Error during Kerberos credentials validation

[mwegrzynek]

H!

I'm trying to set-up the proxy. I was able to build it, also, it starts without problems. If I try to authenticate with wrong credentials, I'm greeted with a login and password request. However, if I try to authenticate with correct credentials, the proxy crashes with the following log (real user name replaced with redactedusername, real password with realpassword, and true realm with REDACTED.KERBEROS.REALM)

/opt/rdpproxy/bin/rdpproxy foreground
Exec: /opt/rdpproxy/erts-15.2.1/bin/erlexec -noinput +Bd -boot /opt/rdpproxy/releases/1.0.0/start -mode embedded -boot_var SYSTEM_LIB_DIR /opt/rdpproxy/lib -config /opt/rdpproxy/releases/1.0.0/sys.config -args_file /opt/rdpproxy/releases/1.0.0/vm.args -- foreground
Root: /opt/rdpproxy
/opt/rdpproxy
13:41:01.385 [debug] Lager installed handler {lager_file_backend,"console.log"} into lager_event
13:41:01.385 [debug] Lager installed handler {lager_file_backend,"error.log"} into lager_event
13:41:01.386 [debug] Lager installed handler {lager_file_backend,"debug.log"} into lager_event
13:41:01.386 [debug] Lager installed handler error_logger_lager_h into error_logger
13:41:01.405 [debug] lvkid 0x00007fd834c1ce10: starting up
13:41:01.405 [debug] lvkid 0x00007fd834b4fa50: starting up
13:41:01.885 [debug] Lager installed handler lager_backend_throttle into lager_event
13:41:17.023 [debug] connect {{172,20,2,1},36476} to listener default, protocols [credssp,ssl]
13:41:17.053 [info] {{172,20,2,1},36476}: accepted tls 'tlsv1.3' (cipher = #{mac => aead,prf => sha384,cipher => aes_256_gcm,key_exchange => any}, sni = "rdp.grupalubawa.pl")
13:41:17.062 [debug] {{172,20,2,1},36476} mcs_chans all ok (chans = #{1005 => {tsud_net_channel,"rdpdr",low,[init,encrypt_rdp,compress_rdp]},1006 => {tsud_net_channel,"rdpsnd",low,[init,encrypt_rdp]},1008 => {tsud_net_channel,"cliprdr",low,[init,encrypt_rdp,compress_rdp,show_protocol]},1009 => {tsud_net_channel,"drdynvc",low,[init,encrypt_rdp,compress_rdp]}})
13:41:17.062 [debug] using color format 16bpp out of ['32bpp','15bpp','16bpp','24bpp']
13:41:17.063 [debug] client OS = [unix,unknown], flags = [suppress_output,refresh_rect,fastpath,long_creds,autoreconnect,salted_mac,short_bitmap_hdr]
13:41:17.064 [debug] inst 0x00007fd834b53b10: fbuf = 0, kid = 0x00007fd834c1ce10 (pid 18802), owner = <0.1113.0>, msgref = #Ref<0.1886618380.3017015298.237223>
13:41:17.064 [debug] 0x00007fd834b53b10: created disp_drv 0x00007fd85800ecf8 => 0x00007fd85800ee60
13:41:17.064 [debug] 0x00007fd834b53b10: created mouse_drv 0x00007fd85800edd8 => 0x00007fd85800f9b0
13:41:17.064 [debug] 0x00007fd834b53b10: created kbd_drv 0x00007fd85800ed98 => 0x00007fd85800f8b0
13:41:17.065 [debug] ui_fsm for frontend <0.1113.0>
13:41:17.066 [debug] frontend spawned ui_fsm <0.1157.0>
13:41:17.121 [debug] cliprdr caps for <0.1113.0>: #cliprdr_caps{flags = [],
              caps = [#cliprdr_cap_general{version = 2,flags = [long_names]}]}
13:41:17.572 [debug] peer = {172,20,2,1}, duoid = <<"J7ka0CGG9WTVfxJXoMdyr6tz5jpFpSpXpxQ/A3XWAhQ=">>
13:41:17.632 [debug] no devices in >1s, probably none coming
13:41:17.632 [debug] rdpdr: devices = #{}
13:41:17.843 [debug] sent req #Ref<0.1886618380.3017015297.237348> to 1 KDCs via udp
13:41:17.869 [debug] sent req #Ref<0.1886618380.3017015297.245554> to 1 KDCs via udp
13:41:17.920 [debug] sent req #Ref<0.1886618380.3017015297.245566> to 1 KDCs via tcp
13:41:17.961 [debug] terminating from auth due to {badmatch,{'PrincipalName',1,["redactedusername"]}}
13:41:17.961 [error] gen_statem <0.1180.0> in state auth terminated with reason: no match of right hand value {'PrincipalName',1,["redactedusername"]} in state_functions
13:41:17.962 [error] CRASH REPORT Process <0.1180.0> with 12 neighbours crashed with reason: no match of right hand value {'PrincipalName',1,["redactedusername"]} in krb_proto:ticket_from_rep/2 line 108
