Bug 1683745 - Issue is that with arcfour-hmac as first encryption type in the config lines, adcli will pick arcfour-hmac to check which kind of salt should be used to encrypt the keys. But since arcfour-hmac does not use salts, all salt types will work and a wrong one
Summary: Issue is that with arcfour-hmac as first encryption type in the config lines,...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: adcli
Version: 7.4
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Sumit Bose
QA Contact: sssd-qe
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks: 1710435 1745932
TreeView+ depends on / blocked
 
Reported: 2019-02-27 17:29 UTC by Abhijit Roy
Modified: 2020-04-24 12:24 UTC (History)
4 users (show)

Fixed In Version: adcli-0.8.1-11.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1745932 (view as bug list)
Environment:
Last Closed: 2020-03-31 19:45:16 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1055 None None None 2020-03-31 19:45:29 UTC

Description Abhijit Roy 2019-02-27 17:29:48 UTC
Description of problem:

issue is that with arcfour-hmac as first encryption type in the config lines, adcli will pick arcfour-hmac to check which kind of salt should be used to encrypt the keys. But since arcfour-hmac does not use salts, all salt types will work and a wrong one is picket for the encryption types which depends on salts. 

keytab does renew automatically but old keytab still remain in the keytab which cause authentication failure.

Below error has been observed in logs


(Wed Jan 9 14:14:56 2019) [[sssd[krb5_child[98347]]]] [validate_tgt] (0x0020): TGT failed verification using key for [restrictedkrbhost/dnacloud-q-vm08.edis.test.com@EDIS.test.COM].
(Wed Jan 9 14:14:56 2019) [[sssd[krb5_child[98347]]]] [get_and_save_tgt] (0x0020): 1581: [-1765328353][Cannot decrypt ticket for restrictedkrbhost/dnacloud-q-vm08.edis.test.com@EDIS.test.COM using keytab key for restrictedkrbhost/dnacloud-q-vm08.edis.test.com@EDIS.test.COM]
(Wed Jan 9 14:14:56 2019) [[sssd[krb5_child[98347]]]] [map_krb5_error] (0x0020): 1657: [-1765328353][Cannot decrypt ticket for restrictedkrbhost/dnacloud-q-vm08.edis.test.com@EDIS.test.COM using keytab key for restrictedkrbhost/dnacloud-q-vm08.edis.test.com@EDIS.test.COM]
(Wed Jan 9 14:14:56 2019) [[sssd[krb5_child[98347]]]] [k5c_send_data] (0x0200): Received error code 1432158226

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Sumit Bose 2019-08-26 08:58:11 UTC
How to reproduce:

- add the following lines to /etc/krb5.conf

    permitted_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
    default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
    default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac

  they do not have to look exactly the same, but 'arcfout-hmac-md5' has to come first in each of the line.

- join a domain while collecting the Kerberos trace output:

$ KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join -K /tmp/test_krb5.keytab -D child.ad.devel -S 192.168.122.151 -v                                                                               
 * Using domain name: child.ad.devel                                                                                                                                                                                                          
 * Calculated computer account name from fqdn: P50                                                                                                                                                                                            
 * Calculated domain realm from name: CHILD.AD.DEVEL                                                                                                                                                                                          
 * Sending netlogon pings to domain controller: cldap://192.168.122.151                                                                                                                                                                       
 * Received NetLogon info from: Child-Server.ChIlD.ad.devel                                                                                                                                                                                   
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-MKFcnv/krb5.d/adcli-krb5-conf-1vjsUW  
...
[12182] 1566808422.85181: Getting initial credentials for P50$@CHILD.AD.DEVEL                               
[12182] 1566808422.85182: Looked up etypes in keytab: aes256-cts, aes128-cts, rc4-hmac, des, des-cbc-crc, des-cbc-crc                                                                                                                         
[12182] 1566808422.85184: Sending unauthenticated request                                                              
[12182] 1566808422.85185: Sending request (204 bytes) to CHILD.AD.DEVEL                        
[12182] 1566808422.85186: Resolving hostname 192.168.122.151                                                    
[12182] 1566808422.85187: Sending initial UDP request to dgram 192.168.122.151:88                               
[12182] 1566808422.85188: Received answer (208 bytes) from dgram 192.168.122.151:88                                                                                                                                                           
[12182] 1566808422.85189: Response was from master KDC                                                                 
[12182] 1566808422.85190: Received error from KDC: -1765328359/Additional pre-authentication required  
[12182] 1566808422.85193: Preauthenticating using KDC method data                                                                                                                                                                             
[12182] 1566808422.85194: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[12182] 1566808422.85195: Selected etype info: etype rc4-hmac, salt "", params ""                                                                                                                                                             
[12182] 1566808422.85196: PKINIT client has no configured identity; giving up                               
[12182] 1566808422.85197: PKINIT client has no configured identity; giving up                               
[12182] 1566808422.85198: Preauth module pkinit (16) (real) returned: 22/Invalid argument                                                                                                                                                     
[12182] 1566808422.85199: PKINIT client ignoring draft 9 offer from RFC 4556 KDC                                                                                                                                                              
[12182] 1566808422.85200: Preauth module pkinit (15) (real) returned: -1765328360/Preauthentication failed                                                                                                                                    
[12182] 1566808422.85201: Retrieving P50$@CHILD.AD.DEVEL from MEMORY:adcli-discover-salt (vno 0, enctype rc4-hmac) with result: 0/Success             <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[12182] 1566808422.85202: AS key obtained for encrypted timestamp: rc4-hmac/2410                                                                      <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[12182] 1566808422.85204: Encrypted timestamp (for 1566808421.856774): plain 301AA011180F32303139303832363038333334315AA10502030D12C6, encrypted B9D6543D6EB61084334C40A71AE69D6525DF9C1C2957646D966ED7F5D633131935774AB906EEF1D9AA25F378D4AF$
8198C1E9585                                                                                                                                                                                                                                   
[12182] 1566808422.85205: Preauth module encrypted_timestamp (2) (real) returned: 0/Success                                                                                                                                                   
[12182] 1566808422.85206: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[12182] 1566808422.85207: Sending request (280 bytes) to CHILD.AD.DEVEL
[12182] 1566808422.85208: Resolving hostname 192.168.122.151
[12182] 1566808422.85209: Sending initial UDP request to dgram 192.168.122.151:88
[12182] 1566808422.85210: Received answer (1338 bytes) from dgram 192.168.122.151:88
[12182] 1566808422.85211: Response was from master KDC
[12182] 1566808422.85212: Salt derived from principal: CHILD.AD.DEVELP50$
[12182] 1566808422.85213: AS key determined by preauth: rc4-hmac/2410
[12182] 1566808422.85214: Decrypted AS reply; session key is: rc4-hmac/5A33
[12182] 1566808422.85215: FAST negotiation: unavailable
 * Discovered which keytab salt to use
...

As can be seen by the 2 marked lines from the Kerberos trace output before the 'Discovered which keytab salt to use' message the encryption type 'rc4-hmac' is use. As a result after the join the new keytab will look like:

$ klist -keKt /tmp/test_krb5.keytab 
Keytab name: FILE:/tmp/test_krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 26.08.2019 10:33:41 P50$@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac)  (0x3af33b02e0a8547348a943b4ff49fad4)
   2 26.08.2019 10:33:41 P50$@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96)  (0x9e00cb3ddec7f2e0afb61021ea29c7f6)
   2 26.08.2019 10:33:41 P50$@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96)  (0x910f7bf04711ea6aba1bdd695e6f57f2097c1bf472f3b3509ba4e07bfffd9045)
   2 26.08.2019 10:33:41 host/P50@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac)  (0x3af33b02e0a8547348a943b4ff49fad4)
   2 26.08.2019 10:33:41 host/P50@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96)  (0x063f5b4f8343be6373cd61d9334a5a5e)
   2 26.08.2019 10:33:41 host/P50@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96)  (0x5b39b8ca99a536ec45d56b308cb98840ddc5f6cb29210eca328f5c4a679976c3)
   2 26.08.2019 10:33:41 host/p50.abc.def@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac)  (0x3af33b02e0a8547348a943b4ff49fad4)
   2 26.08.2019 10:33:41 host/p50.abc.def@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96)  (0x81a8a3d4f7da541b9c615cc26a58ce87)
   2 26.08.2019 10:33:41 host/p50.abc.def@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96)  (0x5c4e22bd3c966b26c3a3e095e6665553fdbb1dd3cec4d0f9061827b3d4ff4479)
   2 26.08.2019 10:33:41 RestrictedKrbHost/P50@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac)  (0x3af33b02e0a8547348a943b4ff49fad4)
   2 26.08.2019 10:33:41 RestrictedKrbHost/P50@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96)  (0xa1326438329090651a42ea6426b85901)
   2 26.08.2019 10:33:41 RestrictedKrbHost/P50@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96)  (0x131ef3b589644fa91e3d927d9aec795e73b4071c99f13ab2bb749ca47032172f)
   2 26.08.2019 10:33:41 RestrictedKrbHost/p50.abc.def@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac)  (0x3af33b02e0a8547348a943b4ff49fad4)
   2 26.08.2019 10:33:41 RestrictedKrbHost/p50.abc.def@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96)  (0x9c6007397be85e04b464e42d8f8caaa2)
   2 26.08.2019 10:33:41 RestrictedKrbHost/p50.abc.def@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96)  (0x403543c3837689a93519f240347c3c43a2a0f55286db640561105993db0229af)

