Previously, an SELinux rule allowing the System Security Services Daemon (SSSD) to update the /etc/krb5.keytab file was missing. Consequently, when running SELinux in enforcing mode, the adcli tool was not able to write the latest host principal to /etc/krb5.keytab. The missing policy rule has been added, and SSSD adcli no longer fails to update /etc/krb5.keytab when running SELinux in enforcing mode.
DescriptionNiranjan Mallapadi Raghavender
2016-07-13 11:27:25 UTC
Description of problem:
adcli fails to update /etc/krb5.keytab for keytab renewal when machine password expires in AD.
sssd-1.14.0-3.el7 has the capability to renew machine password and rotate /etc/krb5.keytab containing the host principal for the client joined to AD.
sssd calls adcli which tries to update /etc/krb5.keytab file with latest host principal . Currently adcli fails because selinux policy
Below is the AVC Message:
type=AVC msg=audit(1468570744.650:367): avc: denied { write } for pid=29020 comm="adcli" name="krb5.keytab" dev="dm-0" ino=34463180 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1468570744.650:367): arch=c000003e syscall=2 success=no exit=-13 a0=7f6959d03a70 a1=2 a2=1b6 a3=24 items=0 ppid=29007 pid=29020 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="adcli" exe="/usr/sbin/adcli" subj=system_u:system_r:sssd_t:s0 key=(null)
Version-Release number of selected component (if applicable):
adcli-0.8.1-1.el7.x86_64
libselinux-utils-2.5-4.el7.x86_64
libselinux-2.5-4.el7.x86_64
libselinux-python-2.5-4.el7.x86_64
selinux-policy-targeted-3.13.1-85.el7.noarch
selinux-policy-3.13.1-85.el7.noarch
sssd-1.14.0-3.el7.x86_64
How reproducible:
1.On RHEL7.3 system install sssd-1.14.0-3
2.Join the system to Active Directory using net ads join -k
3.Create a keytab using net ads keytab create -k
4. Modify sssd.conf to use ad provider
<sssd.conf>
[sssd]
config_file_version = 2
domains = winpki1.testpki.test
services = nss, pam
[domain/winpki1.testpki.test]
id_provider = ad
auth_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
use_fully_qualified_names = True
ad_maximum_machine_account_password_age = 1
ad_machine_account_password_renewal_opts = 300:15
debug_level = 9
enumerate = true
</sssd.conf>
5. set the ad_maximum_machine_account_password_age = 1 and Modify system date to 1 day ahead (both client and the AD).
6.Restart sssd to enable renewal of Machine password. this fails with below error message:
Actual results:
* Found realm in keytab: SSSDAD2012R2.COM
* Found service principal in keytab: host/vm-idm-015.lab.eng.pnq.redhat.com
* Found host qualified name in keytab: host/vm-idm-015.lab.eng.pnq.redhat.com
* Found service principal in keytab: host/VM-IDM-015
* Found computer name in keytab: VM-IDM-015
* Using fully qualified name: vm-idm-015.lab.eng.pnq.redhat.com
* Using domain name: sssdad2012r2.com
* Calculated computer account name from fqdn: VM-IDM-015
* Using domain realm: sssdad2012r2.com
* Sending netlogon pings to domain controller: cldap://10.65.206.76
* Received NetLogon info from: jetfire.sssdad2012r2.com
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-cAjnzt/krb5.d/adcli-krb5-conf-59JZXd
* Authenticated as default/reset computer account: VM-IDM-015
* Looked up short domain name: SSSDAD2012R2
* Using fully qualified name: vm-idm-015.lab.eng.pnq.redhat.com
* Using domain name: sssdad2012r2.com
* Using computer account name: VM-IDM-015
* Using domain realm: sssdad2012r2.com
* Using fully qualified name: vm-idm-015.lab.eng.pnq.redhat.com
* Enrolling computer name: VM-IDM-015
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Found computer account for VM-IDM-015$ at: CN=VM-IDM-015,CN=Computers,DC=sssdad2012r2,DC=com
* Retrieved kvno '2' for computer account in directory: CN=VM-IDM-015,CN=Computers,DC=sssdad2012r2,DC=com
* Changed computer password
* kvno incremented to 3
* Modifying computer account: userAccountControl
! Couldn't set userAccountControl on computer account: CN=VM-IDM-015,CN=Computers,DC=sssdad2012r2,DC=com: Insufficient access
* Updated existing computer account: CN=VM-IDM-015,CN=Computers,DC=sssdad2012r2,DC=com
* Discovered which keytab salt to use
! Couldn't add keytab entries: FILE:/etc/krb5.keytab: Permission denied
adcli: updating membership with domain sssdad2012r2.com failed: Couldn't add keytab entries: FILE:/etc/krb5.keytab: Permission denied
Expected results:
adcli should be able to update /etc/krb5.keytab
Additional info:
[root@vm-idm-015 ~]# ls -lZ /etc/krb5.keytab
-rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab
When set to permissive, adcli is able to update /etc/krb5.keytab
selinux denial messages when set in permissive mode:
type=AVC msg=audit(1468582002.904:1977): avc: denied { write } for pid=2920 comm="adcli" name="krb5.keytab" dev="dm-0" ino=34465601 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1468582002.904:1977): arch=c000003e syscall=2 success=yes exit=9 a0=7fe5ac187fa0 a1=2 a2=1b6 a3=24 items=0 ppid=2907 pid=2920 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="adcli" exe="/usr/sbin/adcli" subj=system_u:system_r:sssd_t:s0 key=(null)
Comment 1Niranjan Mallapadi Raghavender
2016-07-13 11:28:39 UTC
This feature was added in RHEL6.8 and similar bug was found in selinux policy in RHEL6.8 which was fixed, i think the fix should be ported to RHEL7.3 also.
