Bug 1683745
| Field | Value |
|---|---|
| Summary | Issue is that with arcfour-hmac as first encryption type in the config lines, adcli will pick arcfour-hmac to check which kind of salt should be used to encrypt the keys. But since arcfour-hmac does not use salts, all salt types will work and a wrong one |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Abhijit Roy <abroy> |
| Component | adcli |
| Assignee | Sumit Bose <sbose> |
| Status | CLOSED ERRATA |
| QA Contact | sssd-qe <sssd-qe> |
| Severity | medium |
| Docs Contact | |
| Priority | unspecified |
| Version | 7.4 |
| CC | jhrozek, pcech, sgadekar, sgoveas |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | sync-to-jira |
| Fixed In Version | adcli-0.8.1-11.el7 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1745932 (view as bug list) |
| Environment | |
| Last Closed | 2020-03-31 19:45:16 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1710435, 1745932 |
Description
Abhijit Roy
2019-02-27 17:29:48 UTC
How to reproduce:

- add the following lines to /etc/krb5.conf

```
permitted_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
```

  they do not have to look exactly the same, but 'arcfour-hmac-md5' has to come first in each of the lines.

- join a domain while collecting the Kerberos trace output:

```
$ KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join -K /tmp/test_krb5.keytab -D child.ad.devel -S 192.168.122.151 -v
 * Using domain name: child.ad.devel
 * Calculated computer account name from fqdn: P50
 * Calculated domain realm from name: CHILD.AD.DEVEL
 * Sending netlogon pings to domain controller: cldap://192.168.122.151
 * Received NetLogon info from: Child-Server.ChIlD.ad.devel
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-MKFcnv/krb5.d/adcli-krb5-conf-1vjsUW
...
[12182] 1566808422.85181: Getting initial credentials for P50$@CHILD.AD.DEVEL
[12182] 1566808422.85182: Looked up etypes in keytab: aes256-cts, aes128-cts, rc4-hmac, des, des-cbc-crc, des-cbc-crc
[12182] 1566808422.85184: Sending unauthenticated request
[12182] 1566808422.85185: Sending request (204 bytes) to CHILD.AD.DEVEL
[12182] 1566808422.85186: Resolving hostname 192.168.122.151
[12182] 1566808422.85187: Sending initial UDP request to dgram 192.168.122.151:88
[12182] 1566808422.85188: Received answer (208 bytes) from dgram 192.168.122.151:88
[12182] 1566808422.85189: Response was from master KDC
[12182] 1566808422.85190: Received error from KDC: -1765328359/Additional pre-authentication required
[12182] 1566808422.85193: Preauthenticating using KDC method data
[12182] 1566808422.85194: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[12182] 1566808422.85195: Selected etype info: etype rc4-hmac, salt "", params ""
[12182] 1566808422.85196: PKINIT client has no configured identity; giving up
[12182] 1566808422.85197: PKINIT client has no configured identity; giving up
[12182] 1566808422.85198: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[12182] 1566808422.85199: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
[12182] 1566808422.85200: Preauth module pkinit (15) (real) returned: -1765328360/Preauthentication failed
[12182] 1566808422.85201: Retrieving P50$@CHILD.AD.DEVEL from MEMORY:adcli-discover-salt (vno 0, enctype rc4-hmac) with result: 0/Success <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[12182] 1566808422.85202: AS key obtained for encrypted timestamp: rc4-hmac/2410 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[12182] 1566808422.85204: Encrypted timestamp (for 1566808421.856774): plain 301AA011180F32303139303832363038333334315AA10502030D12C6, encrypted B9D6543D6EB61084334C40A71AE69D6525DF9C1C2957646D966ED7F5D633131935774AB906EEF1D9AA25F378D4AF$ 8198C1E9585
[12182] 1566808422.85205: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[12182] 1566808422.85206: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[12182] 1566808422.85207: Sending request (280 bytes) to CHILD.AD.DEVEL
[12182] 1566808422.85208: Resolving hostname 192.168.122.151
[12182] 1566808422.85209: Sending initial UDP request to dgram 192.168.122.151:88
[12182] 1566808422.85210: Received answer (1338 bytes) from dgram 192.168.122.151:88
[12182] 1566808422.85211: Response was from master KDC
[12182] 1566808422.85212: Salt derived from principal: CHILD.AD.DEVELP50$
[12182] 1566808422.85213: AS key determined by preauth: rc4-hmac/2410
[12182] 1566808422.85214: Decrypted AS reply; session key is: rc4-hmac/5A33
[12182] 1566808422.85215: FAST negotiation: unavailable
 * Discovered which keytab salt to use
...
```

As can be seen by the 2 marked lines from the Kerberos trace output before the 'Discovered which keytab salt to use' message, the encryption type 'rc4-hmac' is used. As a result, after the join the new keytab will look like:

```
$ klist -keKt /tmp/test_krb5.keytab
Keytab name: FILE:/tmp/test_krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 26.08.2019 10:33:41 P50$@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac) (0x3af33b02e0a8547348a943b4ff49fad4)
   2 26.08.2019 10:33:41 P50$@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96) (0x9e00cb3ddec7f2e0afb61021ea29c7f6)
   2 26.08.2019 10:33:41 P50$@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96) (0x910f7bf04711ea6aba1bdd695e6f57f2097c1bf472f3b3509ba4e07bfffd9045)
   2 26.08.2019 10:33:41 host/P50.DEVEL (DEPRECATED:arcfour-hmac) (0x3af33b02e0a8547348a943b4ff49fad4)
   2 26.08.2019 10:33:41 host/P50.DEVEL (aes128-cts-hmac-sha1-96) (0x063f5b4f8343be6373cd61d9334a5a5e)
   2 26.08.2019 10:33:41 host/P50.DEVEL (aes256-cts-hmac-sha1-96) (0x5b39b8ca99a536ec45d56b308cb98840ddc5f6cb29210eca328f5c4a679976c3)
   2 26.08.2019 10:33:41 host/p50.abc.def.DEVEL (DEPRECATED:arcfour-hmac) (0x3af33b02e0a8547348a943b4ff49fad4)
   2 26.08.2019 10:33:41 host/p50.abc.def.DEVEL (aes128-cts-hmac-sha1-96) (0x81a8a3d4f7da541b9c615cc26a58ce87)
   2 26.08.2019 10:33:41 host/p50.abc.def.DEVEL (aes256-cts-hmac-sha1-96) (0x5c4e22bd3c966b26c3a3e095e6665553fdbb1dd3cec4d0f9061827b3d4ff4479)
   2 26.08.2019 10:33:41 RestrictedKrbHost/P50.DEVEL (DEPRECATED:arcfour-hmac) (0x3af33b02e0a8547348a943b4ff49fad4)
   2 26.08.2019 10:33:41 RestrictedKrbHost/P50.DEVEL (aes128-cts-hmac-sha1-96) (0xa1326438329090651a42ea6426b85901)
   2 26.08.2019 10:33:41 RestrictedKrbHost/P50.DEVEL (aes256-cts-hmac-sha1-96) (0x131ef3b589644fa91e3d927d9aec795e73b4071c99f13ab2bb749ca47032172f)
   2 26.08.2019 10:33:41 RestrictedKrbHost/p50.abc.def.DEVEL (DEPRECATED:arcfour-hmac) (0x3af33b02e0a8547348a943b4ff49fad4)
   2 26.08.2019 10:33:41 RestrictedKrbHost/p50.abc.def.DEVEL (aes128-cts-hmac-sha1-96) (0x9c6007397be85e04b464e42d8f8caaa2)
   2 26.08.2019 10:33:41 RestrictedKrbHost/p50.abc.def.DEVEL (aes256-cts-hmac-sha1-96) (0x403543c3837689a93519f240347c3c43a2a0f55286db640561105993db0229af)
```

As can be seen, the 'arcfour-hmac' keys are the same for all principals, since no salt is used here. But e.g. the 'aes128-cts-hmac-sha1-96' keys for the different principals are all different because the wrong salt was picked. Same for 'aes256-cts-hmac-sha1-96'.