As can be seen the 'arcfour-hmac' keys are the same for all principals, since no salt is used here. But e.g. the 'aes128-cts-hmac-sha1-96' for the different principals are all different because the wrong salt was picked. Same for 'aes256-cts-hmac-sha1-96'.


With the fixed version and the same /etc/krb5.conf the join output will look like:


....
[11976] 1566808302.397651: Retrieving P50$@CHILD.AD.DEVEL from MEMORY:adcli-discover-salt (vno 0, enctype aes256-cts) with result: 0/Success                <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[11976] 1566808302.397652: AS key obtained for encrypted timestamp: aes256-cts/66BA                                                                         <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[11976] 1566808302.397654: Encrypted timestamp (for 1566808301.825524): plain 301AA011180F32303139303832363038333134315AA10502030C98B4, encrypted 5AC00C2ECD3E80006D06E032717AFE63199D4F3BE0C622E48AF57D77E3B05DDB63410691C51F193BDD94507AADBF
312AFC167F961061102E
[11976] 1566808302.397655: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[11976] 1566808302.397656: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[11976] 1566808302.397657: Sending request (284 bytes) to CHILD.AD.DEVEL
[11976] 1566808302.397658: Resolving hostname 192.168.122.151
[11976] 1566808302.397659: Sending initial UDP request to dgram 192.168.122.151:88
[11976] 1566808302.397660: Received answer (1438 bytes) from dgram 192.168.122.151:88
[11976] 1566808302.397661: Response was from master KDC
[11976] 1566808302.397662: Processing preauth types: PA-ETYPE-INFO2 (19)
[11976] 1566808302.397663: Selected etype info: etype aes256-cts, salt "CHILD.AD.DEVELhostp50.child.ad.devel", params ""
[11976] 1566808302.397664: Produced preauth for next request: (empty)
[11976] 1566808302.397665: AS key determined by preauth: aes256-cts/66BA
[11976] 1566808302.397666: Decrypted AS reply; session key is: aes256-cts/56D9
[11976] 1566808302.397667: FAST negotiation: unavailable
 * Discovered which keytab salt to use
....

Now the 2 marked lines show the AES was used. Other encryption types are ok as well, as long as it is not 'rc4-hmac'. The keytab now looks like

$ klist -keKt /tmp/test_krb5.keytab                                                                   
Keytab name: FILE:/tmp/test_krb5.keytab                                                                                                                                                                                                       
KVNO Timestamp           Principal                                                                                     
---- ------------------- ------------------------------------------------------                                        
   2 26.08.2019 10:31:41 P50$@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac)  (0xabdc5031d439ef5be9aea6cfe1ebf622)
   2 26.08.2019 10:31:41 P50$@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96)  (0x3c8a529ece239132aac3fbdf097a9925)           
   2 26.08.2019 10:31:41 P50$@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96)  (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)
   2 26.08.2019 10:31:41 host/P50@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac)  (0xabdc5031d439ef5be9aea6cfe1ebf622)                                                                                                                              
   2 26.08.2019 10:31:41 host/P50@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96)  (0x3c8a529ece239132aac3fbdf097a9925)       
   2 26.08.2019 10:31:41 host/P50@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96)  (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)                                                                                              
   2 26.08.2019 10:31:41 host/p50.Speedport_W_724V_Typ_A_05011603_05_020@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac)  (0xabdc5031d439ef5be9aea6cfe1ebf622)
   2 26.08.2019 10:31:41 host/p50.Speedport_W_724V_Typ_A_05011603_05_020@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96)  (0x3c8a529ece239132aac3fbdf097a9925)                                                                                       
   2 26.08.2019 10:31:41 host/p50.Speedport_W_724V_Typ_A_05011603_05_020@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96)  (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)                                                       
   2 26.08.2019 10:31:41 RestrictedKrbHost/P50@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac)  (0xabdc5031d439ef5be9aea6cfe1ebf622)                                                                                                                 
   2 26.08.2019 10:31:41 RestrictedKrbHost/P50@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96)  (0x3c8a529ece239132aac3fbdf097a9925)                                                                                                                 
   2 26.08.2019 10:31:41 RestrictedKrbHost/P50@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96)  (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)                                                                                 
   2 26.08.2019 10:31:41 RestrictedKrbHost/p50.Speedport_W_724V_Typ_A_05011603_05_020@CHILD.AD.DEVEL (DEPRECATED:arcfour-hmac)  (0xabdc5031d439ef5be9aea6cfe1ebf622)
   2 26.08.2019 10:31:41 RestrictedKrbHost/p50.Speedport_W_724V_Typ_A_05011603_05_020@CHILD.AD.DEVEL (aes128-cts-hmac-sha1-96)  (0x3c8a529ece239132aac3fbdf097a9925)
   2 26.08.2019 10:31:41 RestrictedKrbHost/p50.Speedport_W_724V_Typ_A_05011603_05_020@CHILD.AD.DEVEL (aes256-cts-hmac-sha1-96)  (0xae038d09b6e6c4231f8b98362adfbe37152efc8fa925c930429502400593ebb8)

