RHEL-19943

Wrong salt in keytab file for user with a password starting in underscore

    • Bug
    • Resolution: Unresolved
    • rhel-8.8.0
    • krb5
    • Low
    • rhel-sst-idm-ipa
    • ssg_idm
    • Red Hat Enterprise Linux
    • x86_64

      What were you trying to do that didn't work? Create a keytab file for an AD user

      Please provide the package NVR for which the bug is seen:

      1. cat /etc/redhat-release
        Red Hat Enterprise Linux release 8.8 (Ootpa)
      2. rpm -qa | grep krb5
        krb5-workstation-1.18.2-25.el8_8.x86_64
        krb5-devel-1.18.2-25.el8_8.x86_64
        krb5-libs-1.18.2-25.el8_8.x86_64
        sssd-krb5-common-2.8.2-3.el8_8.x86_64
        sssd-krb5-2.8.2-3.el8_8.x86_64

        How reproducible:

        Steps to reproduce

      1. Create an AD user tpprecdpadm with a password starting in underscore.
      2. Create a keytab file with ktutil: addent -password -p tpprecdpadm -k 1 -e aes256-cts
      3. kinit -kt file.keytab tpprecdpadm

      Expected results

      Working keytab file

      Actual results

      The created keytab contains a wrong salt: the name of the user is getting modified from tpprecdpadm to tcpprecdpadm.


      KRB5_TRACE=/dev/stdout kinit -kt /tmp/test2.keytab tpprecdpadm@REALM

      [486446] 1702974090.916016: Getting initial credentials for tpprecdpadm@REALM
      [486446] 1702974090.916017: Looked up etypes in keytab: aes256-cts
      [486446] 1702974090.916019: Sending unauthenticated request
      [486446] 1702974090.916020: Sending request (222 bytes) to REALM
      [486446] 1702974090.916021: Sending initial UDP request to dgram IP:88
      [486446] 1702974091.922125: Sending initial UDP request to dgram IP:88
      [486446] 1702974091.922126: Received answer (212 bytes) from dgram IP:88
      [486446] 1702974091.922127: Response was from master KDC
      [486446] 1702974091.922128: Received error from KDC: -1765328359/Additional pre-authentication required
      [486446] 1702974091.922131: Preauthenticating using KDC method data
      [486446] 1702974091.922132: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
      [486446] 1702974091.922133: Selected etype info: etype aes256-cts, salt "REALMtcpprecdpadm", params ""
      [486446] 1702974091.922134: Retrieving tpprecdpadm@REALM from FILE:/tmp/test2.keytab (vno 0, enctype aes256-cts) with result: 0/Success
      [486446] 1702974091.922135: AS key obtained for encrypted timestamp: aes256-cts/0842
      [486446] 1702974091.922137: Encrypted timestamp (for 1702974091.988556): plain 301AA011180F32303233313231393038323133315AA10502030F158C, encrypted 1F0A86C2E3667403654BA1E6026FEB8B0686707DB21C056CDA2C6E953FB4D25E2AA9096C877589E2F506D3164533EF65ABC9E5DBB2621D7D
      [486446] 1702974091.922138: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
      [486446] 1702974091.922139: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
      [486446] 1702974091.922140: Sending request (302 bytes) to REALM
      [486446] 1702974091.922141: Sending initial UDP request to dgram IP:88
      [486446] 1702974092.007687: Received answer (178 bytes) from dgram IP:88
      [486446] 1702974092.007688: Response was from master KDC
      [486446] 1702974092.007689: Received error from KDC: -1765328360/Preauthentication failed

      kinit: Preauthentication failed while getting initial credentials
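The trace above shows the KDC advertising the salt "REALMtcpprecdpadm" (with empty params, so the RFC 3962 default of 4096 iterations) while the keytab entry was built by ktutil from the password with whatever salt ktutil chose. The following is an added example, not part of this bug report or of krb5: it implements the RFC 3962 aes256-cts string-to-key in standard-library Go so that the key printed by `klist -Kekt file.keytab` can be compared against the key each candidate salt produces. The realm "EXAMPLE.COM" and password "_Secret1" are placeholders; only the two user-name spellings come from the report.

```go
package main
import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// 128-fold("kerberos") from RFC 3961 A.1: the DK constant used by string-to-key.
var kerberosNfold, _ = hex.DecodeString("6b65726265726f737b9b5b2b93132b93")

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 2898) using only the standard library.
func pbkdf2SHA1(password, salt []byte, count, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(binary.BigEndian.AppendUint32(append([]byte{}, salt...), block)) // salt || INT(block)
		t := mac.Sum(nil)
		for i, u := 1, t; i < count; i++ { // U_i = HMAC(U_{i-1}); T ^= U_i
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// StringToKey is RFC 3962 string-to-key for aes256-cts: DK(PBKDF2(pass, salt, count, 32), "kerberos").
// Count 4096 is the default when the KDC's etype-info2 has empty params, as in the trace above.
func StringToKey(passphrase, salt string, count int) []byte {
	c, _ := aes.NewCipher(pbkdf2SHA1([]byte(passphrase), []byte(salt), count, 32)) // 32-byte key: no error
	k := make([]byte, 32) // DR on a single CTS block is a plain AES block encryption, chained
	c.Encrypt(k[:16], kerberosNfold)
	c.Encrypt(k[16:], k[:16])
	return k
}

func main() { // constructed placeholders, not the report's real realm or password
	key := StringToKey("_Secret1", "EXAMPLE.COMtcpprecdpadm", 4096) // stands in for what klist -Kekt prints
	for _, salt := range []string{"EXAMPLE.COMtpprecdpadm", "EXAMPLE.COMtcpprecdpadm"} {
		fmt.Printf("salt %q reproduces the keytab key: %v\n", salt, string(StringToKey("_Secret1", salt, 4096)) == string(key))
	}
}
```

A key that matches neither spelling means ktutil used yet another salt (or iteration count); a key that matches only one tells you which name the keytab was really built for.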

              Julien Rische (jrische@redhat.com)
              Gerardo Vázquez Rodŕiguez (gerardovr, inactive)
              Julien Rische
              IPA QE Bot