Bug 1035494

Summary: Unable to add Kerberos principal via kadmin.local
Product: Red Hat Enterprise Linux 7 Reporter: Matt Bryant <matthew.bryant>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: low Docs Contact:
Priority: medium    
Version: 7.0CC: abokovoy, dpal, mkosek, rcritten, spoore, ssorce
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.2.0-0.1.alpha1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 12:00:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matt Bryant 2013-11-27 22:25:50 UTC
Description of problem:

Unable to add a krbtgt/OLD-REALM@IPA-REALM via kadmin(.local) to IPA v3. Also seems some functionality such as listpols doesnt work ..

Version-Release number of selected component (if applicable):

ipa-server-3.0.0-26.el6_4.4.x86_64


How reproducible:

Very .. seems to happen all the time ...


Steps to Reproduce:
1. kadmin.local
2. add_principal -pw XXXXXXXXX krbtgt/OLD-REALM@IPA-REALM

3. listpols

Actual results:

for add_pinciple
WARNING: no policy specified for krbtgt/OLD-RELAM@IPA-REALM; defaulting to no policy
add_principal: Invalid argument while creating "krbtgt/OLD-REALM@IPA-REALM".

for listpols

kadmin.local:  listpols
get_policies: Plugin does not support the operation while retrieving list.


Expected results:

The principle should be added to the kerberos database and be able to be retrieved or listed

Additional info:

listprincs / getprincs seem to work ok though. Basically trying to add a principle to see if we can set up a trust between IPA kerberos realm and older kerberos realm.

Comment 2 Martin Kosek 2013-11-28 11:26:18 UTC
Simo, can you please advise?

Comment 3 Simo Sorce 2013-11-28 19:43:55 UTC
We need to allow the creation of cross realm tgts so that users can create MIT trusts even though we do not have official support yet.

The kdb layer needs to be changed to allow adding principals of the form krbtgt/REALM1@REALM2.

Currently we deny all add operations unless a special command line variable is passed in to the command line utility, we need a little bi more discretion, and probably only deny principals in our own domain that are not of the form krbtgt/something.

Comment 4 Martin Kosek 2013-11-29 07:53:07 UTC
Thanks for info, makes sense. I will open an upstream ticket.

Comment 5 Martin Kosek 2013-11-29 09:34:39 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4059

Comment 6 Martin Kosek 2015-02-20 14:37:47 UTC
At this point, we do not plan to add CLI/UI for such principals until we get into implementing trusts between IPA and general Kerberos realm. However, we are not there yet, IPA-AD or IPA-IPA trusts are more important. Please feel free to watch or file related RFEs for this major work.

To workaround until the official support is added:

# kinit admin
# kadmin.local -q 'addprinc -randkey krbtgt/OTHER-REALM.TEST.TEST' -x ipa-setup-override-restrictions
# kadmin.local -q 'ktadd -k /tmp/realm.keytab krbtgt/OTHER-REALM.TEST.TEST' -x ipa-setup-override-restrictions

This will get you the keytab. This part works also on RHEL-6. However, to get proper CA Paths delegation, you need to use on FreeIPA 4.1.3 release which added this fix:

https://fedorahosted.org/freeipa/ticket/4791

Comment 7 Martin Kosek 2015-02-20 15:38:42 UTC
Note that there is a RFE for the proper support of trust with Kerberos realm:

https://fedorahosted.org/freeipa/ticket/4917

You can track this request in the upstream Trac, if you are interested in this work.

Comment 9 Scott Poore 2015-10-06 18:08:32 UTC
What should work here?  Just comment #6 with the ipa-setup-override-restrictions option?

Was something changed to support the original use stated?

Thanks

Comment 10 Scott Poore 2015-10-11 18:02:03 UTC
Martin,

What was modified here for this bug?  Anything?


Is it necessary to test this with another actual Kerberos realm or, can this be verified without that?


