On Sun, 11 Feb 2018, John Ratliff via FreeIPA-users wrote:
When trying to do pkinit, if I do kinit -n on one of the IdM servers, it works fine. If I try on a client machine, it asks me for the password for WELLKNOWN/ANONYMOUS@REALM.
I have the pkinit_anchors set up for the realm. As I'm trying to do anonymous pkinit, I think I don't need a client certificate.
On the server, I get this:
$ KRB5_TRACE="/dev/stderr" kinit -n
[13061] 1518402857.924212: Getting initial credentials for WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM
[13061] 1518402857.929673: Sending request (200 bytes) to IDM.EXAMPLE.COM
[13061] 1518402857.931830: Initiating TCP connection to stream 10.77.9.101:88
[13061] 1518402857.932241: Sending TCP request to stream 10.77.9.101:88
[13061] 1518402857.939162: Received answer (359 bytes) from stream 10.77.9.101:88
[13061] 1518402857.939180: Terminating TCP connection to stream 10.77.9.101:88
[13061] 1518402857.939284: Response was from master KDC
[13061] 1518402857.939380: Received error from KDC: -1765328359/Additional pre-authentication required
[13061] 1518402857.939474: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[13061] 1518402857.939499: Selected etype info: etype aes256-cts, salt "IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
[13061] 1518402857.939509: Received cookie: MIT
[13061] 1518402857.939563: Preauth module pkinit (147) (info) returned: 0/Success
[13061] 1518402857.940352: PKINIT client computed kdc-req-body checksum 9/D98A0144E7E4ACC66B63EBCA98379AB9F055D143
[13061] 1518402857.940369: PKINIT client making DH request
[13061] 1518402858.935: Preauth module pkinit (16) (real) returned: 0/Success
[13061] 1518402858.956: Produced preauth for next request: 133, 16
[13061] 1518402858.994: Sending request (1408 bytes) to IDM.EXAMPLE.COM
[13061] 1518402858.1091: Initiating TCP connection to stream 10.77.9.101:88
[13061] 1518402858.1187: Sending TCP request to stream 10.77.9.101:88
[13061] 1518402858.43063: Received answer (2880 bytes) from stream 10.77.9.101:88
[13061] 1518402858.43088: Terminating TCP connection to stream 10.77.9.101:88
[13061] 1518402858.43198: Response was from master KDC
[13061] 1518402858.43258: Processing preauth types: 17, 19, 147
[13061] 1518402858.43273: Selected etype info: etype aes256-cts, salt "IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
[13061] 1518402858.43300: Preauth module pkinit (147) (info) returned: 0/Success
[13061] 1518402858.44150: PKINIT client verified DH reply
[13061] 1518402858.44189: PKINIT client found id-pkinit-san in KDC cert: krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
[13061] 1518402858.44199: PKINIT client matched KDC principal krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM against id-pkinit-san; no EKU check required
[13061] 1518402858.62345: PKINIT client used KDF 2B06010502030602 to compute reply key aes256-cts/00E0
[13061] 1518402858.62395: Preauth module pkinit (17) (real) returned: 0/Success
[13061] 1518402858.62402: Produced preauth for next request: (empty)
[13061] 1518402858.62414: AS key determined by preauth: aes256-cts/00E0
[13061] 1518402858.62547: Decrypted AS reply; session key is: aes256-cts/96F0
[13061] 1518402858.62589: FAST negotiation: available
[13061] 1518402858.62692: Initializing KEYRING:persistent:760400007:krb_ccache_f3PFEy1 with default princ WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
[13061] 1518402858.62770: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM in KEYRING:persistent:760400007:krb_ccache_f3PFEy1
[13061] 1518402858.62846: Storing config in KEYRING:persistent:760400007:krb_ccache_f3PFEy1 for krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM: fast_avail: yes
[13061] 1518402858.62878: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/fast_avail/krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM@X-CACHECONF: in KEYRING:persistent:760400007:krb_ccache_f3PFEy1
[13061] 1518402858.62933: Storing config in KEYRING:persistent:760400007:krb_ccache_f3PFEy1 for krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM: pa_type: 16
[13061] 1518402858.62954: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/pa_type/krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM@X-CACHECONF: in KEYRING:persistent:760400007:krb_ccache_f3PFEy1
But on the client, I get this:
$ KRB5_TRACE="/dev/stderr" kinit -n
[2941] 1518402820.155827: Getting initial credentials for WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM
[2941] 1518402820.156298: Sending request (200 bytes) to IDM.EXAMPLE.COM
[2941] 1518402820.158723: Resolving hostname paine.example.com.
[2941] 1518402820.159975: Resolving hostname phantom.example.com.
[2941] 1518402820.160757: Resolving hostname paine.example.com.
[2941] 1518402820.161411: Initiating TCP connection to stream 204.89.253.101:88
[2941] 1518402820.162065: Sending TCP request to stream 204.89.253.101:88
[2941] 1518402820.168495: Received answer (359 bytes) from stream 204.89.253.101:88
[2941] 1518402820.168532: Terminating TCP connection to stream 204.89.253.101:88
[2941] 1518402820.169917: Response was from master KDC
[2941] 1518402820.169974: Received error from KDC: -1765328359/Additional pre-authentication required
[2941] 1518402820.170029: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[2941] 1518402820.170051: Selected etype info: etype aes256-cts, salt "IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
[2941] 1518402820.170062: Received cookie: MIT
Password for WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM:
[2941] 1518402833.34612: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted
kinit: Pre-authentication failed: Password read interrupted while getting initial credentials
Suggestions on what I'm missing?
Check that you have pkinit support packages installed on the client. On RHEL/CentOS/Fedora it means you need to have the krb5-pkinit package installed.
It is not installed by default. Your client's log says there are no preauth types 17 and 147 available for the client to process, while on the server it did choose preauth types 147 and 17 to continue.
We have an ipa-advise recipe on the IPA master that shows how to configure a client to perform smart-card authentication. In that recipe you'd see which packages need to be added on the client to process PKINIT.
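As an added example (not from the thread or from FreeIPA), a small shell checker that applies the diagnosis above to a KRB5_TRACE transcript: it reports whether the KDC offered PKINIT (pa-type 147), whether the client's pkinit module (16/17) ever ran, and whether kinit fell back to the encrypted_timestamp password prompt. The sample traces are constructed, abridged from the two quoted above; the `rpm -q krb5-pkinit` check assumes an RPM-based client.

```shell
#!/bin/sh
# Added example, not from the thread: classify a KRB5_TRACE transcript of `kinit -n`.
# Pre-auth type numbers are the ones visible in the traces above: 147 = PKINIT offered
# by the KDC, 16/17 = client pkinit request/reply modules, 2 = encrypted_timestamp.

# Reads a trace on stdin, prints one word: pkinit-ok, missing-pkinit-module,
# kdc-no-pkinit or inconclusive.
diagnose_pkinit_trace() {
    trace=$(cat)
    offered=0 ran=0 decrypted=0 fallback=0
    printf '%s\n' "$trace" | grep -Eq 'Processing preauth types:( [0-9]+,)* 147(,|$)' && offered=1
    printf '%s\n' "$trace" | grep -Eq 'Preauth module pkinit \(1[67]\) \(real\) returned: 0/Success' && ran=1
    printf '%s\n' "$trace" | grep -q 'Decrypted AS reply' && decrypted=1
    printf '%s\n' "$trace" | grep -q 'Preauth module encrypted_timestamp (2)' && fallback=1
    if [ "$ran" = 1 ] && [ "$decrypted" = 1 ]; then
        echo pkinit-ok
    elif [ "$offered" = 1 ] && [ "$ran" = 0 ]; then
        # KDC advertised PKINIT but the client never loaded its pkinit module (krb5-pkinit missing)
        [ "$fallback" = 1 ] && echo 'note: client fell back to a password prompt' >&2
        echo missing-pkinit-module
    elif [ "$offered" = 0 ]; then
        echo kdc-no-pkinit
    else
        echo inconclusive
    fi
}
# Companion check for RPM-based clients (package name from the thread).
pkinit_package_installed() {
    command -v rpm >/dev/null 2>&1 && rpm -q krb5-pkinit >/dev/null 2>&1
}

# Constructed samples, abridged from the client and server traces quoted above.
CLIENT_TRACE=$(cat <<'EOF'
[2941] 1518402820.170029: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[2941] 1518402820.170062: Received cookie: MIT
[2941] 1518402833.34612: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted
EOF
)
SERVER_TRACE=$(cat <<'EOF'
[13061] 1518402857.939474: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[13061] 1518402858.935: Preauth module pkinit (16) (real) returned: 0/Success
[13061] 1518402858.43258: Processing preauth types: 17, 19, 147
[13061] 1518402858.62395: Preauth module pkinit (17) (real) returned: 0/Success
[13061] 1518402858.62547: Decrypted AS reply; session key is: aes256-cts/96F0
EOF
)

echo "client trace: $(printf '%s\n' "$CLIENT_TRACE" | diagnose_pkinit_trace)"
echo "server trace: $(printf '%s\n' "$SERVER_TRACE" | diagnose_pkinit_trace)"
pkinit_package_installed || echo "krb5-pkinit not installed here (or not an RPM system)"
```

In a real session, run `KRB5_TRACE=/dev/stderr kinit -n 2>&1 | diagnose_pkinit_trace` on the client; `missing-pkinit-module` is the signature of the problem in this thread, while `kdc-no-pkinit` would point at the KDC side instead.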