Thanks to packit, it's been a while since I had to do fedpkg build, and thus kinit for Fedora. But today for reasons I need to again. But this doesn't work:
```
❱❱❱ KRB5_TRACE=/tmp/t kinit -V martinpitt@FEDORAPROJECT.ORG
Using default cache: /tmp/krb5.ccache
Using principal: martinpitt@FEDORAPROJECT.ORG
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
```
This doesn't even ask for the password yet; it fails very early on. I tried this in Fedora 36 and Fedora 37 (in toolbox). fedora-packager-kerberos is installed.
trace log:
```
[62884] 1667834588.958818: Getting initial credentials for martinpitt@FEDORAPROJECT.ORG
[62884] 1667834588.958820: Sending unauthenticated request
[62884] 1667834588.958821: Sending request (213 bytes) to FEDORAPROJECT.ORG
[62884] 1667834588.958822: Resolving hostname id.fedoraproject.org
[62884] 1667834589.232121: TLS certificate name matched "id.fedoraproject.org"
[62884] 1667834589.232122: Sending HTTPS request to https 38.145.60.21:443
[62884] 1667834589.232123: Received answer (261 bytes) from https 38.145.60.21:443
[62884] 1667834589.232124: Terminating TCP connection to https 38.145.60.21:443
[62884] 1667834589.232125: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[62884] 1667834589.232126: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[62884] 1667834589.232127: Response was from primary KDC
[62884] 1667834589.232128: Received error from KDC: -1765328359/Additional pre-authentication required
[62884] 1667834589.232131: Preauthenticating using KDC method data
[62884] 1667834589.232132: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[62884] 1667834589.232133: Received cookie: MIT
[62884] 1667834589.232134: PKINIT client has no configured identity; giving up
[62884] 1667834589.232135: Preauth module pkinit (147) (info) returned: 0/Success
[62884] 1667834589.232136: PKINIT client received freshness token from KDC
[62884] 1667834589.232137: Preauth module pkinit (150) (info) returned: 0/Success
[62884] 1667834589.232138: PKINIT client has no configured identity; giving up
[62884] 1667834589.232139: Preauth module pkinit (16) (real) returned: 22/Invalid argument
```
"soon"?
I was able to get a ticket at Mon 7 Nov 15:31:19 UTC 2022 using
```
kdestroy -A
KRB5_TRACE=/tmp/k fkinit -u smooge
```
Looking at the trace, it is the same until around "Response was from primary KDC":
```
[248080] 1667835022.416590: Getting initial credentials for @FEDORAPROJECT.ORG
[248080] 1667835022.416592: Sending unauthenticated request
[248080] 1667835022.416593: Sending request (223 bytes) to FEDORAPROJECT.ORG
[248080] 1667835022.416594: Resolving hostname id.fedoraproject.org
[248080] 1667835022.416595: TLS certificate name matched "id.fedoraproject.org"
[248080] 1667835022.416596: Sending HTTPS request to https 38.145.60.20:443
[248080] 1667835022.416597: Received answer (347 bytes) from https 38.145.60.20:443
[248080] 1667835022.416598: Terminating TCP connection to https 38.145.60.20:443
[248080] 1667835022.416599: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[248080] 1667835022.416600: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[248080] 1667835022.416601: Response was from primary KDC
[248080] 1667835022.416602: Received error from KDC: -1765328359/Additional pre-authentication required
[248080] 1667835022.416605: Preauthenticating using KDC method data
[248080] 1667835022.416606: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[248080] 1667835022.416607: Selected etype info: etype aes256-cts, salt "FEDORAPROJECT.ORGWELLKNOWNANONYMOUS", params ""
[248080] 1667835022.416608: Received cookie: MIT
[248080] 1667835022.416609: Preauth module pkinit (147) (info) returned: 0/Success
[248080] 1667835022.416610: PKINIT client received freshness token from KDC
[248080] 1667835022.416611: Preauth module pkinit (150) (info) returned: 0/Success
[248080] 1667835022.416612: PKINIT loading CA certs and CRLs from FILE
[248080] 1667835022.416613: PKINIT client computed kdc-req-body checksum 9/EB431B971DD64C37E417E8683BFFE59A4D093208
[248080] 1667835022.416615: PKINIT client making DH request
[248080] 1667835022.416616: Preauth module pkinit (16) (real) returned: 0/Success
[248080] 1667835022.416617: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[248080] 1667835022.416618: Sending request (1436 bytes) to FEDORAPROJECT.ORG
[248080] 1667835022.416619: Resolving hostname id.fedoraproject.org
[248080] 1667835022.416620: TLS certificate name matched "id.fedoraproject.org"
[248080] 1667835022.416621: Sending HTTPS request to https 38.145.60.20:443
[248080] 1667835022.416622: Received answer (2862 bytes) from https 38.145.60.20:443
[248080] 1667835022.416623: Terminating TCP connection to https 38.145.60.20:443
[248080] 1667835022.416624: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[248080] 1667835022.416625: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[248080] 1667835022.416626: Response was from primary KDC
[248080] 1667835022.416627: Processing preauth types: PA-PK-AS-REP (17), PA-PKINIT-KX (147)
[248080] 1667835022.416628: Preauth module pkinit (147) (info) returned: 0/Success
[248080] 1667835022.416629: PKINIT client verified DH reply
[248080] 1667835022.416630: PKINIT client found id-pkinit-san in KDC cert: krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[248080] 1667835022.416631: PKINIT client matched KDC principal krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG against id-pkinit-san; no EKU check required
[248080] 1667835022.416632: PKINIT client used KDF 2B06010502030602 to compute reply key aes256-cts/6539
[248080] 1667835022.416633: Preauth module pkinit (17) (real) returned: 0/Success
[248080] 1667835022.416634: Produced preauth for next request: (empty)
[248080] 1667835022.416635: AS key determined by preauth: aes256-cts/6539
```
```
$ cat /etc/krb5.conf.d/fedoraproject_org
[realms]
FEDORAPROJECT.ORG = {
    kdc = https://id.fedoraproject.org/KdcProxy
    pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt
}

[domain_realm]
.fedoraproject.org = FEDORAPROJECT.ORG
fedoraproject.org = FEDORAPROJECT.ORG
.centos.org = FEDORAPROJECT.ORG
centos.org = FEDORAPROJECT.ORG
```
Could you try:

```
kdestroy -A
KRB5_TRACE=/tmp/k1 fkinit -u martinpitt
```
If you have an OTP you will need to combine that with your regular password at the password prompt
Thanks @smooge! Indeed I moved to 2FA some months ago, and I'm quite sure I never tried to kinit for Fedora since then. However, as I said, with a simple kinit martinpitt@FEDORAPROJECT.ORG it doesn't even get to asking about the password; it fails before that.
With fkinit -u martinpitt it indeed gets further and does ask me about my password (+OTP). That indeed works. So I'll use that from now on. Thank you!
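As an added example (not code from this ticket, from fedora-packager, or from MIT krb5), here is a small Python parser for KRB5_TRACE output that pulls out the facts that distinguish the two traces above: the principal requested, the preauth types the KDC offered, which "real" preauth module returned a non-zero code, and whether an AS reply key was established. Over the failing plain-kinit trace it reports that the KDC offered only PKINIT-family preauth types (no PA-ENC-TIMESTAMP or PA-ETYPE-INFO2, so nothing the client could satisfy with a password) and that the pkinit module for PA-PK-AS-REQ returned 22/Invalid argument after "PKINIT client has no configured identity"; over the fkinit trace it reports an anonymous principal (@FEDORAPROJECT.ORG, WELLKNOWN/ANONYMOUS salt) and a completed DH exchange. The sample lines are excerpts of the traces quoted in this ticket, re-split one record per line; the set of preauth types I count as a "password/OTP path" is my own choice for the diagnosis and is not something the ticket states.

```python
"""Diagnose a KRB5_TRACE log: what the KDC offered and which preauth step failed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

RECORD_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
PRINCIPAL_RE = re.compile(r"Getting initial credentials for (\S+)")
PATYPE_RE = re.compile(r"(PA[-_][A-Za-z0-9_-]+) \((\d+)\)")
MODULE_RE = re.compile(
    r"Preauth module (\S+) \((\d+)\) \((real|info)\) returned: (-?\d+)/(.*)")

# Preauth types that let the client prove a password or OTP instead of a
# certificate.  This set is my own choice for the diagnosis, not from the ticket:
# 2 = PA-ENC-TIMESTAMP, 19 = PA-ETYPE-INFO2, 141/142 = PA-OTP-CHALLENGE/REQUEST.
PASSWORD_PATYPES = {2, 19, 141, 142}


@dataclass
class Diagnosis:
    principal: Optional[str] = None
    offered: List[int] = field(default_factory=list)   # preauth types, in order seen
    failed: List[str] = field(default_factory=list)    # "module(patype): code/text"
    reply_key: Optional[str] = None

    @property
    def anonymous(self) -> bool:
        # Anonymous PKINIT (kinit -n) requests an empty name part: "@REALM".
        return bool(self.principal) and self.principal.startswith("@")

    @property
    def password_path_offered(self) -> bool:
        return bool(PASSWORD_PATYPES & set(self.offered))

    @property
    def succeeded(self) -> bool:
        return self.reply_key is not None and not self.failed


def diagnose(trace: str) -> Diagnosis:
    """Scan one KRB5_TRACE log (one record per line) and summarise the AS exchange."""
    d = Diagnosis()
    for line in trace.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue                       # not a trace record; ignore
        msg = m.group(3)
        if (p := PRINCIPAL_RE.match(msg)):
            d.principal = p.group(1)
        elif msg.startswith("Processing preauth types:"):
            # Union over every round, so a FAST-armored second round is also seen.
            for _name, num in PATYPE_RE.findall(msg):
                if int(num) not in d.offered:
                    d.offered.append(int(num))
        elif (mm := MODULE_RE.match(msg)):
            module, patype, kind, code, text = mm.groups()
            # "info" modules merely annotate; only a "real" module can fail the request.
            if kind == "real" and int(code) != 0:
                d.failed.append(f"{module}({patype}): {code}/{text}")
        elif msg.startswith("AS key determined by preauth:"):
            d.reply_key = msg.split(":", 1)[1].strip()
    return d


def explain(d: Diagnosis) -> str:
    """One-line verdict suitable for a ticket comment."""
    if d.succeeded:
        who = "anonymous" if d.anonymous else d.principal
        return f"OK: {who} obtained reply key {d.reply_key}"
    if not d.password_path_offered and d.failed:
        return (f"FAIL: KDC offered only {d.offered} (no password/OTP preauth), "
                f"and {', '.join(d.failed)}")
    return f"FAIL: {', '.join(d.failed) or 'no reply key established'}"


# Sample input: excerpts of the two traces quoted in this ticket, re-split one
# record per line (the ticket shows them run together).
FAILING_TRACE = """\
[62884] 1667834588.958818: Getting initial credentials for martinpitt@FEDORAPROJECT.ORG
[62884] 1667834589.232128: Received error from KDC: -1765328359/Additional pre-authentication required
[62884] 1667834589.232132: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[62884] 1667834589.232134: PKINIT client has no configured identity; giving up
[62884] 1667834589.232135: Preauth module pkinit (147) (info) returned: 0/Success
[62884] 1667834589.232139: Preauth module pkinit (16) (real) returned: 22/Invalid argument
"""

WORKING_TRACE = """\
[248080] 1667835022.416590: Getting initial credentials for @FEDORAPROJECT.ORG
[248080] 1667835022.416606: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[248080] 1667835022.416607: Selected etype info: etype aes256-cts, salt "FEDORAPROJECT.ORGWELLKNOWNANONYMOUS", params ""
[248080] 1667835022.416616: Preauth module pkinit (16) (real) returned: 0/Success
[248080] 1667835022.416633: Preauth module pkinit (17) (real) returned: 0/Success
[248080] 1667835022.416635: AS key determined by preauth: aes256-cts/6539
"""

if __name__ == "__main__":
    for label, trace in (("plain kinit", FAILING_TRACE), ("fkinit", WORKING_TRACE)):
        print(f"{label}: {explain(diagnose(trace))}")
```

To use it on a fresh capture, run the command with KRB5_TRACE=/tmp/t as in the ticket and pass the file contents to diagnose(); the verdict for the failing run names the offered preauth types and the failing module, which is the first thing to paste into a ticket like this one.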
Metadata Update from @martinpitt: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Issue status updated to: Open (was: Closed)
Metadata Update from @smooge: - Issue assigned to smooge - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: authentication, low-gain, low-trouble, ops
I wanted to update the issue tags so in case someone searches against authentication problems this was found. I am closing it as fixed as the person was given a solution even though we did not determine why the direct command was broken.
Metadata Update from @smooge: - Issue close_status updated to: Fixed with Explanation - Issue status updated to: Closed (was: Open)