With the fixed version and the same /etc/krb5.conf the join output will look like:

....
```
[11976] 1566808302.397651: Retrieving P50$@CHILD.AD.DEVEL from MEMORY:adcli-discover-salt (vno 0, enctype aes256-cts) with result: 0/Success <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[11976] 1566808302.397652: AS key obtained for encrypted timestamp: aes256-cts/66BA <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[11976] 1566808302.397654: Encrypted timestamp (for 1566808301.825524): plain 301AA011180F32303139303832363038333134315AA10502030C98B4, encrypted 5AC00C2ECD3E80006D06E032717AFE63199D4F3BE0C622E48AF57D77E3B05DDB63410691C51F193BDD94507AADBF 312AFC167F961061102E
[11976] 1566808302.397655: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[11976] 1566808302.397656: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[11976] 1566808302.397657: Sending request (284 bytes) to CHILD.AD.DEVEL
[11976] 1566808302.397658: Resolving hostname 192.168.122.151
[11976] 1566808302.397659: Sending initial UDP request to dgram 192.168.122.151:88
[11976] 1566808302.397660: Received answer (1438 bytes) from dgram 192.168.122.151:88
[11976] 1566808302.397661: Response was from master KDC
[11976] 1566808302.397662: Processing preauth types: PA-ETYPE-INFO2 (19)
[11976] 1566808302.397663: Selected etype info: etype aes256-cts, salt "CHILD.AD.DEVELhostp50.child.ad.devel", params ""
[11976] 1566808302.397664: Produced preauth for next request: (empty)
[11976] 1566808302.397665: AS key determined by preauth: aes256-cts/66BA
[11976] 1566808302.397666: Decrypted AS reply; session key is: aes256-cts/56D9
[11976] 1566808302.397667: FAST negotiation: unavailable
 * Discovered which keytab salt to use
....
```

Now the 2 marked lines show that AES was used. Other encryption types are ok as well, as long as it is not 'rc4-hmac'.

The keytab now looks like:

```
$ klist -keKt /tmp/test_krb5.keytab
Keytab name: FILE:/tmp/test_krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 26.08.2019 10:31:41 P50$@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac) (0xabdc5031d439ef5be9aea6cfe1ebf622)
   2 26.08.2019 10:31:41 P50$@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96) (0x3c8a529ece239132aac3fbdf097a9925)
   2 26.08.2019 10:31:41 P50$@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96) (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)
   2 26.08.2019 10:31:41 host/P50.DEVEL (DEPRECATED:arcfour-hmac) (0xabdc5031d439ef5be9aea6cfe1ebf622)
   2 26.08.2019 10:31:41 host/P50.DEVEL (aes128-cts-hmac-sha1-96) (0x3c8a529ece239132aac3fbdf097a9925)
   2 26.08.2019 10:31:41 host/P50.DEVEL (aes256-cts-hmac-sha1-96) (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)
   2 26.08.2019 10:31:41 host/p50.Speedport_W_724V_Typ_A_05011603_05_020.DEVEL (DEPRECATED:arcfour-hmac) (0xabdc5031d439ef5be9aea6cfe1ebf622)
   2 26.08.2019 10:31:41 host/p50.Speedport_W_724V_Typ_A_05011603_05_020.DEVEL (aes128-cts-hmac-sha1-96) (0x3c8a529ece239132aac3fbdf097a9925)
   2 26.08.2019 10:31:41 host/p50.Speedport_W_724V_Typ_A_05011603_05_020.DEVEL (aes256-cts-hmac-sha1-96) (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)
   2 26.08.2019 10:31:41 RestrictedKrbHost/P50.DEVEL (DEPRECATED:arcfour-hmac) (0xabdc5031d439ef5be9aea6cfe1ebf622)
   2 26.08.2019 10:31:41 RestrictedKrbHost/P50.DEVEL (aes128-cts-hmac-sha1-96) (0x3c8a529ece239132aac3fbdf097a9925)
   2 26.08.2019 10:31:41 RestrictedKrbHost/P50.DEVEL (aes256-cts-hmac-sha1-96) (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)
   2 26.08.2019 10:31:41 RestrictedKrbHost/p50.Speedport_W_724V_Typ_A_05011603_05_020.DEVEL (DEPRECATED:arcfour-hmac) (0xabdc5031d439ef5be9aea6cfe1ebf622)
   2 26.08.2019 10:31:41 RestrictedKrbHost/p50.Speedport_W_724V_Typ_A_05011603_05_020.DEVEL (aes128-cts-hmac-sha1-96) (0x3c8a529ece239132aac3fbdf097a9925)
   2 26.08.2019 10:31:41 RestrictedKrbHost/p50.Speedport_W_724V_Typ_A_05011603_05_020.DEVEL (aes256-cts-hmac-sha1-96) (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)
```

