kpasswd - Cannot contact any KDC for requested realm changing password - kerberos

After kinit user1 successfully
I tried to change passwd with kpasswd user1
$ kpasswd user1
Password for user1#EXAMPLE.COMN:
Enter new password:
Enter it again:
kpasswd: Cannot contact any KDC for requested realm changing password
How can I debug this problem?
How can I see logs of kpasswd?

I could set ENV KRB5_TRACE and see logs.
$ KRB5_TRACE=/dev/stdout kpasswd user1
...
...
Enter new password:
Enter it again:
[19347] 1542261437.864732: Creating authenticator for ... -> kadmin/changepw#..., seqnum 0, subkey aes256-cts/BC93, session key aes256-cts/6786
[19347] 1542261437.866856: Resolving hostname ...
[19347] 1542261437.867433: Sending initial UDP request to dgram ...
[19347] 1542261440.870780: Sending retry UDP request to dgram ...
[19347] 1542261445.876049: Sending retry UDP request to dgram ...
kpasswd: Cannot contact any KDC for requested realm changing password

Related

KeyCloak fails to send email using SMTP with status 500

I have Keycloak running in a Kubernetes cluster. Authentication works but I need to set up e-mail to be able to send e-mails for verification and password reset.
I have SendGrid set up as an SMTP Relay. These settings (host, port and api key) work when I send mail using the SendGrid java client. However, when pressing Test connection in KeyCloak I get:
[Error] Failed to load resource: the server responded with a status of 500 ()
[Debug] Remove message (services.js, line 14)
[Debug] Added message (services.js, line 15)
[Error] Can't find variable: error
https://<domain>/auth/resources/ong8v/admin/keycloak/js/controllers/realm.js:76 – "Possibly unhandled rejection: {}"
[Debug] Remove message (services.js, line 14)
There isn't much to go on here. I have an e-mail address set up for the currently logged in user. I've also tried resetting the password in case the Test connection functionality was broken but that didn't work either.
The Realm Settings settings user for email are as such:
host: smtp.sendgrid.net
port: 587
from: test#<domain>
Enable StartTLS: true
Username: "apikey"
Password: <api key>
Any idea what can be wrong? Or how to find out? For instance, maybe I can get a more meaningful error message somehow.
Edit:
I got the server logs.
Failed to send email: com.sun.mail.util.MailConnectException: Couldn't connect to host, port: smtp.sendgrid.net, 587; timeout 10000;
nested exception is: java.net.SocketTimeoutException: connect timed out
Edit 2:
I've tried sending mail using Telnet using the exact same settings and that works. So apparently it's something with Keycloak or its underlying Java libraries that's causing issues sending e-mail.
Turns out that Keycloak works and that emails were blocked by the hosting provider.

How to force CoTURN long term credentials validation from WebRTC Flutter application?

I use this example of Flutter data channel to connect my Android app to my CoTURN server on my local network. The CoTURN logs show that the Android app connects successfully to the CoTURN server but doesn't show any username. I would like to make sure that no access is possible to my CoTURN server while not using long term credentials.
The version of my CoTURN server is 4.5.1.1-1.1 on Debian Linux Stable (10 Buster). The lt-cred-mech is already set in the CoTURN server configuration while no-auth is not set (it is commented). I am using verbose to check the logs. I have a user created in my MySQL database for long term credentials. It is verified using this command on the secured port:
turnutils_uclient -p 5349 -u myuser -w mypassword 192.168.188.28
It leads to the following in the coturn logs:
1992: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.28:58256
1992: session 002000000000000002: realm <myrealm> user <>: incoming packet message processed, error 401: Unauthorized
1992: IPv4. Local relay addr: 192.168.188.28:64632
1992: IPv4. Local reserved relay addr: 192.168.188.28:64633
1992: session 002000000000000002: new, realm=<myrealm>, username=<myuser>, lifetime=777
1992: session 002000000000000002: realm <myrealm> user <myuser>: incoming packet ALLOCATE processed, success
1992: session 002000000000000002: refreshed, realm=<myrealm>, username=<myuser>, lifetime=777
1992: session 002000000000000002: realm <myrealm> user <myuser>: incoming packet REFRESH processed, success
...
2007: session 003000000000000003: delete: realm=<myrealm>, username=<myuser>
2007: session 003000000000000003: peer 0.0.0.0:3481 deleted
2008: session 001000000000000008: usage: realm=<myrealm>, username=<myuser>, rp=13, rb=1360, sp=8, sb=768
2008: session 001000000000000008: closed (2nd stage), user <myuser> realm <myrealm> origin <>, local 192.168.188.28:5349, remote 192.168.188.28:48266, reason: allocation timeout
2008: session 001000000000000008: delete: realm=<myrealm>, username=<myuser>
2008: session 001000000000000008: peer 0.0.0.0:3481 deleted
If I try the same command with an intentionally invalid user, I get the expected following results in the server logs:
2227: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.28:40431
2227: session 002000000000000003: realm <myrealm> user <>: incoming packet message processed, error 401: Unauthorized
2227: check_stun_auth: Cannot find credentials of user <myuserfaulty>
2227: session 002000000000000003: realm <myrealm> user <myuserfaulty>: incoming packet message processed, error 401: Unauthorized
2227: check_stun_auth: Cannot find credentials of user <myuserfaulty>
...
So, this means that the credentials are indeed checked by the CoTURN server.
However, when I add credentials to the Flutter app as follows, I get server logs that don't seem to show any user. Worst, if the user is intentionally faulty, it changes nothing. Here is the portion of code adapted:
...
Map<String, dynamic> configuration = {
"iceServers": [
{"url": "stun:192.168.188.28:5349"},
{"username": "myuserfaulty"},
{"credential": "mypassword"},
]
};
...
Note that I guessed the username and credential entries in the configuration from the following files:
https://github.com/cloudwebrtc/flutter-webrtc/blob/master/ios/Classes/FlutterWebRTCPlugin.m
https://github.com/cloudwebrtc/flutter-webrtc/blob/master/android/src/main/java/com/cloudwebrtc/webrtc/FlutterWebRTCPlugin.java
Here are the CoTURN logs while using intentionally wrong credentials from Flutter:
2945: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.31:58350
2945: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2955: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2965: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2975: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2985: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2995: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
3005: session 002000000000000004: usage: realm=<myrealm>, username=<>, rp=6, rb=120, sp=6, sb=528
3005: session 002000000000000004: closed (2nd stage), user <> realm <myrealm> origin <>, local 192.168.188.28:5349, remote 192.168.188.31:58350, reason: allocation watchdog determined stale session state
3005: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.31:58350
3005: session 002000000000000005: realm <myrealm> user <>: incoming packet BINDING processed, success
3015: session 002000000000000005: realm <myrealm> user <>: incoming packet BINDING processed, success
...
So, I have the following questions:
How can I make sure that my CoTURN server cannot be used without authorized long term credentials?
How come the Flutter app is not subject to the same credentials validation as the turnutils_uclient?
Did I guess correctly the way to specify the credentials in the Flutter app with the addition of the username and credential entries in the configuration?
With this configuration (lt-cred-mech), the TURN server cannot be used without authorized long term credentials. However, the STUN server never requires authentication.
The turnutils_uclient command requires authentication because it calls the TURN server. To make a STUN server test call, the turnutils_stunclient command can be used and no credentials can be given to it.
The format for long term authentication on TURN server in Flutter is described in a comment in this file:
https://github.com/cloudwebrtc/flutter-webrtc-demo/blob/master/lib/src/call_sample/signaling.dart
...
{
'url': 'turn:123.45.67.89:3478',
'username': 'change_to_real_user',
'credential': 'change_to_real_secret'
},
...
which shows that my attempts were wrong for two reasons:
The protocol must be set to turn instead of stun.
The configuration items must be in the same array.
After those corrections, I do get the username in the coturn server logs as shown below:
87055: session 000000000000000540: new, realm=<myrealm>, username=<myuser>, lifetime=600
87055: session 000000000000000540: realm <myrealm> user <myuser>: incoming packet ALLOCATE processed, success
87065: session 000000000000000540: realm <myrealm> user <myuser>: incoming packet BINDING processed, success
Note that the coturn server configuration can require authentication for the STUN binding request as well:
...
# Require authentication of the STUN Binding request.
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
#
#secure-stun
...

