kerberos error: PAC checksum type is not keyed

Aaron Solochek aarons-samba at aberrant.org
Fri Nov 5 13:55:15 MDT 2010


On 11/02/2010 10:53 PM, Andrew Bartlett wrote:
> On Tue, 2010-11-02 at 10:55 -0400, Aaron Solochek wrote:
>> On 11/02/2010 07:19 AM, Andrew Bartlett wrote:
>>> On Wed, 2010-10-27 at 15:39 +1100, Andrew Bartlett wrote:
>>>> On Wed, 2010-10-27 at 11:05 +1100, Andrew Bartlett wrote:
>>>>> On Thu, 2010-10-21 at 08:17 +1100, Andrew Bartlett wrote:
>>>>>> On Wed, 2010-10-20 at 10:22 -0400, Aaron Solochek wrote:
>>>>>>> I'm getting ever closer to having nfs4 working with the samba4 kdc.  Currently I
>>>>>>> seem to be blocking on the error "PAC checksum type is not keyed" which is
>>>>>>> generated by the kdc when nfs sends a PA-TGS-REQ for nfs/foo.bar.com.
>>>>>>>
>>>>>>> >From googling, it seemed to be related to the des-cbc-crc enctype, so I set
>>>>>>>
>>>>>>> default_tkt_enctypes = rc4-hmac des-cbc-md5
>>>>>>>
>>>>>>> in krb5.conf on both client and server.
>>>>>>>
>>>>>>>
>>>>>>> Then the problem changes slightly.  With that option set, the client first
>>>>>>> requests nfs/foo.bar.com with enctypes "rc4-hmac des-cbc-md5", and that
>>>>>>> succeeds, but immediately following that the client sends the exact same
>>>>>>> request, only this time the enctypes are back to "des-cbc-crc des-cbc-md5
>>>>>>> des-cbc-md4" and it fails again with PAC checksum error.
>>>>>>>
>>>>>>>
>>>>>>> So it seems that I have 2 bugs.
>>>>>>>
>>>>>>> 1) PAC checksum bug
>>>>>>>
>>>>>>> 2) kerberos client (libraries or nfs4?) bug that causes the second request
>>>>>>> ignoring the enctypes specified in krb5.conf.
>>>>>>>
>>>>>>>
>>>>>>> What can I do about #1?
>>>>>>
>>>>>> Someone needs to confirm what Windows does here.  The PAC security
>>>>>> relies on the checksum being keyed, so my gut feeling is to omit the
>>>>>> checksum in this case.  We need to determine if this is security issue
>>>>>> with Windows, or there is some other protection, or Windows omits it.
>>>>>> (This should not be relevant for NFSv4, which should never need to use
>>>>>> DES, but is important for AFS clients).
>>>>>
>>>>> I've now looked into the windows behaviour, which is documented here:
>>>>> http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
>>>>>
>>>>> The problem is that when different crypto-systems are used (Example 2),
>>>>> Heimdal objects because the keys involved are not the right type or
>>>>> length.  I'm working with upstream Heimdal to find out if we can get a
>>>>> better API for this, plus a way to handle the crazy windows behaviour
>>>>> exception noted there. 
>>>>
>>>> Attached is my patch for testing.  
>>>
>>> A more complete and correct fix is in the autobuild queue, and should be
>>> available in master shortly.
>>>
>>> Andrew Bartlett
>>>
>>
>> I've been trying to rebuild the debian packages with this patch for testing, but
>> that package has lots of build issues at the moment.  I think I'm getting close
>> to getting it to build, and once I do I'll report back about how it works for me.
> 
> Please try with current master.  The new patch is much more elaborate
> than the one I posted here. 
>

Ok, I got tired of waiting for new .debs, so I rebuild samba from the master.
It looks like the patch worked!  Once I commented out the enctype parameters in
krb5.conf on the client and server, I was able to mount the nfs4 share.

Of course I still need to figure out how to deal with the nfs4 acls, and ideally
how to map them to samba4 acls, but at least I can get things mounted now.

Thanks!

-Aaron


More information about the samba-technical mailing list