I am experiencing the same issue. I'm using FreeIPA in a test lab and have tried to use Wireshark both on macOS and Ubuntu 21.10 to decode the pcapng file, thinking maybe there is a difference in the Kerberos libraries used.

Here are the contents of my keytab file, which was created with ipa-getkeytab:

Keytab name: FILE:keytab.file
KVNO Principal
---- --------------------------------------------------------------------------
   3 [email protected] (aes256-cts-hmac-sha1-96)
   3 [email protected] (aes128-cts-hmac-sha1-96)
   2 krbtgt/[email protected] (aes256-cts-hmac-sha1-96)
   2 krbtgt/[email protected] (aes256-cts-hmac-sha384-192)
   2 krbtgt/[email protected] (camellia256-cts-cmac)
   2 krbtgt/[email protected] (aes128-cts-hmac-sha1-96)
   2 krbtgt/[email protected] (aes128-cts-hmac-sha256-128)
   2 krbtgt/[email protected] (camellia128-cts-cmac)

Here is what the Wireshark decode looks like:

Kerberos
    as-rep
        pvno: 5
        msg-type: krb-as-rep (11)
        crealm: IDM.EXAMPLE.COM
        cname
        ticket
            tkt-vno: 5
            realm: IDM.EXAMPLE.COM
            sname
                name-type: kRB5-NT-SRV-INST (2)
                sname-string: 2 items
                    SNameString: krbtgt
                    SNameString: IDM.EXAMPLE.COM
            enc-part
                etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                kvno: 1
                cipher: ab1520301d815aa83c1d1d1a02f1582623d9e5d6146115d056e2aef3300ee335c9a26a2c…
                    Missing keytype 18 usage 2 (id=missing.1)
                        [Expert Info (Warning/Decryption): Missing keytype 18 usage 2 (id=missing.1)]
                        [Expert Info (Warning/Decryption): Used keymap=all_keys num_keys=10 num_tries=2)]
        enc-part
            etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
            cipher: bf0a80b204b85200683176877c21d468093beeaab80f182250c1cf6fc6f4133cc77e2474…
                Missing keytype 18 usage 3 (id=missing.2)
                    [Expert Info (Warning/Decryption): Missing keytype 18 usage 3 (id=missing.2)]
                    [Expert Info (Warning/Decryption): Used keymap=all_keys num_keys=10 num_tries=2)]
    Missing keytype 18 usage 2 missing in frame 209 keytype 18 (id=missing.1 same=0) (00000000...)
        [Expert Info (Warning/Decryption): Missing keytype 18 usage 2 missing in frame 209 keytype 18 (id=missing.1 same=0) (00000000...)]
    Missing keytype 18 usage 3 missing in frame 209 keytype 18 (id=missing.2 same=0) (00000000...)
        [Expert Info (Warning/Decryption): Missing keytype 18 usage 3 missing in frame 209 keytype 18 (id=missing.2 same=0) (00000000...)]

I launch Wireshark from a terminal and do not see any errors being reported.
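
An added example, not part of the post above or of Wireshark: a check of whether a keytab listing holds an entry matching the principal, etype and kvno that a ticket's enc-part reports, run here against the etype 18 / kvno 1 values shown in the decode. The listing is a constructed sample with placeholder principal names, and `parse_klist` and `check_ticket` are hypothetical helper names.

```python
import re

# Constructed sample: a `klist -k -e` style listing modelled on the post.
# Principal names are placeholders; the page's own are obscured.
KLIST = """\
KVNO Principal
---- ------------------------------------------------
   3 user@IDM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 user@IDM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

# Kerberos etype numbers (IANA registry) for the names klist prints.
ETYPES = {
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "aes128-cts-hmac-sha256-128": 19,
    "aes256-cts-hmac-sha384-192": 20,
    "camellia128-cts-cmac": 25,
    "camellia256-cts-cmac": 26,
}

# One listing row: "<kvno> <principal> (<etype name>)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_klist(text):
    """Return (kvno, principal, etype_number) for each listing row."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match and are skipped
            rows.append((int(m.group(1)), m.group(2), ETYPES.get(m.group(3))))
    return rows

def check_ticket(rows, principal, etype, kvno):
    """Classify how well the keytab covers a ticket's enc-part."""
    same = [r for r in rows if r[1] == principal and r[2] == etype]
    if not same:
        return "no-key-for-etype"
    if any(r[0] == kvno for r in same):
        return "match"
    return "kvno-mismatch: keytab has %s, ticket has %d" % (
        sorted({r[0] for r in same}), kvno)

if __name__ == "__main__":
    rows = parse_klist(KLIST)
    # Values from the ticket enc-part in the decode: etype 18, kvno 1.
    print(check_ticket(rows, "krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM", 18, 1))
```

A `kvno-mismatch` result means the keytab entry is a different key version from the one the ticket names, even though the etype is present.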