Subject: Re: Kerberos testing... packet decode
To: None <joda@pdc.kth.se>
From: Pete Vickers <pete.vickers@uk.adtranz.com>
List: tech-net
Date: 01/13/2001 17:37:04
>"Pete Vickers" <pete.vickers@uk.adtranz.com> writes:
>
>> Tcpdump captures packets to/from KDC:
>
>Can you mail the actual data, both from login and kinit?
>
>> any thoughts welcomed...
>
>Not that I have much hands-on experience with w2k...
>
>/Johan
Okay, I've run the dumps thru tethereal, with good results. [see full deocode
below]
Notes from [my dumbish] analysis of decodes:
1. I guess the unknown 'Address' in the client request is because I've got a
GENERIC kernel with IPv6 in it ?
2. With kinit we request with enc "des-cbc-crc" and get back reply from KDC with
enc "des-cbc-crc".
With telnet/login we request with enc "des3-cbc-sha1, des3-cbc-sha, des-cbc-md5,
des-cbc-md4, des-cbc-crc" even though /etc/krb5.conf states use only "
des-cbc-crc".
We get back reply from KDC with enc "des-cbc-md5" ... which is I guess the first
matching type [in the send list] that the W2k KDC can do ?
So I guess the question is why does the login request ignore the /etc/krb5.conf
setting ? Also can anyone with some kerberos knowledge spot anything else with
might be causing problems ?
TIA
Pete.
Packet decode from tethereal:
--------------------------------------------------------------------------
[successful] kinit decode:
_Summary_:
1 0.000000 172.16.96.155 -> 172.16.96.159 KRB5 AS-REQ
2 0.002424 172.16.96.159 -> 172.16.96.155 KRB5 KRB-ERROR
3 0.006188 172.16.96.155 -> 172.16.96.159 KRB5 AS-REQ
4 0.009801 172.16.96.159 -> 172.16.96.155 KRB5 AS-REP
_Full_:
Frame 1 (236 on wire, 236 captured)
Arrival Time: Jan 13, 2001 16:57:10.0055
Time delta from previous packet: 0.000000 seconds
Time relative to first packet: 0.000000 seconds
Frame Number: 1
Packet Length: 236 bytes
Capture Length: 236 bytes
Ethernet II
Destination: 00:50:da:4e:cd:a6 (00:50:da:4e:cd:a6)
Source: 00:d0:b7:86:2a:df (00:d0:b7:86:2a:df)
Type: IP (0x0800)
Internet Protocol
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 222
Identification: 0x1687
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x4a2d (correct)
Source: 172.16.96.155 (172.16.96.155)
Destination: 172.16.96.159 (172.16.96.159)
User Datagram Protocol
Source port: 65048 (65048)
Destination port: 88 (88)
Length: 202
Checksum: 0x9d69 (correct)
Kerberos
Version: 5
MSG Type: AS-REQ
Request
Options: 0000000000
Client Name: ukpv0001
Type: Principal
Name: ukpv0001
Realm: TRANSTEST
Server Name: krbtgt
Type: Principal
Name: krbtgt
Name: TRANSTEST
End Time: 2001-01-14 02:57:06 (Z)
Random Number: 427440651
Encryption Types
Type: des-cbc-crc
Addresses
Type: IPv4
Value: 172.16.96.155
Type: Unknown address type 0x18
Value: 00000000000000000000000000000001
Type: IPv4
Value: 127.0.0.1
Frame 2 (207 on wire, 207 captured)
Arrival Time: Jan 13, 2001 16:57:10.0080
Time delta from previous packet: 0.002424 seconds
Time relative to first packet: 0.002424 seconds
Frame Number: 2
Packet Length: 207 bytes
Capture Length: 207 bytes
Ethernet II
Destination: 00:d0:b7:86:2a:df (00:d0:b7:86:2a:df)
Source: 00:50:da:4e:cd:a6 (00:50:da:4e:cd:a6)
Type: IP (0x0800)
Internet Protocol
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 193
Identification: 0x2f00
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0xf1d0 (correct)
Source: 172.16.96.159 (172.16.96.159)
Destination: 172.16.96.155 (172.16.96.155)
User Datagram Protocol
Source port: 88 (88)
Destination port: 65048 (65048)
Length: 173
Checksum: 0x2303 (correct)
Kerberos
Version: 5
MSG Type: KRB-ERROR
stime: 2001-01-13 16:57:10 (Z)
susec: 64819
Error Code: KRB5KDC_ERR_PREAUTH_REQUIRED
realm: TRANSTEST
sname: krbtgt
Type: Service and Instance
Name: krbtgt
Name: TRANSTEST
Error Data: 3043302BA10302010BA2240422302030...
