#476940 python-kerberos - fails to do preauth

#476940#5
Date:
2008-04-20 09:47:31 UTC
kerberos.checkPassword fails to do preauth. Instead of using the kdc
configured in the config, it tries to find _kerberos-master._udp.$REALM
via DNS:

| 192.168.202.17 -> 192.168.202.9 DNS Standard query AAAA u-stud-dc01.student.uni-tuebingen.de
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response
| 192.168.202.17 -> 192.168.202.9 DNS Standard query AAAA u-stud-dc01.student.uni-tuebingen.de.waldi.eu.org
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response, No such name
| 192.168.202.17 -> 192.168.202.9 DNS Standard query A u-stud-dc01.student.uni-tuebingen.de
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response A 134.2.3.194
| 192.168.202.17 -> 192.168.202.9 DNS Standard query A u-stud-dc01.student.uni-tuebingen.de
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response A 134.2.3.194
| 192.168.202.17 -> 192.168.202.9 DNS Standard query AAAA u-stud-dc02.student.uni-tuebingen.de
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response
| 192.168.202.17 -> 192.168.202.9 DNS Standard query AAAA u-stud-dc02.student.uni-tuebingen.de.waldi.eu.org
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response, No such name
| 192.168.202.17 -> 192.168.202.9 DNS Standard query A u-stud-dc02.student.uni-tuebingen.de
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response A 134.2.3.195
| 192.168.202.17 -> 192.168.202.9 DNS Standard query A u-stud-dc02.student.uni-tuebingen.de
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response A 134.2.3.195
| 192.168.202.17 -> 192.168.202.9 DNS Standard query AAAA u-stud-dc01.student.uni-tuebingen.de
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response
| 192.168.202.17 -> 192.168.202.9 DNS Standard query AAAA u-stud-dc01.student.uni-tuebingen.de.waldi.eu.org
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response, No such name
| 192.168.202.17 -> 192.168.202.9 DNS Standard query A u-stud-dc01.student.uni-tuebingen.de
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response A 134.2.3.194
| 192.168.202.17 -> 192.168.202.9 DNS Standard query AAAA u-stud-dc02.student.uni-tuebingen.de
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response
| 192.168.202.17 -> 192.168.202.9 DNS Standard query AAAA u-stud-dc02.student.uni-tuebingen.de.waldi.eu.org
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response, No such name
| 192.168.202.17 -> 192.168.202.9 DNS Standard query A u-stud-dc02.student.uni-tuebingen.de
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response A 134.2.3.195
| 192.168.202.17 -> 134.2.3.194  KRB5 AS-REQ
|  134.2.3.194 -> 192.168.202.17 KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
| 192.168.202.17 -> 192.168.202.9 DNS Standard query SRV _kerberos-master._udp.STUDENT.UNI-TUEBINGEN.DE

kinit (from heimdal) does the following:

| 192.168.202.17 -> 192.168.202.9 DNS Standard query AAAA u-stud-dc01.student.uni-tuebingen.de
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response
| 192.168.202.17 -> 192.168.202.9 DNS Standard query AAAA u-stud-dc01.student.uni-tuebingen.de.waldi.eu.org
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response, No such name
| 192.168.202.17 -> 192.168.202.9 DNS Standard query A u-stud-dc01.student.uni-tuebingen.de
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response A 134.2.3.194
| 192.168.202.17 -> 134.2.3.194  KRB5 AS-REQ
|  134.2.3.194 -> 192.168.202.17 KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
| 192.168.202.17 -> 192.168.202.9 DNS Standard query AAAA u-stud-dc01.student.uni-tuebingen.de
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response
| 192.168.202.17 -> 192.168.202.9 DNS Standard query AAAA u-stud-dc01.student.uni-tuebingen.de.waldi.eu.org
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response, No such name
| 192.168.202.17 -> 192.168.202.9 DNS Standard query A u-stud-dc01.student.uni-tuebingen.de
| 192.168.202.9 -> 192.168.202.17 DNS Standard query response A 134.2.3.194
| 192.168.202.17 -> 134.2.3.194  KRB5 AS-REQ
|  134.2.3.194 -> 192.168.202.17 KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_FAILED

Bastian
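To compare the two traces above mechanically, here is an added helper (not part of the bug report or of pykerberos) that reads tshark-style lines like the ones quoted, lists the KDCs the AS-REQ was sent to, collects the KRB error codes, and flags whether a `_kerberos-master._udp` SRV lookup followed an error. The sample traces are constructed from the lines in this report, and the list of configured KDCs is an assumed input.

```python
import re

# Constructed samples, reduced from the two traces quoted in the bug report.
PYKERBEROS_TRACE = """\
192.168.202.17 -> 192.168.202.9 DNS Standard query A u-stud-dc01.student.uni-tuebingen.de
192.168.202.9 -> 192.168.202.17 DNS Standard query response A 134.2.3.194
192.168.202.17 -> 134.2.3.194  KRB5 AS-REQ
 134.2.3.194 -> 192.168.202.17 KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
192.168.202.17 -> 192.168.202.9 DNS Standard query SRV _kerberos-master._udp.STUDENT.UNI-TUEBINGEN.DE
"""
KINIT_TRACE = """\
192.168.202.17 -> 134.2.3.194  KRB5 AS-REQ
 134.2.3.194 -> 192.168.202.17 KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
192.168.202.17 -> 134.2.3.194  KRB5 AS-REQ
 134.2.3.194 -> 192.168.202.17 KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
"""

# src -> dst, protocol column, then the free-text detail.
LINE = re.compile(r"^\s*(\S+) -> (\S+)\s+(DNS|KRB5) (.*)$")


def parse(trace):
    """Return (src, dst, proto, detail) tuples; lines that do not match are skipped."""
    out = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if m:
            src, dst, proto, detail = m.groups()
            out.append((src, dst, proto, detail.strip()))
    return out


def analyze(trace, configured_kdcs):
    """Summarise the AS exchange in a trace against the KDCs the admin configured."""
    kdcs, errors, master_lookup = [], [], False
    for src, dst, proto, detail in parse(trace):
        if proto == "KRB5" and detail.startswith("AS-REQ"):
            if dst not in kdcs:
                kdcs.append(dst)
        elif proto == "KRB5" and "KRB Error" in detail:
            errors.append(detail.split(":")[-1].strip())
        # The SRV lookup only matters if it happens after a KDC error reply.
        elif proto == "DNS" and "SRV _kerberos-master._udp." in detail and errors:
            master_lookup = True
    return {
        "kdcs_contacted": kdcs,
        "unconfigured_kdcs": [k for k in kdcs if k not in configured_kdcs],
        "errors": errors,
        "master_srv_lookup_after_error": master_lookup,
    }
```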

#476940#10
Date:
2008-04-20 10:46:45 UTC
Hi Bastian,
Could you try the version from experimental? IIRC there were some fixes
regarding finding the correct KDC.
 -- Guido

#476940#15
Date:
2008-04-21 12:16:12 UTC
Hi,
I just checked the one from experimental myself against a preauth-enabled
KDC and things work as expected. However, there are SRV records for this
KDC and I'm seeing the _kerberos-master._udp.$REALM you describe. In what
way does:
 kerberos.checkPassword(user, pswd, service, realm)
fail then? Could you post the exception that shows up?
 -- Guido

#476940#20
Date:
2008-04-21 12:27:59 UTC
It seems to wait forever. The larger problem is: why does it try DNS at
all if the KDCs are set in the config?

Bastian

#476940#25
Date:
2008-04-21 15:35:53 UTC
No idea - by config you mean /etc/krb5.conf?

Looking at the code, it doesn't look that different from what kinit does,
except for krb5_get_init_creds_opt_set_default_flags, which is heimdal
only, and pykerberos uses the MIT libs. Looking at MIT's kinit I can't
spot a real difference at all. What KDC is this? Could you post your
krb.conf? Since I can't reproduce this here, it would help to see in
which call it sits. If you could grab the pykerberos source code and put
some printfs in verify_krb5_user (or use gdb, of course), that would
help a lot!
 -- Guido