Bug 811375

Summary: Use keytab to select etypes for krb5_get_init_creds_keytab()
Product: [Fedora] Fedora Reporter: Stef Walter <stefw>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: rawhideCC: jhrozek, ondrejv, sbose, sgallagh, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 956766 (view as bug list) Environment:
Last Closed: 2012-06-15 00:34:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 956766    
Attachments:
Description Flags
Patch which fixes the problem none

Description Stef Walter 2012-04-10 20:26:35 UTC 
It seems that when using krb5_get_init_creds_keytab(), if we don't have
a keytab entry with a key using the first valid etype offered by the server,
then the authentication fails.

For example the keytab created by samba using 'net ads keytab create' contains:

   3 STEF-DESKTOP$@AD.THEWALTER.LAN (des-cbc-crc)
   3 STEF-DESKTOP$@AD.THEWALTER.LAN (des-cbc-md5)
   3 STEF-DESKTOP$@AD.THEWALTER.LAN (arcfour-hmac)

However when I try to use this keytab with SSSD and my Windows 2008 Server, I get the following failure:

(Tue Apr 10 22:21:54 2012) [[sssd[ldap_child[9108]]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Tue Apr 10 22:21:54 2012) [[sssd[ldap_child[9108]]]] [find_principal_in_keytab] (0x0080): No principal matching stef-desktop.thewalter.lan$@AD.THEWALTER.LAN found in keytab.
(Tue Apr 10 22:21:54 2012) [[sssd[ldap_child[9108]]]] [select_principal_from_keytab] (0x0200): Selected principal: STEF-DESKTOP$@AD.THEWALTER.LAN
(Tue Apr 10 22:21:54 2012) [[sssd[ldap_child[9108]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [STEF-DESKTOP$@AD.THEWALTER.LAN]
[9108] 1334089314.79075: Getting initial credentials for STEF-DESKTOP$@AD.THEWALTER.LAN
[9108] 1334089314.79235: Sending request (196 bytes) to AD.THEWALTER.LAN
[9108] 1334089314.80090: Resolving hostname dc.ad.thewalter.lan.
[9108] 1334089314.80804: Sending initial UDP request to dgram 192.168.12.10:88
[9108] 1334089314.82538: Received answer from dgram 192.168.12.10:88
[9108] 1334089314.82777: Response was not from master KDC
[9108] 1334089314.82798: Received error from KDC: -1765328359/Additional pre-authentication required
[9108] 1334089314.82834: Processing preauth types: 16, 15, 19, 2
[9108] 1334089314.82847: Selected etype info: etype aes256-cts, salt "AD.THEWALTER.LANhoststef-desktop.ad.thewalter.lan", params ""
[9108] 1334089314.100867: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN from FILE:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: -1765328203/No key table entry found for STEF-DESKTOP$@AD.THEWALTER.LAN
[9108] 1334089314.100973: Preauth module encrypted_timestamp (2) (flags=1) returned: -1765328203/No key table entry found for STEF-DESKTOP$@AD.THEWALTER.LAN
[9108] 1334089314.101033: Produced preauth for next request: (empty)
[9108] 1334089314.101101: Getting initial credentials for STEF-DESKTOP$@AD.THEWALTER.LAN
[9108] 1334089314.101199: Sending request (196 bytes) to AD.THEWALTER.LAN (master)
(Tue Apr 10 22:21:54 2012) [[sssd[ldap_child[9108]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Generic preauthentication failure

As you'll note kerberos selected the aes256-cts enctype as that was the first one offered by the server. However our keytab didn't contain that enctype.

After applying the patch we see the following behavior:

