2209621 – Invalid KDC signature encryption type for PAC [rawhide]

Bug 2209621 - Invalid KDC signature encryption type for PAC [rawhide]

Summary: Invalid KDC signature encryption type for PAC [rawhide]

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	krb5
Sub Component:
Version:	39
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Julien Rische
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:	2016312 2027125 2060421 2124463
Blocks:
TreeView+	depends on / blocked

Reported:	2023-05-24 09:27 UTC by Julien Rische
Modified:	2024-02-19 17:00 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	2060421
Environment:
Last Closed:	2024-02-19 16:59:10 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-9915	0	None	None	None	2023-05-24 09:28:34 UTC

Description Julien Rische 2023-05-24 09:27:32 UTC

+++ This bug was initially created as a clone of Bug #2060421 +++

[root@master ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: win19-13r8.test
  Domain NetBIOS name: WIN19-13R8
  Domain Security Identifier: S-1-5-21-3829174166-1252505095-3327585824
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------


[root@master ~]# klist -e
Ticket cache: KCM:0
Default principal: admin

Valid starting       Expires              Service principal
03/03/2022 08:42:50  03/04/2022 08:19:50  HTTP/master.testrealm1way.test
	Etype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192 
03/03/2022 08:42:48  03/04/2022 08:19:50  krbtgt/TESTREALM1WAY.TEST
	Etype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192 
[root@master ~]# KRB5_TRACE=/dev/stderr kvno -S cifs ad1-13r8.win19-13r8.test
[24932] 1646315147.757589: Getting credentials admin -> cifs/ad1-13r8.win19-13r8.test using ccache KCM:0
[24932] 1646315147.757590: Retrieving admin -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757591: Retrieving admin -> cifs/ad1-13r8.win19-13r8.test from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757592: Retrieving admin -> krbtgt/WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757593: Retrieving admin -> krbtgt/TESTREALM1WAY.TEST from KCM:0 with result: 0/Success
[24932] 1646315147.757594: Starting with TGT for client realm: admin -> krbtgt/TESTREALM1WAY.TEST
[24932] 1646315147.757595: Retrieving admin -> krbtgt/WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757596: Requesting TGT krbtgt/WIN19-13R8.TEST using TGT krbtgt/TESTREALM1WAY.TEST
[24932] 1646315147.757597: Generated subkey for TGS request: aes256-sha2/107C
[24932] 1646315147.757598: etypes requested in TGS request: aes256-sha2, aes256-cts, aes128-sha2, aes128-cts
[24932] 1646315147.757600: Encoding request body and padata into FAST request
[24932] 1646315147.757601: Sending request (1948 bytes) to TESTREALM1WAY.TEST
[24932] 1646315147.757602: Initiating TCP connection to stream 10.0.199.42:88
[24932] 1646315147.757603: Sending TCP request to stream 10.0.199.42:88
[24932] 1646315147.757604: Received answer (1804 bytes) from stream 10.0.199.42:88
[24932] 1646315147.757605: Terminating TCP connection to stream 10.0.199.42:88
[24932] 1646315147.757606: Response was from primary KDC
[24932] 1646315147.757607: Decoding FAST response
[24932] 1646315147.757608: FAST reply key: aes256-sha2/3569
[24932] 1646315147.757609: TGS reply is for admin -> krbtgt/WIN19-13R8.TEST with session key aes256-cts/349C
[24932] 1646315147.757610: TGS request result: 0/Success
[24932] 1646315147.757611: Received TGT for WIN19-13R8.TEST; advancing current realm
[24932] 1646315147.757612: Retrieving admin -> krbtgt/WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757613: Requesting TGT krbtgt/WIN19-13R8.TEST using TGT krbtgt/WIN19-13R8.TEST
[24932] 1646315147.757614: Generated subkey for TGS request: aes256-cts/6248
[24932] 1646315147.757615: etypes requested in TGS request: aes256-sha2, aes256-cts, aes128-sha2, aes128-cts
[24932] 1646315147.757617: Encoding request body and padata into FAST request
[24932] 1646315147.757618: Sending request (1812 bytes) to WIN19-13R8.TEST
[24932] 1646315147.757619: Initiating TCP connection to stream 10.0.199.57:88
[24932] 1646315147.757620: Sending TCP request to stream 10.0.199.57:88
[24932] 1646315147.757621: Received answer (331 bytes) from stream 10.0.199.57:88
[24932] 1646315147.757622: Terminating TCP connection to stream 10.0.199.57:88
[24932] 1646315147.757623: Response was from primary KDC
[24932] 1646315147.757624: Decoding FAST response
[24932] 1646315147.757625: TGS request result: -1765328324/Generic error (see e-text)
kvno: Generic error (see e-text) while getting credentials for cifs/ad1-13r8.win19-13r8.test

From krb5kdc.log:
Mar 03 08:45:47 master.testrealm1way.test krb5kdc[24353](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.0.199.42: ISSUE: authtime 1646314968, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin for krbtgt/WIN19-13R8.TEST

I think we've seen this issue when developing krb5 1.20 upstream, so it needs to be re-verified with 1.20 when rebase happens.

Comment 1 Fedora Update System 2023-06-13 13:41:25 UTC

FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569

Comment 2 Fedora Update System 2023-06-13 13:55:32 UTC

FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 3 Fedora Release Engineering 2023-08-16 07:14:28 UTC

This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

Note You need to log in before you can comment on or make changes to this bug.