Rubin Shrestha
Zend certified PHP/Magento developer
Rubin Shrestha
Blog

krb5 kinit error after upgrade to ubuntu 20

by |Published

I have an Ubuntu 18.04 computer where I connected (as client) to an AFS filesystem via openafs and kinit (krb5), hosted by my company (based on MIT Kerberos). This works well, here the log:

KRB5_TRACE=/dev/stdout kinit -V username
Using default cache: /tmp/krb5cc_5864_3P0GQm
Using principal: username@DOMAIN.COM
Getting initial credentials for username@DOMAIN.COM
Sending unauthenticated request
Sending request (198 bytes) to DOMAIN.COM
Resolving hostname SERVER.DOMAIN.COM
Sending initial UDP request to dgram IP:PORT
Received answer (572 bytes) from dgram IP:PORT
Response was not from master KDC
Salt derived from principal: DOMAIN.COMusername
Getting AS key, salt "DOMAIN.COMusername", params ""
Password for username@DOMAIN.COM: 
AS key obtained from gak_fct: des3-cbc-sha1/****
Decrypted AS reply; session key is: des-cbc-crc/****
FAST negotiation: unavailable
Initializing FILE:/tmp/krb5cc_5864_3P0GQm with default princ username@DOMAIN.COM
Storing username@DOMAIN.COM -> krbtgt/DOMAIN.COM@DOMAIN.COM in FILE:/tmp/krb5cc_5864_3P0GQm
Warning: Your password will expire in XXX days
Authenticated to Kerberos v5

Today, I upgraded to Ubuntu 20.04 and 22.04 via do-release-upgrade, and after successful completion, the AFS drives are still well mounted and readable, but the kinit authentication stopped working (already in 20.04), with this error, exactly the same in both 20.04 and 22.04:

KRB5_TRACE=/dev/stdout kinit -V username
Using default cache: /tmp/krb5cc_1001
Using principal: username@DOMAIN.COM
Getting initial credentials for username@DOMAIN.COM
Error loading plugin module pkinit: 2/unable to find plugin [/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so]: No such file or directory
Sending unauthenticated request
Sending request (201 bytes) to DOMAIN.COM
Resolving hostname SERVER.DOMAIN.COM
Sending initial UDP request to dgram IP:PORT
Received answer (127 bytes) from dgram IP:PORT
Response was not from primary KDC
Received error from KDC: -1765328370/KDC has no support for encryption type
Retrying AS request with primary KDC
Getting initial credentials for username@DOMAIN.COM
Sending unauthenticated request
Sending request (201 bytes) to DOMAIN.COM (primary)
kinit: KDC has no support for encryption type while getting initial credentials

Any idea how I can solve this error that prevents getting authenticated?

Here a comparison of the version of the relevant packages:

krb5-config: 2.6 http://archive.ubuntu.com/ubuntu bionic/main amd64
krb5-user: 1.16-2ubuntu0.2 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64
openafs-krb5: 1.8.8.1-3~ppa0~ubuntu18.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu bionic/main amd64
openafs-modules-dkms: 1.8.8.1-3~ppa0~ubuntu18.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu bionic/main amd64
openafs-client: 1.8.8.1-3~ppa0~ubuntu18.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu bionic/main amd64

vs

krb5-config: 2.6+nmu1ubuntu1 http://archive.ubuntu.com/ubuntu jammy/main amd64
krb5-user: 1.19.2-2 http://archive.ubuntu.com/ubuntu jammy/universe amd64
openafs-krb5: 1.8.8.1-3~ppa0~ubuntu22.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu jammy/main amd64
openafs-modules-dkms: 1.8.8.1-3~ppa0~ubuntu22.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu jammy/main amd64
openafs-client: 1.8.8.1-3~ppa0~ubuntu22.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu jammy/main amd64

Maybe related: 1 2 3

[EDIT: find below my krb5.conf file]

[libdefaults]
    allow_weak_crypto = true
    default_realm = DOMAIN.COM
    ticket_lifetime = 24h
    renew_lifetime = 120h
    dns_lookup_realm = false
    dns_lookup_kdc = false
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    DOMAIN.COM = {
        default_domain = DOMAIN.COM
        kdc = SERVER.DOMAIN.COM
        admin_server = SERVER.DOMAIN.COM
        kdc = SERVER.DOMAIN.COM
                v4_name_convert = {
                  host = {
                    rcmd = host
                  }
                }
    }

[domain_realm]
        .DOMAIN.COM = DOMAIN.COM

[login]
    krb4_convert = true
    krb4_get_tickets = false

[appdefaults]
    aklog_homedir = true
    always_aklog = true
    kdestroy = true
    retain_after_close = false
        pam-afs-session = {
           nopag = true
           minimum_uid = 4999
        }
    debug = true

Thanks in advance.

You may also like

why i can’t display the new column in the admin panel? I can not display a new column in Configuration panel
Published

why i can’t display the new column in the admin panel? I can not display a new column in Configuration panel

my system.xml <?xml version=”1.0″?> <config xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xsi:noNamespaceSchemaLocation=”urn:magento:module:Magento_Config:etc/system_file.xsd”> <system> <tab id=”General” translate=”label” sortOrder=”10″> <label>Mageplaza</label> </tab> <section id=”General” translate=”label” sortOrder=”130″ showInDefault=”1″ showInWebsite=”1″ showInStore=”1″> <class>separator-top</class> […]