(Tue Apr 10 22:21:30 2012) [[sssd[ldap_child[8434]]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Tue Apr 10 22:21:30 2012) [[sssd[ldap_child[8434]]]] [find_principal_in_keytab] (0x0080): No principal matching stef-desktop.thewalter.lan$@AD.THEWALTER.LAN found in keytab.
(Tue Apr 10 22:21:30 2012) [[sssd[ldap_child[8434]]]] [select_principal_from_keytab] (0x0200): Selected principal: STEF-DESKTOP$@AD.THEWALTER.LAN
(Tue Apr 10 22:21:30 2012) [[sssd[ldap_child[8434]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [STEF-DESKTOP$@AD.THEWALTER.LAN]
(Tue Apr 10 22:21:30 2012) [[sssd[ldap_child[8434]]]] [ldap_child_get_tgt_sync] (0x0200): Loaded 3 enctypes from keytab for STEF-DESKTOP$@AD.THEWALTER.LAN
[8434] 1334089290.741565: Getting initial credentials for STEF-DESKTOP$@AD.THEWALTER.LAN
[8434] 1334089290.741696: Sending request (193 bytes) to AD.THEWALTER.LAN
[8434] 1334089290.742423: Resolving hostname dc.ad.thewalter.lan.
[8434] 1334089290.743722: Sending initial UDP request to dgram 192.168.12.10:88
[8434] 1334089290.745430: Received answer from dgram 192.168.12.10:88
[8434] 1334089290.745716: Response was not from master KDC
[8434] 1334089290.745745: Received error from KDC: -1765328359/Additional pre-authentication required
[8434] 1334089290.745783: Processing preauth types: 16, 15, 11, 19, 2
[8434] 1334089290.745805: Selected etype info: etype rc4-hmac, salt "", params ""
[8434] 1334089290.745820: Selected etype info: etype rc4-hmac, salt "", params ""
[8434] 1334089290.760170: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN from FILE:/etc/krb5.keytab (vno 0, enctype rc4-hmac) with result: 0/Success
[8434] 1334089290.760229: AS key obtained for encrypted timestamp: rc4-hmac/470C
[8434] 1334089290.760291: Encrypted timestamp (for 1334089290.760238): plain 301AA011180F32303132303431303230323133305AA10502030B99AE, encrypted 546748A09B97ED96144527146CA931F16256EB5C918CBA546E5983AEBDF09E274134A0D41423F5F2A409BEC3A4D1172A2069407B
[8434] 1334089290.760309: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[8434] 1334089290.760319: Produced preauth for next request: 2
[8434] 1334089290.760340: Sending request (269 bytes) to AD.THEWALTER.LAN
[8434] 1334089290.760964: Resolving hostname dc.ad.thewalter.lan.
[8434] 1334089290.761391: Sending initial UDP request to dgram 192.168.12.10:88
[8434] 1334089290.762394: Received answer from dgram 192.168.12.10:88
[8434] 1334089290.762586: Response was not from master KDC
[8434] 1334089290.762620: AS key determined by preauth: rc4-hmac/470C
[8434] 1334089290.762658: Decrypted AS reply; session key is: rc4-hmac/2600
[8434] 1334089290.762666: FAST negotiation: unavailable
[8434] 1334089290.762707: Initializing FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with default princ STEF-DESKTOP$@AD.THEWALTER.LAN

Version-Release number of selected component (if applicable):

git master as of today. 1.8.90 is in version.m4

I also posted a patch upstream, in case the mit krb5 guys think that they should be doing this automatically. But in any case this is a fix we want for RHEL7, whether upstream or here in sssd.
Comment 1 Stef Walter 2012-04-10 20:28:55 UTC 
Created attachment 576590 [details]
Patch which fixes the problem
Comment 2 Jakub Hrozek 2012-04-10 20:46:27 UTC 
Hi Stef,
first, thank you very much for the patch!

I haven't tested it, but from casual read it seems quite good. Would you be willing to tailor it so that it conforms to our coding style? The full document can be seen at http://www.freeipa.org/page/Coding_Style There are two things that would be nice to have changed:

* the temporary memory context allocated on NULL is usually called tmp_ctx
* we tend to use curly brackets even if there is only one statement after a loop or an if (not always, but usually, exceptions being shorthands such as if(!ptr) return ENOMEM)
Comment 3 Stephen Gallagher 2012-04-10 22:42:35 UTC 
Thanks for the patch, Stef.

I have a few additional comments:

* As a general style preference, please don't increment at the same time as assignment. Prefer:
etypes[count] = entry.key.enctype;
count++;
over
etypes[count++] = entry.key.enctype;

While they are functionally identical, the former is easier to grok at a quick glance.

* Please keep lines to 79 characters

* Please open an RFE against Kerberos to export the internal function to identify which enctypes are stronger.

* You're returning type krb5_error_code, but you also return ENOMEM in one place. Please replace this with an appropriate krb5_error_code value.