13:41:17.962 [error] Supervisor krb_realm_sup had child krb_realm started with krb_realm:start_link("REDACTED.KERBEROS.REALM") at <0.1168.0> exit with reason no match of right hand value {'PrincipalName',1,["redactedusername"]} in krb_proto:ticket_from_rep/2 line 108 in context child_terminated
13:41:17.962 [error] Supervisor krb_realm_sup had child krb_realm started with krb_realm:start_link("REDACTED.KERBEROS.REALM") at <0.1168.0> exit with reason reached_max_restart_intensity in context shutdown
13:41:17.962 [error] Supervisor krb_sup had child krb_realm_sup started with krb_realm_sup:start_link() at <0.1017.0> exit with reason shutdown in context child_terminated
13:41:17.962 [debug] ui_fsm dying from state check_login due to {{{badmatch,{'PrincipalName',1,["redactedusername"]}},[{krb_proto,ticket_from_rep,2,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_proto.erl"},{line,108}]},{krb_auth_fsm,auth,3,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_auth_fsm.erl"},{line,289}]},{gen_statem,loop_state_callback,11,[{file,"gen_statem.erl"},{line,3735}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,329}]}]},{gen_server,call,[<0.1168.0>,{authenticate,[<<"redactedusername">>],<<"redactedpassword">>,#{}},infinity]}}
13:41:17.962 [debug] ui_fsm for frontend <0.1113.0>
13:41:17.964 [error] gen_statem <0.1157.0> in state check_login terminated with reason: {{{{badmatch,{'PrincipalName',1,["redactedusername"]}},[{krb_proto,ticket_from_rep,2,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_proto.erl"},{line,108}]},{krb_auth_fsm,auth,3,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_auth_fsm.erl"},{line,289}]},{gen_statem,loop_state_callback,11,[{file,"gen_statem.erl"},{line,3735}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,329}]}]},{gen_server,call,[<0.1168.0>,{authenticate,...},...]}},...}
13:41:17.964 [error] CRASH REPORT Process <0.1157.0> with 0 neighbours exited with reason: {{{badmatch,{'PrincipalName',1,["redactedusername"]}},[{krb_proto,ticket_from_rep,2,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_proto.erl"},{line,108}]},{krb_auth_fsm,auth,3,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_auth_fsm.erl"},{line,289}]},{gen_statem,loop_state_callback,11,[{file,"gen_statem.erl"},{line,3735}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,329}]}]},{gen_server,call,[<0.1168.0>,{authenticate,[...],...},...]}} in gen_server:call/3 line 1222
13:41:17.965 [error] Supervisor ui_fsm_sup had child undefined started with ui_fsm:start_link({<0.1113.0>,{state,#Port<0.8>,#Port<0.9>,rdp_lvgl_server,[{frontend,[default]}],{rdp_lvgl_server,...},...}}, default, #Ref<0.1886618380.3017146370.237224>, {1400,1052}) at <0.1157.0> exit with reason {{{badmatch,{'PrincipalName',1,["redactedusername"]}},[{krb_proto,ticket_from_rep,2,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_proto.erl"},{line,108}]},{krb_auth_fsm,auth,3,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_auth_fsm.erl"},{line,289}]},{gen_statem,loop_state_callback,11,[{file,"gen_statem.erl"},{line,3735}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,329}]}]},{gen_server,call,[<0.1168.0>,{authenticate,[...],...},...]}} in context child_terminated
13:41:18.468 [debug] peer = {172,20,2,1}, duoid = <<"J7ka0CGG9WTVfxJXoMdyr6tz5jpFpSpXpxQ/A3XWAhQ=">>
13:41:18.686 [debug] sent req #Ref<0.1886618380.3017015298.241839> to 1 KDCs via udp
13:41:18.713 [debug] sent req #Ref<0.1886618380.3017015298.248446> to 1 KDCs via udp
13:41:18.755 [debug] sent req #Ref<0.1886618380.3017015298.248458> to 1 KDCs via tcp
13:41:18.782 [debug] terminating from auth due to {badmatch,{'PrincipalName',1,["redactedusername"]}}
13:41:18.782 [error] gen_statem <0.1205.0> in state auth terminated with reason: no match of right hand value {'PrincipalName',1,["redactedusername"]} in state_functions
13:41:18.782 [error] CRASH REPORT Process <0.1205.0> with 12 neighbours crashed with reason: no match of right hand value {'PrincipalName',1,["redactedusername"]} in krb_proto:ticket_from_rep/2 line 108
