#5666 unable to authenticate ktdreyer@FEDORAPROJECT.ORG with a keytab
Closed: Will Not/Can Not fix 7 years ago Opened 7 years ago by ktdreyer.

I've tried to authenticate with a keytab for ktdreyer@FEDORAPROJECT.ORG, and I cannot get it to work for the life of me.

I can kinit ktdreyer@FEDORAPROJECT.ORG and type my password just fine, and I get a proper TGT. It's just that when I create a keytab with ktutil and try to authenticate, I don't get the successful AS-REP from the KDC. Instead I get a KRB Error: KRB5KRB_AP_ERR_BAD_INTEGRITY.

Looking at the Krb5 traffic in Wireshark, I don't see anything obvious. After my client sends the preauth'd AS-REQ, the KDC replies with:

error-code: eRR-BAD-INTEGRITY (31)
e-text: PREAUTH_FAILED

One thing that is confusing to me is that when I run kvno ktdreyer@FEDORAPROJECT.ORG, I see it print "kvno = 3". But when I look at a successful AS-REP in Wireshark (where I typed in my password), I see the KDC is setting the kvno to "1". (For what it's worth, I've tried writing a keytab with kvno as "1" and as "3", and neither keytab worked.)

Any tips are appreciated!


Currently the way we have things set up, only admin users can make keytabs. :(

@puiterwijk can provide more details.

What's your use case? Just wanting to not type your password? Or?

:hotsprings:

Thanks Kevin (I didn't know IPA could do that - are there any docs for that feature where I could read more about it?)

You're right, I wanted to avoid typing my password. It would be nice to also be able to use kstart to allow my TGT to last for the lifetime of the task (and not longer).

Sounds like this won't work out. From #fedora-apps today:

< ktdreyer> as far as I know, I should be able to use ktutil to construct 
            something that gets me a TGT, right?
< puiterwijk> ktdreyer: you shouldn't be able to. When you use a keytab, 
              if I recall correctly, it sends the ticket back encrypted 
              with your krb secret in the ldap directory. But you don't 
              have this krb secret. Normally this is derived from your 
              password, but not with IPA, as its ipa-getkeytab tool 
              (which you cannot use) generates and stores a separate key 
              for that
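For readers who want to see what a keytab actually contains before trying it against the KDC, here is an added example (not from the ticket, and not MIT Kerberos code) that parses the MIT keytab format and flags entries whose kvno differs from what `kvno` reported; the sample keytab and its all-0x11 key are constructed. A key mismatch of the kind puiterwijk describes is not visible in the file itself, only in the KDC's PREAUTH_FAILED reply, so this check can rule out the principal, enctype and kvno but not the key.

```python
import struct

# RFC 3961/3962 enctype numbers commonly found in keytabs
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def parse_keytab(data):
    """Parse an MIT keytab (version 0x0502, big-endian) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                      # negative size marks a deleted slot: skip it
            pos -= size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", body[:2])
        names, off = [], 2
        for _ in range(ncomp + 1):        # v2 layout: realm first, then the components
            (n,) = struct.unpack(">H", body[off:off + 2])
            names.append(body[off + 2:off + 2 + n].decode())
            off += 2 + n
        realm, comps = names[0], names[1:]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", body[off:off + 9])
        enctype, klen = struct.unpack(">HH", body[off + 9:off + 13])
        off += 13 + klen                  # step over the key bytes; they are never printed
        kvno = vno8
        if off + 4 <= len(body):          # optional 32-bit kvno wins when it is non-zero
            kvno = struct.unpack(">I", body[off:off + 4])[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "key_len": klen})
    return entries

def kvno_mismatches(entries, principal, kdc_kvno):
    """Entries for `principal` whose kvno differs from what `kvno <principal>` reported."""
    return [e for e in entries if e["principal"] == principal and e["kvno"] != kdc_kvno]

def build_entry(realm, comps, kvno, enctype, key):
    """Encode one keytab entry; used here only to construct the sample file below."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)             # NT-PRINCIPAL, timestamp 0
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one aes256 entry for the ticket's principal with a dummy all-0x11 key
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("FEDORAPROJECT.ORG", ["ktdreyer"], 3, 18, b"\x11" * 32)
```

Running `parse_keytab` on a real file written by ktutil (read it in binary mode) gives the same view as `klist -kte`, and `kvno_mismatches` with the number printed by `kvno` shows the kvno 1 versus 3 discrepancy described in the ticket.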

Metadata Update from @kevin:
- Issue tagged with: authentication

7 years ago

Metadata Update from @puiterwijk:
- Issue close_status updated to: Will Not/Can Not fix
- Issue status updated to: Closed (was: Open)

7 years ago