Refer:https://bugzilla.redhat.com/show_bug.cgi?id=1308911
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-2283.html
Description of problem: adcli fails to update /etc/krb5.keytab for keytab renewal when machine password expires in AD. sssd-1.14.0-3.el7 has the capability to renew machine password and rotate /etc/krb5.keytab containing the host principal for the client joined to AD. sssd calls adcli which tries to update /etc/krb5.keytab file with latest host principal . Currently adcli fails because selinux policy Below is the AVC Message: type=AVC msg=audit(1468570744.650:367): avc: denied { write } for pid=29020 comm="adcli" name="krb5.keytab" dev="dm-0" ino=34463180 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file type=SYSCALL msg=audit(1468570744.650:367): arch=c000003e syscall=2 success=no exit=-13 a0=7f6959d03a70 a1=2 a2=1b6 a3=24 items=0 ppid=29007 pid=29020 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="adcli" exe="/usr/sbin/adcli" subj=system_u:system_r:sssd_t:s0 key=(null) Version-Release number of selected component (if applicable): adcli-0.8.1-1.el7.x86_64 libselinux-utils-2.5-4.el7.x86_64 libselinux-2.5-4.el7.x86_64 libselinux-python-2.5-4.el7.x86_64 selinux-policy-targeted-3.13.1-85.el7.noarch selinux-policy-3.13.1-85.el7.noarch sssd-1.14.0-3.el7.x86_64 How reproducible: 1.On RHEL7.3 system install sssd-1.14.0-3 2.Join the system to Active Directory using net ads join -k 3.Create a keytab using net ads keytab create -k 4. Modify sssd.conf to use ad provider <sssd.conf> [sssd] config_file_version = 2 domains = winpki1.testpki.test services = nss, pam [domain/winpki1.testpki.test] id_provider = ad auth_provider = ad access_provider = ad default_shell = /bin/bash fallback_homedir = /home/%d/%u use_fully_qualified_names = True ad_maximum_machine_account_password_age = 1 ad_machine_account_password_renewal_opts = 300:15 debug_level = 9 enumerate = true </sssd.conf> 5. set the ad_maximum_machine_account_password_age = 1 and Modify system date to 1 day ahead (both client and the AD). 6.Restart sssd to enable renewal of Machine password. this fails with below error message: Actual results: * Found realm in keytab: SSSDAD2012R2.COM * Found service principal in keytab: host/vm-idm-015.lab.eng.pnq.redhat.com * Found host qualified name in keytab: host/vm-idm-015.lab.eng.pnq.redhat.com * Found service principal in keytab: host/VM-IDM-015 * Found computer name in keytab: VM-IDM-015 * Using fully qualified name: vm-idm-015.lab.eng.pnq.redhat.com * Using domain name: sssdad2012r2.com * Calculated computer account name from fqdn: VM-IDM-015 * Using domain realm: sssdad2012r2.com * Sending netlogon pings to domain controller: cldap://10.65.206.76 * Received NetLogon info from: jetfire.sssdad2012r2.com * Wrote out krb5.conf snippet to /tmp/adcli-krb5-cAjnzt/krb5.d/adcli-krb5-conf-59JZXd * Authenticated as default/reset computer account: VM-IDM-015 * Looked up short domain name: SSSDAD2012R2 * Using fully qualified name: vm-idm-015.lab.eng.pnq.redhat.com * Using domain name: sssdad2012r2.com * Using computer account name: VM-IDM-015 * Using domain realm: sssdad2012r2.com * Using fully qualified name: vm-idm-015.lab.eng.pnq.redhat.com * Enrolling computer name: VM-IDM-015 * Generated 120 character computer password * Using keytab: FILE:/etc/krb5.keytab * Found computer account for VM-IDM-015$ at: CN=VM-IDM-015,CN=Computers,DC=sssdad2012r2,DC=com * Retrieved kvno '2' for computer account in directory: CN=VM-IDM-015,CN=Computers,DC=sssdad2012r2,DC=com * Changed computer password * kvno incremented to 3 * Modifying computer account: userAccountControl ! Couldn't set userAccountControl on computer account: CN=VM-IDM-015,CN=Computers,DC=sssdad2012r2,DC=com: Insufficient access * Updated existing computer account: CN=VM-IDM-015,CN=Computers,DC=sssdad2012r2,DC=com * Discovered which keytab salt to use ! Couldn't add keytab entries: FILE:/etc/krb5.keytab: Permission denied adcli: updating membership with domain sssdad2012r2.com failed: Couldn't add keytab entries: FILE:/etc/krb5.keytab: Permission denied Expected results: adcli should be able to update /etc/krb5.keytab Additional info: [root@vm-idm-015 ~]# ls -lZ /etc/krb5.keytab -rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab When set to permissive, adcli is able to update /etc/krb5.keytab selinux denial messages when set in permissive mode: type=AVC msg=audit(1468582002.904:1977): avc: denied { write } for pid=2920 comm="adcli" name="krb5.keytab" dev="dm-0" ino=34465601 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file type=SYSCALL msg=audit(1468582002.904:1977): arch=c000003e syscall=2 success=yes exit=9 a0=7fe5ac187fa0 a1=2 a2=1b6 a3=24 items=0 ppid=2907 pid=2920 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="adcli" exe="/usr/sbin/adcli" subj=system_u:system_r:sssd_t:s0 key=(null)