard query 0xc1d3 SRV _kerberos-master._tcp.GOGO.LOCO
DNS 166 Standard query response 0xc1d3 No such name SRV _kerberos-master._tcp.GOGO.LOCO SOA a.root-servers.net

As you can see, kinit successfully communicates with the KDC but then
fails over to querying DNS to find one.

Is there any way to get kinit to work without DNS?

Temporarily hacking my prod machines to use DNS for test machines is not ideal.

Ideas?

Mike
--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
Ken Hornstein
2024-01-24 20:34:22 UTC
You MIGHT be better served by turning on Kerberos tracing to see what the
library is doing. Prefixing that kinit with:

env KRB5_TRACE=/dev/stdout

would be useful. However, assuming these are in order ...
Post by Michael B Allen
Protocol Length Info
DNS 80 Standard query 0xd8af A dc1.gogo.loco
DNS 96 Standard query response 0xd8af A dc1.gogo.loco A 10.15.15.22
KRB5 221 AS-REQ
KRB5 234 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
This looks like the basic exchange with the KDC did not do any DNS lookups
(other than the hostname).
Post by Michael B Allen
DNS 79 Standard query 0x314d URI _kerberos.GOGO.LOCO
DNS 154 Standard query response 0x314d No such name URI
_kerberos.GOGO.LOCO SOA a.root-servers.net
DNS 91 Standard query 0xfc89 SRV _kerberos-master._udp.GOGO.LOCO
DNS 166 Standard query response 0xfc89 No such name SRV
_kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net
This looks like it is trying to find the name of the primary KDC. You could
put a line "master_kdc = dc1.gogo.loco" under the [realms] stanza and I
believe it would suppress these lookups (the preferred relation name was
changed to "primary_kdc" in 1.19 but it is still supposed to fall back
to the older name). I think that should get rid of all of the lookups
I see (I believe the PREAUTH_REQUIRED error makes it want to find the primary
KDC).

--Ken
Michael B Allen
2024-01-24 21:09:19 UTC
Post by Ken Hornstein
You MIGHT be better served by turning on Kerberos tracing to see what the
env KRB5_TRACE=/dev/stdout
would be useful.
Hi Ken,

Indeed. Unfortunately my stock packages on CentOS 9 Stream are 1.21
but the KRB5_TRACE feature was introduced in 1.9.

At any rate, of course I figured out the problem right after posting this ...

Even though the following AD account attribute was set to:

msDS-SupportedEncryptionTypes: 0x8 (AES128_CTS_HMAC_SHA1_96)

apparently this is not applicable to getting a TGT.
I noticed the AP-REQ KRB5KDC_ERR_PREAUTH_REQUIRED PA-DATA listed
AES256 as the etype.
My keytab only had an AES128 key.
Changing the key to AES256 fixed the issue and kinit now runs
successfully (without modifying DNS since dc1.gogo.loco is listed in
router DNS proxy local tables).
^^^TLDR

So I guess the "Invalid argument" was that there was no key matching
the desired etype.
It probably didn't help that there was obviously an AES256 key on the
account and it's only because I'm screwing around with that
msDS-SupportedEncryptionTypes attr trying to pin AES128 that I'm
dancing outside the lines of sanity at this point.

Really glad to see KRB5_TRACE was added.

Thanks for your support.

Mike
--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
Ken Hornstein
2024-01-24 21:19:31 UTC
Post by Michael B Allen
Indeed. Unfortunately my stock packages on CentOS 9 Stream are 1.21
but the KRB5_TRACE feature was introduced in 1.9.
Ummm ... 21 > 9, I think? :-)
Post by Michael B Allen
At any rate, of course I figured out the problem right after posting this ...
Glad you figured it out.

--Ken
Sam Hartman
2024-01-24 21:27:51 UTC
Michael> Hi Ken,

Michael> Indeed. Unfortunately my stock packages on CentOS 9 Stream
Michael> are 1.21 but the KRB5_TRACE feature was introduced in 1.9.

Last time I checked, 1.21 > 1.9.
Michael B Allen
2024-01-25 00:37:15 UTC
Post by Sam Hartman
Michael> Hi Ken,
Michael> Indeed. Unfortunately my stock packages on CentOS 9 Stream
Michael> are 1.21 but the KRB5_TRACE feature was introduced in 1.9.
Last time I checked, 1.21 > 1.9.
Good point and, after some fiddling, it does indeed work and would
have revealed the issue:

$ KRB5_TRACE=trace.txt kinit -k -t java31.keytab 'java31$@GOGO.LOCO'
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
$ cat trace.txt
850878: Matching java31$@GOGO.LOCO in collection with result: 0/Success
850879: Getting initial credentials for java31$@GOGO.LOCO
850880: Found entries for java31$@GOGO.LOCO in keytab: aes128-cts
850882: Sending unauthenticated request
850883: Sending request (189 bytes) to GOGO.LOCO
850884: Resolving hostname dc1.gogo.loco
850885: Sending initial UDP request to dgram 10.11.12.22:88
850886: Received answer (185 bytes) from dgram 10.11.12.22:88
850887: Response was from primary KDC
850888: Received error from KDC: -1765328359/Additional pre-authentication required
850891: Preauthenticating using KDC method data
850892: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
850893: Selected etype info: etype aes256-cts, salt "GOGO.LOCOhostjava31.gogo.loco", params ""
850894: PKINIT client has no configured identity; giving up
850895: PKINIT client has no configured identity; giving up
850896: Preauth module pkinit (16) (real) returned: 22/Invalid argument
850897: Retrieving java31$@GOGO.LOCO from FILE:java31.keytab (vno 0, enctype aes256-cts) with result: -1765328203/No key table entry found for java31$@GOGO.LOCO
850898: Preauth module encrypted_timestamp (2) (real) returned: -1765328203/No key table entry found for java31$@GOGO.LOCO

Second to last line is pretty clear. Kinit was looking for an
aes256-cts key but the keytab only had an aes128-cts entry.

Mike
--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
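The root cause Mike describes (the KDC's PA-ETYPE-INFO2 selecting aes256-cts while the keytab held only an aes128-cts key, which the AES128-only msDS-SupportedEncryptionTypes value did not prevent) can be checked mechanically before reaching for kinit. The following is an added example, not code from the thread or from MIT krb5: it parses a version 0x0502 MIT keytab, extracts the etype the KDC selected from a KRB5_TRACE excerpt, and reports whether the keytab has a matching key for the principal. The keytab bytes are constructed inline (with an all-zero key, purely for illustration), the trace lines are the two from Mike's last post, and the enctype and msDS-SupportedEncryptionTypes numbering is the standard RFC 3961/3962/8009 and MS-KILE assignment.

```python
import re
import struct

# Enctype numbers from RFC 3961/3962/8009 (only the ones relevant to this thread).
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
# Short names as KRB5_TRACE prints them ("Selected etype info: etype aes256-cts").
TRACE_ALIASES = {"aes128-cts": 17, "aes256-cts": 18, "aes128-sha2": 19,
                 "aes256-sha2": 20, "rc4-hmac": 23, "arcfour-hmac": 23}
# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7) mapped to enctype numbers.
MSDS_FLAGS = {0x04: 23, 0x08: 17, 0x10: 18}


def decode_msds_supported_enctypes(value):
    """Expand an msDS-SupportedEncryptionTypes bitmask into enctype numbers."""
    return [et for bit, et in sorted(MSDS_FLAGS.items()) if value & bit]


def build_keytab(principal, enctype, key, kvno=2):
    """Serialize a single-entry MIT keytab (format 0x0502); used to construct sample input."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))                     # component count (realm not counted)
    body += struct.pack(">H", len(realm)) + realm.encode()   # counted_octet_string realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)           # NT-PRINCIPAL, timestamp 0, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key      # keyblock: enctype + counted key
    body += struct.pack(">I", kvno)                          # optional 32-bit kvno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                       # deleted slot: skip the hole it occupies
            pos += -size
            continue
        ent, off = data[pos:pos + size], 0
        ncomp, rlen = struct.unpack(">HH", ent[off:off + 4]); off += 4
        realm = ent[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", ent[off:off + 2]); off += 2
            comps.append(ent[off:off + clen].decode()); off += clen
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", ent[off:off + 9]); off += 9
        enctype, klen = struct.unpack(">HH", ent[off:off + 4]); off += 4 + klen  # skip key bytes
        kvno = vno8
        if off + 4 <= len(ent):            # 32-bit kvno overrides the 8-bit one when present
            (vno32,) = struct.unpack(">I", ent[off:off + 4])
            kvno = vno32 or vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos += size
    return entries


def selected_etype_from_trace(trace):
    """Pull the enctype the KDC chose from a KRB5_TRACE 'Selected etype info' line."""
    m = re.search(r"Selected etype info: etype (\S+),", trace)
    return TRACE_ALIASES.get(m.group(1)) if m else None


def check_keytab_against_trace(keytab, trace, principal):
    """Report whether the keytab holds a key of the etype the KDC asked for."""
    wanted = selected_etype_from_trace(trace)
    have = sorted({et for p, _, et in parse_keytab(keytab) if p == principal})
    return {"wanted": wanted, "have": have, "ok": wanted is not None and wanted in have}


# Constructed sample: keytab with only an AES128 key for java31$, plus the trace lines
# from the thread in which the KDC selected aes256-cts.
SAMPLE_KEYTAB = build_keytab("java31$@GOGO.LOCO", 17, bytes(16))
SAMPLE_TRACE = (
    '850893: Selected etype info: etype aes256-cts, salt "GOGO.LOCOhostjava31.gogo.loco", params ""\n'
    "850897: Retrieving java31$@GOGO.LOCO from FILE:java31.keytab (vno 0, enctype aes256-cts) "
    "with result: -1765328203/No key table entry found for java31$@GOGO.LOCO\n"
)

if __name__ == "__main__":
    r = check_keytab_against_trace(SAMPLE_KEYTAB, SAMPLE_TRACE, "java31$@GOGO.LOCO")
    print("KDC wants:", ENCTYPE_NAMES.get(r["wanted"]))
    print("keytab has:", [ENCTYPE_NAMES.get(e) for e in r["have"]])
    print("match:", r["ok"])
    print("msDS-SupportedEncryptionTypes 0x8 ->",
          [ENCTYPE_NAMES[e] for e in decode_msds_supported_enctypes(0x8)])
```

Run against a real keytab by replacing SAMPLE_KEYTAB with the file's bytes and SAMPLE_TRACE with the output of `KRB5_TRACE=trace.txt kinit ...`; a `False` match with `have` shorter than `wanted` is exactly the "No key table entry found" condition in the trace, and regenerating the keytab with the selected enctype (as Mike did) is the fix. The bitmask decoder shows why 0x8 alone was misleading: it describes what the account advertises for session keys, not which long-term keys the KDC will use for pre-authentication.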