Bug
Resolution: Unresolved
Major
rhel-8.7.0
rhel-sst-idm-ipa
ssg_idm
False
Known Issue
Done
Unspecified
+++ This bug was initially created as a clone of Bug #2060421 +++
Description of problem:
[root@master ~]# ipa trust-find
---------------
1 trust matched
---------------
Realm name: win19-13r8.test
Domain NetBIOS name: WIN19-13R8
Domain Security Identifier: S-1-5-21-3829174166-1252505095-3327585824
Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# klist -e
Ticket cache: KCM:0
Default principal: admin@TESTREALM1WAY.TEST
Valid starting Expires Service principal
03/03/2022 08:42:50 03/04/2022 08:19:50 HTTP/master.testrealm1way.test@TESTREALM1WAY.TEST
Etype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192
03/03/2022 08:42:48 03/04/2022 08:19:50 krbtgt/TESTREALM1WAY.TEST@TESTREALM1WAY.TEST
Etype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192
[root@master ~]# KRB5_TRACE=/dev/stderr kvno -S cifs ad1-13r8.win19-13r8.test
[24932] 1646315147.757589: Getting credentials admin@TESTREALM1WAY.TEST -> cifs/ad1-13r8.win19-13r8.test@WIN19-13R8.TEST using ccache KCM:0
[24932] 1646315147.757590: Retrieving admin@TESTREALM1WAY.TEST -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757591: Retrieving admin@TESTREALM1WAY.TEST -> cifs/ad1-13r8.win19-13r8.test@WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757592: Retrieving admin@TESTREALM1WAY.TEST -> krbtgt/WIN19-13R8.TEST@WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757593: Retrieving admin@TESTREALM1WAY.TEST -> krbtgt/TESTREALM1WAY.TEST@TESTREALM1WAY.TEST from KCM:0 with result: 0/Success
[24932] 1646315147.757594: Starting with TGT for client realm: admin@TESTREALM1WAY.TEST -> krbtgt/TESTREALM1WAY.TEST@TESTREALM1WAY.TEST
[24932] 1646315147.757595: Retrieving admin@TESTREALM1WAY.TEST -> krbtgt/WIN19-13R8.TEST@WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757596: Requesting TGT krbtgt/WIN19-13R8.TEST@TESTREALM1WAY.TEST using TGT krbtgt/TESTREALM1WAY.TEST@TESTREALM1WAY.TEST
[24932] 1646315147.757597: Generated subkey for TGS request: aes256-sha2/107C
[24932] 1646315147.757598: etypes requested in TGS request: aes256-sha2, aes256-cts, aes128-sha2, aes128-cts
[24932] 1646315147.757600: Encoding request body and padata into FAST request
[24932] 1646315147.757601: Sending request (1948 bytes) to TESTREALM1WAY.TEST
[24932] 1646315147.757602: Initiating TCP connection to stream 10.0.199.42:88
[24932] 1646315147.757603: Sending TCP request to stream 10.0.199.42:88
[24932] 1646315147.757604: Received answer (1804 bytes) from stream 10.0.199.42:88
[24932] 1646315147.757605: Terminating TCP connection to stream 10.0.199.42:88
[24932] 1646315147.757606: Response was from primary KDC
[24932] 1646315147.757607: Decoding FAST response
[24932] 1646315147.757608: FAST reply key: aes256-sha2/3569
[24932] 1646315147.757609: TGS reply is for admin@TESTREALM1WAY.TEST -> krbtgt/WIN19-13R8.TEST@TESTREALM1WAY.TEST with session key aes256-cts/349C
[24932] 1646315147.757610: TGS request result: 0/Success
[24932] 1646315147.757611: Received TGT for WIN19-13R8.TEST; advancing current realm
[24932] 1646315147.757612: Retrieving admin@TESTREALM1WAY.TEST -> krbtgt/WIN19-13R8.TEST@WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
[24932] 1646315147.757613: Requesting TGT krbtgt/WIN19-13R8.TEST@WIN19-13R8.TEST using TGT krbtgt/WIN19-13R8.TEST@TESTREALM1WAY.TEST
[24932] 1646315147.757614: Generated subkey for TGS request: aes256-cts/6248
[24932] 1646315147.757615: etypes requested in TGS request: aes256-sha2, aes256-cts, aes128-sha2, aes128-cts
[24932] 1646315147.757617: Encoding request body and padata into FAST request
[24932] 1646315147.757618: Sending request (1812 bytes) to WIN19-13R8.TEST
[24932] 1646315147.757619: Initiating TCP connection to stream 10.0.199.57:88
[24932] 1646315147.757620: Sending TCP request to stream 10.0.199.57:88
[24932] 1646315147.757621: Received answer (331 bytes) from stream 10.0.199.57:88
[24932] 1646315147.757622: Terminating TCP connection to stream 10.0.199.57:88
[24932] 1646315147.757623: Response was from primary KDC
[24932] 1646315147.757624: Decoding FAST response
[24932] 1646315147.757625: TGS request result: -1765328324/Generic error (see e-text)
kvno: Generic error (see e-text) while getting credentials for cifs/ad1-13r8.win19-13r8.test@WIN19-13R8.TEST
From krb5kdc.log:
Mar 03 08:45:47 master.testrealm1way.test krb5kdc[24353](info): TGS_REQ (4 etypes ) 10.0.199.42: ISSUE: authtime 1646314968, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@TESTREALM1WAY.TEST for krbtgt/WIN19-13R8.TEST@TESTREALM1WAY.TEST
I think we've seen this issue when developing krb5 1.20 upstream, so it needs to be re-verified with 1.20 when the rebase happens.