Bug 1290761
| Summary: | [RFE] Support Automatic Renewing of Kerberos Host Keytabs |
|---|---|
| Product: | Red Hat Enterprise Linux 6 |
| Reporter: | Jakub Hrozek <jhrozek> |
| Component: | sssd |
| Assignee: | Sumit Bose <sbose> |
| Status: | CLOSED ERRATA |
| QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified |
| Docs Contact: | Aneta Šteflová Petrová <apetrova> |
| Priority: | unspecified |
| Version: | 6.0 |
| CC: | enewland, grajaiya, jhrozek, lslebodn, mkosek, mniranja, mzidek, pbrezina, preichl, sbose, sebastian.gumprich, sgoveas |
| Target Milestone: | rc |
| Keywords: | FutureFeature |
| Target Release: | --- |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Whiteboard: | |
| Fixed In Version: | sssd-1.13.3-8.el6 |
| Doc Type: | Release Note |
| Story Points: | --- |
| Clone Of: | |
| : | 1310877 (view as bug list) |
| Environment: | |
| Last Closed: | 2016-05-10 20:25:41 UTC |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Embargoed: | |
| Bug Depends On: | 1290731 |
| Bug Blocks: | 1310877 |

Doc Text:

SSSD is now able to automatically renew the host credentials of Linux clients joined to AD

Certain Windows utilities can remove hosts from Active Directory (AD) after their password has not been updated for a long time. This is because these utilities consider such clients inactive.

With this feature, the host password of Linux clients joined to AD is regularly updated, which indicates the client is still actively used. As a result, Red Hat Enterprise Linux clients joined to AD are not removed in the described situation.
Description
Jakub Hrozek
2015-12-11 11:28:58 UTC
* master:
  * 8167761a1e1d7575d49babcea45937fc9cd45fdc
  * 7fdec78178440855058be8ca1011e0b1aa45de31
  * 5a7f17aedad34a8618765bc33342c109a6958ab5
  * 5f7cd30c865046a7ea69944f7e07c85b4c43465a
  * e89c2cb5ec77d57ed93952dae08df51738834faf
  * 9dcc7dbf04466cd8cd90aa0bb8acbebef9aca832
* sssd-1-13:
  * 95024cd9a24164cbaf6704aace93e1592edd9733
  * 11271254205e9f7c1caf363be8822b3f9756f061
  * d4844683cbbb6e366afd56e7753adb79c20e93a5
  * 20ed1a2063e0463c9e97870ea4e5e607467b041e
  * 375772251671797fa7ffe47491e7f8a9ac35aa72
  * 831883be77a2c60a44df99798bf4091bf450adb2
Versions:
=========
sssd-1.13.3-15.el6.x86_64
krb5-workstation-1.10.3-55.el6.x86_64
Windows 2008R2 64-bit
Steps on Windows AD
===================
Configure Domain using dcpromo and setup AD REALM for WINPKI1.TESTPKI.TEST
Steps:
=====
1. Configure system authentication to use sssd and krb5
$ authconfig --enablesssd --enablesssdauth --krb5kdc=WIN-Q8VKBEJ7H39.winpki1.testpki.test --krb5adminserver=WIN-Q8VKBEJ7H39.winpki1.testpki.test --krb5realm=WINPKI1.TESTPKI.TEST --enablemkhomedir --updateall
2. Get Administrator credentials
kinit Administrator
3. Join to AD and create keytab
net ads join -U Administrator%Secret123 -k
net ads keytab create -k
<snip>
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = WINPKI1.TESTPKI.TEST
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
WKINPKI1.TESTPKI.TEST = {
kdc = WIN-Q8VKBEJ7H39.winpki1.testpki.test
admin_server = WIN-Q8VKBEJ7H39.winpki1.testpki.test
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
wkinpki1.testpki.test = WKINPKI1.TESTPKI.TEST
.wkinpki1.testpki.test = WKINPKI1.TESTPKI.TEST
winpki1.testpki.test = WINPKI1.TESTPKI.TEST
.winpki1.testpki.test = WINPKI1.TESTPKI.TEST
</snip>
5. Do kinit by using HOST credentials from keytab
klist -k /etc/krb5.keytab
kinit -k DHCP201-182\$@WINPKI1.TESTPKI.TEST
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: DHCP201-182$@WINPKI1.TESTPKI.TEST
Valid starting     Expires            Service principal
02/19/16 17:15:24  02/20/16 03:15:15  krbtgt/WINPKI1.TESTPKI.TEST@WINPKI1.TESTPKI.TEST
	renew until 02/26/16 17:15:24
6. Verify keytab and kvno.
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
<snip from sssd.conf>
cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = winpki1.testpki.test
services = nss, pam
[domain/winpki1.testpki.test]
id_provider = ad
auth_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
use_fully_qualified_names = True
ad_maximum_machine_account_password_age = 1
ad_machine_account_password_renewal_opts = 300:15
debug_level = 9
enumerate = true
</snip>
7. service sssd restart
8. Do ldapsearch using GSSAPI credentials:
ldapsearch -H ldap://WIN-Q8VKBEJ7H39.WINPKI1.TESTPKI.TEST -Y GSSAPI -N -b 'CN=users,dc=winpki1,dc=testpki,dc=test' "(&(objectClass=user))"
SASL/GSSAPI authentication started
SASL username: DHCP201-182$@WINPKI1.TESTPKI.TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <CN=users,dc=winpki1,dc=testpki,dc=test> with scope subtree
# filter: (&(objectClass=user)(sAMAccountName=Administrator))
# requesting: ALL
#
# Administrator, Users, winpki1.testpki.test
dn: CN=Administrator,CN=Users,DC=winpki1,DC=testpki,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
distinguishedName: CN=Administrator,CN=Users,DC=winpki1,DC=testpki,DC=test
instanceType: 4
whenCreated: 20151015064716.0Z
whenChanged: 20160227003812.0Z
uSNCreated: 8196
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=winpki1,DC=testpki,DC=test
memberOf: CN=Domain Admins,CN=Users,DC=winpki1,DC=testpki,DC=test
memberOf: CN=Enterprise Admins,CN=Users,DC=winpki1,DC=testpki,DC=test
memberOf: CN=Schema Admins,CN=Users,DC=winpki1,DC=testpki,DC=test
memberOf: CN=Administrators,CN=Builtin,DC=winpki1,DC=testpki,DC=test
uSNChanged: 24934
name: Administrator
objectGUID:: bl498Y//gkSwJ9p4vFMYjQ==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 131004369631250000
lastLogoff: 0
lastLogon: 131003553875156250
logonHours:: ////////////////////////////
pwdLastSet: 130997685379687500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAxMt6qMi0zmzL6cTl9AEAAA==
adminCount: 1
accountExpires: 0
logonCount: 77
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=winpki1,DC=testpki,DC=test
isCriticalSystemObject: TRUE
dSCorePropagationData: 20151015070419.0Z
dSCorePropagationData: 20151015070419.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 131010070924843750
9. Verify kerberos tickets
[root@dhcp201-182 pam.d]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: DHCP201-182$@WINPKI1.TESTPKI.TEST
Valid starting     Expires            Service principal
02/19/16 17:15:24  02/20/16 03:15:15  krbtgt/WINPKI1.TESTPKI.TEST@WINPKI1.TESTPKI.TEST
	renew until 02/26/16 17:15:24
02/19/16 17:18:52  02/20/16 03:15:15  ldap/win-q8vkbej7h39.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
	renew until 02/26/16 17:15:24
10. Move the system to 1 day ahead in both sssd client and Windows AD
date -s "Fri Feb 19 17:39:59 IST 2016 + 1 day"
11. Restart sssd
service sssd restart
12. Verify keytab gets rotated with both new and old kvno.
[root@dhcp201-182 sssd]# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   3 DHCP201-182$@WINPKI1.TESTPKI.TEST
   3 DHCP201-182$@WINPKI1.TESTPKI.TEST
   3 DHCP201-182$@WINPKI1.TESTPKI.TEST
   3 DHCP201-182$@WINPKI1.TESTPKI.TEST
   3 DHCP201-182$@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182@WINPKI1.TESTPKI.TEST
13. Destroy current Kerberos tickets
$ kdestroy
14. Get a new ticket with host TGT
$ kinit -k DHCP201-182\$@WINPKI1.TESTPKI.TEST
15. Do ldapsearch again
$ ldapsearch -H ldap://WIN-Q8VKBEJ7H39.WINPKI1.TESTPKI.TEST -Y GSSAPI -N -b 'CN=users,dc=winpki1,dc=testpki,dc=test' "(&(objectClass=user)(sAMAccountName=Administrator))"
#
# LDAPv3
# base <CN=users,dc=winpki1,dc=testpki,dc=test> with scope subtree
# filter: (&(objectClass=user)(sAMAccountName=Administrator))
# requesting: ALL
#
# Administrator, Users, winpki1.testpki.test
dn: CN=Administrator,CN=Users,DC=winpki1,DC=testpki,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
distinguishedName: CN=Administrator,CN=Users,DC=winpki1,DC=testpki,DC=test
instanceType: 4
whenCreated: 20151015064716.0Z
whenChanged: 20160227003812.0Z
uSNCreated: 8196
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=winpki1,DC=testpki,DC=test
adcli output from sssd logs:

(Sat Feb 20 17:45:21 2016) [sssd[be[winpki1.testpki.test]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Sat Feb 20 17:45:21 2016) [sssd[be[winpki1.testpki.test]]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
 * Found realm in keytab: WINPKI1.TESTPKI.TEST
 * Found service principal in keytab: host/dhcp201-182.winpki1.testpki.test
 * Found host qualified name in keytab: host/dhcp201-182.winpki1.testpki.test
 * Found service principal in keytab: host/dhcp201-182
 * Found computer name in keytab: DHCP201-182
 * Using fully qualified name: dhcp201-182.winpki1.testpki.test
 * Using domain name: winpki1.testpki.test
 * Calculated computer account name from fqdn: DHCP201-182
 * Using domain realm: winpki1.testpki.test
 * Sending netlogon pings to domain controller: cldap://10.65.201.109
 * Received NetLogon info from: WIN-Q8VKBEJ7H39.winpki1.testpki.test
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-W2SqfY/krb5.d/adcli-krb5-conf-FCF2tV
 * Authenticated as default/reset computer account: DHCP201-182
 * Looked up short domain name: WINPKI1
 * Using fully qualified name: dhcp201-182.winpki1.testpki.test
 * Using domain name: winpki1.testpki.test
 * Using computer account name: DHCP201-182
 * Using domain realm: winpki1.testpki.test
 * Using fully qualified name: dhcp201-182.winpki1.testpki.test
 * Enrolling computer name: DHCP201-182
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for DHCP201-182$ at: CN=dhcp201-182,CN=Computers,DC=winpki1,DC=testpki,DC=test
 * Retrieved kvno '2' for computer account in directory: CN=dhcp201-182,CN=Computers,DC=winpki1,DC=testpki,DC=test
 * Changed computer password
 * kvno incremented to 3
 * Modifying computer account: userAccountControl
 ! Couldn't set userAccountControl on computer account: CN=dhcp201-182,CN=Computers,DC=winpki1,DC=testpki,DC=test: Insufficient access
 * Updated existing computer account: CN=dhcp201-182,CN=Computers,DC=winpki1,DC=testpki,DC=test
 * Discovered which keytab salt to use
 * Added the entries to the keytab: DHCP201-182$@WINPKI1.TESTPKI.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/dhcp201-182@WINPKI1.TESTPKI.TEST: FILE:/etc/krb5.keytab
---adcli output end---

Due to an SELinux issue adcli is unable to update /etc/krb5.keytab, refer to https://bugzilla.redhat.com/show_bug.cgi?id=1308911. If the system is set to permissive mode, adcli is able to update /etc/krb5.keytab.

Used updated selinux-policy version selinux-policy-3.7.19-289.el6.noarch and adcli updates the /etc/krb5.keytab file in enforcing mode.

Based on comments #3, #4, #5 and #6, marking this as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0782.html
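Two checks that fall out of the verification procedure above, written here as an added example in Python; this is not code from sssd, adcli or the bug report. First, whether the machine account password has exceeded `ad_maximum_machine_account_password_age`: AD returns `pwdLastSet` as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), so the conversion is the part worth having in a script, and it is an assumption here that this attribute is what the lifetime check is based on. Second, how to read the `interval:initial_delay` pair in `ad_machine_account_password_renewal_opts`. Third, whether a `klist -k` dump taken after the renewal shows a higher KVNO for every principal while keeping the previous KVNO entries, which is what step 12 expects (tickets issued under the old key must still decrypt). The `klist -k` text is a constructed sample modelled on step 12; the `pwdLastSet` and `lastLogon` values are the ones visible in the ldapsearch output above (they belong to the Administrator object there; a real check reads the computer object).

```python
"""Added example (not sssd/adcli code): verify AD machine-account password renewal.

Checks: (1) is the computer account's pwdLastSet older than the configured
ad_maximum_machine_account_password_age (days)?  (2) does the keytab after the
renewal carry a new KVNO for every principal while retaining the old KVNO, so
tickets issued under the previous key still decrypt?
Assumption: pwdLastSet is the attribute the lifetime check is based on.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100 ns ticks since 1601-01-01 00:00 UTC (how AD returns pwdLastSet).
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME integer to a timezone-aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def renewal_due(pwd_last_set: int, max_age_days: int, now: datetime) -> bool:
    """True when the machine password is at least max_age_days old.

    A max age of 0 disables renewal (sssd option semantics). pwdLastSet == 0
    means AD flags the password as 'must change', so treat that as due.
    """
    if max_age_days == 0:
        return False
    if pwd_last_set == 0:
        return True
    return now - filetime_to_datetime(pwd_last_set) >= timedelta(days=max_age_days)


def parse_renewal_opts(opts: str) -> tuple[int, int]:
    """Split ad_machine_account_password_renewal_opts 'interval:initial_delay' (seconds)."""
    interval, initial_delay = opts.split(":")
    return int(interval), int(initial_delay)


# One data row of `klist -k`: "<kvno> <principal>"; the header and ruler lines do not match.
_KEYTAB_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist_k(text: str) -> dict[str, set[int]]:
    """Map each principal in `klist -k` output to the set of KVNOs it has."""
    kvnos: dict[str, set[int]] = defaultdict(set)
    for line in text.splitlines():
        m = _KEYTAB_ROW.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)


def keytab_rotation(before: str, after: str) -> dict[str, str]:
    """Per-principal verdict comparing `klist -k` output before and after the renewal.

    rotated   : higher KVNO added and every previous KVNO still present
    old-lost  : higher KVNO added but previous entries were dropped
    unchanged : no higher KVNO
    missing   : principal no longer in the keytab
    """
    old, new = parse_klist_k(before), parse_klist_k(after)
    verdict: dict[str, str] = {}
    for princ, old_kvnos in old.items():
        new_kvnos = new.get(princ)
        if not new_kvnos:
            verdict[princ] = "missing"
        elif max(new_kvnos) <= max(old_kvnos):
            verdict[princ] = "unchanged"
        elif old_kvnos <= new_kvnos:
            verdict[princ] = "rotated"
        else:
            verdict[princ] = "old-lost"
    return verdict


# Constructed samples modelled on step 12 (one line per principal; real output
# repeats each principal once per encryption type).
KEYTAB_BEFORE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
"""
KEYTAB_AFTER = KEYTAB_BEFORE + """\
   3 DHCP201-182$@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182@WINPKI1.TESTPKI.TEST
"""

if __name__ == "__main__":
    # pwdLastSet / lastLogon as shown in the ldapsearch output (Administrator object).
    now = filetime_to_datetime(131003553875156250)
    print("due:", renewal_due(130997685379687500, 1, now))
    print("opts:", parse_renewal_opts("300:15"))
    for princ, state in keytab_rotation(KEYTAB_BEFORE, KEYTAB_AFTER).items():
        print(f"{state:9} {princ}")
```

To use it on a live host, capture `klist -k /etc/krb5.keytab` before restarting sssd and again after the renewal task has run, and feed both dumps to `keytab_rotation`; a principal reported as `old-lost` would mean service tickets already issued under the previous key can no longer be decrypted by this host.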