13:41:18.783 [debug] ui_fsm dying from state check_login due to {{{badmatch,{'PrincipalName',1,["redactedusername"]}},[{krb_proto,ticket_from_rep,2,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_proto.erl"},{line,108}]},{krb_auth_fsm,auth,3,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_auth_fsm.erl"},{line,289}]},{gen_statem,loop_state_callback,11,[{file,"gen_statem.erl"},{line,3735}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,329}]}]},{gen_server,call,[<0.1193.0>,{authenticate,[<<"redactedusername">>],<<"redactedpassword">>,#{}},infinity]}}
13:41:18.783 [error] Supervisor krb_realm_sup had child krb_realm started with krb_realm:start_link("REDACTED.KERBEROS.REALM") at <0.1193.0> exit with reason no match of right hand value {'PrincipalName',1,["redactedusername"]} in krb_proto:ticket_from_rep/2 line 108 in context child_terminated
13:41:18.783 [debug] ui_fsm for frontend <0.1113.0>
13:41:18.783 [error] Supervisor krb_realm_sup had child krb_realm started with krb_realm:start_link("REDACTED.KERBEROS.REALM") at <0.1193.0> exit with reason reached_max_restart_intensity in context shutdown
13:41:18.783 [error] Supervisor krb_sup had child krb_realm_sup started with krb_realm_sup:start_link() at <0.1183.0> exit with reason shutdown in context child_terminated
13:41:18.784 [error] gen_statem <0.1185.0> in state check_login terminated with reason: {{{{badmatch,{'PrincipalName',1,["redactedusername"]}},[{krb_proto,ticket_from_rep,2,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_proto.erl"},{line,108}]},{krb_auth_fsm,auth,3,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_auth_fsm.erl"},{line,289}]},{gen_statem,loop_state_callback,11,[{file,"gen_statem.erl"},{line,3735}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,329}]}]},{gen_server,call,[<0.1193.0>,{authenticate,...},...]}},...}
13:41:18.784 [error] CRASH REPORT Process <0.1185.0> with 0 neighbours exited with reason: {{{badmatch,{'PrincipalName',1,["redactedusername"]}},[{krb_proto,ticket_from_rep,2,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_proto.erl"},{line,108}]},{krb_auth_fsm,auth,3,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_auth_fsm.erl"},{line,289}]},{gen_statem,loop_state_callback,11,[{file,"gen_statem.erl"},{line,3735}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,329}]}]},{gen_server,call,[<0.1193.0>,{authenticate,[...],...},...]}} in gen_server:call/3 line 1222
13:41:18.784 [error] Supervisor ui_fsm_sup had child undefined started with ui_fsm:start_link({<0.1113.0>,{state,#Port<0.8>,#Port<0.9>,rdp_lvgl_server,[{frontend,[default]}],{rdp_lvgl_server,...},...}}, default, #Ref<0.1886618380.3017146370.237224>, {1400,1052}) at <0.1185.0> exit with reason {{{badmatch,{'PrincipalName',1,["redactedusername"]}},[{krb_proto,ticket_from_rep,2,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_proto.erl"},{line,108}]},{krb_auth_fsm,auth,3,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_auth_fsm.erl"},{line,289}]},{gen_statem,loop_state_callback,11,[{file,"gen_statem.erl"},{line,3735}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,329}]}]},{gen_server,call,[<0.1193.0>,{authenticate,[...],...},...]}} in context child_terminated
13:41:19.288 [debug] peer = {172,20,2,1}, duoid = <<"J7ka0CGG9WTVfxJXoMdyr6tz5jpFpSpXpxQ/A3XWAhQ=">>
13:41:19.512 [debug] sent req #Ref<0.1886618380.3017015297.249224> to 1 KDCs via udp
13:41:19.545 [debug] sent req #Ref<0.1886618380.3017015298.257342> to 1 KDCs via udp
13:41:19.588 [debug] sent req #Ref<0.1886618380.3017015297.249272> to 1 KDCs via tcp
13:41:19.662 [debug] terminating from auth due to {badmatch,{'PrincipalName',1,["redactedusername"]}}
13:41:19.662 [error] gen_statem <0.1230.0> in state auth terminated with reason: no match of right hand value {'PrincipalName',1,["redactedusername"]} in state_functions
13:41:19.662 [error] CRASH REPORT Process <0.1230.0> with 12 neighbours crashed with reason: no match of right hand value {'PrincipalName',1,["redactedusername"]} in krb_proto:ticket_from_rep/2 line 108