Now the keys for the different principals are the same for the same encryption type.

Master:
- 158468507bb723aa62196846749c23c121d4b298

Issue is reproduced with old version (test failing):

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Test run ID   : 22397001
    Package       : adcli
    Installed     : adcli-0.8.1-9.el7.x86_64
    beakerlib RPM : beakerlib-1.18-7.el7bkr.noarch
    bl-redhat RPM : beakerlib-redhat-1-32.el7bkr.noarch
    Test name     : /CoreOS/adcli/Regression/bz1683745-issue-with-arcfour-hmac-as-first-encryption-type
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Issue with arcfour-hmac
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 07:36:51 ] :: [ BEGIN ] :: Running 'cat /etc/krb5.conf'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
:: [ 07:36:51 ] :: [ PASS ] :: Command 'cat /etc/krb5.conf' (Expected 0, got 0)
:: [ 07:36:51 ] :: [ BEGIN ] :: Running 'cat /tmp/test_krb5.conf'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 permitted_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
 default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
:: [ 07:36:51 ] :: [ PASS ] :: Command 'cat /tmp/test_krb5.conf' (Expected 0, got 0)
:: [ 07:36:51 ] :: [ BEGIN ] :: Running 'echo Pass2012! | KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join --verbose -K /tmp/test_krb5.keytab --stdin-password -U Amy-admin -S ad2.baseos.qe -S 10.37.152.15 > /tmp/tmp_1 2>&1'
:: [ 07:36:55 ] :: [ PASS ] :: Command 'echo Pass2012! | KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join --verbose -K /tmp/test_krb5.keytab --stdin-password -U Amy-admin -S ad2.baseos.qe -S 10.37.152.15 > /tmp/tmp_1 2>&1' (Expected 0, got 0)
:: [ 07:36:55 ] :: [ BEGIN ] :: Running 'klist -keKt /tmp/test_krb5.keytab > /tmp/tmp_1 2>&1'
:: [ 07:36:55 ] :: [ PASS ] :: Command 'klist -keKt /tmp/test_krb5.keytab > /tmp/tmp_1 2>&1' (Expected 0, got 0)
Total encryption-types :
(aes128-cts-hmac-sha1-96)
(aes256-cts-hmac-sha1-96)
(arcfour-hmac)
Total keys:
(aes128-cts-hmac-sha1-96) (0x0d53c67363e31339127ae4df91857fab)
(aes128-cts-hmac-sha1-96) (0x5c800c9dfb793b3c742749fb39f36bbb)
(aes128-cts-hmac-sha1-96) (0x70f28a3f5c50010beecae7eb211d71c9)
(aes128-cts-hmac-sha1-96) (0x8caf2c17241422bd69e5cfab509fcdf3)
(aes128-cts-hmac-sha1-96) (0xbe746e65c9ac64b90d847432cdcb8f0c)
(aes256-cts-hmac-sha1-96) (0x179762206334dac99e285960d3b05c80f31d2ad670fed4eeb1c548c5a1b91efd)
(aes256-cts-hmac-sha1-96) (0x3745dcb780b938939dc196281e0281930e1e552ca9b78574ccaacf9bc3ed254b)
(aes256-cts-hmac-sha1-96) (0x6edb197da2fd10508eb415b669331c08c7e113633a0ac038885c3f29f80d28cb)
(aes256-cts-hmac-sha1-96) (0xe4df359ef8b7dea620d976abf408c9dc6e3386ab8e6cbcf02b9009c0ed94055f)
(aes256-cts-hmac-sha1-96) (0xf28fc7821b0d789771120ee6d6899b3651924f88ba20ae1bdf59a76aacd804bd)
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503)
Total Number of encryption-types : 3
Total Number of keys: 11
:: [ 07:36:55 ] :: [ FAIL ] :: All keys with different principals do not have same encryption-type
:: [ 07:36:55 ] :: [ BEGIN ] :: Running 'awk -F' ' '{print $5,$6,$4}' /tmp/tmp_1 |sort|awk 'NF'|uniq'
(aes128-cts-hmac-sha1-96) (0x0d53c67363e31339127ae4df91857fab) host/CI-VM-10-0-139-.QE
