It’s sort of implemented. On my Mac, if I use --fast-armor-cache=FILE:/tmp/krb5cc_1003 it sends udp packets to the server. The server doesn’t return anything and makes no entry in krb5kdc.log. So the client waits and eventually times out.
If I force tcp by using tcp/hostname in krb5.conf, a non-OTP kinit works, but a fast kinit immediately returns "unable to reach any KDC". A compatibility issue between Heimdal and MIT KDCs?

> On Nov 2, 2017, at 10:50 AM, Greg Hudson <ghud...@mit.edu> wrote:
>
> On 11/02/2017 05:06 AM, Oleksandr Yermolenko wrote:
>> I have a strange (for me?) situation using MIT KDC together with
>> Heimdal client. PKINIT/FAST scenario.
>
> I don't believe Heimdal implements FAST OTP.
>
>> kinit --cache=FILE:/tmp/krb5cc_1000 a...@idm.crp
>> a...@idm.crp's Password: passwordOTP
>> kinit: Password incorrect
>>
>> KDC log:
>> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth
>> (encrypted_timestamp) verify failure: Preauthentication failed
>> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth
>
> It looks like the Heimdal client is trying to do encrypted timestamp
> (not encrypted challenge, so I'm not sure the client is even using FAST
> with these options) against whatever long-term keys you have on the
> client principal entry. You might want to remove those (with kadmin
> purgekeys -all) so that the KDC doesn't offer encrypted
> timestamp/encrypted challenge.
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
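As an added example, not text from this thread or configuration shipped by either Kerberos implementation, here is a Heimdal-style krb5.conf fragment that pins the KDC to TCP in the way the tcp/hostname experiment above describes. The KDC host ipa31.idm.crp is taken from the quoted KDC log; the realm name IDM.CRP (inferred from the a...@idm.crp principal) and the port are assumptions.

```ini
; Added example, not from the thread. Heimdal krb5.conf fragment.
; Realm name IDM.CRP is an assumption based on the a...@idm.crp principal.
[libdefaults]
    default_realm = IDM.CRP

[realms]
    IDM.CRP = {
        ; Heimdal accepts a transport prefix on kdc entries. tcp/ forces TCP,
        ; which removes the UDP timeout from the picture and makes a FAST
        ; failure show up immediately instead of after a long wait.
        kdc = tcp/ipa31.idm.crp:88
        admin_server = ipa31.idm.crp
    }
```

With this in place the two runs being compared are the plain `kinit --cache=FILE:/tmp/krb5cc_1000 a...@idm.crp` from the quoted message and the same command with `--fast-armor-cache=FILE:/tmp/krb5cc_1003` added; the armor cache named there is assumed to already hold a valid TGT before the FAST run, since FAST armor is built from it.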