Bug 1683745
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Issue is that with arcfour-hmac as first encryption type in the config lines, adcli will pick arcfour-hmac to check which kind of salt should be used to encrypt the keys. But since arcfour-hmac does not use salts, all salt types will work and a wrong one | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Abhijit Roy <abroy> |
| Component | adcli | Assignee | Sumit Bose <sbose> |
| Status | CLOSED ERRATA | QA Contact | sssd-qe <sssd-qe> |
| Severity | medium | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.4 | CC | jhrozek, pcech, sgadekar, sgoveas |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | sync-to-jira | | |
| Fixed In Version | adcli-0.8.1-11.el7 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1745932 (view as bug list) | Environment | |
| Last Closed | 2020-03-31 19:45:16 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1710435, 1745932 | | |
Description
Abhijit Roy
2019-02-27 17:29:48 UTC
How to reproduce:
- add the following lines to /etc/krb5.conf
permitted_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
They do not have to look exactly the same, but 'arcfour-hmac-md5' has to come first in each of the lines.
- join a domain while collecting the Kerberos trace output:
$ KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join -K /tmp/test_krb5.keytab -D child.ad.devel -S 192.168.122.151 -v
* Using domain name: child.ad.devel
* Calculated computer account name from fqdn: P50
* Calculated domain realm from name: CHILD.AD.DEVEL
* Sending netlogon pings to domain controller: cldap://192.168.122.151
* Received NetLogon info from: Child-Server.ChIlD.ad.devel
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-MKFcnv/krb5.d/adcli-krb5-conf-1vjsUW
...
[12182] 1566808422.85181: Getting initial credentials for P50$@CHILD.AD.DEVEL
[12182] 1566808422.85182: Looked up etypes in keytab: aes256-cts, aes128-cts, rc4-hmac, des, des-cbc-crc, des-cbc-crc
[12182] 1566808422.85184: Sending unauthenticated request
[12182] 1566808422.85185: Sending request (204 bytes) to CHILD.AD.DEVEL
[12182] 1566808422.85186: Resolving hostname 192.168.122.151
[12182] 1566808422.85187: Sending initial UDP request to dgram 192.168.122.151:88
[12182] 1566808422.85188: Received answer (208 bytes) from dgram 192.168.122.151:88
[12182] 1566808422.85189: Response was from master KDC
[12182] 1566808422.85190: Received error from KDC: -1765328359/Additional pre-authentication required
[12182] 1566808422.85193: Preauthenticating using KDC method data
[12182] 1566808422.85194: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[12182] 1566808422.85195: Selected etype info: etype rc4-hmac, salt "", params ""
[12182] 1566808422.85196: PKINIT client has no configured identity; giving up
[12182] 1566808422.85197: PKINIT client has no configured identity; giving up
[12182] 1566808422.85198: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[12182] 1566808422.85199: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
[12182] 1566808422.85200: Preauth module pkinit (15) (real) returned: -1765328360/Preauthentication failed
[12182] 1566808422.85201: Retrieving P50$@CHILD.AD.DEVEL from MEMORY:adcli-discover-salt (vno 0, enctype rc4-hmac) with result: 0/Success <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[12182] 1566808422.85202: AS key obtained for encrypted timestamp: rc4-hmac/2410 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[12182] 1566808422.85204: Encrypted timestamp (for 1566808421.856774): plain 301AA011180F32303139303832363038333334315AA10502030D12C6, encrypted B9D6543D6EB61084334C40A71AE69D6525DF9C1C2957646D966ED7F5D633131935774AB906EEF1D9AA25F378D4AF$
8198C1E9585
[12182] 1566808422.85205: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[12182] 1566808422.85206: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[12182] 1566808422.85207: Sending request (280 bytes) to CHILD.AD.DEVEL
[12182] 1566808422.85208: Resolving hostname 192.168.122.151
[12182] 1566808422.85209: Sending initial UDP request to dgram 192.168.122.151:88
[12182] 1566808422.85210: Received answer (1338 bytes) from dgram 192.168.122.151:88
[12182] 1566808422.85211: Response was from master KDC
[12182] 1566808422.85212: Salt derived from principal: CHILD.AD.DEVELP50$
[12182] 1566808422.85213: AS key determined by preauth: rc4-hmac/2410
[12182] 1566808422.85214: Decrypted AS reply; session key is: rc4-hmac/5A33
[12182] 1566808422.85215: FAST negotiation: unavailable
* Discovered which keytab salt to use
...
As can be seen from the 2 marked lines in the Kerberos trace output before the 'Discovered which keytab salt to use' message, the encryption type 'rc4-hmac' is used. As a result, after the join the new keytab will look like:
$ klist -keKt /tmp/test_krb5.keytab
Keytab name: FILE:/tmp/test_krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 26.08.2019 10:33:41 P50$@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac) (0x3af33b02e0a8547348a943b4ff49fad4)
2 26.08.2019 10:33:41 P50$@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96) (0x9e00cb3ddec7f2e0afb61021ea29c7f6)
2 26.08.2019 10:33:41 P50$@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96) (0x910f7bf04711ea6aba1bdd695e6f57f2097c1bf472f3b3509ba4e07bfffd9045)
2 26.08.2019 10:33:41 host/P50.DEVEL (DEPRECATED:arcfour-hmac) (0x3af33b02e0a8547348a943b4ff49fad4)
2 26.08.2019 10:33:41 host/P50.DEVEL (aes128-cts-hmac-sha1-96) (0x063f5b4f8343be6373cd61d9334a5a5e)
2 26.08.2019 10:33:41 host/P50.DEVEL (aes256-cts-hmac-sha1-96) (0x5b39b8ca99a536ec45d56b308cb98840ddc5f6cb29210eca328f5c4a679976c3)
2 26.08.2019 10:33:41 host/p50.abc.def.DEVEL (DEPRECATED:arcfour-hmac) (0x3af33b02e0a8547348a943b4ff49fad4)
2 26.08.2019 10:33:41 host/p50.abc.def.DEVEL (aes128-cts-hmac-sha1-96) (0x81a8a3d4f7da541b9c615cc26a58ce87)
2 26.08.2019 10:33:41 host/p50.abc.def.DEVEL (aes256-cts-hmac-sha1-96) (0x5c4e22bd3c966b26c3a3e095e6665553fdbb1dd3cec4d0f9061827b3d4ff4479)
2 26.08.2019 10:33:41 RestrictedKrbHost/P50.DEVEL (DEPRECATED:arcfour-hmac) (0x3af33b02e0a8547348a943b4ff49fad4)
2 26.08.2019 10:33:41 RestrictedKrbHost/P50.DEVEL (aes128-cts-hmac-sha1-96) (0xa1326438329090651a42ea6426b85901)
2 26.08.2019 10:33:41 RestrictedKrbHost/P50.DEVEL (aes256-cts-hmac-sha1-96) (0x131ef3b589644fa91e3d927d9aec795e73b4071c99f13ab2bb749ca47032172f)
2 26.08.2019 10:33:41 RestrictedKrbHost/p50.abc.def.DEVEL (DEPRECATED:arcfour-hmac) (0x3af33b02e0a8547348a943b4ff49fad4)
2 26.08.2019 10:33:41 RestrictedKrbHost/p50.abc.def.DEVEL (aes128-cts-hmac-sha1-96) (0x9c6007397be85e04b464e42d8f8caaa2)
2 26.08.2019 10:33:41 RestrictedKrbHost/p50.abc.def.DEVEL (aes256-cts-hmac-sha1-96) (0x403543c3837689a93519f240347c3c43a2a0f55286db640561105993db0229af)
As can be seen, the 'arcfour-hmac' keys are the same for all principals, since no salt is used here. But e.g. the 'aes128-cts-hmac-sha1-96' keys for the different principals are all different because the wrong salt was picked. Same for 'aes256-cts-hmac-sha1-96'.
With the fixed version and the same /etc/krb5.conf the join output will look like:
....
[11976] 1566808302.397651: Retrieving P50$@CHILD.AD.DEVEL from MEMORY:adcli-discover-salt (vno 0, enctype aes256-cts) with result: 0/Success <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[11976] 1566808302.397652: AS key obtained for encrypted timestamp: aes256-cts/66BA <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[11976] 1566808302.397654: Encrypted timestamp (for 1566808301.825524): plain 301AA011180F32303139303832363038333134315AA10502030C98B4, encrypted 5AC00C2ECD3E80006D06E032717AFE63199D4F3BE0C622E48AF57D77E3B05DDB63410691C51F193BDD94507AADBF312AFC167F961061102E
[11976] 1566808302.397655: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[11976] 1566808302.397656: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[11976] 1566808302.397657: Sending request (284 bytes) to CHILD.AD.DEVEL
[11976] 1566808302.397658: Resolving hostname 192.168.122.151
[11976] 1566808302.397659: Sending initial UDP request to dgram 192.168.122.151:88
[11976] 1566808302.397660: Received answer (1438 bytes) from dgram 192.168.122.151:88
[11976] 1566808302.397661: Response was from master KDC
[11976] 1566808302.397662: Processing preauth types: PA-ETYPE-INFO2 (19)
[11976] 1566808302.397663: Selected etype info: etype aes256-cts, salt "CHILD.AD.DEVELhostp50.child.ad.devel", params ""
[11976] 1566808302.397664: Produced preauth for next request: (empty)
[11976] 1566808302.397665: AS key determined by preauth: aes256-cts/66BA
[11976] 1566808302.397666: Decrypted AS reply; session key is: aes256-cts/56D9
[11976] 1566808302.397667: FAST negotiation: unavailable
* Discovered which keytab salt to use
....
Now the 2 marked lines show that AES was used. Other encryption types are ok as well, as long as it is not 'rc4-hmac'. The keytab now looks like:
$ klist -keKt /tmp/test_krb5.keytab
Keytab name: FILE:/tmp/test_krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 26.08.2019 10:31:41 P50$@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac) (0xabdc5031d439ef5be9aea6cfe1ebf622)
2 26.08.2019 10:31:41 P50$@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96) (0x3c8a529ece239132aac3fbdf097a9925)
2 26.08.2019 10:31:41 P50$@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96) (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)
2 26.08.2019 10:31:41 host/P50.DEVEL (DEPRECATED:arcfour-hmac) (0xabdc5031d439ef5be9aea6cfe1ebf622)
2 26.08.2019 10:31:41 host/P50.DEVEL (aes128-cts-hmac-sha1-96) (0x3c8a529ece239132aac3fbdf097a9925)
2 26.08.2019 10:31:41 host/P50.DEVEL (aes256-cts-hmac-sha1-96) (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)
2 26.08.2019 10:31:41 host/p50.Speedport_W_724V_Typ_A_05011603_05_020.DEVEL (DEPRECATED:arcfour-hmac) (0xabdc5031d439ef5be9aea6cfe1ebf622)
2 26.08.2019 10:31:41 host/p50.Speedport_W_724V_Typ_A_05011603_05_020.DEVEL (aes128-cts-hmac-sha1-96) (0x3c8a529ece239132aac3fbdf097a9925)
2 26.08.2019 10:31:41 host/p50.Speedport_W_724V_Typ_A_05011603_05_020.DEVEL (aes256-cts-hmac-sha1-96) (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)
2 26.08.2019 10:31:41 RestrictedKrbHost/P50.DEVEL (DEPRECATED:arcfour-hmac) (0xabdc5031d439ef5be9aea6cfe1ebf622)
2 26.08.2019 10:31:41 RestrictedKrbHost/P50.DEVEL (aes128-cts-hmac-sha1-96) (0x3c8a529ece239132aac3fbdf097a9925)
2 26.08.2019 10:31:41 RestrictedKrbHost/P50.DEVEL (aes256-cts-hmac-sha1-96) (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)
2 26.08.2019 10:31:41 RestrictedKrbHost/p50.Speedport_W_724V_Typ_A_05011603_05_020.DEVEL (DEPRECATED:arcfour-hmac) (0xabdc5031d439ef5be9aea6cfe1ebf622)
2 26.08.2019 10:31:41 RestrictedKrbHost/p50.Speedport_W_724V_Typ_A_05011603_05_020.DEVEL (aes128-cts-hmac-sha1-96) (0x3c8a529ece239132aac3fbdf097a9925)
2 26.08.2019 10:31:41 RestrictedKrbHost/p50.Speedport_W_724V_Typ_A_05011603_05_020.DEVEL (aes256-cts-hmac-sha1-96) (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)
Now the keys for the different principals are the same for the same encryption type.
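The comparison the report makes by eye (and the QE test below makes with an awk pipeline) can be automated. The following is an added example, not code from adcli or from this bug report. It parses `klist -keKt` output, counts distinct key values per encryption type across all principals in the keytab, and reports salted enctypes that have more than one key, which is exactly the symptom of a wrongly discovered salt: every SPN of one computer account shares one password and one salt, so a salted enctype must produce one key. The two embedded listings are copied from the report above (the first six entries of the broken and of the fixed keytab); `check_keytab_file` runs klist on a real keytab and is the only part that needs a Kerberos installation. The two salt helpers reproduce the salts visible in the traces (MIT's default realm+name salt at 1566808422.85212 and the AD computer-account salt at 1566808302.397663); the AD salt format is the well-known REALM + "host" + lower-case FQDN and is stated here as an assumption, not something the report spells out.

```python
"""Detect the salt-discovery symptom from this bug in a keytab listing.

Added example; not code from adcli or from the bug report. Assumes the
listing is the text output of `klist -keKt` in the format shown above.
"""
import re
import subprocess
from collections import defaultdict

# rc4-hmac string-to-key (RFC 4757) is the MD4 of the UTF-16LE password and
# ignores the salt, so any salt "verifies" against such a key. adcli must not
# probe the salt with one of these enctypes.
SALTLESS_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "arcfour-hmac-exp"}

# One klist -keKt entry: KVNO, date, time, principal, (enctype), (0xkey).
# The DEPRECATED: prefix newer klist versions print is stripped.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s+\((0x[0-9a-fA-F]+)\)\s*$"
)


def parse_klist(text):
    """Return (kvno, principal, enctype, key_hex) tuples from klist -keKt output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, _timestamp, principal, enctype, key = m.groups()
            entries.append((int(kvno), principal, enctype, key.lower()))
    return entries


def distinct_keys_per_enctype(entries):
    """Map enctype -> number of distinct key values across all principals."""
    keys = defaultdict(set)
    for _kvno, _principal, enctype, key in entries:
        keys[enctype].add(key)
    return {enctype: len(k) for enctype, k in keys.items()}


def inconsistent_enctypes(text):
    """Salted enctypes whose keys differ between principals of one keytab.

    More than one key for a salted enctype means the principals were keyed
    with different salts, i.e. adcli discovered the salt wrongly.
    """
    counts = distinct_keys_per_enctype(parse_klist(text))
    return sorted(e for e, n in counts.items() if n > 1 and e not in SALTLESS_ENCTYPES)


def salt_probe_is_usable(enctype):
    """A salt probe only proves anything when done with a salted enctype."""
    return enctype.lower() not in SALTLESS_ENCTYPES


def mit_default_salt(principal):
    """RFC 4120 default salt: realm followed by the principal name components."""
    name, realm = principal.rsplit("@", 1)
    return realm + name.replace("/", "")


def ad_computer_salt(realm, fqdn):
    """Assumed AD computer-account salt: REALM + 'host' + lower-case FQDN."""
    return realm.upper() + "host" + fqdn.lower()


def check_keytab_file(path):
    """Run klist on a real keytab and return its inconsistent enctypes."""
    out = subprocess.run(["klist", "-keKt", path], capture_output=True, text=True, check=True).stdout
    return inconsistent_enctypes(out)


# Listings copied from the bug report above (first six entries of each keytab).
BROKEN_LISTING = """\
Keytab name: FILE:/tmp/test_krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 26.08.2019 10:33:41 P50$@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac) (0x3af33b02e0a8547348a943b4ff49fad4)
   2 26.08.2019 10:33:41 P50$@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96) (0x9e00cb3ddec7f2e0afb61021ea29c7f6)
   2 26.08.2019 10:33:41 P50$@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96) (0x910f7bf04711ea6aba1bdd695e6f57f2097c1bf472f3b3509ba4e07bfffd9045)
   2 26.08.2019 10:33:41 host/P50.DEVEL (DEPRECATED:arcfour-hmac) (0x3af33b02e0a8547348a943b4ff49fad4)
   2 26.08.2019 10:33:41 host/P50.DEVEL (aes128-cts-hmac-sha1-96) (0x063f5b4f8343be6373cd61d9334a5a5e)
   2 26.08.2019 10:33:41 host/P50.DEVEL (aes256-cts-hmac-sha1-96) (0x5b39b8ca99a536ec45d56b308cb98840ddc5f6cb29210eca328f5c4a679976c3)
"""

FIXED_LISTING = """\
Keytab name: FILE:/tmp/test_krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 26.08.2019 10:31:41 P50$@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac) (0xabdc5031d439ef5be9aea6cfe1ebf622)
   2 26.08.2019 10:31:41 P50$@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96) (0x3c8a529ece239132aac3fbdf097a9925)
   2 26.08.2019 10:31:41 P50$@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96) (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)
   2 26.08.2019 10:31:41 host/P50.DEVEL (DEPRECATED:arcfour-hmac) (0xabdc5031d439ef5be9aea6cfe1ebf622)
   2 26.08.2019 10:31:41 host/P50.DEVEL (aes128-cts-hmac-sha1-96) (0x3c8a529ece239132aac3fbdf097a9925)
   2 26.08.2019 10:31:41 host/P50.DEVEL (aes256-cts-hmac-sha1-96) (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)
"""

if __name__ == "__main__":
    for label, listing in (("broken", BROKEN_LISTING), ("fixed", FIXED_LISTING)):
        bad = inconsistent_enctypes(listing)
        print(f"{label}: {'OK' if not bad else 'inconsistent salt for ' + ', '.join(bad)}")
```

On the broken listing the checker names both AES enctypes and stays silent about arcfour-hmac, which cannot disagree with itself; on the fixed listing it reports nothing. Note that identical AES keys across principals only show that one salt was used consistently, not which one; a client that enrols with the wrong salt still fails later when the KDC's PA-ETYPE-INFO2 salt does not match, so the trace line `Selected etype info: etype ..., salt "..."` is the place to confirm the salt itself.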
Master:
- 158468507bb723aa62196846749c23c121d4b298

Issue is reproduced with old version (test failing)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Test run ID : 22397001
Package : adcli
Installed : adcli-0.8.1-9.el7.x86_64
beakerlib RPM : beakerlib-1.18-7.el7bkr.noarch
bl-redhat RPM : beakerlib-redhat-1-32.el7bkr.noarch
Test name : /CoreOS/adcli/Regression/bz1683745-issue-with-arcfour-hmac-as-first-encryption-type
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Issue with arcfour-hmac
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 07:36:51 ] :: [ BEGIN ] :: Running 'cat /etc/krb5.conf'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
:: [ 07:36:51 ] :: [ PASS ] :: Command 'cat /etc/krb5.conf' (Expected 0, got 0)
:: [ 07:36:51 ] :: [ BEGIN ] :: Running 'cat /tmp/test_krb5.conf'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
permitted_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
:: [ 07:36:51 ] :: [ PASS ] :: Command 'cat /tmp/test_krb5.conf' (Expected 0, got 0)
:: [ 07:36:51 ] :: [ BEGIN ] :: Running 'echo Pass2012! | KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join --verbose -K /tmp/test_krb5.keytab --stdin-password -U Amy-admin -S ad2.baseos.qe -S 10.37.152.15 > /tmp/tmp_1 2>&1'
:: [ 07:36:55 ] :: [ PASS ] :: Command 'echo Pass2012! | KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join --verbose -K /tmp/test_krb5.keytab --stdin-password -U Amy-admin -S ad2.baseos.qe -S 10.37.152.15 > /tmp/tmp_1 2>&1' (Expected 0, got 0)
:: [ 07:36:55 ] :: [ BEGIN ] :: Running 'klist -keKt /tmp/test_krb5.keytab > /tmp/tmp_1 2>&1'
:: [ 07:36:55 ] :: [ PASS ] :: Command 'klist -keKt /tmp/test_krb5.keytab > /tmp/tmp_1 2>&1' (Expected 0, got 0)
Total encryption-types :
(aes128-cts-hmac-sha1-96)
(aes256-cts-hmac-sha1-96)
(arcfour-hmac)
Total keys:
(aes128-cts-hmac-sha1-96) (0x0d53c67363e31339127ae4df91857fab)
(aes128-cts-hmac-sha1-96) (0x5c800c9dfb793b3c742749fb39f36bbb)
(aes128-cts-hmac-sha1-96) (0x70f28a3f5c50010beecae7eb211d71c9)
(aes128-cts-hmac-sha1-96) (0x8caf2c17241422bd69e5cfab509fcdf3)
(aes128-cts-hmac-sha1-96) (0xbe746e65c9ac64b90d847432cdcb8f0c)
(aes256-cts-hmac-sha1-96) (0x179762206334dac99e285960d3b05c80f31d2ad670fed4eeb1c548c5a1b91efd)
(aes256-cts-hmac-sha1-96) (0x3745dcb780b938939dc196281e0281930e1e552ca9b78574ccaacf9bc3ed254b)
(aes256-cts-hmac-sha1-96) (0x6edb197da2fd10508eb415b669331c08c7e113633a0ac038885c3f29f80d28cb)
(aes256-cts-hmac-sha1-96) (0xe4df359ef8b7dea620d976abf408c9dc6e3386ab8e6cbcf02b9009c0ed94055f)
(aes256-cts-hmac-sha1-96) (0xf28fc7821b0d789771120ee6d6899b3651924f88ba20ae1bdf59a76aacd804bd)
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503)
Total Number of encryption-types : 3
Total Number of keys: 11
:: [ 07:36:55 ] :: [ FAIL ] :: All keys with different principals do not have same encryption-type
:: [ 07:36:55 ] :: [ BEGIN ] :: Running 'awk -F' ' '{print $5,$6,$4}' /tmp/tmp_1 |sort|awk 'NF'|uniq'
(aes128-cts-hmac-sha1-96) (0x0d53c67363e31339127ae4df91857fab) host/CI-VM-10-0-139-.QE
(aes128-cts-hmac-sha1-96) (0x5c800c9dfb793b3c742749fb39f36bbb) RestrictedKrbHost/CI-VM-10-0-139-.QE
(aes128-cts-hmac-sha1-96) (0x70f28a3f5c50010beecae7eb211d71c9) RestrictedKrbHost/ci-vm-10-0-139-.ad2.baseos.qe.QE
(aes128-cts-hmac-sha1-96) (0x8caf2c17241422bd69e5cfab509fcdf3) CI-VM-10-0-139-$@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0xbe746e65c9ac64b90d847432cdcb8f0c) host/ci-vm-10-0-139-.ad2.baseos.qe.QE
(aes256-cts-hmac-sha1-96) (0x179762206334dac99e285960d3b05c80f31d2ad670fed4eeb1c548c5a1b91efd) RestrictedKrbHost/CI-VM-10-0-139-.QE
(aes256-cts-hmac-sha1-96) (0x3745dcb780b938939dc196281e0281930e1e552ca9b78574ccaacf9bc3ed254b) host/CI-VM-10-0-139-.QE
(aes256-cts-hmac-sha1-96) (0x6edb197da2fd10508eb415b669331c08c7e113633a0ac038885c3f29f80d28cb) RestrictedKrbHost/ci-vm-10-0-139-.ad2.baseos.qe.QE
(aes256-cts-hmac-sha1-96) (0xe4df359ef8b7dea620d976abf408c9dc6e3386ab8e6cbcf02b9009c0ed94055f) host/ci-vm-10-0-139-.ad2.baseos.qe.QE
(aes256-cts-hmac-sha1-96) (0xf28fc7821b0d789771120ee6d6899b3651924f88ba20ae1bdf59a76aacd804bd) CI-VM-10-0-139-$@AD2.BASEOS.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) CI-VM-10-0-139-$@AD2.BASEOS.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) host/CI-VM-10-0-139-.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) host/ci-vm-10-0-139-.ad2.baseos.qe.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) RestrictedKrbHost/CI-VM-10-0-139-.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) RestrictedKrbHost/ci-vm-10-0-139-.ad2.baseos.qe.QE
:: [ 07:36:55 ] :: [ PASS ] :: Command 'awk -F' ' '{print $5,$6,$4}' /tmp/tmp_1 |sort|awk 'NF'|uniq' (Expected 0, got 0)
:: [ 07:36:55 ] :: [ BEGIN ] :: Running 'rm -rf /tmp/tmp_1'
:: [ 07:36:55 ] :: [ PASS ] :: Command 'rm -rf /tmp/tmp_1' (Expected 0, got 0)
:: [ 07:36:55 ] :: [ LOG ] :: Clean up
:: [ 07:36:55 ] :: [ LOG ] :: File [/etc/krb5.keytab] doesn't exist, so computer isn't connected to the AD domain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 4s
:: Assertions: 6 good, 1 bad
:: RESULT: FAIL (Issue with arcfour-hmac)
=================================================================
Verified with the following data:
Test is passing with
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Test run ID : 22641001
Package : adcli
Installed : adcli-0.8.1-12.el7.x86_64
beakerlib RPM : beakerlib-1.18-7.el7bkr.noarch
bl-redhat RPM : beakerlib-redhat-1-32.el7bkr.noarch
Test name : /CoreOS/adcli/Regression/bz1683745-issue-with-arcfour-hmac-as-first-encryption-type
Test version : 0.1
Test started : 2019-11-22 07:44:00 EST
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Issue with arcfour-hmac
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 07:44:10 ] :: [ BEGIN ] :: Running 'cat /etc/krb5.conf'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
:: [ 07:44:10 ] :: [ PASS ] :: Command 'cat /etc/krb5.conf' (Expected 0, got 0)
:: [ 07:44:10 ] :: [ BEGIN ] :: Running 'cat /tmp/test_krb5.conf'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
permitted_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
:: [ 07:44:10 ] :: [ PASS ] :: Command 'cat /tmp/test_krb5.conf' (Expected 0, got 0)
:: [ 07:44:10 ] :: [ BEGIN ] :: Running 'echo Pass2012! | KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join --verbose -K /tmp/test_krb5.keytab --stdin-password -U Amy-admin -S ad2.baseos.qe -S 10.37.152.15 > /tmp/tmp_1 2>&1'
:: [ 07:44:15 ] :: [ PASS ] :: Command 'echo Pass2012! | KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join --verbose -K /tmp/test_krb5.keytab --stdin-password -U Amy-admin -S ad2.baseos.qe -S 10.37.152.15 > /tmp/tmp_1 2>&1' (Expected 0, got 0)
:: [ 07:44:15 ] :: [ BEGIN ] :: Running 'klist -keKt /tmp/test_krb5.keytab > /tmp/tmp_1 2>&1'
:: [ 07:44:15 ] :: [ PASS ] :: Command 'klist -keKt /tmp/test_krb5.keytab > /tmp/tmp_1 2>&1' (Expected 0, got 0)
Total encryption-types :
(aes128-cts-hmac-sha1-96)
(aes256-cts-hmac-sha1-96)
(arcfour-hmac)
Total keys:
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d)
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada)
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135)
Total Number of encryption-types : 3
Total Number of keys: 3
:: [ 07:44:15 ] :: [ PASS ] :: All keys with different principals have same encryption-type
:: [ 07:44:15 ] :: [ BEGIN ] :: Running 'awk -F' ' '{print $5,$6,$4}' /tmp/tmp_1 |sort|awk 'NF'|uniq'
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) CI-VM-10-0-138-$@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) host/CI-VM-10-0-138-.QE
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) host/ci-vm-10-0-138-.ad2.baseos.qe.QE
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) RestrictedKrbHost/CI-VM-10-0-138-.QE
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) RestrictedKrbHost/ci-vm-10-0-138-.ad2.baseos.qe.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) CI-VM-10-0-138-$@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) host/CI-VM-10-0-138-.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) host/ci-vm-10-0-138-.ad2.baseos.qe.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) RestrictedKrbHost/CI-VM-10-0-138-.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) RestrictedKrbHost/ci-vm-10-0-138-.ad2.baseos.qe.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) CI-VM-10-0-138-$@AD2.BASEOS.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) host/CI-VM-10-0-138-.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) host/ci-vm-10-0-138-.ad2.baseos.qe.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) RestrictedKrbHost/CI-VM-10-0-138-.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) RestrictedKrbHost/ci-vm-10-0-138-.ad2.baseos.qe.QE
:: [ 07:44:15 ] :: [ PASS ] :: Command 'awk -F' ' '{print $5,$6,$4}' /tmp/tmp_1 |sort|awk 'NF'|uniq' (Expected 0, got 0)
:: [ 07:44:15 ] :: [ BEGIN ] :: Running 'rm -rf /tmp/tmp_1'
:: [ 07:44:15 ] :: [ PASS ] :: Command 'rm -rf /tmp/tmp_1' (Expected 0, got 0)
:: [ 07:44:15 ] :: [ LOG ] :: Clean up
:: [ 07:44:15 ] :: [ LOG ] :: File [/etc/krb5.keytab] doesn't exist, so computer isn't connected to the AD domain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 5s
:: Assertions: 7 good, 0 bad
:: RESULT: PASS (Issue with arcfour-hmac)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1055