What I see with the workaround from comment #6:

[root@rhel7-1 ~]# kinit admin
Password for admin: 

[root@rhel7-1 ~]# kadmin.local -q 'addprinc -randkey krbtgt/OTHER-REALM.TEST' -x ipa-setup-override-restrictions
Authenticating as principal admin/admin with password.
WARNING: no policy specified for krbtgt/OTHER-REALM.TEST; defaulting to no policy
Principal "krbtgt/OTHER-REALM.TEST" created.

[root@rhel7-1 ~]# kadmin.local -q 'ktadd -k /tmp/realm.keytab krbtgt/OTHER-REALM.TEST' -x ipa-setup-override-restrictions
Authenticating as principal admin/admin with password.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/realm.keytab.

[root@rhel7-1 ~]# klist -ket /tmp/realm.keytab
Keytab name: FILE:/tmp/realm.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/11/2015 12:49:46 krbtgt/OTHER-REALM.TEST (aes256-cts-hmac-sha1-96) 
   2 10/11/2015 12:49:46 krbtgt/OTHER-REALM.TEST (aes128-cts-hmac-sha1-96) 
   2 10/11/2015 12:49:46 krbtgt/OTHER-REALM.TEST (des3-cbc-sha1) 
   2 10/11/2015 12:49:46 krbtgt/OTHER-REALM.TEST (arcfour-hmac) 
   2 10/11/2015 12:49:46 krbtgt/OTHER-REALM.TEST (camellia128-cts-cmac) 
   2 10/11/2015 12:49:46 krbtgt/OTHER-REALM.TEST (camellia256-cts-cmac) 
[root@rhel7-1 ~]# 

But, I have nothing in krb5.conf pointing to OTHER-REALM.TEST.  So, is this a valid verification?

Thanks,
Scott

Comment 11 Scott Poore 2015-10-11 18:18:58 UTC
FYI, I setup a KDC for OTHER-REALM.TEST and added to IPA server's krb5.conf and got the same results.

I also tried without the ipa-setup-override-restrictions option:

[root@rhel7-1 ~]# kadmin.local -q 'addprinc -randkey krbtgt/OTHER-REALM.TEST'
Authenticating as principal admin/admin with password.
WARNING: no policy specified for krbtgt/OTHER-REALM.TEST; defaulting to no policy
add_principal: Principal or policy already exists while creating "krbtgt/OTHER-REALM.TEST".

[root@rhel7-1 ~]# kadmin.local -q 'ktadd -k /tmp/realm.keytab krbtgt/OTHER-REALM.TEST' 
Authenticating as principal admin/admin with password.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 5, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 5, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 5, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 5, encryption type arcfour-hmac added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 5, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 5, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/realm.keytab.

[root@rhel7-1 ~]# klist -ket /tmp/realm.keytab
Keytab name: FILE:/tmp/realm.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 10/11/2015 13:17:29 krbtgt/OTHER-REALM.TEST (aes256-cts-hmac-sha1-96) 
   5 10/11/2015 13:17:29 krbtgt/OTHER-REALM.TEST (aes128-cts-hmac-sha1-96) 
   5 10/11/2015 13:17:29 krbtgt/OTHER-REALM.TEST (des3-cbc-sha1) 
   5 10/11/2015 13:17:29 krbtgt/OTHER-REALM.TEST (arcfour-hmac) 
   5 10/11/2015 13:17:29 krbtgt/OTHER-REALM.TEST (camellia128-cts-cmac) 
   5 10/11/2015 13:17:29 krbtgt/OTHER-REALM.TEST (camellia256-cts-cmac) 
[root@rhel7-1 ~]#

Comment 12 Martin Kosek 2015-10-13 06:17:41 UTC
Alexander, can you please advise?

Comment 13 Alexander Bokovoy 2015-10-13 06:35:11 UTC
Scott,

you need to create cross-realm TGT principal using -x ipa-setup-override-restrictions option to even allow creating the principal. 

You also need to create cross-realm TGT principal in the other realm, with the same password.

Writing out keytab is not really needed.

Then you need to configure krb5.conf on both sides to allow either to discover each other via DNS service records (for both realm and KDC) or explicitly define realm/domain configurations on both sides. You also will need to add [capaths] entries to make sure both realms trust each other explicitly.

