Bug 2060421 - Invalid KDC signature encryption type for PAC [rhel-9]
Summary: Invalid KDC signature encryption type for PAC [rhel-9]
Keywords:
Status: VERIFIED
Alias: None
Deadline: 2023-06-05
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: krb5
Version: 9.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Julien Rische
QA Contact: Ganna Kaihorodova
lmcgarry
URL:
Whiteboard:
Depends On: 2016312 2027125 2124463
Blocks: 2209621
TreeView+ depends on / blocked
 
Reported: 2022-03-03 13:57 UTC by Alexander Bokovoy
Modified: 2023-08-17 09:49 UTC (History)
5 users (show)

Fixed In Version: krb5-1.21.1-1.el9
Doc Type: Known Issue
Doc Text:
.IdM to AD cross-realm TGS requests fail The Privilege Attribute Certificate (PAC) information in IdM Kerberos tickets is now signed with AES SHA-2 HMAC encryption, which is not supported by Active Directory (AD). Consequently, IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with the following error: ---- Generic error (see e-text) while getting credentials for <service principal> ----
Clone Of:
: 2125182 2209621 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
freeipa-4.10.2-1.fc38 no support for enctype on S4U2Proxy (55.57 KB, text/plain)
2023-07-28 12:39 UTC, Julien Rische 		no flags Details
freeipa-4.10.2-1.fc38 enctype accepted by AD with S4U2Proxy (633.32 KB, text/plain)
2023-07-31 08:35 UTC, Julien Rische 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Github krb5 krb5 pull 1268 0 None open Use non-RFC 8009 enctypes to sign KDC checksum in PAC structure 2022-09-23 15:56:00 UTC
Gitlab redhat/centos-stream/rpms krb5 merge_requests 40 0 None opened New upstream version (1.21.1) 2023-08-02 14:41:34 UTC
Red Hat Issue Tracker FREEIPA-7926 0 None None None 2022-03-03 14:02:38 UTC
Red Hat Issue Tracker RHELPLAN-114373 0 None None None 2022-10-03 08:29:41 UTC

Description Alexander Bokovoy 2022-03-03 13:57:09 UTC 
[root@master ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: win19-13r8.test
  Domain NetBIOS name: WIN19-13R8
  Domain Security Identifier: S-1-5-21-3829174166-1252505095-3327585824
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------