Response decoding failed with xmpp sasl authentication

I am trying complete the SASL authentication in XMPP server.
I have connected to the xmpp server using gen_tcp socket
I have registered a user 'test4' with password '123'
Encode the username password using... :base64.encode_to_string('test4')
Then sent the encoded string i.e dGVzdDQ= to SASL authentication
Using the command:
:gen_tcp.send(socket, "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>dGVzdDQ=</auth>")
But the server is giving error "<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><bad-protocol/><text xml:lang='en'>Response decoding failed</text></failure>"
Note: I also tried to send :base64.encode_to_string(' test4 123') to server
As per RFC 4616, you need to put a NUL character before the username and the password. Try this:
iex(1)> :base64.encode_to_string([0] ++ 'test4' ++ [0] ++ '123')
'AHRlc3Q0ADEyMw=='

Keycloak email verification not working and receiving any email through keycloak

I am Using keycloak 4.5.0 v and created a realm. I have set up the login to enable forget username and verify email. In the email tab I entered
host - smtp.gmail.com
smtp port:465
username - ***#gmail.com
SSL/TLS - enabled
Authentication - enabled with username and password
But I'm still unable to connect to gmail it always pop fail to send email notification error shown:
14:53:14,070 ERROR [org.keycloak.services.resources.admin.RealmAdminResource] (default task-1) Failed to send email
com.sun.mail.util.MailConnectException: Couldn't connect to host, port: smtp.gmail.com, 465; timeout 10000;
nested exception is:
java.net.SocketTimeoutException: connect timed out
Any Help would be highly appreciated thank u
change smtp port to 587 i think this work and off SSl and TLS is on

Gmail smtp SASL authentication

I'm using postfix to send email via gmail with an application's password (two step-validation activated).
Each time I test sending mail using sendmail command, I get this error:
Action: delayed
Status: 4.7.14
Diagnostic-Code: X-Postfix; delivery temporarily suspended: SASL authentication
failed; server smtp.gmail.com said: 534-5.7.14
<https://accounts.google.com/signin/continue?...> Please log in via your web browser and?534-5.7.14 then try again.?534-5.7.14
This is my postfix configuration:
main.cf
myorigin = /etc/mailname
mydestination = mydomain.com, localhost.fr, localhost
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
/etc/postfix/sasl/sasl_passwd:
[smtp.gmail.com]:587 admin#mydomain.com:application_password
And this is how I used sendmail:
sendmail -v ...
From: admin#mydomain.com
Subject: Test
This is a test mail
.
Any ideas ? Thanks !
For anyone finding this who has run into the same scenario:
Using an app specific password
2FA enabled on your account
Seeing 'delivery temporarily suspended: SASL authentication failed; server smtp.gmail.com[173.194.68.109] said: 534-5.7.9 Please log in with your web browser and then try again' in your log
You may need to visit https://accounts.google.com/DisplayUnlockCaptcha to 'bypass' the captcha, which will enable the account access and get everything working.
Allow less secure apps: If you don't use 2-Step Verification, you might need to allow less secure apps to access your account.