I am experiencing the same issue. I'm using FreeIPA in a test lab and have tried to use Wireshark both on macOS and Ubuntu 21.10 to decode the pcapng file, thinking maybe there is a difference in the Kerberos libraries used.
Here are the contents of my keytab file, which was created with ipa-getkeytab:
    Keytab name: FILE:keytab.file
    KVNO Principal
    ---- --------------------------------------------------------------------------
       3 [email protected] (aes256-cts-hmac-sha1-96)
       3 [email protected] (aes128-cts-hmac-sha1-96)
       2 krbtgt/[email protected] (aes256-cts-hmac-sha1-96)
       2 krbtgt/[email protected] (aes256-cts-hmac-sha384-192)
       2 krbtgt/[email protected] (camellia256-cts-cmac)
       2 krbtgt/[email protected] (aes128-cts-hmac-sha1-96)
       2 krbtgt/[email protected] (aes128-cts-hmac-sha256-128)
       2 krbtgt/[email protected] (camellia128-cts-cmac)
Here is what the Wireshark decode looks like:

    Kerberos
        as-rep
            pvno: 5
            msg-type: krb-as-rep (11)
            crealm: IDM.EXAMPLE.COM
            cname
            ticket
                tkt-vno: 5
                realm: IDM.EXAMPLE.COM
                sname
                    name-type: kRB5-NT-SRV-INST (2)
                    sname-string: 2 items
                        SNameString: krbtgt
                        SNameString: IDM.EXAMPLE.COM
                enc-part
                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                    kvno: 1
                    cipher: ab1520301d815aa83c1d1d1a02f1582623d9e5d6146115d056e2aef3300ee335c9a26a2c…
                        Missing keytype 18 usage 2 (id=missing.1)
                            [Expert Info (Warning/Decryption): Missing keytype 18 usage 2 (id=missing.1)]
                            [Expert Info (Warning/Decryption): Used keymap=all_keys num_keys=10 num_tries=2)]
            enc-part
                etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                cipher: bf0a80b204b85200683176877c21d468093beeaab80f182250c1cf6fc6f4133cc77e2474…
                    Missing keytype 18 usage 3 (id=missing.2)
                        [Expert Info (Warning/Decryption): Missing keytype 18 usage 3 (id=missing.2)]
                        [Expert Info (Warning/Decryption): Used keymap=all_keys num_keys=10 num_tries=2)]
        Missing keytype 18 usage 2 missing in frame 209 keytype 18 (id=missing.1 same=0) (00000000...)
            [Expert Info (Warning/Decryption): Missing keytype 18 usage 2 missing in frame 209 keytype 18 (id=missing.1 same=0) (00000000...)]
        Missing keytype 18 usage 3 missing in frame 209 keytype 18 (id=missing.2 same=0) (00000000...)
            [Expert Info (Warning/Decryption): Missing keytype 18 usage 3 missing in frame 209 keytype 18 (id=missing.2 same=0) (00000000...)]

I launch Wireshark from a terminal and do not see any errors being reported.