Now the keys for the different principals are the same for the same encryption type.

Comment 3 Sumit Bose 2019-08-26 09:07:41 UTC
Master:
 - 158468507bb723aa62196846749c23c121d4b298

Comment 5 shridhar 2019-11-22 12:45:25 UTC
Issue is reproduced with old version(test failing) 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    Test run ID   : 22397001
    Package       : adcli
    Installed     : adcli-0.8.1-9.el7.x86_64
    beakerlib RPM : beakerlib-1.18-7.el7bkr.noarch
    bl-redhat RPM : beakerlib-redhat-1-32.el7bkr.noarch
    Test name     : /CoreOS/adcli/Regression/bz1683745-issue-with-arcfour-hmac-as-first-encryption-type


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Issue with arcfour-hmac
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:36:51 ] :: [  BEGIN   ] :: Running 'cat /etc/krb5.conf'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
:: [ 07:36:51 ] :: [   PASS   ] :: Command 'cat /etc/krb5.conf' (Expected 0, got 0)
:: [ 07:36:51 ] :: [  BEGIN   ] :: Running 'cat /tmp/test_krb5.conf'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 permitted_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
 default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
:: [ 07:36:51 ] :: [   PASS   ] :: Command 'cat /tmp/test_krb5.conf' (Expected 0, got 0)
:: [ 07:36:51 ] :: [  BEGIN   ] :: Running 'echo Pass2012! | KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join --verbose -K /tmp/test_krb5.keytab --stdin-password -U Amy-admin -S ad2.baseos.qe -S 10.37.152.15 > /tmp/tmp_1 2>&1'
:: [ 07:36:55 ] :: [   PASS   ] :: Command 'echo Pass2012! | KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join --verbose -K /tmp/test_krb5.keytab --stdin-password -U Amy-admin -S ad2.baseos.qe -S 10.37.152.15 > /tmp/tmp_1 2>&1' (Expected 0, got 0)
:: [ 07:36:55 ] :: [  BEGIN   ] :: Running 'klist -keKt /tmp/test_krb5.keytab > /tmp/tmp_1 2>&1'
:: [ 07:36:55 ] :: [   PASS   ] :: Command 'klist -keKt /tmp/test_krb5.keytab > /tmp/tmp_1 2>&1' (Expected 0, got 0)
Total encryption-types : 
(aes128-cts-hmac-sha1-96)
(aes256-cts-hmac-sha1-96)
(arcfour-hmac)
Total keys: 
(aes128-cts-hmac-sha1-96) (0x0d53c67363e31339127ae4df91857fab)
(aes128-cts-hmac-sha1-96) (0x5c800c9dfb793b3c742749fb39f36bbb)
(aes128-cts-hmac-sha1-96) (0x70f28a3f5c50010beecae7eb211d71c9)
(aes128-cts-hmac-sha1-96) (0x8caf2c17241422bd69e5cfab509fcdf3)
(aes128-cts-hmac-sha1-96) (0xbe746e65c9ac64b90d847432cdcb8f0c)
(aes256-cts-hmac-sha1-96) (0x179762206334dac99e285960d3b05c80f31d2ad670fed4eeb1c548c5a1b91efd)
(aes256-cts-hmac-sha1-96) (0x3745dcb780b938939dc196281e0281930e1e552ca9b78574ccaacf9bc3ed254b)
(aes256-cts-hmac-sha1-96) (0x6edb197da2fd10508eb415b669331c08c7e113633a0ac038885c3f29f80d28cb)
(aes256-cts-hmac-sha1-96) (0xe4df359ef8b7dea620d976abf408c9dc6e3386ab8e6cbcf02b9009c0ed94055f)
(aes256-cts-hmac-sha1-96) (0xf28fc7821b0d789771120ee6d6899b3651924f88ba20ae1bdf59a76aacd804bd)
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503)
Total Number of encryption-types : 3
Total Number of keys: 11
:: [ 07:36:55 ] :: [   FAIL   ] :: All keys with different principals do not have same encryption-type 