Frame 3 (303 on wire, 303 captured)
Arrival Time: Jan 13, 2001 16:57:10.0117
Time delta from previous packet: 0.003764 seconds
Time relative to first packet: 0.006188 seconds
Frame Number: 3
Packet Length: 303 bytes
Capture Length: 303 bytes
Ethernet II
Destination: 00:50:da:4e:cd:a6 (00:50:da:4e:cd:a6)
Source: 00:d0:b7:86:2a:df (00:d0:b7:86:2a:df)
Type: IP (0x0800)
Internet Protocol
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 289
Identification: 0x168d
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x49e4 (correct)
Source: 172.16.96.155 (172.16.96.155)
Destination: 172.16.96.159 (172.16.96.159)
User Datagram Protocol
Source port: 65042 (65042)
Destination port: 88 (88)
Length: 269
Checksum: 0x206d (correct)
Kerberos
Version: 5
MSG Type: AS-REQ
Pre-Authentication
Type: PA-ENC-TIMESTAMP
Value: 3031A003020101A22A042846E3D58E13...
Request
Options: 0000000000
Client Name: ukpv0001
Type: Principal
Name: ukpv0001
Realm: TRANSTEST
Server Name: krbtgt
Type: Principal
Name: krbtgt
Name: TRANSTEST
End Time: 2001-01-14 02:57:06 (Z)
Random Number: 427440651
Encryption Types
Type: des-cbc-crc
Addresses
Type: IPv4
Value: 172.16.96.155
Type: Unknown address type 0x18
Value: 00000000000000000000000000000001
Type: IPv4
Value: 127.0.0.1
Frame 4 (1361 on wire, 1361 captured)
Arrival Time: Jan 13, 2001 16:57:10.0153
Time delta from previous packet: 0.003613 seconds
Time relative to first packet: 0.009801 seconds
Frame Number: 4
Packet Length: 1361 bytes
Capture Length: 1361 bytes
Ethernet II
Destination: 00:d0:b7:86:2a:df (00:d0:b7:86:2a:df)
Source: 00:50:da:4e:cd:a6 (00:50:da:4e:cd:a6)
Type: IP (0x0800)
Internet Protocol
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1347
Identification: 0x2f06
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0xed48 (correct)
Source: 172.16.96.159 (172.16.96.159)
Destination: 172.16.96.155 (172.16.96.155)
User Datagram Protocol
Source port: 88 (88)
Destination port: 65042 (65042)
Length: 1327
Checksum: 0xad53 (correct)
Kerberos
Version: 5
MSG Type: AS-REP
Pre-Authentication
Type: PA-PW-SALT
Value: 5452414E5354455354706574652E7669...
Realm: TRANSTEST
Client Name: ukpv0001
Type: Principal
Name: ukpv0001
Ticket
Version: 5
Realm: TRANSTEST
Service Name: krbtgt
Type: Principal
Name: krbtgt
Name: TRANSTEST
Encrypted Data: Ticket data
Type: des-cbc-crc
CipherText: F1121D9319FA4AF95D555D6387003141...
Encrypted Data: Encrypted Payload
Type: des-cbc-crc
KVNO: 1
CipherText: 3471DB9F4B89615B54BEA051908C6882...