[root@master ~]# klist -e
Ticket cache: KCM:0
Default principal: admin

Valid starting       Expires              Service principal
03/03/2022 08:42:50  03/04/2022 08:19:50  HTTP/master.testrealm1way.test
	Etype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192 
03/03/2022 08:42:48  03/04/2022 08:19:50  krbtgt/TESTREALM1WAY.TEST
	Etype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192 
[root@master ~]# KRB5_TRACE=/dev/stderr kvno -S cifs ad1-13r8.win19-13r8.test
[24932] 1646315147.757589: Getting credentials admin -> cifs/ad1-13r8.win19-13r8.test using ccache KCM:0
[24932] 1646315147.757590: Retrieving admin -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757591: Retrieving admin -> cifs/ad1-13r8.win19-13r8.test from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757592: Retrieving admin -> krbtgt/WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757593: Retrieving admin -> krbtgt/TESTREALM1WAY.TEST from KCM:0 with result: 0/Success
[24932] 1646315147.757594: Starting with TGT for client realm: admin -> krbtgt/TESTREALM1WAY.TEST
[24932] 1646315147.757595: Retrieving admin -> krbtgt/WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757596: Requesting TGT krbtgt/WIN19-13R8.TEST using TGT krbtgt/TESTREALM1WAY.TEST
[24932] 1646315147.757597: Generated subkey for TGS request: aes256-sha2/107C
[24932] 1646315147.757598: etypes requested in TGS request: aes256-sha2, aes256-cts, aes128-sha2, aes128-cts
[24932] 1646315147.757600: Encoding request body and padata into FAST request
[24932] 1646315147.757601: Sending request (1948 bytes) to TESTREALM1WAY.TEST
[24932] 1646315147.757602: Initiating TCP connection to stream 10.0.199.42:88
[24932] 1646315147.757603: Sending TCP request to stream 10.0.199.42:88
[24932] 1646315147.757604: Received answer (1804 bytes) from stream 10.0.199.42:88
[24932] 1646315147.757605: Terminating TCP connection to stream 10.0.199.42:88
[24932] 1646315147.757606: Response was from primary KDC
[24932] 1646315147.757607: Decoding FAST response
[24932] 1646315147.757608: FAST reply key: aes256-sha2/3569
[24932] 1646315147.757609: TGS reply is for admin -> krbtgt/WIN19-13R8.TEST with session key aes256-cts/349C
[24932] 1646315147.757610: TGS request result: 0/Success
[24932] 1646315147.757611: Received TGT for WIN19-13R8.TEST; advancing current realm
[24932] 1646315147.757612: Retrieving admin -> krbtgt/WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757613: Requesting TGT krbtgt/WIN19-13R8.TEST using TGT krbtgt/WIN19-13R8.TEST
[24932] 1646315147.757614: Generated subkey for TGS request: aes256-cts/6248
[24932] 1646315147.757615: etypes requested in TGS request: aes256-sha2, aes256-cts, aes128-sha2, aes128-cts
[24932] 1646315147.757617: Encoding request body and padata into FAST request
[24932] 1646315147.757618: Sending request (1812 bytes) to WIN19-13R8.TEST
[24932] 1646315147.757619: Initiating TCP connection to stream 10.0.199.57:88
[24932] 1646315147.757620: Sending TCP request to stream 10.0.199.57:88
[24932] 1646315147.757621: Received answer (331 bytes) from stream 10.0.199.57:88
[24932] 1646315147.757622: Terminating TCP connection to stream 10.0.199.57:88
[24932] 1646315147.757623: Response was from primary KDC
[24932] 1646315147.757624: Decoding FAST response
[24932] 1646315147.757625: TGS request result: -1765328324/Generic error (see e-text)
kvno: Generic error (see e-text) while getting credentials for cifs/ad1-13r8.win19-13r8.test

From krb5kdc.log:
Mar 03 08:45:47 master.testrealm1way.test krb5kdc[24353](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.0.199.42: ISSUE: authtime 1646314968, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin for krbtgt/WIN19-13R8.TEST

I think we've seen this issue when developing krb5 1.20 upstream, so it needs to be re-verified with 1.20 when rebase happens.
Comment 1 Alexander Bokovoy 2022-03-03 13:58:56 UTC 
This is for two-way trust between IPA and Active Directory.
Comment 2 Alexander Bokovoy 2022-03-03 15:34:40 UTC 
Reproduction steps:

1. Install RHEL in FIPS mode
2. Run 'update-crypto-policies --set FIPS:AD-SUPPORT'
3. Install RHEL IdM in FIPS mode and enable for trust (ipa-server-install --setup-adtrust --setup-dns ...)
4. Establish trust with AD (ipa trust-add ad.domain --two-way=true)
5. Try to acquire a ticket to a service on AD side like in the description.
Comment 6 Julien Rische 2022-03-16 12:00:51 UTC 
According to the Windows documentation[1], the root cause of KRB_ERR_GENERIC (0x3C) can be one of the following ones:

* Group membership has overloaded the PAC.
* Multiple recent password changes have not propagated.
* Crypto subsystem error caused by running out of memory.
* SPN too long.
* SPN has too many parts.

I guess here, it's probably a cryptographic error. I still have to figure out how I can get this kind of logs on Windows Server.

[1] https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
Comment 27 Julien Rische 2022-09-23 15:56:00 UTC 
Cross-realm IPA/AD TGS and S4U2Self requests are failing because the PAC "KDC (privilege server)" checksum (which is in fact a signature) generated by MIT krb5 is using the strongest encryption type permitted by the Kerberos configuration. In IPA's case, since support for RFC8009[1]'s encryption types was added[2], this encryption type is AES256-CTS-HMAC-SHA384-192.

However, the only supported encryption types allowed for this purpose by MS-PAC[3] are:

 * RC4-HMAC (which is no longer allowed by RHEL MIT krb5)
 * AES128-CTS-HMAC-SHA1-96
 * AES256-CTS-HMAC-SHA1-96

As a consequence, AD rejects the PACs generated by IPA since they contain unsupported checksum types. A way to filter encryption types used for PAC signatures has to be added to MIT krb5. This is being discussed upstream[4].


