Bug 1438731

Summary: Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT certificates/anchors
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Michal Reznik <mreznik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: jcholast, ksiddiqu, mbasti, ndehadra, pvoborni, rcritten, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-14.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:47:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Verification logs none

Description Petr Vobornik 2017-04-04 10:05:04 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/6831

In order to fully support PKINIT configuration in CA-less deployments, the tools that manipulate 3rd party certificates must be extended to also install PKINIT server certificates and update KDC's PKINIT anchors when 3rd party CA certificates are to be used.
Comment 2 Petr Vobornik 2017-04-04 10:05:33 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6831
Comment 3 Martin Bašti 2017-05-19 10:32:55 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/235265a5f5436148dd8d7e63b7e3928689796560
https://pagure.io/freeipa/c/f0442a2d0ed54abe6567fce6d99fd31f7c6c7883
https://pagure.io/freeipa/c/52730c786f6bb11aa7992b11fa0f5c94c90f9eb8
https://pagure.io/freeipa/c/01a7416d305ddb11d5b83c99afbacf8ba854c148
https://pagure.io/freeipa/c/11b8a3434655932fa73f05d4bd864bed0194035c
https://pagure.io/freeipa/c/4d36cbf6ad412822b8fb029f517f9228e2c8d4ee
https://pagure.io/freeipa/c/f769045f0ae9c5fdc651e03c0c96af9cdec8f298
https://pagure.io/freeipa/c/b9fd123d61fa7adda090c05216906ba0cf4779a9
https://pagure.io/freeipa/c/0c5b2c42bf52dc75ecf9d95036ca8517670877d6
https://pagure.io/freeipa/c/cc572378a69a7e4d18b7297b7fa54e2fe8e33b2f
https://pagure.io/freeipa/c/3b5dbf7cdb4c03260057c8f7a2abd5c5712eca41
https://pagure.io/freeipa/c/b3855704f479eaf122139189b762b943b2dcc0fc
https://pagure.io/freeipa/c/9ea764ecf5c3118df0917d94c4940b4ee38b3a31
https://pagure.io/freeipa/c/96ca62f81d3505b050eb9b9d71d4fc4c18e1535e
Comment 4 Martin Bašti 2017-05-19 10:34:42 UTC 
ipa-4-5:
https://pagure.io/freeipa/c/6338dbe47313a70b93bbf53855db451145d24544
https://pagure.io/freeipa/c/749d504f4335c375cf86bf44814177f03be61b52
https://pagure.io/freeipa/c/e68812331526269f3b556c339f65077f649110d3
https://pagure.io/freeipa/c/16b295c5a8580accfbbab016f3cc4eef0a704163
https://pagure.io/freeipa/c/63c4cbd619f81f16e0c08d3786b69d348c9dcfd7
https://pagure.io/freeipa/c/523a82652e2f95704a07ac25cc829a0782b9e22a
https://pagure.io/freeipa/c/b83ebe0e3ff692de37f28834d09a423d04e6ad68
https://pagure.io/freeipa/c/5cf5395eb51ff5ec8164075a5ee573abe76bc15e
https://pagure.io/freeipa/c/e6497f099c09dfa60bd6ae98e4692e99b7381752
https://pagure.io/freeipa/c/bc8deb118dce93fc380793c75090d9108ce61541
https://pagure.io/freeipa/c/cbdf6693cc8707dda9c1db42fb05dc5b1d70b7af
https://pagure.io/freeipa/c/77ef29ef30086c714025d97328507bd51e3f0421
https://pagure.io/freeipa/c/6f900ec60a426a2b97823d4612949a953fa6d49b
https://pagure.io/freeipa/c/e27b3e139ffff16f6e238ef6f9ff7d2ed02492bc
Comment 9 Michal Reznik 2017-06-09 13:04:52 UTC 
Moving to assigned as verification failed:

ipa-server-4.5.0-16.el7.x86_64
selinux-policy-3.13.1-160.el7.noarch

Followed these steps:

1. install CA-less master without pkinit
2. generate KDC cert signed by different CA
3. issue "ipa-cacert-manage install" to add the CA
4. ipa-certupdate
5. ipa-server-certinstall --kdc ./pkinit-server.p12 --pin XXX
6. kinit -n

When attempting to get the anonymous ticket got:

[root@master ~]# KRB5_TRACE=/dev/stdout kinit -n
[12984] 1496992862.778766: Getting initial credentials for WELLKNOWN/ANONYMOUS
[12984] 1496992862.781603: Sending request (190 bytes) to TESTRELM.TEST
[12984] 1496992862.781775: Initiating TCP connection to stream 192.168.222.10:88
[12984] 1496992862.782014: Sending TCP request to stream 192.168.222.10:88
[12984] 1496992862.785226: Received answer (344 bytes) from stream 192.168.222.10:88
[12984] 1496992862.785236: Terminating TCP connection to stream 192.168.222.10:88
[12984] 1496992862.785312: Response was from master KDC
[12984] 1496992862.785355: Received error from KDC: -1765328359/Additional pre-authentication required
[12984] 1496992862.785401: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[12984] 1496992862.785414: Selected etype info: etype aes256-cts, salt "TESTRELM.TESTWELLKNOWNANONYMOUS", params ""
[12984] 1496992862.785418: Received cookie: MIT
[12984] 1496992862.785448: Preauth module pkinit (147) (info) returned: 0/Success
[12984] 1496992862.785860: PKINIT client computed kdc-req-body checksum 9/146F1085B92F98D4745FD5EFB4DA2FE1EE3E0E65
[12984] 1496992862.785867: PKINIT client making DH request
[12984] 1496992862.811974: Preauth module pkinit (16) (real) returned: 0/Success
[12984] 1496992862.811990: Produced preauth for next request: 133, 16
[12984] 1496992862.812012: Sending request (1453 bytes) to TESTRELM.TEST
[12984] 1496992862.812087: Initiating TCP connection to stream 192.168.222.10:88
[12984] 1496992862.812143: Sending TCP request to stream 192.168.222.10:88
[12984] 1496992862.826079: Received answer (1622 bytes) from stream 192.168.222.10:88
[12984] 1496992862.826093: Terminating TCP connection to stream 192.168.222.10:88
[12984] 1496992862.826143: Response was from master KDC
[12984] 1496992862.826169: Processing preauth types: 17, 19, 147
[12984] 1496992862.826176: Selected etype info: etype aes256-cts, salt "TESTRELM.TESTWELLKNOWNANONYMOUS", params ""
[12984] 1496992862.826191: Preauth module pkinit (147) (info) returned: 0/Success
[12984] 1496992862.826302: PKINIT client could not verify DH reply
[12984] 1496992862.826328: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
kinit: Preauthentication failed while getting initial credentials

After restarting krb5kdc service it works:

[root@master ~]# systemctl restart krb5kdc.service
[root@master ~]# 
[root@master ~]# kinit -n
[root@master ~]# 
[root@master ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
06/09/2017 05:13:30  06/10/2017 05:13:30  krbtgt/TESTRELM.TEST
[root@master ~]# 
[root@master ~]# getenforce
Enforcing
[root@master ~]# ausearch -m avc
<no matches>

However manual restart should not be required obviously.

The issue looks like https://pagure.io/freeipa/issue/7003 however this time are not after an upgrade.
Comment 11 Michal Reznik 2017-06-12 12:18:37 UTC 
Verified on:

ipa-server-4.5.0-16.el7.x86_64
selinux-policy-3.13.1-160.el7.noarch

[root@master ~]# getenforce
Enforcing

Update to comment #9. It turned out that there is currently no restart in "ipa_server_certinstall.py" code. In this case the restart is really expected.
Comment 12 Michal Reznik 2017-06-12 12:19:35 UTC 
Created attachment 1287049 [details]
Verification logs
Comment 13 errata-xmlrpc 2017-08-01 09:47:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304