(aes128-cts-hmac-sha1-96) (0x5c800c9dfb793b3c742749fb39f36bbb) RestrictedKrbHost/CI-VM-10-0-139-.QE
(aes128-cts-hmac-sha1-96) (0x70f28a3f5c50010beecae7eb211d71c9) RestrictedKrbHost/ci-vm-10-0-139-.ad2.baseos.qe.QE
(aes128-cts-hmac-sha1-96) (0x8caf2c17241422bd69e5cfab509fcdf3) CI-VM-10-0-139-$@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0xbe746e65c9ac64b90d847432cdcb8f0c) host/ci-vm-10-0-139-.ad2.baseos.qe.QE
(aes256-cts-hmac-sha1-96) (0x179762206334dac99e285960d3b05c80f31d2ad670fed4eeb1c548c5a1b91efd) RestrictedKrbHost/CI-VM-10-0-139-.QE
(aes256-cts-hmac-sha1-96) (0x3745dcb780b938939dc196281e0281930e1e552ca9b78574ccaacf9bc3ed254b) host/CI-VM-10-0-139-.QE
(aes256-cts-hmac-sha1-96) (0x6edb197da2fd10508eb415b669331c08c7e113633a0ac038885c3f29f80d28cb) RestrictedKrbHost/ci-vm-10-0-139-.ad2.baseos.qe.QE
(aes256-cts-hmac-sha1-96) (0xe4df359ef8b7dea620d976abf408c9dc6e3386ab8e6cbcf02b9009c0ed94055f) host/ci-vm-10-0-139-.ad2.baseos.qe.QE
(aes256-cts-hmac-sha1-96) (0xf28fc7821b0d789771120ee6d6899b3651924f88ba20ae1bdf59a76aacd804bd) CI-VM-10-0-139-$@AD2.BASEOS.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) CI-VM-10-0-139-$@AD2.BASEOS.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) host/CI-VM-10-0-139-.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) host/ci-vm-10-0-139-.ad2.baseos.qe.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) RestrictedKrbHost/CI-VM-10-0-139-.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) RestrictedKrbHost/ci-vm-10-0-139-.ad2.baseos.qe.QE
:: [ 07:36:55 ] :: [ PASS ] :: Command 'awk -F' ' '{print $5,$6,$4}' /tmp/tmp_1 |sort|awk 'NF'|uniq' (Expected 0, got 0)
:: [ 07:36:55 ] :: [ BEGIN ] :: Running 'rm -rf /tmp/tmp_1'
:: [ 07:36:55 ] :: [ PASS ] :: Command 'rm -rf /tmp/tmp_1' (Expected 0, got 0)
:: [ 07:36:55 ] :: [ LOG ] :: Clean up
:: [ 07:36:55 ] :: [ LOG ] :: File [/etc/krb5.keytab] doesn't exist, so computer isn't connected to the AD domain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 4s
::   Assertions: 6 good, 1 bad
::   RESULT: FAIL (Issue with arcfour-hmac)
```

=================================================================

Verified with the following data: the test is passing with
```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Test run ID   : 22641001
    Package       : adcli
    Installed     : adcli-0.8.1-12.el7.x86_64
    beakerlib RPM : beakerlib-1.18-7.el7bkr.noarch
    bl-redhat RPM : beakerlib-redhat-1-32.el7bkr.noarch
    Test name     : /CoreOS/adcli/Regression/bz1683745-issue-with-arcfour-hmac-as-first-encryption-type
    Test version  : 0.1
    Test started  : 2019-11-22 07:44:00 EST
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Issue with arcfour-hmac
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 07:44:10 ] :: [ BEGIN ] :: Running 'cat /etc/krb5.conf'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
:: [ 07:44:10 ] :: [ PASS ] :: Command 'cat /etc/krb5.conf' (Expected 0, got 0)
:: [ 07:44:10 ] :: [ BEGIN ] :: Running 'cat /tmp/test_krb5.conf'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 permitted_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
 default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