Once you do that, you can kinit as a user from one realm and try to use 'kvno' to obtain a ticket for a principal from another realm. Then running klist will show you there is a cross-realm TGT obtained as well. Basically, if kvno would work, you have verified it.

Comment 14 Scott Poore 2015-10-13 13:16:03 UTC
Alexander,

Can you confirm I've got my realms configured properly?  And that the test below is correct?

Do I need capaths entries for both domains in both krb5.conf's?  or just the local in each with a reference to the remote?  Or do I have that entry totally wrong?

This seemed to work but, I want to make sure I'm doing this correctly.

Thanks,
Scott

###################################################################
##### IPA Master for EXAMPLE.COM
###################################################################

[root@rhel7-1 ~]# cat /etc/krb5.conf 
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = rhel7-1.example.com:88
  master_kdc = rhel7-1.example.com:88
  admin_server = rhel7-1.example.com:749
  default_domain = example.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

 OTHER-REALM.TEST = {
  kdc = kerberos.other-realm.test
  admin_server = kerberos.other-realm.test
 }


[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 .other-realm.test = OTHER-REALM.TEST
 other-realm.test = OTHER-REALM.TEST


[dbmodules]
  EXAMPLE.COM = {
    db_library = ipadb.so
  }


[capaths]
 EXAMPLE.COM = {
  OTHER-REALM.TEST = .
 }

###################################################################
##### Standalone KDC for OTHER-REALM.TEST
###################################################################

[root@kerberos ~]# cat /etc/krb5.conf 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = OTHER-REALM.TEST
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 OTHER-REALM.TEST = {
  kdc = kerberos.other-realm.test
  admin_server = kerberos.other-realm.test
 }

 EXAMPLE.COM = {
  kdc = rhel7-1.example.com:88
  master_kdc = rhel7-1.example.com:88
  admin_server = rhel7-1.example.com:749
  default_domain = example.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .other-realm.test = OTHER-REALM.TEST
 other-realm.test = OTHER-REALM.TEST
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[capaths]
 OTHER-REALM.TEST = {
  EXAMPLE.COM = .
 }

###################################################################
##### Testing on IPA master for EXAMPLE.COM
###################################################################

[root@rhel7-1 ~]# kadmin.local -q 'add_principal -pw T3stPa55 krbtgt/OTHER-REALM.TEST' -x ipa-setup-override-restrictions
Authenticating as principal admin/admin with password.
WARNING: no policy specified for krbtgt/OTHER-REALM.TEST; defaulting to no policy
Principal "krbtgt/OTHER-REALM.TEST" created.

[root@rhel7-1 ~]# kinit krbtgt/OTHER-REALM.TEST
Password for krbtgt/OTHER-REALM.TEST: 

[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_A4Gs4bH
Default principal: krbtgt/OTHER-REALM.TEST

Valid starting       Expires              Service principal
10/13/2015 08:12:43  10/14/2015 08:12:34  krbtgt/OTHER-REALM.TEST
10/13/2015 08:12:37  10/14/2015 08:12:34  krbtgt/EXAMPLE.COM

[root@rhel7-1 ~]# kvno krbtgt/OTHER-REALM.TEST
krbtgt/OTHER-REALM.TEST: kvno = 1

###################################################################
##### Testing on standalone KDC for OTHER-REALM.TEST
###################################################################

[root@kerberos ~]# kadmin.local -q 'add_principal -pw T3stPa55 krbtgt/OTHER-REALM.TEST' 
Authenticating as principal root/admin with password.
WARNING: no policy specified for krbtgt/OTHER-REALM.TEST; defaulting to no policy
Principal "krbtgt/OTHER-REALM.TEST" created.

[root@kerberos ~]# kinit krbtgt/OTHER-REALM.TEST
Password for krbtgt/OTHER-REALM.TEST: 

[root@kerberos ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: krbtgt/OTHER-REALM.TEST

Valid starting       Expires              Service principal
10/13/2015 08:11:58  10/14/2015 08:11:54  krbtgt/EXAMPLE.COM
	renew until 10/20/2015 08:11:54

[root@kerberos ~]# kvno krbtgt/OTHER-REALM.TEST
krbtgt/OTHER-REALM.TEST: kvno = 1

Comment 15 Alexander Bokovoy 2015-10-13 13:52:37 UTC
You have not really asked the other realm to issue a ticket for you.