:: [ 07:36:55 ] :: [  BEGIN   ] :: Running 'awk -F' ' '{print $5,$6,$4}' /tmp/tmp_1 |sort|awk 'NF'|uniq'
(aes128-cts-hmac-sha1-96) (0x0d53c67363e31339127ae4df91857fab) host/CI-VM-10-0-139-@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0x5c800c9dfb793b3c742749fb39f36bbb) RestrictedKrbHost/CI-VM-10-0-139-@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0x70f28a3f5c50010beecae7eb211d71c9) RestrictedKrbHost/ci-vm-10-0-139-.ad2.baseos.qe@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0x8caf2c17241422bd69e5cfab509fcdf3) CI-VM-10-0-139-$@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0xbe746e65c9ac64b90d847432cdcb8f0c) host/ci-vm-10-0-139-.ad2.baseos.qe@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0x179762206334dac99e285960d3b05c80f31d2ad670fed4eeb1c548c5a1b91efd) RestrictedKrbHost/CI-VM-10-0-139-@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0x3745dcb780b938939dc196281e0281930e1e552ca9b78574ccaacf9bc3ed254b) host/CI-VM-10-0-139-@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0x6edb197da2fd10508eb415b669331c08c7e113633a0ac038885c3f29f80d28cb) RestrictedKrbHost/ci-vm-10-0-139-.ad2.baseos.qe@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0xe4df359ef8b7dea620d976abf408c9dc6e3386ab8e6cbcf02b9009c0ed94055f) host/ci-vm-10-0-139-.ad2.baseos.qe@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0xf28fc7821b0d789771120ee6d6899b3651924f88ba20ae1bdf59a76aacd804bd) CI-VM-10-0-139-$@AD2.BASEOS.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) CI-VM-10-0-139-$@AD2.BASEOS.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) host/CI-VM-10-0-139-@AD2.BASEOS.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) host/ci-vm-10-0-139-.ad2.baseos.qe@AD2.BASEOS.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) RestrictedKrbHost/CI-VM-10-0-139-@AD2.BASEOS.QE
(arcfour-hmac) (0x357bbc11782961efe0a07cc706087503) RestrictedKrbHost/ci-vm-10-0-139-.ad2.baseos.qe@AD2.BASEOS.QE
:: [ 07:36:55 ] :: [   PASS   ] :: Command 'awk -F' ' '{print $5,$6,$4}' /tmp/tmp_1 |sort|awk 'NF'|uniq' (Expected 0, got 0)
:: [ 07:36:55 ] :: [  BEGIN   ] :: Running 'rm -rf /tmp/tmp_1'
:: [ 07:36:55 ] :: [   PASS   ] :: Command 'rm -rf /tmp/tmp_1' (Expected 0, got 0)
:: [ 07:36:55 ] :: [   LOG    ] :: Clean up
:: [ 07:36:55 ] :: [   LOG    ] :: File [/etc/krb5.keytab] doesn't exist, so computer isn't connected to the AD domain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 4s
::   Assertions: 6 good, 1 bad
::   RESULT: FAIL (Issue with arcfour-hmac)





=================================================================
Verified with following data:
Test is passing with
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    Test run ID   : 22641001
    Package       : adcli
    Installed     : adcli-0.8.1-12.el7.x86_64
    beakerlib RPM : beakerlib-1.18-7.el7bkr.noarch
    bl-redhat RPM : beakerlib-redhat-1-32.el7bkr.noarch
    Test name     : /CoreOS/adcli/Regression/bz1683745-issue-with-arcfour-hmac-as-first-encryption-type
    Test version  : 0.1
    Test started  : 2019-11-22 07:44:00 EST


