Bug 2125182

Summary: Invalid KDC signature encryption type for PAC [rhel-8]
Product: Red Hat Enterprise Linux 8 Reporter: anuja <amore>
Component: krb5Assignee: Julien Rische <jrische>
Status: CLOSED MIGRATED QA Contact: Michal Polovka <mpolovka>
Severity: unspecified Docs Contact: lmcgarry
Priority: unspecified    
Version: 8.7CC: aperotti, fhanzelk, frenaud, lmcgarry, pasik, sumenon
Target Milestone: rcKeywords: MigratedToJIRA, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Known Issue
Doc Text:
.IdM to AD cross-realm TGS requests fail The Privilege Attribute Certificate (PAC) information in IdM Kerberos tickets is now signed with AES SHA-2 HMAC encryption, which is not supported by Active Directory (AD). Consequently, IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with the following error: ---- Generic error (see e-text) while getting credentials for <service principal> ----
 Story Points: ---
Clone Of: 2060421 Environment:
Last Closed: 2023-09-18 20:38:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2089955    

Description anuja 2022-09-08 08:59:28 UTC 
+++ This bug was initially created as a clone of Bug #2060421 +++

Description of problem:

[root@master ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: win19-13r8.test
  Domain NetBIOS name: WIN19-13R8
  Domain Security Identifier: S-1-5-21-3829174166-1252505095-3327585824
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------


[root@master ~]# klist -e
Ticket cache: KCM:0
Default principal: admin

Valid starting       Expires              Service principal
03/03/2022 08:42:50  03/04/2022 08:19:50  HTTP/master.testrealm1way.test
	Etype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192 
03/03/2022 08:42:48  03/04/2022 08:19:50  krbtgt/TESTREALM1WAY.TEST
	Etype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192 
[root@master ~]# KRB5_TRACE=/dev/stderr kvno -S cifs ad1-13r8.win19-13r8.test
[24932] 1646315147.757589: Getting credentials admin -> cifs/ad1-13r8.win19-13r8.test using ccache KCM:0
[24932] 1646315147.757590: Retrieving admin -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757591: Retrieving admin -> cifs/ad1-13r8.win19-13r8.test from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757592: Retrieving admin -> krbtgt/WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757593: Retrieving admin -> krbtgt/TESTREALM1WAY.TEST from KCM:0 with result: 0/Success
[24932] 1646315147.757594: Starting with TGT for client realm: admin -> krbtgt/TESTREALM1WAY.TEST
[24932] 1646315147.757595: Retrieving admin -> krbtgt/WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757596: Requesting TGT krbtgt/WIN19-13R8.TEST using TGT krbtgt/TESTREALM1WAY.TEST
[24932] 1646315147.757597: Generated subkey for TGS request: aes256-sha2/107C
[24932] 1646315147.757598: etypes requested in TGS request: aes256-sha2, aes256-cts, aes128-sha2, aes128-cts
[24932] 1646315147.757600: Encoding request body and padata into FAST request
[24932] 1646315147.757601: Sending request (1948 bytes) to TESTREALM1WAY.TEST
[24932] 1646315147.757602: Initiating TCP connection to stream 10.0.199.42:88
[24932] 1646315147.757603: Sending TCP request to stream 10.0.199.42:88
[24932] 1646315147.757604: Received answer (1804 bytes) from stream 10.0.199.42:88
[24932] 1646315147.757605: Terminating TCP connection to stream 10.0.199.42:88
[24932] 1646315147.757606: Response was from primary KDC
[24932] 1646315147.757607: Decoding FAST response
[24932] 1646315147.757608: FAST reply key: aes256-sha2/3569
[24932] 1646315147.757609: TGS reply is for admin -> krbtgt/WIN19-13R8.TEST with session key aes256-cts/349C
[24932] 1646315147.757610: TGS request result: 0/Success
[24932] 1646315147.757611: Received TGT for WIN19-13R8.TEST; advancing current realm
[24932] 1646315147.757612: Retrieving admin -> krbtgt/WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757613: Requesting TGT krbtgt/WIN19-13R8.TEST using TGT krbtgt/WIN19-13R8.TEST
[24932] 1646315147.757614: Generated subkey for TGS request: aes256-cts/6248
[24932] 1646315147.757615: etypes requested in TGS request: aes256-sha2, aes256-cts, aes128-sha2, aes128-cts
[24932] 1646315147.757617: Encoding request body and padata into FAST request
[24932] 1646315147.757618: Sending request (1812 bytes) to WIN19-13R8.TEST
[24932] 1646315147.757619: Initiating TCP connection to stream 10.0.199.57:88
[24932] 1646315147.757620: Sending TCP request to stream 10.0.199.57:88
[24932] 1646315147.757621: Received answer (331 bytes) from stream 10.0.199.57:88
[24932] 1646315147.757622: Terminating TCP connection to stream 10.0.199.57:88
[24932] 1646315147.757623: Response was from primary KDC
[24932] 1646315147.757624: Decoding FAST response
[24932] 1646315147.757625: TGS request result: -1765328324/Generic error (see e-text)
kvno: Generic error (see e-text) while getting credentials for cifs/ad1-13r8.win19-13r8.test

From krb5kdc.log:
Mar 03 08:45:47 master.testrealm1way.test krb5kdc[24353](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.0.199.42: ISSUE: authtime 1646314968, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin for krbtgt/WIN19-13R8.TEST

I think we've seen this issue when developing krb5 1.20 upstream, so it needs to be re-verified with 1.20 when rebase happens.
Comment 8 RHEL Program Management 2023-09-18 20:35:55 UTC 
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
Comment 9 RHEL Program Management 2023-09-18 20:38:02 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.