This repository has been archived by the owner on Nov 24, 2021. It is now read-only.

ClientClaimsInfo error when authenticating with winkerberos #9

Closed
pault28 opened this issue May 29, 2018 · 8 comments

Comments

pault28 commented May 29, 2018

The below code fails when running from a Windows machine:

import requests
import winkerberos as kerberos

# SPN of the Vault server as registered in Active Directory
service = "HTTP/vault.DOMAIN@REALM"

# Initialise a GSSAPI client context using SPNEGO and run the first step,
# which produces the base64-encoded token to send to the server
rc, vc = kerberos.authGSSClientInit(service=service, mech_oid=kerberos.GSS_MECH_OID_SPNEGO)
kerberos.authGSSClientStep(vc, "")
kerberos_token = kerberos.authGSSClientResponse(vc)

# Hand the token to the Vault Kerberos auth backend in the JSON body.
# verify=False disables TLS certificate validation and should only be used against a test instance.
r = requests.post("https://vault/v1/auth/kerberos/login", json={'authorization': 'Negotiate ' + kerberos_token}, verify=False)

See error below:
{"time":"2018-05-29T21:48:01.052877076Z","type":"response","auth":{"client_token":"","accessor":"","display_name":"","policies":null,"metadata":null,"entity_id":""},"request":{"id":"e03ae638-16fb-8bb9-513c-ebe0334acbdc","operation":"update","client_token":"","client_token_accessor":"","path":"auth/kerberos/login","data":{"authorization":"hmac-sha256:1705419e6936724587ae0e5b1a4560736ecd6124ca9c0b63050c76ea17862c53"},"policy_override":false,"remote_address":"127.0.0.1","wrap_ttl":0,"headers":{}},"response":{},"error":"error processing ClientClaimsInfo: error parsing byte stream headers: Malformed NDR steam: Not enough bytes."}

This works fine from a Linux machine. The only difference is that we then use the standard python kerberos module.

Does this work from a windows machine by any chance?

ah- commented May 30, 2018

It should work, I've been running exactly this on Windows and it works. I suspect something else is up with the setup.

@sharkztex

Getting a similar error to the above:
'errors': ['error processing ClientClaimsInfo: error parsing byte stream headers: Malformed NDR steam: Not enough bytes.'
This comes from the 'https://github.com/jcmturner/gokrb5/blob/master/pac/client_claims.go#L16'.
Struggling to figure out the issue here; we are running on Win 10 clients.


ah- commented Jun 15, 2018

Maybe try asking upstream in the gokrb5 project what this means? @jcmturner has been really helpful before.

@jcmturner
Contributor

Hi, I suspect this may be a bug in gokrb5 for processing the CLIENT_CLAIMS_INFO PAC entry that comes from the Active Directory KDC. Microsoft are not consistent in what is and is not NDR encoded and the documentation does not always specify what is and isn't. This has made it hard to code as I also have little to no access to test data to work against. As you can see here only a small proportion of the structures have examples.

Can I ask you to raise an issue against gokrb5? It would be great if you could share some data of the Kerberos tickets (via a tcpdump/wireshark capture) as this will give me something to write a unit test against.

pault28 commented Jun 19, 2018

@ah- I can confirm that @jcmturner's patch on jcmturner/gokrb5#156 fixes this error. Patch https://github.com/jcmturner/gokrb5/compare/issue-156

I am guessing this will be applied to vault-plugin-auth-kerberos once the fix is merged upstream.

ah- commented Jun 19, 2018

Oh fantastic! Once this is merged into gokrb5 and released we can run scripts/update_deps.sh and release a new version.

pault28 commented Jun 19, 2018

I did get another error which I will add to the current issue on gokrb5.

{'errors': ['error processing CredentialsInfo: error parsing byte stream headers: Malformed NDR steam: Stream does not indicate a RPC Type serialization of version 1']}

It seems to be related to smart card login. When I log on without smart-card it works. Will update the upstream issue.
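Both error strings quoted in this thread ("Not enough bytes" and "Stream does not indicate a RPC Type serialization of version 1") are what a parser reports when the NDR type-serialization headers that precede an NDR-encoded PAC buffer (MS-RPCE 2.2.6: an 8-byte common type header followed by an 8-byte private header) are missing or do not start with version byte 1. As an added illustration, not code from gokrb5 or from this plugin, the following Python checker validates those headers on constructed sample buffers and reports the same two failure classes, which is useful when triaging a Vault audit log entry like the ones above. The function names, the `NdrHeaderError` type and the sample byte strings are my own.

```python
import struct

# Constants from MS-RPCE 2.2.6, "Type Serialization Version 1".
COMMON_HEADER_LEN = 8      # common type header is always 8 bytes
PRIVATE_HEADER_LEN = 8     # private header for a constructed type is 8 bytes
ENDIAN_BIG = 0x00
ENDIAN_LITTLE = 0x10
COMMON_FILLER = b"\xcc\xcc\xcc\xcc"  # fixed filler in the common header


class NdrHeaderError(ValueError):
    """Raised when the type-serialization headers cannot be parsed (hypothetical type)."""


def parse_ndr_headers(data: bytes):
    """Validate the common and private headers of an NDR type-serialized buffer.

    Returns (endianness, object_buffer_length, body), where body is the
    serialized object that follows the two headers.
    """
    if len(data) < COMMON_HEADER_LEN + PRIVATE_HEADER_LEN:
        raise NdrHeaderError("Malformed NDR stream: Not enough bytes.")

    version = data[0]
    endianness = data[1]
    if version != 1:
        # A buffer that is not NDR-wrapped at all (or is corrupt) fails here.
        raise NdrHeaderError(
            "Stream does not indicate a RPC Type serialization of version 1")
    if endianness == ENDIAN_LITTLE:
        fmt, endian_name = "<", "little"
    elif endianness == ENDIAN_BIG:
        fmt, endian_name = ">", "big"
    else:
        raise NdrHeaderError("Unknown endianness byte 0x%02x" % endianness)

    # CommonHeaderLength is encoded in the stream's own byte order.
    (header_len,) = struct.unpack_from(fmt + "H", data, 2)
    if header_len != COMMON_HEADER_LEN:
        raise NdrHeaderError("Unexpected common header length %d" % header_len)
    if data[4:8] != COMMON_FILLER:
        raise NdrHeaderError("Common header filler is not 0xCCCCCCCC")

    # Private header: ObjectBufferLength followed by a zero filler.
    obj_len, private_filler = struct.unpack_from(fmt + "II", data, 8)
    if private_filler != 0:
        raise NdrHeaderError("Private header filler is not zero")

    body = data[COMMON_HEADER_LEN + PRIVATE_HEADER_LEN:]
    if len(body) < obj_len:
        # Headers are fine but the object itself is truncated.
        raise NdrHeaderError("Malformed NDR stream: Not enough bytes.")
    return endian_name, obj_len, body[:obj_len]


def check_stream(data: bytes) -> str:
    """Return 'ok' or the parser's error message, for use in a triage script."""
    try:
        parse_ndr_headers(data)
        return "ok"
    except NdrHeaderError as exc:
        return str(exc)


# Constructed sample buffers (not captured from a real ticket):
GOOD = b"\x01\x10\x08\x00" + COMMON_FILLER + struct.pack("<II", 8, 0) + b"A" * 8
TRUNCATED = GOOD[:5]                         # far too short to hold the headers
NOT_NDR = b"\x00\x00\x00\x00\x12\x00\x00\x00" + b"\x00" * 16  # version byte is 0, not 1

if __name__ == "__main__":
    for name, buf in (("good", GOOD), ("truncated", TRUNCATED), ("not_ndr", NOT_NDR)):
        print(name, "->", check_stream(buf))
```

The version check is deliberately ordered before the length fields are read: a buffer that was never NDR-serialized is recognised from its first byte, which is the distinction between the two messages in this thread.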

ah- commented Aug 1, 2018

Fixed in 1.2.0.

sambott pushed a commit to sambott/vault-plugin-auth-kerberos that referenced this issue Sep 3, 2019