* This function does not handle memory well if it fails at any point. It would be better to allocate on a tmp_ctx and then talloc_steal() onto mem_ctx only just before returning. Right now, if krb5_kt_next_entry() ever returns anything but KRB5_KT_END or if talloc_realloc() fails (after the first one), you'll be effectively leaking any memory that was allocated by talloc_realloc(). (In reality, it will still be attached to mem_ctx but unreachable and unfreeable until mem_ctx is freed).

* You need to check that the final talloc_realloc() succeeds.

* I feel like it would be a cleaner interface if sss_krb5_read_etypes_for_keytab() returns the number of entries in the etype_list, rather than using talloc_array_length(), which will include the NULL entry.

* On a related note, you have a comment stating that you will NULL-terminate the list, but never do. Either the comment or logic is wrong.

Finally, we generally prefer that patches are submitted to upstream via https://fedorahosted.org/mailman/listinfo/sssd-devel so they are more visible.
Comment 4 Dmitri Pal 2012-04-11 16:14:23 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1297
Comment 5 Simo Sorce 2012-04-11 16:33:30 UTC 
Stef,
how did you create the keytab in the first place ?
Although I am find making SSSD more robust, keytabs are supposed to contin exclusively kys available also on the KDC.
so having an ecntype not available there is a bug in the keytab creation more than a bug in applications using it.
Comment 6 Stef Walter 2012-04-11 16:59:00 UTC 
The keytab was created with samba3's: net ads keytab create

The keytab contains:

Keytab name: FILE:/data/build/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/stef-desktop.thewalter.lan.LAN (des-cbc-crc) 
   2 host/stef-desktop.thewalter.lan.LAN (des-cbc-md5) 
   2 host/stef-desktop.thewalter.lan.LAN (arcfour-hmac) 
   2 host/stef-desktop.LAN (des-cbc-crc) 
   2 host/stef-desktop.LAN (des-cbc-md5) 
   2 host/stef-desktop.LAN (arcfour-hmac) 
   2 STEF-DESKTOP$@AD.THEWALTER.LAN (des-cbc-crc) 
   2 STEF-DESKTOP$@AD.THEWALTER.LAN (des-cbc-md5) 
   2 STEF-DESKTOP$@AD.THEWALTER.LAN (arcfour-hmac) 
   3 host/stef-desktop.thewalter.lan.LAN (des-cbc-crc) 
   3 host/stef-desktop.thewalter.lan.LAN (des-cbc-md5) 
   3 host/stef-desktop.thewalter.lan.LAN (arcfour-hmac) 
   3 host/stef-desktop.LAN (des-cbc-crc) 
   3 host/stef-desktop.LAN (des-cbc-md5) 
   3 host/stef-desktop.LAN (arcfour-hmac) 
   3 STEF-DESKTOP$@AD.THEWALTER.LAN (des-cbc-crc) 
   3 STEF-DESKTOP$@AD.THEWALTER.LAN (des-cbc-md5) 
   3 STEF-DESKTOP$@AD.THEWALTER.LAN (arcfour-hmac) 

Even if the keytab is not 'technically' correct, I'd like to see this become less brittle and more maintenance free. Barely anyone understands these Kerberos issues and terminology, especially the AD admins and users we're targetting. So issues like this shouldn't come up in the wild.
Comment 7 Stef Walter 2012-04-17 16:56:02 UTC 
Btw Stephen, thanks for the review. Doing some work upstream on this. Will complete that before continuing on this bug.
Comment 8 Ondrej Valousek 2012-04-26 09:38:02 UTC 
Verified this bug still exists in F17
Comment 9 Stephen Gallagher 2012-05-07 14:32:05 UTC 
Fix committed upstream.
Comment 10 Fedora Update System 2012-05-30 19:58:29 UTC 
sssd-1.8.4-12.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/sssd-1.8.4-12.fc17
Comment 11 Fedora Update System 2012-05-30 20:11:41 UTC 
sssd-1.8.4-12.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/sssd-1.8.4-12.fc16
Comment 12 Fedora Update System 2012-06-01 17:01:20 UTC 
Package sssd-1.8.4-12.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.4-12.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8700/sssd-1.8.4-12.fc16
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2012-06-15 00:34:35 UTC 
sssd-1.8.4-12.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2012-06-15 00:35:06 UTC 
sssd-1.8.4-12.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.