13:41:19.663 [error] Supervisor krb_realm_sup had child krb_realm started with krb_realm:start_link("REDACTED.KERBEROS.REALM") at <0.1218.0> exit with reason no match of right hand value {'PrincipalName',1,["redactedusername"]} in krb_proto:ticket_from_rep/2 line 108 in context child_terminated
13:41:19.663 [debug] ui_fsm dying from state check_login due to {{{badmatch,{'PrincipalName',1,["redactedusername"]}},[{krb_proto,ticket_from_rep,2,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_proto.erl"},{line,108}]},{krb_auth_fsm,auth,3,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_auth_fsm.erl"},{line,289}]},{gen_statem,loop_state_callback,11,[{file,"gen_statem.erl"},{line,3735}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,329}]}]},{gen_server,call,[<0.1218.0>,{authenticate,[<<"redactedusername">>],<<"redactedpassword">>,#{}},infinity]}}
13:41:19.663 [error] Supervisor krb_realm_sup had child krb_realm started with krb_realm:start_link("REDACTED.KERBEROS.REALM") at <0.1218.0> exit with reason reached_max_restart_intensity in context shutdown
13:41:19.663 [error] Supervisor krb_sup had child krb_realm_sup started with krb_realm_sup:start_link() at <0.1208.0> exit with reason shutdown in context child_terminated
13:41:19.663 [debug] ui_fsm for frontend <0.1113.0>
13:41:19.665 [error] gen_statem <0.1210.0> in state check_login terminated with reason: {{{{badmatch,{'PrincipalName',1,["redactedusername"]}},[{krb_proto,ticket_from_rep,2,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_proto.erl"},{line,108}]},{krb_auth_fsm,auth,3,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_auth_fsm.erl"},{line,289}]},{gen_statem,loop_state_callback,11,[{file,"gen_statem.erl"},{line,3735}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,329}]}]},{gen_server,call,[<0.1218.0>,{authenticate,...},...]}},...}
13:41:19.666 [error] CRASH REPORT Process <0.1210.0> with 0 neighbours exited with reason: {{{badmatch,{'PrincipalName',1,["redactedusername"]}},[{krb_proto,ticket_from_rep,2,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_proto.erl"},{line,108}]},{krb_auth_fsm,auth,3,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_auth_fsm.erl"},{line,289}]},{gen_statem,loop_state_callback,11,[{file,"gen_statem.erl"},{line,3735}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,329}]}]},{gen_server,call,[<0.1218.0>,{authenticate,[...],...},...]}} in gen_server:call/3 line 1222
13:41:19.667 [error] Supervisor ui_fsm_sup had child undefined started with ui_fsm:start_link({<0.1113.0>,{state,#Port<0.8>,#Port<0.9>,rdp_lvgl_server,[{frontend,[default]}],{rdp_lvgl_server,...},...}}, default, #Ref<0.1886618380.3017146370.237224>, {1400,1052}) at <0.1210.0> exit with reason {{{badmatch,{'PrincipalName',1,["redactedusername"]}},[{krb_proto,ticket_from_rep,2,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_proto.erl"},{line,108}]},{krb_auth_fsm,auth,3,[{file,"/home/redactedusername/Projekty/rdpproxy/_build/default/lib/kerlberos/src/krb_auth_fsm.erl"},{line,289}]},{gen_statem,loop_state_callback,11,[{file,"gen_statem.erl"},{line,3735}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,329}]}]},{gen_server,call,[<0.1218.0>,{authenticate,[...],...},...]}} in context child_terminated

I'm build it and running on Arch Linux, the Kerberos realm is a set of Samba 4 DCs. Can you give me some pointers, how to debug it further? Thanks!

[lchanouha]

Hello
I have the same error, looks like a regression because it worked on my version built on May 2024 and doesn't anymore with updated repo with same configuration
L.

[arekinath]

Can you double-check the version of the kerlberos library that your release was built with please? There was a related fix in kerlberos 2.0.2 which normalises all the principal names to UTF-8 for comparison which I believe should resolve this. You might need a rebar3 upgrade -a (and we should probably bump the minimum dep version in rebar.config)