:: [ 07:44:10 ] :: [ PASS ] :: Command 'cat /tmp/test_krb5.conf' (Expected 0, got 0)
:: [ 07:44:10 ] :: [ BEGIN ] :: Running 'echo Pass2012! | KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join --verbose -K /tmp/test_krb5.keytab --stdin-password -U Amy-admin -S ad2.baseos.qe -S 10.37.152.15 > /tmp/tmp_1 2>&1'
:: [ 07:44:15 ] :: [ PASS ] :: Command 'echo Pass2012! | KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join --verbose -K /tmp/test_krb5.keytab --stdin-password -U Amy-admin -S ad2.baseos.qe -S 10.37.152.15 > /tmp/tmp_1 2>&1' (Expected 0, got 0)
:: [ 07:44:15 ] :: [ BEGIN ] :: Running 'klist -keKt /tmp/test_krb5.keytab > /tmp/tmp_1 2>&1'
:: [ 07:44:15 ] :: [ PASS ] :: Command 'klist -keKt /tmp/test_krb5.keytab > /tmp/tmp_1 2>&1' (Expected 0, got 0)
Total encryption-types :
(aes128-cts-hmac-sha1-96)
(aes256-cts-hmac-sha1-96)
(arcfour-hmac)
Total keys:
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d)
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada)
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135)
Total Number of encryption-types : 3
Total Number of keys: 3
:: [ 07:44:15 ] :: [ PASS ] :: All keys with different principals have same encryption-type
:: [ 07:44:15 ] :: [ BEGIN ] :: Running 'awk -F' ' '{print $5,$6,$4}' /tmp/tmp_1 |sort|awk 'NF'|uniq'
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) CI-VM-10-0-138-$@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) host/CI-VM-10-0-138-.QE
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) host/ci-vm-10-0-138-.ad2.baseos.qe.QE
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) RestrictedKrbHost/CI-VM-10-0-138-.QE
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) RestrictedKrbHost/ci-vm-10-0-138-.ad2.baseos.qe.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) CI-VM-10-0-138-$@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) host/CI-VM-10-0-138-.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) host/ci-vm-10-0-138-.ad2.baseos.qe.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) RestrictedKrbHost/CI-VM-10-0-138-.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) RestrictedKrbHost/ci-vm-10-0-138-.ad2.baseos.qe.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) CI-VM-10-0-138-$@AD2.BASEOS.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) host/CI-VM-10-0-138-.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) host/ci-vm-10-0-138-.ad2.baseos.qe.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) RestrictedKrbHost/CI-VM-10-0-138-.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) RestrictedKrbHost/ci-vm-10-0-138-.ad2.baseos.qe.QE
:: [ 07:44:15 ] :: [ PASS ] :: Command 'awk -F' ' '{print $5,$6,$4}' /tmp/tmp_1 |sort|awk 'NF'|uniq' (Expected 0, got 0)
:: [ 07:44:15 ] :: [ BEGIN ] :: Running 'rm -rf /tmp/tmp_1'
:: [ 07:44:15 ] :: [ PASS ] :: Command 'rm -rf /tmp/tmp_1' (Expected 0, got 0)
:: [ 07:44:15 ] :: [ LOG ] :: Clean up
:: [ 07:44:15 ] :: [ LOG ] :: File [/etc/krb5.keytab] doesn't exist, so computer isn't connected to the AD domain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 5s
::   Assertions: 7 good, 0 bad
::   RESULT: PASS (Issue with arcfour-hmac)
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1055