--------------------------------------------------------------------------
[failed] telnet decode:
_Summary_:
1 0.000000 172.16.96.155 -> 172.16.96.159 KRB5 AS-REQ
2 0.002368 172.16.96.159 -> 172.16.96.155 KRB5 KRB-ERROR
3 0.005716 172.16.96.155 -> 172.16.96.159 KRB5 AS-REQ
4 0.009241 172.16.96.159 -> 172.16.96.155 KRB5 AS-REP
5 0.019452 172.16.96.155 -> 172.16.96.159 KRB5 TGS-REQ
6 0.020431 172.16.96.159 -> 172.16.96.155 KRB5 KRB-ERROR
_Full_:
Frame 1 (248 on wire, 248 captured)
Arrival Time: Jan 13, 2001 16:41:45.8543
Time delta from previous packet: 0.000000 seconds
Time relative to first packet: 0.000000 seconds
Frame Number: 1
Packet Length: 248 bytes
Capture Length: 248 bytes
Ethernet II
Destination: 00:50:da:4e:cd:a6 (00:50:da:4e:cd:a6)
Source: 00:d0:b7:86:2a:df (00:d0:b7:86:2a:df)
Type: IP (0x0800)
Internet Protocol
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 234
Identification: 0x158d
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x4b1b (correct)
Source: 172.16.96.155 (172.16.96.155)
Destination: 172.16.96.159 (172.16.96.159)
User Datagram Protocol
Source port: 65085 (65085)
Destination port: 88 (88)
Length: 214
Checksum: 0xa17f (correct)
Kerberos
Version: 5
MSG Type: AS-REQ
Request
Options: 0000000000
Client Name: ukpv0001
Type: Principal
Name: ukpv0001
Realm: TRANSTEST
Server Name: krbtgt
Type: Principal
Name: krbtgt
Name: TRANSTEST
End Time: 2001-01-14 02:41:45 (Z)
Random Number: 3298320473
Encryption Types
Type: des3-cbc-sha1
Type: des3-cbc-sha
Type: des-cbc-md5
Type: des-cbc-md4
Type: des-cbc-crc
Addresses
Type: IPv4
Value: 172.16.96.155
Type: Unknown address type 0x18
Value: 00000000000000000000000000000001
Type: IPv4
Value: 127.0.0.1
Frame 2 (239 on wire, 239 captured)
Arrival Time: Jan 13, 2001 16:41:45.8566
Time delta from previous packet: 0.002368 seconds
Time relative to first packet: 0.002368 seconds
Frame Number: 2
Packet Length: 239 bytes
Capture Length: 239 bytes
Ethernet II
Destination: 00:d0:b7:86:2a:df (00:d0:b7:86:2a:df)
Source: 00:50:da:4e:cd:a6 (00:50:da:4e:cd:a6)
Type: IP (0x0800)
Internet Protocol
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 225
Identification: 0x2ca2
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0xf40e (correct)
Source: 172.16.96.159 (172.16.96.159)
Destination: 172.16.96.155 (172.16.96.155)
User Datagram Protocol
Source port: 88 (88)
Destination port: 65085 (65085)
Length: 205
Checksum: 0x0cd8 (correct)
Kerberos
Version: 5
MSG Type: KRB-ERROR
stime: 2001-01-13 16:41:45 (Z)
susec: 903336
Error Code: KRB5KDC_ERR_PREAUTH_REQUIRED
realm: TRANSTEST
sname: krbtgt
Type: Service and Instance
Name: krbtgt
Name: TRANSTEST
Error Data: 3063304BA10302010BA2440442304030...
Frame 3 (396 on wire, 396 captured)
Arrival Time: Jan 13, 2001 16:41:45.8600
Time delta from previous packet: 0.003348 seconds
Time relative to first packet: 0.005716 seconds
Frame Number: 3
Packet Length: 396 bytes
Capture Length: 396 bytes
Ethernet II
Destination: 00:50:da:4e:cd:a6 (00:50:da:4e:cd:a6)
Source: 00:d0:b7:86:2a:df (00:d0:b7:86:2a:df)
Type: IP (0x0800)
Internet Protocol
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 382
Identification: 0x1593
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x4a81 (correct)
Source: 172.16.96.155 (172.16.96.155)
Destination: 172.16.96.159 (172.16.96.159)
User Datagram Protocol
Source port: 65079 (65079)
Destination port: 88 (88)
Length: 362
Checksum: 0x164a (correct)
Kerberos
Version: 5
MSG Type: AS-REQ
Pre-Authentication
Type: PA-ENC-TIMESTAMP
Value: 3041A003020103A23A043813400869AF...
Type: PA-ENC-TIMESTAMP
Value: 3031A003020101A22A0428A1A8518C8B...
