Bug 1035494

Summary: | Unable to add Kerberos principal via kadmin.local | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Matt Bryant <matthew.bryant> |
Component: | ipa | Assignee: | Martin Kosek <mkosek> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | low | Docs Contact: | |
Priority: | medium | | |
Version: | 7.0 | CC: | abokovoy, dpal, mkosek, rcritten, spoore, ssorce |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | ipa-4.2.0-0.1.alpha1.el7 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-11-19 12:00:30 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description

Matt Bryant 2013-11-27 22:25:50 UTC

Simo, can you please advise? We need to allow the creation of cross-realm TGTs so that users can create MIT trusts even though we do not have official support yet.

The kdb layer needs to be changed to allow adding principals of the form krbtgt/REALM1@REALM2. Currently we deny all add operations unless a special command line variable is passed in to the command line utility; we need a little bit more discretion, and probably only deny principals in our own domain that are not of the form krbtgt/something.

Thanks for the info, makes sense. I will open an upstream ticket.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4059

At this point, we do not plan to add CLI/UI for such principals until we get into implementing trusts between IPA and a general Kerberos realm. However, we are not there yet; IPA-AD or IPA-IPA trusts are more important. Please feel free to watch or file related RFEs for this major work.

To work around this until the official support is added:

```
# kinit admin
# kadmin.local -q 'addprinc -randkey krbtgt/OTHER-REALM.TEST.TEST' -x ipa-setup-override-restrictions
# kadmin.local -q 'ktadd -k /tmp/realm.keytab krbtgt/OTHER-REALM.TEST.TEST' -x ipa-setup-override-restrictions
```

This will get you the keytab. This part works also on RHEL-6. However, to get proper CA Paths delegation, you need to use the FreeIPA 4.1.3 release, which added this fix: https://fedorahosted.org/freeipa/ticket/4791

Note that there is an RFE for the proper support of trust with a Kerberos realm: https://fedorahosted.org/freeipa/ticket/4917

You can track this request in the upstream Trac if you are interested in this work.

What should work here? Just comment #6 with the ipa-setup-override-restrictions option? Was something changed to support the original use stated? Thanks

Martin, what was modified here for this bug? Anything? Is it necessary to test this with another actual Kerberos realm, or can this be verified without that?
What I see with the workaround from comment #6:

```
[root@rhel7-1 ~]# kinit admin
Password for admin:
[root@rhel7-1 ~]# kadmin.local -q 'addprinc -randkey krbtgt/OTHER-REALM.TEST' -x ipa-setup-override-restrictions
Authenticating as principal admin/admin with password.
WARNING: no policy specified for krbtgt/OTHER-REALM.TEST; defaulting to no policy
Principal "krbtgt/OTHER-REALM.TEST" created.
[root@rhel7-1 ~]# kadmin.local -q 'ktadd -k /tmp/realm.keytab krbtgt/OTHER-REALM.TEST' -x ipa-setup-override-restrictions
Authenticating as principal admin/admin with password.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/realm.keytab.
[root@rhel7-1 ~]# klist -ket /tmp/realm.keytab
Keytab name: FILE:/tmp/realm.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/11/2015 12:49:46 krbtgt/OTHER-REALM.TEST (aes256-cts-hmac-sha1-96)
   2 10/11/2015 12:49:46 krbtgt/OTHER-REALM.TEST (aes128-cts-hmac-sha1-96)
   2 10/11/2015 12:49:46 krbtgt/OTHER-REALM.TEST (des3-cbc-sha1)
   2 10/11/2015 12:49:46 krbtgt/OTHER-REALM.TEST (arcfour-hmac)
   2 10/11/2015 12:49:46 krbtgt/OTHER-REALM.TEST (camellia128-cts-cmac)
   2 10/11/2015 12:49:46 krbtgt/OTHER-REALM.TEST (camellia256-cts-cmac)
[root@rhel7-1 ~]#
```

But I have nothing in krb5.conf pointing to OTHER-REALM.TEST. So, is this a valid verification?

Thanks,
Scott

FYI, I set up a KDC for OTHER-REALM.TEST, added it to the IPA server's krb5.conf and got the same results.

I also tried without the ipa-setup-override-restrictions option:

```
[root@rhel7-1 ~]# kadmin.local -q 'addprinc -randkey krbtgt/OTHER-REALM.TEST'
Authenticating as principal admin/admin with password.
WARNING: no policy specified for krbtgt/OTHER-REALM.TEST; defaulting to no policy
add_principal: Principal or policy already exists while creating "krbtgt/OTHER-REALM.TEST".
[root@rhel7-1 ~]# kadmin.local -q 'ktadd -k /tmp/realm.keytab krbtgt/OTHER-REALM.TEST'
Authenticating as principal admin/admin with password.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 5, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 5, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 5, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 5, encryption type arcfour-hmac added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 5, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/realm.keytab.
Entry for principal krbtgt/OTHER-REALM.TEST with kvno 5, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/realm.keytab.
[root@rhel7-1 ~]# klist -ket /tmp/realm.keytab
Keytab name: FILE:/tmp/realm.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 10/11/2015 13:17:29 krbtgt/OTHER-REALM.TEST (aes256-cts-hmac-sha1-96)
   5 10/11/2015 13:17:29 krbtgt/OTHER-REALM.TEST (aes128-cts-hmac-sha1-96)
   5 10/11/2015 13:17:29 krbtgt/OTHER-REALM.TEST (des3-cbc-sha1)
   5 10/11/2015 13:17:29 krbtgt/OTHER-REALM.TEST (arcfour-hmac)
   5 10/11/2015 13:17:29 krbtgt/OTHER-REALM.TEST (camellia128-cts-cmac)
   5 10/11/2015 13:17:29 krbtgt/OTHER-REALM.TEST (camellia256-cts-cmac)
[root@rhel7-1 ~]#
```

Alexander, can you please advise?

Scott, you need to create the cross-realm TGT principal using the -x ipa-setup-override-restrictions option to even allow creating the principal. You also need to create the cross-realm TGT principal in the other realm, with the same password. Writing out the keytab is not really needed. Then you need to configure krb5.conf on both sides to allow either side to discover the other via DNS service records (for both realm and KDC), or explicitly define realm/domain configurations on both sides. You will also need to add [capaths] entries to make sure both realms trust each other explicitly. Once you do that, you can kinit as a user from one realm and try to use 'kvno' to obtain a ticket for a principal from the other realm. Running klist will then show you that a cross-realm TGT was obtained as well. Basically, if kvno works, you have verified it.

Alexander, can you confirm I've got my realms configured properly, and that the test below is correct? Do I need capaths entries for both domains in both krb5.conf's, or just the local one in each with a reference to the remote?
Or do I have that entry totally wrong? This seemed to work, but I want to make sure I'm doing this correctly.

Thanks,
Scott

```
###################################################################
##### IPA Master for EXAMPLE.COM
###################################################################
[root@rhel7-1 ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = rhel7-1.example.com:88
  master_kdc = rhel7-1.example.com:88
  admin_server = rhel7-1.example.com:749
  default_domain = example.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
 OTHER-REALM.TEST = {
  kdc = kerberos.other-realm.test
  admin_server = kerberos.other-realm.test
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 .other-realm.test = OTHER-REALM.TEST
 other-realm.test = OTHER-REALM.TEST

[dbmodules]
 EXAMPLE.COM = {
  db_library = ipadb.so
 }

[capaths]
 EXAMPLE.COM = {
  OTHER-REALM.TEST = .
 }
```

```
###################################################################
##### Standalone KDC for OTHER-REALM.TEST
###################################################################
[root@kerberos ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = OTHER-REALM.TEST
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 OTHER-REALM.TEST = {
  kdc = kerberos.other-realm.test
  admin_server = kerberos.other-realm.test
 }
 EXAMPLE.COM = {
  kdc = rhel7-1.example.com:88
  master_kdc = rhel7-1.example.com:88
  admin_server = rhel7-1.example.com:749
  default_domain = example.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .other-realm.test = OTHER-REALM.TEST
 other-realm.test = OTHER-REALM.TEST
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[capaths]
 OTHER-REALM.TEST = {
  EXAMPLE.COM = .
 }
```

```
###################################################################
##### Testing on IPA master for EXAMPLE.COM
###################################################################
[root@rhel7-1 ~]# kadmin.local -q 'add_principal -pw T3stPa55 krbtgt/OTHER-REALM.TEST' -x ipa-setup-override-restrictions
Authenticating as principal admin/admin with password.
WARNING: no policy specified for krbtgt/OTHER-REALM.TEST; defaulting to no policy
Principal "krbtgt/OTHER-REALM.TEST" created.
[root@rhel7-1 ~]# kinit krbtgt/OTHER-REALM.TEST
Password for krbtgt/OTHER-REALM.TEST:
[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_A4Gs4bH
Default principal: krbtgt/OTHER-REALM.TEST

Valid starting       Expires              Service principal
10/13/2015 08:12:43  10/14/2015 08:12:34  krbtgt/OTHER-REALM.TEST
10/13/2015 08:12:37  10/14/2015 08:12:34  krbtgt/EXAMPLE.COM
[root@rhel7-1 ~]# kvno krbtgt/OTHER-REALM.TEST
krbtgt/OTHER-REALM.TEST: kvno = 1
```

```
###################################################################
##### Testing on standalone KDC for OTHER-REALM.TEST
###################################################################
[root@kerberos ~]# kadmin.local -q 'add_principal -pw T3stPa55 krbtgt/OTHER-REALM.TEST'
Authenticating as principal root/admin with password.
WARNING: no policy specified for krbtgt/OTHER-REALM.TEST; defaulting to no policy
Principal "krbtgt/OTHER-REALM.TEST" created.
[root@kerberos ~]# kinit krbtgt/OTHER-REALM.TEST
Password for krbtgt/OTHER-REALM.TEST:
[root@kerberos ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: krbtgt/OTHER-REALM.TEST

Valid starting       Expires              Service principal
10/13/2015 08:11:58  10/14/2015 08:11:54  krbtgt/EXAMPLE.COM
	renew until 10/20/2015 08:11:54
[root@kerberos ~]# kvno krbtgt/OTHER-REALM.TEST
krbtgt/OTHER-REALM.TEST: kvno = 1
```

You have not really asked the other realm to issue a ticket for you. Kinit as some principal in OTHER-REALM.TEST (admin, for example), then kvno for HTTP/ipa.master.

Verified.

Version ::
ipa-server-4.2.0-14.el7.x86_64
krb5-server-1.13.2-10.el7.x86_64

Results ::
No changes to krb5.conf on either host, so see comment #14 for config settings.
```
###################################################################
##### on IPA master for EXAMPLE.COM
###################################################################
[root@rhel7-1 ~]# kadmin.local -q 'add_principal -requires_preauth -pw T3stPa55 krbtgt/OTHER-REALM.TEST' \
> -x ipa-setup-override-restrictions
Authenticating as principal root/admin with password.
WARNING: no policy specified for krbtgt/OTHER-REALM.TEST; defaulting to no policy
Principal "krbtgt/OTHER-REALM.TEST" created.
[root@rhel7-1 ~]# kadmin.local -q 'add_principal -requires_preauth -pw T3stPa55 krbtgt/EXAMPLE.COM' \
> -x ipa-setup-override-restrictions
Authenticating as principal root/admin with password.
WARNING: no policy specified for krbtgt/EXAMPLE.COM; defaulting to no policy
Principal "krbtgt/EXAMPLE.COM" created.
[root@rhel7-1 ~]# klist
klist: Credentials cache keyring 'persistent:0:krb_ccache_A4Gs4bH' not found
[root@rhel7-1 ~]# klist -f
klist: Credentials cache keyring 'persistent:0:krb_ccache_A4Gs4bH' not found
```

```
###################################################################
##### on Kerberos server for OTHER-REALM.TEST
###################################################################
[root@kerberos ~]# kadmin.local -q 'add_principal -requires_preauth -pw T3stPa55 krbtgt/OTHER-REALM.TEST'
Authenticating as principal john/admin with password.
WARNING: no policy specified for krbtgt/OTHER-REALM.TEST; defaulting to no policy
Principal "krbtgt/OTHER-REALM.TEST" created.
[root@kerberos ~]# kadmin.local -q 'add_principal -requires_preauth -pw T3stPa55 krbtgt/EXAMPLE.COM'
Authenticating as principal john/admin with password.
WARNING: no policy specified for krbtgt/EXAMPLE.COM; defaulting to no policy
Principal "krbtgt/EXAMPLE.COM" created.
[root@kerberos ~]# kadmin.local -q 'add_principal +requires_preauth -pw Secret123 test/admin'
Authenticating as principal john/admin with password.
WARNING: no policy specified for test/admin; defaulting to no policy
Principal "test/admin" created.
```

```
###################################################################
##### on IPA master for EXAMPLE.COM
###################################################################
[root@rhel7-1 ~]# kinit test/admin
Password for test/admin:
[root@rhel7-1 ~]# klist -f
Ticket cache: KEYRING:persistent:0:krb_ccache_A4Gs4bH
Default principal: test/admin

Valid starting       Expires              Service principal
10/13/2015 12:51:06  10/14/2015 12:51:05  krbtgt/OTHER-REALM.TEST
	Flags: FIA
[root@rhel7-1 ~]# kvno -S HTTP $(hostname)
HTTP/rhel7-1.example.com: kvno = 2
[root@rhel7-1 ~]# klist -f
Ticket cache: KEYRING:persistent:0:krb_ccache_A4Gs4bH
Default principal: test/admin

Valid starting       Expires              Service principal
10/13/2015 12:51:44  10/14/2015 12:51:05  HTTP/rhel7-1.example.com
	Flags: FAT
10/13/2015 12:51:44  10/14/2015 12:51:05  krbtgt/EXAMPLE.COM
	Flags: FAT
10/13/2015 12:51:06  10/14/2015 12:51:05  krbtgt/OTHER-REALM.TEST
	Flags: FIA
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
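As an added example, not part of the bug thread: a small audit of the explicit (non-DNS) cross-realm settings the thread asks about, run over two constructed krb5.conf fragments modelled on the files in comment #14. `parse_krb5_conf` and `cross_realm_gaps` are names chosen here; the KDC-side sample is deliberately missing its [domain_realm] and [capaths] sections so the audit has something to report.

```python
# Constructed krb5.conf fragments modelled on comment #14; the KDC side deliberately lacks [domain_realm] and [capaths].
IPA_CONF = """[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 OTHER-REALM.TEST = {
  kdc = kerberos.other-realm.test
 }
[domain_realm]
 .other-realm.test = OTHER-REALM.TEST
[capaths]
 EXAMPLE.COM = {
  OTHER-REALM.TEST = .
 }"""
KDC_CONF = """[libdefaults]
 default_realm = OTHER-REALM.TEST
[realms]
 EXAMPLE.COM = {
  kdc = rhel7-1.example.com:88
 }"""

def parse_krb5_conf(text):
    """Parse [section] / key = value / REALM = { ... } blocks into nested dicts."""
    conf, section, block = {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith(('#', 'includedir')):
            continue
        if line.startswith('['):                    # new [section]
            section, block = conf.setdefault(line.strip('[]'), {}), None
        elif line == '}':                           # closes a REALM = { ... } block
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def cross_realm_gaps(conf, peer):
    """What this host's config still lacks to reach `peer` over a direct (.) capath."""
    local, gaps = conf.get('libdefaults', {}).get('default_realm'), []
    if peer not in conf.get('realms', {}):
        gaps.append(f'[realms] does not define {peer}')
    if peer not in conf.get('domain_realm', {}).values():
        gaps.append(f'[domain_realm] maps no domain to {peer}')
    if conf.get('capaths', {}).get(local, {}).get(peer) != '.':
        gaps.append(f'[capaths] {local} has no direct path (.) to {peer}')
    return gaps
```

Run `cross_realm_gaps(parse_krb5_conf(text), peer)` for each side; an empty list means the realm, domain mapping and direct capath are all present, which is the state both hosts in comment #14 are in.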