On Sun, 11 Feb 2018, John Ratliff via FreeIPA-users wrote:
> When trying to do pkinit, if I do kinit -n on one of the IdM servers,
> it works fine. If I try on a client machine, it asks me for the
> password for WELLKNOWN/ANONYMOUS@REALM.
>
> I have the pkinit_anchors setup for the realm. As I'm trying to do
> anonymous pkinit, I think I don't need a client certificate.
>
> On the server, I get this:
>
> $ KRB5_TRACE="/dev/stderr" kinit -n
> [13061] 1518402857.924212: Getting initial credentials for
> WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM
> [13061] 1518402857.929673: Sending request (200 bytes) to
> IDM.EXAMPLE.COM
> [13061] 1518402857.931830: Initiating TCP connection to stream
> 10.77.9.101:88
> [13061] 1518402857.932241: Sending TCP request to stream 10.77.9.101:88
> [13061] 1518402857.939162: Received answer (359 bytes) from stream
> 10.77.9.101:88
> [13061] 1518402857.939180: Terminating TCP connection to stream
> 10.77.9.101:88
> [13061] 1518402857.939284: Response was from master KDC
> [13061] 1518402857.939380: Received error from KDC:
> -1765328359/Additional pre-authentication required
> [13061] 1518402857.939474: Processing preauth types: 16, 15, 14, 136,
> 19, 147, 2, 133
> [13061] 1518402857.939499: Selected etype info: etype aes256-cts, salt
> "IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
> [13061] 1518402857.939509: Received cookie: MIT
> [13061] 1518402857.939563: Preauth module pkinit (147) (info)
> returned: 0/Success
> [13061] 1518402857.940352: PKINIT client computed kdc-req-body
> checksum 9/D98A0144E7E4ACC66B63EBCA98379AB9F055D143
> [13061] 1518402857.940369: PKINIT client making DH request
> [13061] 1518402858.935: Preauth module pkinit (16) (real) returned:
> 0/Success
> [13061] 1518402858.956: Produced preauth for next request: 133, 16
> [13061] 1518402858.994: Sending request (1408 bytes) to
> IDM.EXAMPLE.COM
> [13061] 1518402858.1091: Initiating TCP connection to stream
> 10.77.9.101:88
> [13061] 1518402858.1187: Sending TCP request to stream 10.77.9.101:88
> [13061] 1518402858.43063: Received answer (2880 bytes) from stream
> 10.77.9.101:88
> [13061] 1518402858.43088: Terminating TCP connection to stream
> 10.77.9.101:88
> [13061] 1518402858.43198: Response was from master KDC
> [13061] 1518402858.43258: Processing preauth types: 17, 19, 147
> [13061] 1518402858.43273: Selected etype info: etype aes256-cts, salt
> "IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
> [13061] 1518402858.43300: Preauth module pkinit (147) (info) returned:
> 0/Success
> [13061] 1518402858.44150: PKINIT client verified DH reply
> [13061] 1518402858.44189: PKINIT client found id-pkinit-san in KDC
> cert: krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
> [13061] 1518402858.44199: PKINIT client matched KDC principal
> krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM against id-pkinit-san; no EKU
> check required
> [13061] 1518402858.62345: PKINIT client used KDF 2B06010502030602 to
> compute reply key aes256-cts/00E0
> [13061] 1518402858.62395: Preauth module pkinit (17) (real) returned:
> 0/Success
> [13061] 1518402858.62402: Produced preauth for next request: (empty)
> [13061] 1518402858.62414: AS key determined by preauth: aes256-cts/00E0
> [13061] 1518402858.62547: Decrypted AS reply; session key is:
> aes256-cts/96F0
> [13061] 1518402858.62589: FAST negotiation: available
> [13061] 1518402858.62692: Initializing
> KEYRING:persistent:760400007:krb_ccache_f3PFEy1 with default princ
> WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
> [13061] 1518402858.62770: Storing
> WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
> krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM in
> KEYRING:persistent:760400007:krb_ccache_f3PFEy1
> [13061] 1518402858.62846: Storing config in
> KEYRING:persistent:760400007:krb_ccache_f3PFEy1 for
> krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM: fast_avail: yes
> [13061] 1518402858.62878: Storing
> WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM@X-CACHECONF:
> in KEYRING:persistent:760400007:krb_ccache_f3PFEy1
> [13061] 1518402858.62933: Storing config in
> KEYRING:persistent:760400007:krb_ccache_f3PFEy1 for
> krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM: pa_type: 16
> [13061] 1518402858.62954: Storing
> WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
> krb5_ccache_conf_data/pa_type/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM@X-CACHECONF:
> in KEYRING:persistent:760400007:krb_ccache_f3PFEy1
>
>
> But on the client, I get this:
>
> $ KRB5_TRACE="/dev/stderr" kinit -n
> [2941] 1518402820.155827: Getting initial credentials for
> WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM
> [2941] 1518402820.156298: Sending request (200 bytes) to
> IDM.EXAMPLE.COM
> [2941] 1518402820.158723: Resolving hostname paine.example.com.
> [2941] 1518402820.159975: Resolving hostname phantom.example.com.
> [2941] 1518402820.160757: Resolving hostname paine.example.com.
> [2941] 1518402820.161411: Initiating TCP connection to stream
> 204.89.253.101:88
> [2941] 1518402820.162065: Sending TCP request to stream 204.89.253.101:88
> [2941] 1518402820.168495: Received answer (359 bytes) from stream
> 204.89.253.101:88
> [2941] 1518402820.168532: Terminating TCP connection to stream
> 204.89.253.101:88
> [2941] 1518402820.169917: Response was from master KDC
> [2941] 1518402820.169974: Received error from KDC:
> -1765328359/Additional pre-authentication required
> [2941] 1518402820.170029: Processing preauth types: 16, 15, 14, 136,
> 19, 147, 2, 133
> [2941] 1518402820.170051: Selected etype info: etype aes256-cts, salt
> "IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
> [2941] 1518402820.170062: Received cookie: MIT
> Password for WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM:
> [2941] 1518402833.34612: Preauth module encrypted_timestamp (2) (real)
> returned: -1765328252/Password read interrupted
> kinit: Pre-authentication failed: Password read interrupted while
> getting initial credentials
>
> Suggestions on what I'm missing?
Check that you have pkinit support packages installed on the client.
On RHEL/CentOS/Fedora it means you need to have the krb5-pkinit package
installed.
It is not installed by default. Your client's log says there are no
preauth types 17 and 147 available for the client to process, while on
the server it did choose preauth types 147 and 17 to continue.
We have an ipa-advise recipe on the IPA master that shows how to configure a
client to perform smart-card authentication. In that recipe you'd see
which packages need to be added on the client to process PKINIT.
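As an added example (not code from the thread or from FreeIPA), a POSIX shell helper that classifies a KRB5_TRACE of "kinit -n" into the outcomes the reply above distinguishes: PKINIT completed, the KDC offered PKINIT but the client fell back to the password prompt (the missing krb5-pkinit case), or the KDC never offered PKINIT at all. The sample traces are constructed from the shape of the output quoted above, and the plugin paths in pkinit_plugin_present are assumptions for RHEL/Fedora and Debian-family layouts.

```shell
#!/bin/sh
# Reads a KRB5_TRACE of "kinit -n" on stdin and prints one of:
#   PKINIT_OK              pkinit (17) completed, reply key derived from the DH exchange
#   CLIENT_MISSING_PKINIT  KDC offered PKINIT (16/17/147) but the client ran
#                          encrypted_timestamp (2) instead, i.e. it asked for a password
#   KDC_NO_PKINIT          the KDC's preauth offer contained no PKINIT types at all
#   UNKNOWN                none of the patterns matched
classify_pkinit_trace() {
    trace=$(cat)
    # The first "Processing preauth types:" line is the KDC's initial offer.
    offer=$(printf '%s\n' "$trace" | grep 'Processing preauth types:' | head -n 1 | sed 's/.*types: //')
    offered_pkinit=0
    for t in $(printf '%s' "$offer" | tr ',' ' '); do
        case "$t" in 16|17|147) offered_pkinit=1 ;; esac
    done
    if printf '%s\n' "$trace" | grep -q 'Preauth module pkinit (17) (real) returned: 0/Success'; then
        echo PKINIT_OK
    elif [ "$offered_pkinit" -eq 1 ] && printf '%s\n' "$trace" | grep -q 'Preauth module encrypted_timestamp (2)'; then
        echo CLIENT_MISSING_PKINIT
    elif [ "$offered_pkinit" -eq 0 ]; then
        echo KDC_NO_PKINIT
    else
        echo UNKNOWN
    fi
}

# Assumed locations of the pkinit preauth plugin shipped by krb5-pkinit;
# prints the first one found and returns 1 if none exists.
pkinit_plugin_present() {
    for p in /usr/lib64/krb5/plugins/preauth/pkinit.so \
             /usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so; do
        [ -f "$p" ] && { echo "$p"; return 0; }
    done
    return 1
}

# Constructed sample traces, condensed from the two traces in the thread.
SERVER_TRACE='[1] 0.1: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[1] 0.2: Preauth module pkinit (16) (real) returned: 0/Success
[1] 0.3: Processing preauth types: 17, 19, 147
[1] 0.4: Preauth module pkinit (17) (real) returned: 0/Success'
CLIENT_TRACE='[2] 0.1: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
Password for WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM:
[2] 0.2: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted'
NOPKINIT_TRACE='[3] 0.1: Processing preauth types: 19, 2, 133'

printf '%s\n' "$CLIENT_TRACE" | classify_pkinit_trace   # prints CLIENT_MISSING_PKINIT
```

On a real client, run KRB5_TRACE=/dev/stderr kinit -n 2>&1 | classify_pkinit_trace; a CLIENT_MISSING_PKINIT result together with pkinit_plugin_present returning 1 points at the missing package rather than at the KDC or pkinit_anchors.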
Thanks. This was what I was missing. As soon as I installed it,
everything started working.