Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-4910

Invalid KDC signature encryption type for PAC [rhel-8]

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • rhel-8.7.0
    • krb5
    • sst_idm_ipa
    • ssg_idm
    • False
    • Hide

      None

      Show
      None
    • Known Issue
    • Hide
      .IdM to AD cross-realm TGS requests fail

      The Privilege Attribute Certificate (PAC) information in IdM Kerberos tickets is now signed with AES SHA-2 HMAC encryption, which is not supported by Active Directory (AD).

      Consequently, IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with the following error:

      ----
      Generic error (see e-text) while getting credentials for <service principal>
      ----
      Show
      .IdM to AD cross-realm TGS requests fail The Privilege Attribute Certificate (PAC) information in IdM Kerberos tickets is now signed with AES SHA-2 HMAC encryption, which is not supported by Active Directory (AD). Consequently, IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with the following error: ---- Generic error (see e-text) while getting credentials for <service principal> ----
    • Done

      +++ This bug was initially created as a clone of Bug #2060421 +++

      Description of problem:

      [root@master ~]# ipa trust-find
      ---------------
      1 trust matched
      ---------------
      Realm name: win19-13r8.test
      Domain NetBIOS name: WIN19-13R8
      Domain Security Identifier: S-1-5-21-3829174166-1252505095-3327585824
      Trust type: Active Directory domain
      ----------------------------
      Number of entries returned 1
      ----------------------------

      [root@master ~]# klist -e
      Ticket cache: KCM:0
      Default principal: admin@TESTREALM1WAY.TEST

      Valid starting Expires Service principal
      03/03/2022 08:42:50 03/04/2022 08:19:50 HTTP/master.testrealm1way.test@TESTREALM1WAY.TEST
      Etype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192
      03/03/2022 08:42:48 03/04/2022 08:19:50 krbtgt/TESTREALM1WAY.TEST@TESTREALM1WAY.TEST
      Etype (skey, tkt): aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha384-192
      [root@master ~]# KRB5_TRACE=/dev/stderr kvno -S cifs ad1-13r8.win19-13r8.test
      [24932] 1646315147.757589: Getting credentials admin@TESTREALM1WAY.TEST -> cifs/ad1-13r8.win19-13r8.test@WIN19-13R8.TEST using ccache KCM:0
      [24932] 1646315147.757590: Retrieving admin@TESTREALM1WAY.TEST -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:0 with result: -1765328243/Matching credential not found
      [24932] 1646315147.757591: Retrieving admin@TESTREALM1WAY.TEST -> cifs/ad1-13r8.win19-13r8.test@WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
      [24932] 1646315147.757592: Retrieving admin@TESTREALM1WAY.TEST -> krbtgt/WIN19-13R8.TEST@WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
      [24932] 1646315147.757593: Retrieving admin@TESTREALM1WAY.TEST -> krbtgt/TESTREALM1WAY.TEST@TESTREALM1WAY.TEST from KCM:0 with result: 0/Success
      [24932] 1646315147.757594: Starting with TGT for client realm: admin@TESTREALM1WAY.TEST -> krbtgt/TESTREALM1WAY.TEST@TESTREALM1WAY.TEST
      [24932] 1646315147.757595: Retrieving admin@TESTREALM1WAY.TEST -> krbtgt/WIN19-13R8.TEST@WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
      [24932] 1646315147.757596: Requesting TGT krbtgt/WIN19-13R8.TEST@TESTREALM1WAY.TEST using TGT krbtgt/TESTREALM1WAY.TEST@TESTREALM1WAY.TEST
      [24932] 1646315147.757597: Generated subkey for TGS request: aes256-sha2/107C
      [24932] 1646315147.757598: etypes requested in TGS request: aes256-sha2, aes256-cts, aes128-sha2, aes128-cts
      [24932] 1646315147.757600: Encoding request body and padata into FAST request
      [24932] 1646315147.757601: Sending request (1948 bytes) to TESTREALM1WAY.TEST
      [24932] 1646315147.757602: Initiating TCP connection to stream 10.0.199.42:88
      [24932] 1646315147.757603: Sending TCP request to stream 10.0.199.42:88
      [24932] 1646315147.757604: Received answer (1804 bytes) from stream 10.0.199.42:88
      [24932] 1646315147.757605: Terminating TCP connection to stream 10.0.199.42:88
      [24932] 1646315147.757606: Response was from primary KDC
      [24932] 1646315147.757607: Decoding FAST response
      [24932] 1646315147.757608: FAST reply key: aes256-sha2/3569
      [24932] 1646315147.757609: TGS reply is for admin@TESTREALM1WAY.TEST -> krbtgt/WIN19-13R8.TEST@TESTREALM1WAY.TEST with session key aes256-cts/349C
      [24932] 1646315147.757610: TGS request result: 0/Success
      [24932] 1646315147.757611: Received TGT for WIN19-13R8.TEST; advancing current realm
      [24932] 1646315147.757612: Retrieving admin@TESTREALM1WAY.TEST -> krbtgt/WIN19-13R8.TEST@WIN19-13R8.TEST from KCM:0 with result: -1765328243/Matching credential not found
      [24932] 1646315147.757613: Requesting TGT krbtgt/WIN19-13R8.TEST@WIN19-13R8.TEST using TGT krbtgt/WIN19-13R8.TEST@TESTREALM1WAY.TEST
      [24932] 1646315147.757614: Generated subkey for TGS request: aes256-cts/6248
      [24932] 1646315147.757615: etypes requested in TGS request: aes256-sha2, aes256-cts, aes128-sha2, aes128-cts
      [24932] 1646315147.757617: Encoding request body and padata into FAST request
      [24932] 1646315147.757618: Sending request (1812 bytes) to WIN19-13R8.TEST
      [24932] 1646315147.757619: Initiating TCP connection to stream 10.0.199.57:88
      [24932] 1646315147.757620: Sending TCP request to stream 10.0.199.57:88
      [24932] 1646315147.757621: Received answer (331 bytes) from stream 10.0.199.57:88
      [24932] 1646315147.757622: Terminating TCP connection to stream 10.0.199.57:88
      [24932] 1646315147.757623: Response was from primary KDC
      [24932] 1646315147.757624: Decoding FAST response
      [24932] 1646315147.757625: TGS request result: -1765328324/Generic error (see e-text)
      kvno: Generic error (see e-text) while getting credentials for cifs/ad1-13r8.win19-13r8.test@WIN19-13R8.TEST

      From krb5kdc.log:
      Mar 03 08:45:47 master.testrealm1way.test krb5kdc[24353](info): TGS_REQ (4 etypes

      {aes256-cts-hmac-sha384-192(20), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}

      ) 10.0.199.42: ISSUE: authtime 1646314968, etypes

      {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}

      , admin@TESTREALM1WAY.TEST for krbtgt/WIN19-13R8.TEST@TESTREALM1WAY.TEST

      I think we've seen this issue when developing krb5 1.20 upstream, so it needs to be re-verified with 1.20 when rebase happens.

            jrische@redhat.com Julien Rische
            rhn-support-amore Anuja More
            Julien Rische Julien Rische
            Michal Polovka Michal Polovka
            Louise McGarry Louise McGarry
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated: