krb5 and ADS error using 10.04, not 9.04

Bug #567188 reported by jean-yves chateaux
This bug affects 3 people
Affects: krb5 (Ubuntu)  Importance: Medium  Assigned to: Unassigned
Affects: Lucid  Importance: Medium  Assigned to: Unassigned

Bug Description

Environment:
The installed distributions use kerberos and likewise to identify the user to an Active Directory Server.
The client configuration on 9.04 is basic and efficient. I use the same configuration file (krb5.conf) on 10.04.
Kerberos and likewise come from ubuntu repository for each distribution (9.04 and 10.04).

Description:
Using 9.04 to auth with kerberos/likewise works fine: tickets ok, everything is done at login in one step.
Using 10.04 to auth the same way leads to an error and forbids the access: user login ok but the access to other resources is forbidden, most often returning: KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
The likewise-open5 versions used are the same on both distributions.
I tested with the same versions of kerberos on both distributions and I got the same results.
I thought the "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" was related to a DNS problem, but when I solved this the following appeared:
     the client sends a TGS_REQ, containing the "Encryption type: rc4-hmac (23)", to the server.
     the server answers "KRB5KDC_ERR_ETYPE_NOSUPP (14)"
     10.04 sends a section "Authenticator rc4-hmac (23)" in PA-TGS-REQ , 9.04 doesn't.

There's no such error using ubuntu-9.04.
I grabbed this information by sniffing the local network with Wireshark.

Is there anybody experiencing the same problems?
How can I fix this?
thanks

== Regression details ==
Discovered in version: lucid 10.04 : krb5-user 1.8.1+dfsg-2 with likewise 5.3.0-1
Last known good version: jaunty - krb5-user 1.6.dfsg.4~beta1-5ubuntu2.2 with likewise-open5 5.0.3991.1-0ubuntu2

jean-yves chateaux (jean-yves-chateaux) wrote :

-----------------------------
problem partially solved by downgrading libkrb5 from 10.04 to a lower version supporting the required enctypes.
-----------------------------
If some services use DES, RC4 and AES as enctypes for Kerberos auth, you may have to downgrade libkrb5.

Philip Muškovac (yofel) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. This bug did not have a package associated with it, which is important for ensuring that it gets looked at by the proper developers. You can learn more about finding the right package at https://wiki.ubuntu.com/Bugs/FindRightPackage. I have classified this bug as a bug in krb5.

When reporting bugs in the future please use apport, either via the appropriate application's "Help -> Report a Problem" menu or using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https://wiki.ubuntu.com/ReportingBugs.

affects: ubuntu → krb5 (Ubuntu)
tags: added: lucid regression-potential
Chuck Short (zulcss) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please answer these questions:
1. Is this reproducible?
2. If so, what specific steps should we take to recreate this bug? Be as detailed as possible.
This will help us to find and resolve the problem.

Changed in krb5 (Ubuntu):
importance: Undecided → Medium
status: New → Incomplete
jean-yves chateaux (jean-yves-chateaux) wrote :

The errors are the results of MIT resolution to exclude DES/DES3 from the supported enctypes (security reasons).
The parameter "allow_weak_crypto = true" should be added in the default [libdefaults] section of /etc/krb5.conf.
Adding this parameter solved the errors of the original bug report but leads to a new one: likewise+krb5 cannot get the authenticated user groups correctly from the ADS when trying to browse samba shares using tickets.
It looks like a bug in krb5 when using "allow_weak_crypto = true" in the des/des3 "old school" support.
This support is _not_ like the previous des/des3 krb version support.
MIT isn't really in "verbose mode" about the code they modified to make this partial support ""good enough"".

Taylor Yu (tlyu) wrote : Re: [Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04

jean-yves chateaux <email address hidden> writes:

> The errors are the results of MIT resolution to exclude DES/DES3 from the supported enctypes (security reasons).

DES3 was not marked as "weak". Neither was rc4-hmac (enctype 23).
The "export-grade" rc4-hmac-exp is enctype 24 and was marked as weak,
but that doesn't explain the "KRB5KDC_ERR_ETYPE_NOSUPP" when
requesting rc4-hmac (23).

> The parameter "allow_weak_crypto = true" should be added in the default [libdefaults] section of /etc/krb5.conf.

> Adding this parameter solved the errors of the original bug report but leads to a new one: likewise+krb5 cannot get the authenticated user groups correctly from the ADS when trying to browse samba shares using tickets.

The user groups problem probably has nothing to do with disabling weak
crypto.

I think more information is needed. In particular, what package
versions for the krb5 packages are in each configuration?

jean-yves chateaux (jean-yves-chateaux) wrote :

packages:
9.04 : krb5-user 1.6.dfsg.4~beta1-5ubuntu2.2 with likewise-open5 5.0.3991.1-0ubuntu2
10.04 : krb5-user 1.8.1+dfsg-2 with likewise 5.3.0-1

Sam Hartman (hartmans) wrote :

>>>>> "jean-yves" == jean-yves chateaux <email address hidden> writes:

    jean-yves> The errors are the results of MIT resolution to exclude
    jean-yves> DES/DES3 from the supported enctypes (security reasons).
    jean-yves> The parameter "allow_weak_crypto = true" should be added
    jean-yves> in the default [libdefaults] section of /etc/krb5.conf.

That's very strange. All versions of Windows have supported rc4
(arcfour-hmac-md5 in MIT terms), and no version of Windows should
require DES to work.

If Allow_weak_crypto = true is making things work better with Windows,
something is broken somewhere else to cause this.

    jean-yves> Adding this parameter solved the errors of the original
    jean-yves> bug report but leads to a new one: likewise+krb5 cannot
    jean-yves> get the authenticated user groups correctly from the ADS
    jean-yves> when trying to browse samba shares using tickets. It
    jean-yves> looks like a bug in krb5 when using "allow_weak_crypto =
    jean-yves> true" in the des/des3 "old school" support. This support
    jean-yves> is _not_ like the previous des/des3 krb version support.

That's very strange. There have been some changes in DES support
surrounding reorganization of libk5crypto, however at this point, I
think we have fairly high confidence in that code.

Note that allow_weak_crypto is not new in 1.8; the thing that is new in
1.8 is that the default changed from true to false.

--Sam

jean-yves chateaux (jean-yves-chateaux) wrote :

> If Allow_weak_crypto = true is making things work better with Windows,
> something is broken somewhere else to cause this.

Without this parameter in krb5.conf the auth against the ADS to access services like http goes wrong and asks for a login/pass instead of using the kerberos tickets, claiming unsupported enctype.

> I think we have fairly high confidence in that code.

I'm sure too we can have confidence in the MIT code, no problem with that.
It just goes wrong using the last ubuntu version of krb5 when trying to authenticate and browse a samba share that was perfectly browsable with the krb5 version used in 9.04.

Sam Hartman (hartmans) wrote :

>>>>> "jean-yves" == jean-yves chateaux <email address hidden> writes:

    >> If Allow_weak_crypto = true is making things work better with
    >> Windows,
    jean-yves> something is broken somewhere else to cause this.

    jean-yves> Without this parameter in krb5.conf the auth against the
    jean-yves> ADS to access services like http goes wrong and asks for a
    jean-yves> login/pass instead of using the kerberos tickets,
    jean-yves> claiming unsupported enctype.

This sounds like a problem outside of the krb5 package.

jean-yves chateaux (jean-yves-chateaux) wrote :

After days of tests it seems it's a Kerberos ticket forwarding problem, smbclient replying with an SPNEGO error claiming a lack of information from Kerberos.
The group resolving problem looks like an issue with ticket forwarding (forwardable and forward true in appdefaults): the filer requires login/pass.
Downgrading smbclient does not fix the problem.
There was no problem with this filer when I used an Ubuntu 9 workstation and kerberos/likewise.

Troc Ster (tom-m7sys) wrote :

I have encountered this issue as well. I use pam_kerberos and AD for authentication and login authorization; this works fine.

However, this issue affects Kerberos-mediated Single Sign On to Apache sites using mod_auth_kerb.so version 5.1 on the web server and the krb5 libraries on 10.04 (this used to work fine in 9.04). The SSO web authentication fails and falls back to less desirable methods (username/password).

The issue is resolved by adding "allow_weak_crypto = true" in /etc/krb5.conf

Package: krb5-user
Version: 1.8.1+dfsg-2

Package: firefox
Version: 3.6.3+nobinonly-0ubuntu4

the wireshark trace shows the client doing a TGS-REQ to the kdc where the
padata: PA-TGS-REQ
    -> value .. AP-REQ
        -> Authenticator rc4-hmac
            -> Encryption type: rc4-hmac (23)
            -> Authenticator data: ........

the response is a KRB-ERROR with error code KRB5KDC_ERR_ETYPE_NOSUPP

after adding "allow_weak_crypto = true" the TGS-REQ to the kdc is responded with a TGS-REP which includes a ticket. The SSO session with the apache server continues, and the wireshark trace shows the following in the http headers :

GSS-API
    -> SPNEGO
         -> negTokenInit
                -> krb5_blob
                       -> Kerberos AP-REQ
                             -> Authenticator des-cbc-crc
                                    -> Encryption type: des-cbc-crc (1)
                                    -> Authenticator data: ....

Will add more info if needed. For now the extra line works. Thank you for the suggestion.

Sam Hartman (hartmans) wrote :

My guess is that the DES only checkbox is checked in your AD
configuration for the service account used by the Apache server. If you
clear that checkbox and generate a keytab including both RC4 and DES
keys then I suspect allow_weak_crypto will not be needed.

I'm sorry, but I do not have instructions for generating an RC4 keytab
off the top of my head.

--Sam
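Taylor Yu's point above about which enctypes krb5 1.8 actually marks as weak (single DES and export-grade RC4, not des3 and not rc4-hmac), and Sam Hartman's advice to clear the DES-only flag and re-issue the service keytab with RC4 and DES keys rather than turning on allow_weak_crypto, can both be checked against the keytab itself. The following is an added example, not code from this bug thread, from MIT krb5 or from Likewise: a small Python parser for the MIT keytab file format (version 0x0502) that lists each principal's enctypes and reports principals whose only keys are weak, which is exactly the situation that forces a 1.8 client to set allow_weak_crypto = true. The principal HTTP/www.example.com@EXAMPLE.COM, the key bytes and the keytab contents are constructed in-script, and the weak set mirrors the 1.8 classification described in the thread.

```python
"""Check an MIT keytab for principals that carry only weak keys.

Constructed example: the keytabs below are built in-script, not read from a
real AD deployment.  Enctype numbers follow RFC 3961 / MIT krb5 naming.
"""
import struct
from typing import Dict, List, Tuple

# Enctype numbers relevant to the thread (plus common neighbours).
ENCTYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",       # rc4-hmac, what Windows has always offered
    24: "arcfour-hmac-exp",   # "export-grade" rc4
}

# What MIT krb5 1.8 refuses unless allow_weak_crypto = true: the single-DES
# family and export-grade RC4.  des3 (16) and rc4 (23) are NOT in this set.
WEAK_ENCTYPES = frozenset({1, 2, 3, 24})

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format, version 2


def _counted(b: bytes) -> bytes:
    """Keytab 'counted octet string': big-endian uint16 length + bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[Tuple[str, int, bytes, int]]) -> bytes:
    """Serialise (principal, enctype, key, kvno) tuples as a v2 keytab.

    principal is 'comp1/comp2@REALM'.  Test-fixture builder for the parser
    below (hypothetical helper, not an MIT krb5 API).
    """
    out = KEYTAB_MAGIC
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name_type=1 (KRB5_NT_PRINCIPAL), timestamp=0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


def _read_counted(data: bytes, pos: int) -> Tuple[str, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def parse_keytab(data: bytes) -> List[dict]:
    """Parse a v2 keytab into dicts with principal, enctype, kvno and key."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("only MIT keytab version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:           # 32-bit kvno present, overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
            "kvno": kvno,
            "key": key,
        })
    return entries


def weak_only_principals(entries: List[dict]) -> List[str]:
    """Principals whose every key is weak.  A 1.8 client cannot obtain a
    usable service ticket for them without allow_weak_crypto = true; a
    keytab re-issued with at least one RC4 or AES key drops them from here."""
    by_principal: Dict[str, set] = {}
    for e in entries:
        by_principal.setdefault(e["principal"], set()).add(e["enctype"])
    return sorted(p for p, types in by_principal.items() if types <= WEAK_ENCTYPES)


if __name__ == "__main__":
    svc = "HTTP/www.example.com@EXAMPLE.COM"            # constructed principal
    des_only = build_keytab([(svc, 1, bytes(8), 3)])     # DES-only account
    regenerated = build_keytab([(svc, 1, bytes(8), 4),   # after clearing the flag
                                (svc, 23, bytes(16), 4),
                                (svc, 18, bytes(32), 4)])
    for label, kt in (("DES-only keytab", des_only), ("regenerated", regenerated)):
        parsed = parse_keytab(kt)
        print(label, [e["enctype_name"] for e in parsed],
              "needs allow_weak_crypto:", bool(weak_only_principals(parsed)))
```

On a real system the same check is `parse_keytab(open("/etc/krb5.keytab", "rb").read())`, and `klist -kte` prints the equivalent enctype listing; if a service principal shows only des-cbc-* keys, regenerating its keytab with RC4/AES keys addresses the failure at its source, while allow_weak_crypto = true only masks it by letting the client accept DES.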

Jean-Baptiste Lallement (jibel) wrote :

Jean-Yves, did you try the advice from Sam Hartman in comment #12?
Is it still an issue with Ubuntu 10.10 - Maverick?
Was it an issue in Ubuntu 9.10 ?

tags: added: regression-release
removed: regression-potential
Changed in krb5 (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Medium
description: updated
Clint Byrum (clint-fewbar) wrote :

I'm going to move this back to 'Confirmed' so we can take a look at this in the next sweep for bugs in krb5. There are 3 affected, so it's likely the problem is at least worth a look.

Changed in krb5 (Ubuntu):
status: Incomplete → Confirmed
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in krb5 (Ubuntu Lucid):
status: Confirmed → Won't Fix