Vault: Kerberos: matching key not found in keytab

Created on 2 Apr 2020  ·  3 Comments  ·  Source: hashicorp/vault

Hello
I'm testing the new Kerberos auth method in Vault v1.4.0-beta1

I start vault like this:

vault login -method=kerberos username=admzn service=HTTP/bella2.zeuthen.desy.de:8200 realm=IFH.DE keytab_path=./krb5.vaultclient_test.keytab krb5conf_path=./krb5.conf

The keytab looks like:

ktutil:  read_kt krb5.vaultclient.keytab
ktutil:  list -e -k -t
slot KVNO Timestamp         Principal
   1    8 01.04.2020 15:08  admzn@IFH.DE (aes256-cts-hmac-sha1-96)
   2    8 01.04.2020 15:08  admzn@IFH.DE (arcfour-hmac)
   3    8 01.04.2020 15:08  admzn@IFH.DE (des3-hmac-sha1)

The following error occurred:

Error authenticating: couldn't log in: [Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: issue with setting PAData on AS_REQ < Encrypting_Error: error getting key from credentials: matching key not found in keytab. Looking for [admzn] realm: IFH.DE kvno: 0 etype: 17

What is strange is that etype 17 is aes128-cts-hmac-sha1-96, which is not listed in the keytab (see https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#kerberos-parameters-2).

According to tcpdump no connection is established. The error already occurs when reading the keytab.

Labels: auth/kerberos, bug

All 3 comments

Hi! Thanks for reporting this.

This is the right place to post this issue. Over in the plugin repo, we have a couple of scripts we use for working on it, and from the home directory if I run "$ make dev-env" it spins up a local test environment for me. I did that and checked the keytab used for logging in, in the tests.

The keytab looks like this:

bash-4.4# ktutil
ktutil:  read_kt grace.keytab
ktutil:  list -e -k -t
slot KVNO Timestamp         Principal
---- ---- ----------------- ---------------------------------------------------
   1    2 04/02/20 16:46:40  grace@MATRIX.LAN (arcfour-hmac)  (0x5607c5e51e6c59d6fdeda478aa2f4471)

And the login command that works with it is located here and looks like this when the variables are written out:

login-kerb \
  -username=grace \
  -service="HTTP/d6d685ce14f3.matrix.lan:8200" \
  -realm=MATRIX.LAN \
  -keytab_path="/tests/grace.keytab" \
  -krb5conf_path="/tests/krb5.conf" \
  -vault_addr="http://d6d685ce14f3.matrix.lan:8200"

The error message you're encountering makes it sound like it's not having a "hit" in your keytab for the username of "admzn", which as you point out, doesn't make sense given that we can clearly see the keytab contains that user.

One thing I'm wondering is, as a workaround, would it work if you removed the other two entries and only kept the one using the (arcfour-hmac)?

Hi thanks for the quick response. It was a great help.

The problem is that I did not set the value for preferred_preauth_types in krb5.conf. The implementation then takes the first value from the defaults (17, 16, 15, 14).

Solution:

[libdefaults]
  preferred_preauth_types = 23

Regards Philipp
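A pre-flight check that mirrors the selection described in the comment above, added here as an example (it is not code from Vault or the kerberos plugin): the client takes the first preferred_preauth_types entry (17 when the key is absent) and looks for a key of that etype in the keytab before any KDC round trip, so the default configuration fails against this keytab while preferred_preauth_types = 23 (or 18) succeeds. It assumes the keytab is given as `ktutil list -e -k -t` output and krb5.conf as text; the sample rows are constructed from the listing in the issue, with the principal taken as admzn@IFH.DE.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

var etypeByName = map[string]int{"aes128-cts-hmac-sha1-96": 17, "aes256-cts-hmac-sha1-96": 18,
	"des3-hmac-sha1": 16, "arcfour-hmac": 23} // IANA etype numbers, keyed by the names ktutil prints
var defaultPreauthTypes = []int{17, 16, 15, 14} // fallback when krb5.conf does not set the key
const sampleKeytab = `slot KVNO Timestamp         Principal
   1    8 01.04.2020 15:08 admzn@IFH.DE (aes256-cts-hmac-sha1-96)
   2    8 01.04.2020 15:08 admzn@IFH.DE (arcfour-hmac)
   3    8 01.04.2020 15:08 admzn@IFH.DE (des3-hmac-sha1)` // constructed from the issue's listing

// preferredPreauthTypes reads [libdefaults] preferred_preauth_types from krb5.conf text.
func preferredPreauthTypes(krb5conf string) []int {
	m := regexp.MustCompile(`(?m)^[ \t]*preferred_preauth_types[ \t]*=[ \t]*([0-9][0-9, ]*)`).FindStringSubmatch(krb5conf)
	if m == nil {
		return defaultPreauthTypes // key absent: the client will try etype 17 first
	}
	var out []int
	for _, f := range regexp.MustCompile(`[0-9]+`).FindAllString(m[1], -1) {
		n, _ := strconv.Atoi(f) // digits only, cannot fail
		out = append(out, n)
	}
	return out
}

// keytabEtypes maps principal -> etypes present, parsed from `ktutil list -e -k -t` output.
func keytabEtypes(listing string) map[string][]int {
	re := regexp.MustCompile(`(?m)^[ \t]*\d+[ \t]+\d+[ \t]+\S+[ \t]+\S+[ \t]+(\S+)[ \t]+\(([^)]+)\)`)
	out := map[string][]int{}
	for _, m := range re.FindAllStringSubmatch(listing, -1) {
		if et, ok := etypeByName[m[2]]; ok { // unknown etype names are skipped
			out[m[1]] = append(out[m[1]], et)
		}
	}
	return out
}

// checkLogin mirrors the client: only the first preferred etype is tried, before any KDC round trip.
func checkLogin(principal, krb5conf, listing string) error {
	want, have := preferredPreauthTypes(krb5conf)[0], keytabEtypes(listing)[principal]
	for _, et := range have {
		if et == want {
			return nil
		}
	}
	return fmt.Errorf("matching key not found in keytab: %s needs etype %d, keytab has %v", principal, want, have)
}
```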

Ah! Thanks for posting that! Much appreciated.
