
I have an Ubuntu 18.04 computer where I connected (as client) to an AFS filesystem via openafs and kinit (krb5), hosted by my company (based on MIT Kerberos). This works well; here is the log:

KRB5_TRACE=/dev/stdout kinit -V username
Using default cache: /tmp/krb5cc_5864_3P0GQm
Using principal: username@DOMAIN.COM
Getting initial credentials for username@DOMAIN.COM
Sending unauthenticated request
Sending request (198 bytes) to DOMAIN.COM
Resolving hostname SERVER.DOMAIN.COM
Sending initial UDP request to dgram IP:PORT
Received answer (572 bytes) from dgram IP:PORT
Response was not from master KDC
Salt derived from principal: DOMAIN.COMusername
Getting AS key, salt "DOMAIN.COMusername", params ""
Password for username@DOMAIN.COM: 
AS key obtained from gak_fct: des3-cbc-sha1/****
Decrypted AS reply; session key is: des-cbc-crc/****
FAST negotiation: unavailable
Initializing FILE:/tmp/krb5cc_5864_3P0GQm with default princ username@DOMAIN.COM
Storing username@DOMAIN.COM -> krbtgt/DOMAIN.COM@DOMAIN.COM in FILE:/tmp/krb5cc_5864_3P0GQm
Warning: Your password will expire in XXX days
Authenticated to Kerberos v5

Today, I upgraded to Ubuntu 20.04 and 22.04 via do-release-upgrade, and after successful completion, the AFS drives are still well mounted and readable, but the kinit authentication stopped working (already in 20.04), with this error, exactly the same in both 20.04 and 22.04:

KRB5_TRACE=/dev/stdout kinit -V username
Using default cache: /tmp/krb5cc_1001
Using principal: username@DOMAIN.COM
Getting initial credentials for username@DOMAIN.COM
Error loading plugin module pkinit: 2/unable to find plugin [/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so]: No such file or directory
Sending unauthenticated request
Sending request (201 bytes) to DOMAIN.COM
Resolving hostname SERVER.DOMAIN.COM
Sending initial UDP request to dgram IP:PORT
Received answer (127 bytes) from dgram IP:PORT
Response was not from primary KDC
Received error from KDC: -1765328370/KDC has no support for encryption type
Retrying AS request with primary KDC
Getting initial credentials for username@DOMAIN.COM
Sending unauthenticated request
Sending request (201 bytes) to DOMAIN.COM (primary)
kinit: KDC has no support for encryption type while getting initial credentials

Any idea how I can solve this error that prevents getting authenticated?

Here is a comparison of the versions of the relevant packages:

krb5-config: 2.6 http://archive.ubuntu.com/ubuntu bionic/main amd64
krb5-user: 1.16-2ubuntu0.2 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64
openafs-krb5: 1.8.8.1-3~ppa0~ubuntu18.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu bionic/main amd64
openafs-modules-dkms: 1.8.8.1-3~ppa0~ubuntu18.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu bionic/main amd64
openafs-client: 1.8.8.1-3~ppa0~ubuntu18.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu bionic/main amd64

vs

krb5-config: 2.6+nmu1ubuntu1 http://archive.ubuntu.com/ubuntu jammy/main amd64
krb5-user: 1.19.2-2 http://archive.ubuntu.com/ubuntu jammy/universe amd64
openafs-krb5: 1.8.8.1-3~ppa0~ubuntu22.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu jammy/main amd64
openafs-modules-dkms: 1.8.8.1-3~ppa0~ubuntu22.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu jammy/main amd64
openafs-client: 1.8.8.1-3~ppa0~ubuntu22.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu jammy/main amd64

Maybe related: 1 2 3

Thanks in advance.

1 Answer


Your company's Kerberos realm is configured to use very outdated encryption types; it's a similar problem to the AD posts you found, except the enctype in question is not RC4, but single-DES (i.e. the des-cbc-crc). Support for single-DES has been completely removed from MIT Kerberos 1.18 and later versions and there is no way to re-enable it locally.

(Both DES3 and RC4 are still in the "kinda sorta acceptable" range, so the "des3-cbc-sha1" enctype is still supported by Krb5 1.20. On the other hand, single-DES with its 56-bit keys is firmly within the "crackable in several hours" range, so its removal is rather more urgent. Since you're seeing the error during kinit rather than aklog, and since a password change doesn't make it go away, it means the entire Kerberos realm basically runs on single-DES session keys.)

The only solution I would recommend is to remove the configured enctype limits on the KDC (which definitely supports at least des3) – if your site is using at least OpenAFS 1.4.15 or 1.6.5 (both released in 2013) with the rxkad-kdf extension, aklog will just automatically convert des3 or aes session keys to something acceptable to the AFS server. (Which, to be fair, is still 56-bit because that's all rxkad can handle – but at least it would be limited to AFS rather than being realm-wide.)

Though since your KDC is running on SL4 (which went out of support in 2011), I somewhat doubt the AFS servers have seen any updates in the last decade either, so your only remaining option is to downgrade libkrb5 and hope that nothing breaks. (Downgrading krb5-user to match the libraries is probably also needed, but it's not where the cipher support lives.)

(You could also make a Ubuntu 18.04 container using debootstrap and systemd-nspawn and use it for Kerberos things...)

grawity
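An added example, not part of the answer above nor of the MIT Kerberos project: a POSIX shell helper that reads a KRB5_TRACE log like the ones in the question and reports, for the AS key and the session key, which of the three classes the answer describes (single-DES removed, DES3/RC4 deprecated, AES fine) each enctype falls into. The enctype names in the patterns are MIT krb5's own spellings; the sample trace is constructed from the question's working 18.04 output.

```shell
#!/bin/sh
# Added example: classify the enctypes a KRB5_TRACE log reports, following
# the answer: single-DES is removed in MIT krb5 >= 1.18 with no local
# override, while DES3 and RC4 are deprecated but still accepted.
classify_enctype() {
    case "$1" in
        des-cbc-crc|des-cbc-md4|des-cbc-md5)
            echo "single-DES: removed in MIT krb5 1.18+, no local override" ;;
        des3-cbc-sha1|arcfour-hmac|arcfour-hmac-md5|arcfour-hmac-exp)
            echo "deprecated: still supported, plan migration" ;;
        aes128-cts-hmac-sha1-96|aes256-cts-hmac-sha1-96|aes128-cts-hmac-sha256-128|aes256-cts-hmac-sha384-192)
            echo "ok" ;;
        *)  echo "unknown" ;;
    esac
}

# Read a KRB5_TRACE log on stdin; print "<key> <enctype> <verdict>" for the
# AS key and session key lines, and name the enctype error the 22.04 trace
# shows. Returns 1 if any single-DES enctype was found, else 0.
audit_trace() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"AS key obtained from gak_fct: "*) kind=as-key ;;
            *"session key is: "*) kind=session-key ;;
            *"KDC has no support for encryption type"*)
                echo "kdc-error: client and KDC share no enctype"; continue ;;
            *) continue ;;
        esac
        etype=${line##*: }   # text after the last ": " is "<enctype>/****"
        etype=${etype%%/*}   # drop the masked key material
        verdict=$(classify_enctype "$etype")
        printf '%s %s %s\n' "$kind" "$etype" "$verdict"
        case "$verdict" in single-DES*) found=1 ;; esac
    done
    return $found
}

# Constructed sample, modelled on the working 18.04 trace in the question.
SAMPLE_TRACE='Using principal: username@DOMAIN.COM
AS key obtained from gak_fct: des3-cbc-sha1/****
Decrypted AS reply; session key is: des-cbc-crc/****
Authenticated to Kerberos v5'

if printf '%s\n' "$SAMPLE_TRACE" | audit_trace; then
    echo "no single-DES keys seen"
else
    echo "single-DES session keys: kinit will fail against MIT krb5 >= 1.18"
fi
```

Run it against a real capture with `KRB5_TRACE=/tmp/trace kinit -V user; audit_trace < /tmp/trace`; a non-zero exit means the realm still issues single-DES keys and no client-side krb5.conf change will help.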