Kerberos
    Record Mark: 2605 bytes
    tgs-req
        pvno: 5
        msg-type: krb-tgs-req (12)
        padata: 4 items
            PA-DATA pA-TGS-REQ
                padata-type: pA-TGS-REQ (1)
                    padata-value: 6e8206ab308206a7a003020105a10302010ea20703050000000000a38205bc618205b830…
                        ap-req
                            pvno: 5
                            msg-type: krb-ap-req (14)
                            Padding: 0
                            ap-options: 00000000
                            ticket
                                tkt-vno: 5
                                realm: TESTREALM.TEST
                                sname
                                enc-part
                                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                    kvno: 1
                                    cipher: 7dffe293c57e857d0467a517d247a0380bfddc9e3b102bd2607da2d7e704b91ecdc8e675…
                                        Decrypted keytype 18 usage 2 using keytab principal krbtgt/AD-5NXB.TEST (id=keytab.79 same=0) (422399f7...)
                                        encTicketPart
                                            Padding: 0
                                            flags: 40290000
                                            key
                                            crealm: TESTREALM.TEST
                                            cname
                                            transited
                                            authtime: 2022-09-21 13:29:22 (UTC)
                                            endtime: 2022-09-22 13:04:45 (UTC)
                                            authorization-data: 2 items
                                                AuthorizationData item
                                                    ad-type: aD-IF-RELEVANT (1)
                                                    ad-data: 308203fa308203f6a00402020080a18203ec048203e80700000000000000010000000002…
                                                        AuthorizationData item
                                                            ad-type: aD-WIN2K-PAC (128)
                                                            ad-data: 0700000000000000010000000002000078000000000000000c000000d600000078020000…
                                                                Verified Server checksum 16 keytype 18 using keytab principal krbtgt/AD-5NXB.TEST (id=keytab.79 same=0) (422399f7...)
                                                                Verified KDC checksum 20 keytype 20 using keytab principal krbtgt/TESTREALM.TEST (id=keytab.6 same=0) (ed71e537...)
                                                                Num Entries: 7
                                                                Version: 0
                                                                Type: Logon Info (1)
                                                                Type: UPN DNS Info (12)
                                                                Type: Unknown (17)
                                                                Type: Unknown (18)
                                                                Type: Client Info Type (10)
                                                                Type: Server Checksum (6)
                                                                Type: Privsvr Checksum (7)
                                                                    Size: 28
                                                                    Offset: 968
                                                                    PAC_PRIVSVR_CHECKSUM: 14000000023601ab62a5ea65a8221c6683a38000eab07a107d34d385
                                                                        Type: 20
                                                                        Signature: 023601ab62a5ea65a8221c6683a38000eab07a107d34d385


[1] https://datatracker.ietf.org/doc/html/rfc8009
[2] https://pagure.io/freeipa/c/09d5b938c128d8bb01ae40b5d736a266c6075b39
[3] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/3122bf00-ea87-4c3f-92a0-91c0a99f5eec
[4] https://github.com/krb5/krb5/pull/1268
Comment 28 Julien Rische 2022-09-23 16:17:38 UTC 
(In reply to Julien Rische from comment #27)
> Cross-realm IPA/AD TGS and S4U2Self requests are failing because the PAC
> "KDC (privilege server)" checksum (which is in fact a signature) generated
> by MIT krb5 is using the strongest encryption type permitted by the Kerberos
> configuration.

Actually it is not based on the strongest permitted encryption type setting, but on the strongest encryption type key of the krbtgt/<realm>@<realm> entry.
Comment 49 Julien Rische 2023-07-28 12:39:35 UTC 
Created attachment 1980434 [details]
freeipa-4.10.2-1.fc38 no support for enctype on S4U2Proxy

The pac_privsvr_enctype string attribute allowing to configure the encryption type of the KDC signature should fix this issue in krb5 1.21. However I face the following error on Fedora 38 with the freeipa-4.10.2-1.fc38 update[1]:

