Bug 1117306

Summary: [RFE] Allow multiple Principals per host entry (Kerberos aliases)
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: jcholast, ksiddiqu, mbabinsk, mbasti, pvoborni, rcritten, xdong
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.4.0-4.el7 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 05:44:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dmitri Pal 2014-07-08 13:17:11 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4421

{{{
# ipa host-mod `hostname` --addattr krbcanonicalname=host/`hostname`@T.VDA.LI --addattr 'krbprincipalname=IPA-01$@T.VDA.LI'
ipa: ERROR: krbprincipalname: Only one value allowed.
}}}

krbPrincipalName is multi-valued attribute; if multiple values present, krbCanonicalName attribute must be present and it should contain canonical version of the principal name.

This is critical issue for trusts going forward for file sharing as by default AD attempts to use NetBIOS name as a principal (IPA-01$@REALM, for example).

Comment 2 Petr Vobornik 2016-01-04 18:40:31 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3961

Comment 3 Petr Vobornik 2016-01-04 18:40:41 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3864

Comment 4 Petr Vobornik 2016-06-02 13:43:47 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5927

Comment 11 Jan Cholasta 2016-07-01 11:13:43 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/0ade41abbad324d8c54449f3b1024a7651dc259d

Comment 13 Martin Bašti 2016-07-27 13:32:00 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6099

Comment 14 Martin Babinsky 2016-07-28 07:36:13 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/da2305ddb99ab982c757ab723acc95cda3d2f025

Comment 17 Martin Babinsky 2016-08-22 10:42:29 UTC
1.) create an arbitrary host entry with `ipa host-add --force`:
# ipa host-add host.example.com --force
-----------------------------
Added host "host.example.com"
-----------------------------
Host name: host.example.com
Principal name:
host/host.example.com
Principal alias:
host/host.example.com
Password: False
Keytab: False
Managed by: host.example.com

2.) add host principal alias to the entry:
# ipa host-add-principal host.example.com host/host.example.org
--------------------------------------------
Added new aliases to host "host.example.com"
--------------------------------------------
Host name: host.example.com
Principal alias:
host/host.example.com,
host/host.example.org

3.) request a keytab for the alias:
# ipa-getkeytab -p host/host.example.org -k /root/host.keytab
Keytab successfully retrieved and stored in: /root/host.keytab

4.) kinit as the alias while requesting canonicalization:
# kinit -C -kt /root/host.keytab host/host.example.org

Expected result:

The command in 4.) will succeed and fetch TGT with the canonical principal
name of the host:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_IZzDMoN
Default principal:
host/host.example.com

Valid starting       Expires              Service principal
08/22/2016 12:31:26  08/23/2016 12:31:26
krbtgt/IPA.TEST

Additional steps:

5.) re-kinit as admin:
# kdestroy && kinit admin

6.) remove principal alias from host entry:
# ipa host-remove-principal host.example.com host/host.example.org
--------------------------------------------
Removed aliases from host "host.example.com"
--------------------------------------------
Host name: host.example.com
Principal alias:
host/host.example.com

7.) repeat step 4.) and verify that you get the following error:
# kinit -C -kt /root/host.keytab host/host.example.org
kinit: Client 'host/host.example.org' not found
in Kerberos database while getting initial credentials

Comment 18 Xiyang Dong 2016-08-22 14:09:22 UTC
Verified on ipa-server-4.4.0-7.el7:
1.create an arbitrary host entry with `ipa host-add --force`:
# ipa host-add host.example.com --force
-----------------------------
Added host "host.example.com"
-----------------------------
  Host name: host.example.com
  Principal name: host/host.example.com
  Principal alias: host/host.example.com
  Password: False
  Keytab: False
  Managed by: host.example.com

  Host name: host.example.com
  Principal alias: host/host.example.com@TESTRELM, host/host.example.org@TESTRELM
2.add host principal alias to the entry:
# ipa host-add-principal host.example.com host/host.example.org
--------------------------------------------
Added new aliases to host "host.example.com"
--------------------------------------------
  Host name: host.example.com
  Principal alias: host/host.example.com, host/host.example.org
3.request a keytab for the alias:
# ipa-getkeytab -p host/host.example.org -k /root/host.keytab
Keytab successfully retrieved and stored in: /root/host.keytab
4.kinit as the alias while requesting canonicalization:
# kinit -C -kt /root/host.keytab host/host.example.org
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_Ofh2e8c
Default principal: host/host.example.com

Valid starting       Expires              Service principal
08/22/2016 10:06:25  08/23/2016 10:06:25  krbtgt/TESTRELM.TEST
5.re-kinit as admin:
# kdestroy;kinit admin
Password for admin: 
6.remove principal alias from host entry:
# ipa host-remove-principal host.example.com host/host.example.org
--------------------------------------------
Removed aliases from host "host.example.com"
--------------------------------------------
  Host name: host.example.com
  Principal alias: host/host.example.com
7.repeat step 4.) and verify that you get the following error:
# kinit -C -kt /root/host.keytab host/host.example.org
kinit: Client 'host/host.example.org' not found in Kerberos database while getting initial credentials

Comment 20 errata-xmlrpc 2016-11-04 05:44:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html