Request
Options: 0000000000
Client Name: ukpv0001
Type: Principal
Name: ukpv0001
Realm: TRANSTEST
Server Name: krbtgt
Type: Principal
Name: krbtgt
Name: TRANSTEST
End Time: 2001-01-14 02:41:45 (Z)
Random Number: 3298320473
Encryption Types
Type: des3-cbc-sha1
Type: des3-cbc-sha
Type: des-cbc-md5
Type: des-cbc-md4
Type: des-cbc-crc
Addresses
Type: IPv4
Value: 172.16.96.155
Type: Unknown address type 0x18
Value: 00000000000000000000000000000001
Type: IPv4
Value: 127.0.0.1
Frame 4 (1385 on wire, 1385 captured)
Arrival Time: Jan 13, 2001 16:41:45.8635
Time delta from previous packet: 0.003525 seconds
Time relative to first packet: 0.009241 seconds
Frame Number: 4
Packet Length: 1385 bytes
Capture Length: 1385 bytes
Ethernet II
Destination: 00:d0:b7:86:2a:df (00:d0:b7:86:2a:df)
Source: 00:50:da:4e:cd:a6 (00:50:da:4e:cd:a6)
Type: IP (0x0800)
Internet Protocol
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1371
Identification: 0x2ca8
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0xef8e (correct)
Source: 172.16.96.159 (172.16.96.159)
Destination: 172.16.96.155 (172.16.96.155)
User Datagram Protocol
Source port: 88 (88)
Destination port: 65079 (65079)
Length: 1351
Checksum: 0xd083 (correct)
Kerberos
Version: 5
MSG Type: AS-REP
Pre-Authentication
Type: PA-PW-SALT
Value: 5452414E5354455354706574652E7669...
Realm: TRANSTEST
Client Name: ukpv0001
Type: Principal
Name: ukpv0001
Ticket
Version: 5
Realm: TRANSTEST
Service Name: krbtgt
Type: Principal
Name: krbtgt
Name: TRANSTEST
Encrypted Data: Ticket data
Type: des-cbc-md5
CipherText: BC29E77A4FDF5CF7B339F5477D31D864...
Encrypted Data: Encrypted Payload
Type: des-cbc-md5
KVNO: 1
CipherText: AAE1F07DAFD12EA605407B08510BF314...
Frame 5 (1412 on wire, 1412 captured)
Arrival Time: Jan 13, 2001 16:41:45.8737
Time delta from previous packet: 0.010211 seconds
Time relative to first packet: 0.019452 seconds
Frame Number: 5
Packet Length: 1412 bytes
Capture Length: 1412 bytes
Ethernet II
Destination: 00:50:da:4e:cd:a6 (00:50:da:4e:cd:a6)
Source: 00:d0:b7:86:2a:df (00:d0:b7:86:2a:df)
Type: IP (0x0800)
Internet Protocol
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1398
Identification: 0x15a5
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x4677 (correct)
Source: 172.16.96.155 (172.16.96.155)
Destination: 172.16.96.159 (172.16.96.159)
User Datagram Protocol
Source port: 65061 (65061)
Destination port: 88 (88)
Length: 1378
Checksum: 0xa228 (correct)
Kerberos
Version: 5
MSG Type: TGS-REQ
Pre-Authentication
Type: PA-TGS-REQ
Value: 6E82047B30820477A003020105A10302...
Request
Options: 0000000000
Realm: TRANSTEST
Server Name: host
Type: Principal
Name: host
Name: ukdews0001.transtest
End Time: 1970-01-01 00:00:00 (Z)
Random Number: 3965539552
Encryption Types
Type: des3-cbc-sha1
Type: des3-cbc-sha
Type: des-cbc-md5
Type: des-cbc-md4
Type: des-cbc-crc
Addresses
Type: IPv4
Value: 172.16.96.155
Type: Unknown address type 0x18
Value: 00000000000000000000000000000001
Type: IPv4
Value: 127.0.0.1
Frame 6 (132 on wire, 132 captured)
Arrival Time: Jan 13, 2001 16:41:45.8747
Time delta from previous packet: 0.000979 seconds
Time relative to first packet: 0.020431 seconds
Frame Number: 6
Packet Length: 132 bytes
Capture Length: 132 bytes
Ethernet II
Destination: 00:d0:b7:86:2a:df (00:d0:b7:86:2a:df)
Source: 00:50:da:4e:cd:a6 (00:50:da:4e:cd:a6)
Type: IP (0x0800)
Internet Protocol
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 118
Identification: 0x2cba
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0xf461 (correct)
Source: 172.16.96.159 (172.16.96.159)
Destination: 172.16.96.155 (172.16.96.155)
User Datagram Protocol
Source port: 88 (88)
Destination port: 65061 (65061)
Length: 98
Checksum: 0xb294 (correct)
Kerberos
Version: 5
MSG Type: KRB-ERROR
stime: 2001-01-13 16:41:45 (Z)
susec: 913350
Error Code: KRB5KDC_ERR_SUMTYPE_NOSUPP
realm: TRANSTEST
sname: krbtgt
Type: Service and Instance
Name: krbtgt
Name: TRANSTEST
--------------------------------------------------------------------------