$ KRB5_TRACE=/dev/stderr kvno -U admin -P cifs/dc-ut96.ad-ut96.test
[13475] 1690302326.763953: Getting credentials admin\@IPA.TEST -> host/cli.ipa.test using ccache KCM:0
[13475] 1690302326.763954: Retrieving host/cli.ipa.test -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:0 with result: -1765328243/Matching credential not found
[13475] 1690302326.763955: Retrieving admin\@IPA.TEST -> host/cli.ipa.test from KCM:0 with result: 0/Success
cifs/dc-ut96.ad-ut96.test: kvno = 1
[13475] 1690302326.763956: Retrieving  -> cifs/dc-ut96.ad-ut96.test from KCM:0 with result: -1765328243/Matching credential not found
[13475] 1690302326.763957: Getting credentials host/cli.ipa.test -> krbtgt/IPA.TEST using ccache KCM:0
[13475] 1690302326.763958: Retrieving host/cli.ipa.test -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:0 with result: -1765328243/Matching credential not found
[13475] 1690302326.763959: Retrieving host/cli.ipa.test -> krbtgt/IPA.TEST from KCM:0 with result: 0/Success
[13475] 1690302326.763960: Get cred via TGT krbtgt/IPA.TEST after requesting cifs/dc-ut96.ad-ut96.test (canonicalize on)
[13475] 1690302326.763961: Generated subkey for TGS request: aes256-cts/7285
[13475] 1690302326.763962: etypes requested in TGS request: aes256-cts, aes256-sha2, camellia256-cts, aes128-sha2, aes128-cts, camellia128-cts
[13475] 1690302326.763964: Encoding request body and padata into FAST request
[13475] 1690302326.763965: Sending request (4518 bytes) to AD-UT96.TEST
[13475] 1690302326.763966: Sending DNS URI query for _kerberos.AD-UT96.TEST.
[13475] 1690302326.763967: No URI records found
[13475] 1690302326.763968: Sending DNS SRV query for _kerberos._udp.AD-UT96.TEST.
[13475] 1690302326.763969: SRV answer: 0 100 88 "dc-ut96.ad-ut96.test."
[13475] 1690302326.763970: Sending DNS SRV query for _kerberos._tcp.AD-UT96.TEST.
[13475] 1690302326.763971: SRV answer: 0 100 88 "dc-ut96.ad-ut96.test."
[13475] 1690302326.763972: Resolving hostname dc-ut96.ad-ut96.test.
[13475] 1690302326.763973: Resolving hostname dc-ut96.ad-ut96.test.
[13475] 1690302326.763974: Initiating TCP connection to stream 10.0.197.117:88
[13475] 1690302326.763975: Sending TCP request to stream 10.0.197.117:88
[13475] 1690302326.763976: Received answer (96 bytes) from stream 10.0.197.117:88
[13475] 1690302326.763977: Terminating TCP connection to stream 10.0.197.117:88
[13475] 1690302326.763978: Sending DNS URI query for _kerberos.AD-UT96.TEST.
[13475] 1690302326.763979: No URI records found
[13475] 1690302326.763980: Sending DNS SRV query for _kerberos-master._tcp.AD-UT96.TEST.
[13475] 1690302326.763981: No SRV records found
[13475] 1690302326.763982: Response was not from primary KDC
[13475] 1690302326.763983: Got cred; -1765328370/KDC has no support for encryption type
kvno: KDC has no support for encryption type cifs/dc-ut96.ad-ut96.test: constrained delegation failed

The network trace is in attachment.

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2023-95e3fe4d76
Comment 50 Julien Rische 2023-07-31 08:35:28 UTC 
Created attachment 1980834 [details]
freeipa-4.10.2-1.fc38 enctype accepted by AD with S4U2Proxy

Alexander told me this was caused by the fact I was providing the realm explicitly for the target principal in the kvno command. Indeed, using the "@" without the realm name causes the client to not skip the cross-realm TGT request:

$ kvno -U admin -P cifs/dc-xk57.ad-xk57.test@
Comment 51 Julien Rische 2023-08-02 14:41:35 UTC 
CentOS Stream 9 merge request:
https://gitlab.com/redhat/centos-stream/rpms/krb5/-/merge_requests/40
Note You need to log in before you can comment on or make changes to this bug.