Kinit as some principal in the OTHER-REALM.TEST (admin, for example), then kvno for HTTP/ipa.master.

Comment 16 Scott Poore 2015-10-13 18:03:36 UTC
Verified.

Version ::

ipa-server-4.2.0-14.el7.x86_64
krb5-server-1.13.2-10.el7.x86_64

Results ::

No changes to krb5.conf on either host so see comment #14 for config settings.

###################################################################
##### on IPA master for EXAMPLE.COM
###################################################################

[root@rhel7-1 ~]# kadmin.local -q 'add_principal -requires_preauth -pw T3stPa55 krbtgt/OTHER-REALM.TEST' \
>     -x ipa-setup-override-restrictions
Authenticating as principal root/admin with password.
WARNING: no policy specified for krbtgt/OTHER-REALM.TEST; defaulting to no policy
Principal "krbtgt/OTHER-REALM.TEST" created.

[root@rhel7-1 ~]# kadmin.local -q 'add_principal -requires_preauth -pw T3stPa55 krbtgt/EXAMPLE.COM' \
>     -x ipa-setup-override-restrictions
Authenticating as principal root/admin with password.
WARNING: no policy specified for krbtgt/EXAMPLE.COM; defaulting to no policy
Principal "krbtgt/EXAMPLE.COM" created.

[root@rhel7-1 ~]# klist
klist: Credentials cache keyring 'persistent:0:krb_ccache_A4Gs4bH' not found

[root@rhel7-1 ~]# klist -f
klist: Credentials cache keyring 'persistent:0:krb_ccache_A4Gs4bH' not found

###################################################################
##### on Kerberos server for OTHER-REALM.TEST
###################################################################

[root@kerberos ~]# kadmin.local -q 'add_principal -requires_preauth -pw T3stPa55 krbtgt/OTHER-REALM.TEST' 
Authenticating as principal john/admin with password.
WARNING: no policy specified for krbtgt/OTHER-REALM.TEST; defaulting to no policy
Principal "krbtgt/OTHER-REALM.TEST" created.

[root@kerberos ~]# kadmin.local -q 'add_principal -requires_preauth -pw T3stPa55 krbtgt/EXAMPLE.COM' 
Authenticating as principal john/admin with password.
WARNING: no policy specified for krbtgt/EXAMPLE.COM; defaulting to no policy
Principal "krbtgt/EXAMPLE.COM" created.

[root@kerberos ~]# kadmin.local -q 'add_principal +requires_preauth -pw Secret123 test/admin'
Authenticating as principal john/admin with password.
WARNING: no policy specified for test/admin; defaulting to no policy
Principal "test/admin" created.

###################################################################
##### on IPA master for EXAMPLE.COM
###################################################################

[root@rhel7-1 ~]# kinit test/admin
Password for test/admin: 

[root@rhel7-1 ~]# klist -f
Ticket cache: KEYRING:persistent:0:krb_ccache_A4Gs4bH
Default principal: test/admin

Valid starting       Expires              Service principal
10/13/2015 12:51:06  10/14/2015 12:51:05  krbtgt/OTHER-REALM.TEST
	Flags: FIA

[root@rhel7-1 ~]# kvno -S HTTP $(hostname)
HTTP/rhel7-1.example.com: kvno = 2

[root@rhel7-1 ~]# klist -f
Ticket cache: KEYRING:persistent:0:krb_ccache_A4Gs4bH
Default principal: test/admin

Valid starting       Expires              Service principal
10/13/2015 12:51:44  10/14/2015 12:51:05  HTTP/rhel7-1.example.com
	Flags: FAT
10/13/2015 12:51:44  10/14/2015 12:51:05  krbtgt/EXAMPLE.COM
	Flags: FAT
10/13/2015 12:51:06  10/14/2015 12:51:05  krbtgt/OTHER-REALM.TEST
	Flags: FIA

Comment 17 errata-xmlrpc 2015-11-19 12:00:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html