Bug
Resolution: Unresolved
Minor
rhel-9.1.0
Moderate
rhel-sst-idm-ipa
ssg_idm
Known Issue
Done
Unspecified
Description of problem:
Heimdal client fails to authenticate a user against MIT krb5 KDC.
Version-Release number of selected component (if applicable):
krb5-server-1.19.1-22.el9.x86_64
heimdal-workstation-7.7.0-8.fc34.x86_64
crypto-policies=DEFAULT
RHEL-9.1.0-20220708.0
How reproducible:
Steps to Reproduce:
1. Install MIT krb5 KDC and add user (with REQUIRES_PRE_AUTH attribute)
(conf file kdc.conf was attached)
Generate certificates for client and KDC with the help of this script:
https://gitlab.cee.redhat.com/identity-management/krb5-tests/-/blob/RHEL9.1/tests/Sanity/heimdal-sanity/make_pkinit_cert.sh
./make_pkinit_cert.sh ca ca
server certs:
./make_pkinit_cert.sh kdc kdc CA=ca CN=$HostName REALM=TEST.REDHAT.COM CLIENT=$HostName
client certs:
./make_pkinit_cert.sh client $krb5User CA=ca CN=$krb5User
./make_pkinit_cert.sh client-sign $krb5User CA=ca CN=$krb5User REALM=TEST.REDHAT.COM CLIENT=$krb5User
2. Set Heimdal client
(conf file heimdal-kdc.conf was attached)
3. Try kinit as alice:
#KRB5_CONFIG=/tmp/heimdal_krb5.conf heimdal-kinit -C FILE:/tmp/alice.pem,/tmp/alicekey.pem alice@TEST.REDHAT.COM
Actual results:
#KRB5_CONFIG=/tmp/tmp.i1QDKE5BV9/heimdal_krb5.conf heimdal-kinit -C FILE:/tmp/tmp.i1QDKE5BV9/alice.pem,/tmp/tmp.i1QDKE5BV9/alicekey.pem alice@TEST.REDHAT.COM
heimdal-kinit: krb5_get_init_creds: PREAUTH_FAILED
krb5kdc log:
Jul 12 03:40:22 ci-vm-10-0-138-184.hosted.upshift.rdu2.redhat.com krb5kdc[18481](info): preauth (pkinit) verify failure: Key parameters not accepted
Jul 12 03:40:22 ci-vm-10-0-138-184.hosted.upshift.rdu2.redhat.com krb5kdc[18481](info): AS_REQ (2 etypes) 10.0.138.184: PREAUTH_FAILED: alice@TEST.REDHAT.COM for krbtgt/TEST.REDHAT.COM@TEST.REDHAT.COM, Key parameters not accepted
Expected results:
heimdal-kinit should pass with the MIT krb5 KDC.
Additional info:
NOTE: The Heimdal client can be authenticated without PKINIT against the Heimdal KDC.
NOTE: The certificates should be correct, because PKINIT works and the user was authenticated when the Heimdal client and the Heimdal KDC were used.
- KRB5_CONFIG=/tmp/tmp.DYLNOriJro/heimdal_krb5.conf heimdal-kinit -C FILE:/tmp/tmp.DYLNOriJro/alice.pem,/tmp/tmp.DYLNOriJro/alicekey.pem alice
- KRB5_CONFIG=/tmp/tmp.DYLNOriJro/heimdal_krb5.conf heimdal-klist
Credentials cache: FILE:/tmp/heimdal_ccache
Principal: alice@TEST.REDHAT.COM
Issued Expires Principal
Jul 12 04:11:31 2022 Jul 13 04:11:31 2022 krbtgt/TEST.REDHAT.COM@TEST.REDHAT.COM
heimdal-kdc.log
2022-07-12T04:11:01 KDC started master process pid=24225
2022-07-12T04:11:01 KDC worker process started: 24226
2022-07-12T04:11:31 AS-REQ alice@TEST.REDHAT.COM from IPv4:10.0.138.184 for krbtgt/TEST.REDHAT.COM@TEST.REDHAT.COM
2022-07-12T04:11:31 Client sent patypes: PK-INIT(ietf), 132, REQ-ENC-PA-REP
2022-07-12T04:11:31 Looking for PK-INIT(ietf) pa-data -- alice@TEST.REDHAT.COM
2022-07-12T04:11:31 PK-INIT request of type PK-INIT-IETF
2022-07-12T04:11:31 Trying to authorize PK-INIT subject DN CN=alice,OU=dummyunit,O=DummyCompany Ltd,L=Brno,S=Moravia,C=CZ
2022-07-12T04:11:31 Found matching PK-INIT SAN in certificate
2022-07-12T04:11:31 PKINIT pre-authentication succeeded -- alice@TEST.REDHAT.COM using CN=alice,OU=dummyunit,O=DummyCompany Ltd,L=Brno,S=Moravia,C=CZ
2022-07-12T04:11:31 PK-INIT using dh RFC2412-MODP-group2
2022-07-12T04:11:31 PK-INIT(ietf) pre-authentication succeeded -- alice@TEST.REDHAT.COM
2022-07-12T04:11:31 AS-REQ authtime: 2022-07-12T04:11:31 starttime: unset endtime: 2022-07-13T04:11:31 renew till: unset
2022-07-12T04:11:31 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, aes128-cts-hmac-sha256-128, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2022-07-12T04:11:31 Requested flags: forwardable
2022-07-12T04:11:31 sending 2668 bytes to IPv4:10.0.138.184
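Added diagnostic (not part of the bug report, and not code from the krb5 or Heimdal projects): the MIT KDC's "Key parameters not accepted" is the PKINIT error raised when the client's Diffie-Hellman parameters fall below the KDC's pkinit_dh_min_bits (MIT documents a default of 2048), and the Heimdal KDC log above shows the client negotiating RFC2412-MODP-group2, which is a 1024-bit group. The script below cross-checks the two logs and the MIT kdc.conf so that this hypothesis can be confirmed or ruled out on the attached configuration; the log lines and kdc.conf fragment embedded in it are constructed from the ones quoted above, and the MODP group table only lists the groups named in the comments.

```shell
#!/bin/sh
# Added diagnostic: compare the DH group a Heimdal PKINIT client used
# against the minimum modulus size an MIT krb5 KDC will accept.

# Modulus sizes of the Oakley/MODP groups Heimdal names in its KDC log
# (RFC 2412 group 2 is 1024-bit; RFC 3526 groups 14 and 16 are 2048/4096-bit).
modp_bits() {
    case "$1" in
        RFC2412-MODP-group2)  echo 1024 ;;
        RFC3526-MODP-group14) echo 2048 ;;
        RFC3526-MODP-group16) echo 4096 ;;
        *)                    echo 0 ;;
    esac
}

# Pull the DH group name out of Heimdal KDC log lines on stdin, e.g.
#   2022-07-12T04:11:31 PK-INIT using dh RFC2412-MODP-group2
heimdal_dh_group() {
    sed -n 's/.*PK-INIT using dh \([^ ]*\).*/\1/p' | head -n 1
}

# Pull the pkinit verify-failure reason out of krb5kdc log lines on stdin, e.g.
#   ... krb5kdc[18481](info): preauth (pkinit) verify failure: Key parameters not accepted
mit_pkinit_failure() {
    sed -n 's/.*preauth (pkinit) verify failure: //p' | head -n 1
}

# Read pkinit_dh_min_bits from an MIT kdc.conf on stdin; fall back to MIT's
# documented default of 2048 when the option is not set.
kdc_min_bits() {
    bits=$(sed -n 's/^[[:space:]]*pkinit_dh_min_bits[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${bits:-2048}"
}

# Verdict: returns 1 (and says why) when the client's group is too small.
check_dh() { # $1 = MODP group name, $2 = KDC minimum bits
    bits=$(modp_bits "$1")
    if [ "$bits" -lt "$2" ]; then
        echo "too-small: $1 is $bits bits, KDC requires $2"
        return 1
    fi
    echo "ok: $1 is $bits bits, KDC requires $2"
}

# --- constructed sample input, modelled on the logs quoted in the report ---
HEIMDAL_LOG='2022-07-12T04:11:31 PK-INIT using dh RFC2412-MODP-group2'
MIT_LOG='Jul 12 03:40:22 kdc.example.test krb5kdc[18481](info): preauth (pkinit) verify failure: Key parameters not accepted'
KDC_CONF='[kdcdefaults]
 kdc_ports = 88
'   # no pkinit_dh_min_bits line, so the MIT default applies

group=$(printf '%s\n' "$HEIMDAL_LOG" | heimdal_dh_group)
reason=$(printf '%s\n' "$MIT_LOG" | mit_pkinit_failure)
min=$(printf '%s\n' "$KDC_CONF" | kdc_min_bits)

echo "MIT KDC rejected PKINIT with: $reason"
if check_dh "$group" "$min"; then
    echo "DH size is not the cause; look at the certificate or CMS checks instead"
else
    echo "raise the client's DH group or lower pkinit_dh_min_bits on the KDC to test"
fi
```

On the report's own numbers this prints "too-small: RFC2412-MODP-group2 is 1024 bits, KDC requires 2048". Whether the Heimdal client's group can be raised through its configuration, and whether the fix belongs on the client or the KDC, is not something the report settles; the script only narrows the failure to the DH parameter check that the MIT log message names.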