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Issue with arcfour-hmac
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:44:10 ] :: [  BEGIN   ] :: Running 'cat /etc/krb5.conf'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
:: [ 07:44:10 ] :: [   PASS   ] :: Command 'cat /etc/krb5.conf' (Expected 0, got 0)
:: [ 07:44:10 ] :: [  BEGIN   ] :: Running 'cat /tmp/test_krb5.conf'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 permitted_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
 default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
:: [ 07:44:10 ] :: [   PASS   ] :: Command 'cat /tmp/test_krb5.conf' (Expected 0, got 0)
:: [ 07:44:10 ] :: [  BEGIN   ] :: Running 'echo Pass2012! | KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join --verbose -K /tmp/test_krb5.keytab --stdin-password -U Amy-admin -S ad2.baseos.qe -S 10.37.152.15 > /tmp/tmp_1 2>&1'
:: [ 07:44:15 ] :: [   PASS   ] :: Command 'echo Pass2012! | KRB5_TRACE=/dev/stdout KRB5_CONFIG=/tmp/test_krb5.conf /usr/sbin/adcli join --verbose -K /tmp/test_krb5.keytab --stdin-password -U Amy-admin -S ad2.baseos.qe -S 10.37.152.15 > /tmp/tmp_1 2>&1' (Expected 0, got 0)
:: [ 07:44:15 ] :: [  BEGIN   ] :: Running 'klist -keKt /tmp/test_krb5.keytab > /tmp/tmp_1 2>&1'
:: [ 07:44:15 ] :: [   PASS   ] :: Command 'klist -keKt /tmp/test_krb5.keytab > /tmp/tmp_1 2>&1' (Expected 0, got 0)
Total encryption-types : 
(aes128-cts-hmac-sha1-96)
(aes256-cts-hmac-sha1-96)
(arcfour-hmac)
Total keys: 
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d)
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada)
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135)
Total Number of encryption-types : 3
Total Number of keys: 3
:: [ 07:44:15 ] :: [   PASS   ] :: All keys with different principals have same encryption-type 
:: [ 07:44:15 ] :: [  BEGIN   ] :: Running 'awk -F' ' '{print $5,$6,$4}' /tmp/tmp_1 |sort|awk 'NF'|uniq'
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) CI-VM-10-0-138-$@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) host/CI-VM-10-0-138-@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) host/ci-vm-10-0-138-.ad2.baseos.qe@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) RestrictedKrbHost/CI-VM-10-0-138-@AD2.BASEOS.QE
(aes128-cts-hmac-sha1-96) (0x3d8419ee20f81e2392c42478681c124d) RestrictedKrbHost/ci-vm-10-0-138-.ad2.baseos.qe@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) CI-VM-10-0-138-$@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) host/CI-VM-10-0-138-@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) host/ci-vm-10-0-138-.ad2.baseos.qe@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) RestrictedKrbHost/CI-VM-10-0-138-@AD2.BASEOS.QE
(aes256-cts-hmac-sha1-96) (0xe2862062d6d149bbd332344fa77d3e21f9107c67e83348a8704f472878abdada) RestrictedKrbHost/ci-vm-10-0-138-.ad2.baseos.qe@AD2.BASEOS.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) CI-VM-10-0-138-$@AD2.BASEOS.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) host/CI-VM-10-0-138-@AD2.BASEOS.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) host/ci-vm-10-0-138-.ad2.baseos.qe@AD2.BASEOS.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) RestrictedKrbHost/CI-VM-10-0-138-@AD2.BASEOS.QE
(arcfour-hmac) (0x592e80e859d85b162a3d73a60088a135) RestrictedKrbHost/ci-vm-10-0-138-.ad2.baseos.qe@AD2.BASEOS.QE
:: [ 07:44:15 ] :: [   PASS   ] :: Command 'awk -F' ' '{print $5,$6,$4}' /tmp/tmp_1 |sort|awk 'NF'|uniq' (Expected 0, got 0)
:: [ 07:44:15 ] :: [  BEGIN   ] :: Running 'rm -rf /tmp/tmp_1'
:: [ 07:44:15 ] :: [   PASS   ] :: Command 'rm -rf /tmp/tmp_1' (Expected 0, got 0)
:: [ 07:44:15 ] :: [   LOG    ] :: Clean up
:: [ 07:44:15 ] :: [   LOG    ] :: File [/etc/krb5.keytab] doesn't exist, so computer isn't connected to the AD domain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 5s
::   Assertions: 7 good, 0 bad
::   RESULT: PASS (Issue with arcfour-hmac)

Comment 7 errata-xmlrpc 2020-03-31 19:45:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1055


Note You need to log in before you can comment on or make changes to this bug.