Bug 1745932

Summary: Issue is that with arcfour-hmac as first encryption type in the config lines, adcli will pick arcfour-hmac to check which kind of salt should be used to encrypt the keys. But since arcfour-hmac does not use salts, all salt types will work and a wrong one
Product: Red Hat Enterprise Linux 8
Reporter: Sumit Bose <sbose>
Component: adcli
Assignee: Sumit Bose <sbose>
Status: CLOSED ERRATA
QA Contact: sssd-qe <sssd-qe>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.2
CC: abroy, jhrozek, pcech, sgadekar, sgoveas, sssd-qe, tscherf
Target Milestone: rc
Target Release: 8.0
Hardware: x86_64
OS: Linux
Whiteboard: sync-to-jira
Fixed In Version: adcli-0.8.2-4.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1683745
Environment:
Last Closed: 2020-04-28 16:58:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1683745
Bug Blocks: 1710435
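The failure mode in the summary, as an added model (not adcli's own code): the salt probe derives a key with the first configured enctype and accepts the first candidate salt whose key matches the KDC's. Because arcfour-hmac keys do not depend on the salt, a probe made with it matches every candidate, so the first guess wins and the AES keys written to the keytab can be derived with the wrong salt. The salt candidate strings and the simplified string-to-key (PBKDF2 without the final DK step) are constructed for illustration and are assumptions, not AD's or MIT's real rules.

```python
import hashlib

# Constructed candidate salts (illustrative strings, not AD's real salt rules):
# adcli has to discover which one the domain controller used for the computer keys.
SALT_CANDIDATES = [
    "AD2.BASEOS.QEhostci-vm-10-0-137-.ad2.baseos.qe",   # hostname-derived guess
    "AD2.BASEOS.QECI-VM-10-0-137-$",                    # account-name-derived guess
]


def uses_salt(enctype):
    """arcfour-hmac keys are an NT hash of the password alone; AES keys depend on the salt."""
    return enctype != "arcfour-hmac"


def string_to_key(enctype, password, salt):
    """Simplified string-to-key: RC4 is MD4(UTF-16LE password) with the salt ignored;
    AES is PBKDF2-HMAC-SHA1 over password+salt (the real enctype adds a DK step, omitted)."""
    if not uses_salt(enctype):
        try:
            return hashlib.new("md4", password.encode("utf-16-le")).digest()
        except ValueError:  # OpenSSL builds without legacy MD4: stand-in, still salt-free
            return hashlib.sha256(password.encode("utf-16-le")).digest()
    length = 32 if enctype.startswith("aes256") else 16
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, length)


def probe_salt(enctypes, password, kdc_keys, skip_saltless=False):
    """Model of the salt probe: derive with one enctype and accept the first candidate
    whose key matches the KDC's. The buggy behaviour probes with the first configured
    enctype; with skip_saltless=True a salt-free enctype is never used for the probe."""
    probe = next((e for e in enctypes if uses_salt(e) or not skip_saltless), None)
    if probe is None:
        return None
    for salt in SALT_CANDIDATES:
        if string_to_key(probe, password, salt) == kdc_keys[probe]:
            return salt
    return None


def join(enctypes, true_salt, password="ADMIN_PASS!", skip_saltless=False):
    """Simulate the join: the KDC holds keys made with true_salt, the client writes
    keys made with whatever salt the probe picked. Returns (chosen salt, per-enctype
    dict saying whether the keytab key actually matches the KDC's)."""
    kdc_keys = {e: string_to_key(e, password, true_salt) for e in enctypes}
    chosen = probe_salt(enctypes, password, kdc_keys, skip_saltless)
    if chosen is None:
        return None, {}
    keytab = {e: string_to_key(e, password, chosen) for e in enctypes}
    return chosen, {e: keytab[e] == kdc_keys[e] for e in enctypes}
```

With arcfour-hmac listed first and the true salt being the second candidate, `join` reports the AES keys as unusable; listing a salted enctype first, or skipping salt-free enctypes for the probe, picks the right salt.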

Comment 4 shridhar 2020-01-08 14:48:48 UTC
Verified on 

adcli-0.8.2-4.el8.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   bz1683745 Issue with arcfour-hmac as first encryption
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 09:41:44 ] :: [  BEGIN   ] :: Running 'cat /etc/krb5.conf'
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
#    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
#     admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
:: [ 09:41:44 ] :: [   PASS   ] :: Command 'cat /etc/krb5.conf' (Expected 0, got 0)
:: [ 09:41:44 ] :: [  BEGIN   ] :: Running 'cat /tmp/test_krb5.conf'
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 permitted_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
 default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
#    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
#     admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
:: [ 09:41:44 ] :: [   PASS   ] :: Command 'cat /tmp/test_krb5.conf' (Expected 0, got 0)
:: [ 09:41:44 ] :: [  BEGIN   ] :: Running 'echo ADMIN_PASS! | KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join --verbose -K /tmp/test_krb5.keytab --stdin-password -U Amy-admin -S ad2.baseos.qe -S 10.37.152.15 > /tmp/tmp_1 2>&1'
:: [ 09:41:49 ] :: [   PASS   ] :: Command 'echo ADMIN_PASS! | KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join --verbose -K /tmp/test_krb5.keytab --stdin-password -U Amy-admin -S ad2.baseos.qe -S 10.37.152.15 > /tmp/tmp_1 2>&1' (Expected 0, got 0)
:: [ 09:41:49 ] :: [  BEGIN   ] :: Running 'klist -keKt /tmp/test_krb5.keytab > /tmp/tmp_1 2>&1'
:: [ 09:41:49 ] :: [   PASS   ] :: Command 'klist -keKt /tmp/test_krb5.keytab > /tmp/tmp_1 2>&1' (Expected 0, got 0)
Total encryption-types : 
(aes128-cts-hmac-sha1-96)
(aes256-cts-hmac-sha1-96)
Total keys: 
(aes128-cts-hmac-sha1-96) (0x13c7cb08e7935378ea4e40b167294a12)
(aes256-cts-hmac-sha1-96) (0x0feca3fd38712fd45fcdc76b4aaad407e45c04527b065fb0e5d4ebef408b1b2f)
Total Number of encryption-types : 2
Total Number of keys: 2
:: [ 09:41:49 ] :: [   PASS   ] :: All keys with different principals have same encryption-type 
:: [ 09:41:49 ] :: [  BEGIN   ] :: Running 'awk -F' ' '{print $5,$6,$4}' /tmp/tmp_1 |sort|awk 'NF'|uniq'
(aes128-cts-hmac-sha1-96) (0x13c7cb08e7935378ea4e40b167294a12) CI-VM-10-0-137-$@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0x13c7cb08e7935378ea4e40b167294a12) host/CI-VM-10-0-137-@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0x13c7cb08e7935378ea4e40b167294a12) host/ci-vm-10-0-137-.ad2.baseos.qe@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0x13c7cb08e7935378ea4e40b167294a12) RestrictedKrbHost/CI-VM-10-0-137-@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0x13c7cb08e7935378ea4e40b167294a12) RestrictedKrbHost/ci-vm-10-0-137-.ad2.baseos.qe@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0x0feca3fd38712fd45fcdc76b4aaad407e45c04527b065fb0e5d4ebef408b1b2f) CI-VM-10-0-137-$@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0x0feca3fd38712fd45fcdc76b4aaad407e45c04527b065fb0e5d4ebef408b1b2f) host/CI-VM-10-0-137-@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0x0feca3fd38712fd45fcdc76b4aaad407e45c04527b065fb0e5d4ebef408b1b2f) host/ci-vm-10-0-137-.ad2.baseos.qe@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0x0feca3fd38712fd45fcdc76b4aaad407e45c04527b065fb0e5d4ebef408b1b2f) RestrictedKrbHost/CI-VM-10-0-137-@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0x0feca3fd38712fd45fcdc76b4aaad407e45c04527b065fb0e5d4ebef408b1b2f) RestrictedKrbHost/ci-vm-10-0-137-.ad2.baseos.qe@AD2.BASEOS.QE
:: [ 09:41:49 ] :: [   PASS   ] :: Command 'awk -F' ' '{print $5,$6,$4}' /tmp/tmp_1 |sort|awk 'NF'|uniq' (Expected 0, got 0)
:: [ 09:41:49 ] :: [  BEGIN   ] :: Running 'rm -rf /tmp/tmp_1'
:: [ 09:41:49 ] :: [   PASS   ] :: Command 'rm -rf /tmp/tmp_1' (Expected 0, got 0)
:: [ 09:41:49 ] :: [   LOG    ] :: Clean up
:: [ 09:41:49 ] :: [   LOG    ] :: File [/etc/krb5.keytab] doesn't exist, so computer isn't connected to the AD domain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 6s
::   Assertions: 7 good, 0 bad
::   RESULT: PASS (bz1683745 Issue with arcfour-hmac as first encryption)

Comment 6 errata-xmlrpc 2020-04-28 16:58:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1874