#9544 Help to create a keytab to authenticate on Fedora infra kerberos
Closed: Fixed 3 years ago by fbo. Opened 3 years ago by fbo.

Describe what you would like us to do:


Describe the process to create a working keytab to be used with kinit to authenticate on Fedora infra kerberos.

When do you need this to be done by? (2021/01/31)


This is not urgent, but I can only get a working keytab on Fedora 31 with a weak encryption type.
I'd like to be able to move to f32 or f33 asap.

Description


I'm using a keytab that I generated some time ago and I'm using it from an f31 container.
The keytab has been generated using the "rc4-hmac" enctype with ktutil:

ktutil:  addent -password -p fbo@FEDORAPROJECT.ORG -k 1 -e rc4-hmac
Password for fbo@FEDORAPROJECT.ORG: 
ktutil:  write_kt keytab1
ktutil:  q

And this is working fine to authenticate with:

kinit -c /tmp/kinit -k -t keytab1 fbo@FEDORAPROJECT.ORG

Since f32, the enctype is no longer authorized by default, thus I'm generating a new one with a new enctype:

ktutil:  addent -password -p fbo@FEDORAPROJECT.ORG -k 1 -e aes256-cts-hmac-sha1-96
Password for fbo@FEDORAPROJECT.ORG: 
ktutil:  wkt keytab2
ktutil:  q
[root@a96041da4609 data]# KRB5_TRACE=/dev/stderr kinit -k -t ./keytab2 fbo@FEDORAPROJECT.ORG
[59] 1608633426.322215: Getting initial credentials for fbo@FEDORAPROJECT.ORG
[59] 1608633426.322216: Looked up etypes in keytab: aes256-cts
[59] 1608633426.322218: Sending unauthenticated request
[59] 1608633426.322219: Sending request (206 bytes) to FEDORAPROJECT.ORG
[59] 1608633426.322220: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[59] 1608633426.322221: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[59] 1608633426.322222: Resolving hostname id.fedoraproject.org
[59] 1608633426.322223: TLS certificate name matched "id.fedoraproject.org"
[59] 1608633426.322224: Sending HTTPS request to https 18.130.159.183:443
[59] 1608633427.132027: Received answer (309 bytes) from https 18.130.159.183:443
[59] 1608633427.132028: Terminating TCP connection to https 18.130.159.183:443
[59] 1608633427.132029: Response was from master KDC
[59] 1608633427.132030: Received error from KDC: -1765328359/Additional pre-authentication required
[59] 1608633427.132033: Preauthenticating using KDC method data
[59] 1608633427.132034: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[59] 1608633427.132035: Selected etype info: etype aes256-cts, salt "..............", params ""
[59] 1608633427.132036: Received cookie: MIT
[59] 1608633427.132037: Retrieving fbo@FEDORAPROJECT.ORG from FILE:./keytab2 (vno 0, enctype aes256-cts) with result: 0/Success
[59] 1608633427.132038: AS key obtained for encrypted timestamp: aes256-cts/DDFC
[59] 1608633427.132040: Encrypted timestamp (for 1608633427.80545): plain ....., encrypted ....
[59] 1608633427.132041: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[59] 1608633427.132042: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)
[59] 1608633427.132043: Sending request (301 bytes) to FEDORAPROJECT.ORG
[59] 1608633427.132044: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[59] 1608633427.132045: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[59] 1608633427.132046: Resolving hostname id.fedoraproject.org
[59] 1608633427.132047: TLS certificate name matched "id.fedoraproject.org"
[59] 1608633427.132048: Sending HTTPS request to https 140.211.169.206:443
[59] 1608633428.015742: Received answer (309 bytes) from https 140.211.169.206:443
[59] 1608633428.015743: Terminating TCP connection to https 140.211.169.206:443
[59] 1608633428.015744: Response was from master KDC
[59] 1608633428.015745: Received error from KDC: -1765328360/Preauthentication failed
kinit: Preauthentication failed while getting initial credentials

It does not seem to be a credential issue, as I'm able to re-create my keytab with the rc4 enctype and the same creds and then authenticate.

Could you provide me the steps to create a working keytab for Fedora Infra on f33 with a valid enctype (aes256-cts-hmac-sha1-96 or another)?


Metadata Update from @mizdebsk:
- Issue assigned to mizdebsk
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: authentication

3 years ago

First obtain Kerberos ticket with kinit:

$ kinit myusername@FEDORAPROJECT.ORG
Password for myusername@FEDORAPROJECT.ORG:

Then obtain kvno value:

$ kvno myusername@FEDORAPROJECT.ORG
myusername@FEDORAPROJECT.ORG: kvno = 42

Ticket is no longer needed and can be destroyed:

$ kdestroy -p myusername@FEDORAPROJECT.ORG

Generate keytab and write it to disk:

$ ktutil 
ktutil:  addent -password -p myusername@FEDORAPROJECT.ORG -k 42 -f
Password for myusername@FEDORAPROJECT.ORG: 
ktutil:  wkt /tmp/kt/fedora
ktutil:  q

Done. You can now use the keytab to obtain the ticket without typing password:

$ kinit -kt /tmp/kt/fedora myusername@FEDORAPROJECT.ORG

Let me know if this works for you.

Metadata Update from @mizdebsk:
- Issue priority set to: Waiting on Reporter (was: Waiting on Assignee)

3 years ago
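A script that automates the steps in the answer above and adds the check most people want afterwards; it is an added example, not part of the ticket, and assumes the MIT Kerberos client tools (kinit, kvno, kdestroy, ktutil, klist) and the principal and output path given as arguments. The reason the hand-made rc4-hmac entry worked while the aes256 one did not is that AES keys are derived from the password plus a salt chosen by the KDC, whereas rc4-hmac ignores the salt; `-f` fetches that salt from the KDC, and `-k` with the KDC's current kvno keeps the entry consistent with the key the KDC holds.

```bash
#!/usr/bin/env bash
# Added example (not from the ticket): build a Fedora-infra keytab the way the
# answer describes, then verify the entry before trusting it.
set -eu

# Extract the key version number from `kvno` output such as
# "user@REALM: kvno = 42". Prints the number; fails if none is found.
parse_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | grep .
}

# Given `klist -kte` output, return 0 if it lists PRINCIPAL with KVNO and an
# AES enctype, 1 otherwise (an rc4-hmac-only keytab is rejected on f32+).
keytab_has_entry() {
    local listing=$1 principal=$2 kvno=$3
    printf '%s\n' "$listing" |
        grep -Eq "^ *${kvno} .* ${principal} \(aes(128|256)-cts-hmac-sha1-96\)$"
}

# Create a keytab for PRINCIPAL at OUT following the answer step by step.
make_keytab() {
    local principal=$1 out=$2 ver password
    kinit "$principal"                    # ticket is only needed to ask for the kvno
    ver=$(parse_kvno "$(kvno "$principal")")
    kdestroy -p "$principal"
    read -rsp "Password for $principal (keytab): " password; echo
    umask 077                             # the keytab holds a long-term key: owner-only
    # -k uses the KDC's kvno, -f fetches the KDC's salt so the AES key matches
    printf '%s\n' "addent -password -p $principal -k $ver -f" "$password" \
        "wkt $out" "q" | ktutil
    unset password
    keytab_has_entry "$(klist -kte "$out")" "$principal" "$ver" ||
        { echo "keytab $out has no AES entry with kvno $ver" >&2; return 1; }
    kinit -kt "$out" "$principal" && echo "keytab $out works"
}
```

Run it as `make_keytab myusername@FEDORAPROJECT.ORG /tmp/kt/fedora`; if the final `kinit -kt` still fails with "Preauthentication failed", the password changed after the kvno was read and the steps must be repeated.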

Wonderful, thank you @mizdebsk!
It's working!

Metadata Update from @fbo:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
