
I have an Ubuntu 18.04 computer where I connected (as a client) to an AFS filesystem via openafs and kinit (krb5), hosted by my company (based on MIT Kerberos). This works well; here is the log:

KRB5_TRACE=/dev/stdout kinit -V username
Using default cache: /tmp/krb5cc_5864_3P0GQm
Using principal: username@DOMAIN.COM
Getting initial credentials for username@DOMAIN.COM
Sending unauthenticated request
Sending request (198 bytes) to DOMAIN.COM
Resolving hostname SERVER.DOMAIN.COM
Sending initial UDP request to dgram IP:PORT
Received answer (572 bytes) from dgram IP:PORT
Response was not from master KDC
Salt derived from principal: DOMAIN.COMusername
Getting AS key, salt "DOMAIN.COMusername", params ""
Password for username@DOMAIN.COM: 
AS key obtained from gak_fct: des3-cbc-sha1/****
Decrypted AS reply; session key is: des-cbc-crc/****
FAST negotiation: unavailable
Initializing FILE:/tmp/krb5cc_5864_3P0GQm with default princ username@DOMAIN.COM
Storing username@DOMAIN.COM -> krbtgt/DOMAIN.COM@DOMAIN.COM in FILE:/tmp/krb5cc_5864_3P0GQm
Warning: Your password will expire in XXX days
Authenticated to Kerberos v5

Today, I upgraded to Ubuntu 20.04 and then 22.04 via do-release-upgrade. After successful completion, the AFS drives are still mounted and readable, but the kinit authentication stopped working (already in 20.04), with this error, exactly the same in both 20.04 and 22.04:

KRB5_TRACE=/dev/stdout kinit -V username
Using default cache: /tmp/krb5cc_1001
Using principal: username@DOMAIN.COM
Getting initial credentials for username@DOMAIN.COM
Error loading plugin module pkinit: 2/unable to find plugin [/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so]: No such file or directory
Sending unauthenticated request
Sending request (201 bytes) to DOMAIN.COM
Resolving hostname SERVER.DOMAIN.COM
Sending initial UDP request to dgram IP:PORT
Received answer (127 bytes) from dgram IP:PORT
Response was not from primary KDC
Received error from KDC: -1765328370/KDC has no support for encryption type
Retrying AS request with primary KDC
Getting initial credentials for username@DOMAIN.COM
Sending unauthenticated request
Sending request (201 bytes) to DOMAIN.COM (primary)
kinit: KDC has no support for encryption type while getting initial credentials

Any idea how I can solve this error that prevents getting authenticated?

Here is a comparison of the versions of the relevant packages:

krb5-config: 2.6 http://archive.ubuntu.com/ubuntu bionic/main amd64
krb5-user: 1.16-2ubuntu0.2 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64
openafs-krb5: 1.8.8.1-3~ppa0~ubuntu18.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu bionic/main amd64
openafs-modules-dkms: 1.8.8.1-3~ppa0~ubuntu18.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu bionic/main amd64
openafs-client: 1.8.8.1-3~ppa0~ubuntu18.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu bionic/main amd64

vs

krb5-config: 2.6+nmu1ubuntu1 http://archive.ubuntu.com/ubuntu jammy/main amd64
krb5-user: 1.19.2-2 http://archive.ubuntu.com/ubuntu jammy/universe amd64
openafs-krb5: 1.8.8.1-3~ppa0~ubuntu22.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu jammy/main amd64
openafs-modules-dkms: 1.8.8.1-3~ppa0~ubuntu22.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu jammy/main amd64
openafs-client: 1.8.8.1-3~ppa0~ubuntu22.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu jammy/main amd64

Maybe related: 1 2 3

Thanks in advance.

ferdymercury
  • Could you show your /etc/krb5.conf? It sounds like you might have some settings from the OpenAFS 1.4 era that still force single-DES usage (which is no longer necessary with 1.6.5+). – u1686_grawity Nov 19 '22 at 19:54
  • Added. Thanks for the reply. – ferdymercury Nov 19 '22 at 20:04
  • Looks like it's not in the client-side krb5.conf – it's either your account specifically or the entire KDC configuration that enforces DES... Do you have a way to change your Kerberos password (e.g. an older machine to run `kpasswd` on)? – u1686_grawity Nov 19 '22 at 20:08
  • Yes, I have an older machine running Ubuntu 18, where kinit works perfectly well. I can also run kpasswd. What shall I look for there? Thanks for the swift reply. – ferdymercury Nov 19 '22 at 20:10
  • Just change the password once, then check whether kinit has started using newer encryption types. (But on second thought, since the _session_ key seems to be limited to DES, that's probably caused by KDC config and a password change won't help much...) – u1686_grawity Nov 19 '22 at 20:18
  • Just tried the password change on the Ubuntu 18 machine. It worked; after that I ran the kinit command and got the exact same message as above (for Ubuntu 18), saying that it's using des3-cbc-sha1 and des-cbc-crc. Maybe there is a way to install the older version of krb5-user on the Ubuntu 22 machine, as a workaround? – ferdymercury Nov 19 '22 at 20:25
  • Note: The KDC server is a Scientific Linux 4 machine and I can not access it / upgrade it, so I was thinking of downgrading the krb5 packages on Ubuntu 22 instead. – ferdymercury Nov 19 '22 at 20:38
  • Is there anyone who _can_ access it / upgrade it? – u1686_grawity Nov 19 '22 at 20:54

1 Answer

Your company's Kerberos realm is configured to use very outdated encryption types; it's a similar problem to the AD posts you found, except the enctype in question is not RC4 but single-DES (i.e. des-cbc-crc). Support for single-DES has been completely removed from MIT Kerberos 1.18 and later versions, and there is no way to re-enable it locally.

(Both DES3 and RC4 are still in the "kinda sorta acceptable" range, so the "des3-cbc-sha1" enctype is still supported by Krb5 1.20. On the other hand, single-DES with its 56-bit keys is firmly within the "crackable in several hours" range, so its removal is rather more urgent. Since you're seeing the error during kinit rather than aklog, and since a password change doesn't make it go away, it means the entire Kerberos realm basically runs on single-DES session keys.)

The only solution I would recommend is to remove the configured enctype limits on the KDC (which definitely supports at least des3) – if your site is using at least OpenAFS 1.4.15 or 1.6.5 (both released in 2013) with the rxkad-kdf extension, aklog will just automatically convert des3 or aes session keys to something acceptable to the AFS server. (Which, to be fair, is still 56-bit because that's all rxkad can handle – but at least it would be limited to AFS rather than being realm-wide.)

Though since your KDC is running on SL4 (which went out of support in 2011), I somewhat doubt the AFS servers have seen any updates in the last decade either, so your only remaining option is to downgrade libkrb5 and hope that nothing breaks. (Downgrading krb5-user to match the libraries is probably also needed, but it's not where the cipher support lives.)

(You could also make an Ubuntu 18.04 container using debootstrap and systemd-nspawn and use it for Kerberos things...)

u1686_grawity
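A small check, added here as an example and not code from the question or the answer, that reads a KRB5_TRACE log like the ones quoted above and reports which enctypes the KDC issued, flagging a single-DES session key as something MIT krb5 1.18 and later cannot use. The sample trace is constructed from the two key lines of the working 18.04 trace in the question; the enctype lists and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: read a KRB5_TRACE
# log like the ones quoted above, pull out the enctypes the KDC issued, and
# say whether a current MIT krb5 (1.18 or later, which dropped single-DES)
# could still use that ticket. The sample trace below is constructed from the
# two key lines of the working 18.04 trace in the question.

SAMPLE_TRACE='AS key obtained from gak_fct: des3-cbc-sha1/****
Decrypted AS reply; session key is: des-cbc-crc/****'

# Enctype named on the "AS key obtained" line (the key derived from the
# password), or nothing if the line is missing.
as_key_enctype() {
    printf '%s\n' "$1" | sed -n 's|.*AS key obtained from gak_fct: \([^/]*\)/.*|\1|p'
}

# Enctype of the session key inside the decrypted AS reply; this is what the
# KDC chose for the TGT and what kinit fails on when the library lacks it.
session_enctype() {
    printf '%s\n' "$1" | sed -n 's|.*session key is: \([^/]*\)/.*|\1|p'
}

# Status of an enctype in MIT Kerberos (only names the example is sure of):
#   removed    single-DES, gone since krb5 1.18; no krb5.conf knob re-enables it
#   deprecated des3 and RC4, still built as of krb5 1.20 but slated for removal
#   current    the AES family
#   unknown    anything else
classify_enctype() {
    case "$1" in
        des-cbc-crc|des-cbc-md4|des-cbc-md5) echo removed ;;
        des3-cbc-sha1|arcfour-hmac|rc4-hmac) echo deprecated ;;
        aes128-cts-hmac-sha1-96|aes256-cts-hmac-sha1-96|aes128-cts-hmac-sha256-128|aes256-cts-hmac-sha384-192) echo current ;;
        *) echo unknown ;;
    esac
}

# Print a one-line verdict for a trace; return 1 when the session key enctype
# is one that krb5 1.18+ no longer implements, 0 otherwise.
check_trace() {
    as_et="$(as_key_enctype "$1")"
    sess_et="$(session_enctype "$1")"
    printf 'AS key %s (%s), session key %s (%s)\n' \
        "$as_et" "$(classify_enctype "$as_et")" \
        "$sess_et" "$(classify_enctype "$sess_et")"
    [ "$(classify_enctype "$sess_et")" != removed ]
}

# Usage on the constructed sample; on a real host feed it the output of
#   KRB5_TRACE=/dev/stdout kinit -V username
check_trace "$SAMPLE_TRACE" ||
    echo "session key is single-DES: kinit on krb5 1.18+ will fail with 'KDC has no support for encryption type'"
```

Run against a trace captured on the old 18.04 machine, the verdict tells you before upgrading whether the realm's tickets will survive the move to a newer libkrb5; the AS key line alone is not enough, since here it is des3 (still accepted) while the session key is the part that breaks.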