Bug 1441316

Summary: WebUI cert auth fails after ipa-adtrust-install
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.4
Reporter: Petr Vobornik <pvoborni>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: Scott Poore <spoore>
CC: ksiddiqu, pvoborni, pvomacka, rcritten, spoore, tscherf
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.5.0-6.el7
Last Closed: 2017-08-01 09:48:56 UTC

Description Petr Vobornik 2017-04-11 16:22:57 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6862

IPA 4.5.0-5.el7
gssproxy 0.7.0-3.el7

IPA is configured for WebUI certificate authentication, with a user entry demoCert containing a user certificate delivered by the IPA CA.
Web UI certificate authentication stops working when an AD trust is configured. The web page shows:
    Authentication with personal certificate failed

httpd error_log displays:

    [Tue Apr 11 08:09:33.787693 2017] [auth_gssapi:error] [pid 44111] [client 10.36.116.124:50694] GSS ERROR In S4U2Self: gss_acquire_cred_impersonate_name(): [A required input parameter could not be read, No credentials were supplied, or the credentials were unavailable or inaccessible (Unknown error)]
    [Tue Apr 11 08:09:33.791505 2017] [:error] [pid 44109] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
    [Tue Apr 11 08:09:33.791853 2017] [:error] [pid 44109] ipa: DEBUG: WSGI login_x509.__call__:
    [Tue Apr 11 08:09:33.792102 2017] [:error] [pid 44109] ipa: INFO: 401 Unauthorized: KRB5CCNAME not set

krb5.kdc log:

    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ : handle_authdata (-1765328240)
    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: HANDLE_AUTHDATA: authtime 1491839345,  HTTP/ipaserver.example.com for HTTP/ipaserver.example.com, Wrong principal in request
    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): ... PROTOCOL-TRANSITION s4u-client=democert
    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): closing down fd 11
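
The two log fragments above carry the whole signature of this failure: an auth_gssapi S4U2Self error in the httpd error_log followed within milliseconds by login_x509 answering 401 "KRB5CCNAME not set", and on the KDC side a HANDLE_AUTHDATA "Wrong principal in request" next to a PROTOCOL-TRANSITION line naming the s4u-client. The detection script below is an added example, not part of the bug report or of FreeIPA; it embeds the quoted lines as constructed sample input, and the line-format regexes, the 5-second correlation window and the verdict names are my own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the httpd error_log and krb5kdc.log lines quoted in the report.
SAMPLE_HTTPD = """\
[Tue Apr 11 08:09:33.787693 2017] [auth_gssapi:error] [pid 44111] [client 10.36.116.124:50694] GSS ERROR In S4U2Self: gss_acquire_cred_impersonate_name(): [A required input parameter could not be read, No credentials were supplied, or the credentials were unavailable or inaccessible (Unknown error)]
[Tue Apr 11 08:09:33.791505 2017] [:error] [pid 44109] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Tue Apr 11 08:09:33.791853 2017] [:error] [pid 44109] ipa: DEBUG: WSGI login_x509.__call__:
[Tue Apr 11 08:09:33.792102 2017] [:error] [pid 44109] ipa: INFO: 401 Unauthorized: KRB5CCNAME not set
""".splitlines()

SAMPLE_KDC = """\
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ : handle_authdata (-1765328240)
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: HANDLE_AUTHDATA: authtime 1491839345,  HTTP/ipaserver.example.com for HTTP/ipaserver.example.com, Wrong principal in request
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): ... PROTOCOL-TRANSITION s4u-client=democert
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): closing down fd 11
""".splitlines()

# ASSUMED line layouts (httpd 2.4 error_log, krb5kdc syslog format); adjust for other setups.
HTTPD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^\]]*)\] \[pid (?P<pid>\d+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
KDC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): (?P<msg>.*)$"
)
WINDOW = timedelta(seconds=5)  # assumed: GSS error and the 401 belong to one request


def parse_httpd(lines):
    """Yield (timestamp, pid, client, message) for lines matching the error_log layout."""
    for line in lines:
        m = HTTPD_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            yield ts, int(m["pid"]), m["client"], m["msg"]


def find_s4u2self_failures(httpd_lines):
    """Pair each auth_gssapi S4U2Self error with a login_x509 401 that follows it
    within WINDOW.  The two lines come from different httpd worker processes
    (mod_auth_gssapi vs. the IPA WSGI app), so correlate on time, not on pid."""
    events = list(parse_httpd(httpd_lines))
    gss_errors = [(ts, client) for ts, _, client, msg in events
                  if "GSS ERROR In S4U2Self" in msg]
    denials = [ts for ts, _, _, msg in events
               if "401 Unauthorized: KRB5CCNAME not set" in msg]
    failures = []
    for ts, client in gss_errors:
        if any(ts <= d <= ts + WINDOW for d in denials):
            failures.append({"time": ts.isoformat(), "client": client})
    return failures


def kdc_s4u_clients(kdc_lines):
    """Return the s4u-client names the KDC logged right after a
    HANDLE_AUTHDATA 'Wrong principal in request' failure."""
    clients, pending = [], False
    for line in kdc_lines:
        m = KDC_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if "HANDLE_AUTHDATA" in msg and "Wrong principal in request" in msg:
            pending = True
        elif pending:
            c = re.search(r"s4u-client=(\S+)", msg)
            if c:
                clients.append(c.group(1))
                pending = False
    return clients


def diagnose(httpd_lines, kdc_lines):
    """Combine both logs into one verdict a monitoring job can alert on."""
    failures = find_s4u2self_failures(httpd_lines)
    clients = kdc_s4u_clients(kdc_lines)
    verdict = "webui-cert-auth-s4u2self-failure" if failures else "ok"
    return {"verdict": verdict, "failures": failures, "s4u_clients": clients}


if __name__ == "__main__":
    print(diagnose(SAMPLE_HTTPD, SAMPLE_KDC))
```

Run against real logs by replacing the two sample lists with the file contents; the verdict flips to "ok" as soon as the S4U2Self error disappears, which is the quickest way to confirm the fixed package took effect without touching a browser.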

Comment 2 Petr Vobornik 2017-04-11 16:23:14 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6862

Comment 5 Scott Poore 2017-05-12 03:51:44 UTC
Verified.

Version ::

ipa-server-4.5.0-11.el7.x86_64
gssproxy-0.7.0-3.el7.x86_64


Results ::

# First confirm WebUI cert login without AD Trust:


[root@dhcp129-184 ~]# ipa certmap-match /root/testing/demosc1_cert1.crt 
---------------
2 users matched
---------------
  Domain: TESTRELM.TEST
  User logins: demosc1, demosc2
----------------------------
Number of entries returned 1
----------------------------

# WebUI login with demosc1 works with cert on card after entering pin


[root@auto-hv-02-guest08 ~]# ipa-adtrust-install -a Secret123 --add-sids -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object
  [4/23]: creating samba config registry
  [5/23]: writing samba config file
  [6/23]: adding cifs Kerberos principal
  [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [8/23]: check for cifs services defined on other replicas
  [9/23]: adding cifs principal to S4U2Proxy targets
  [10/23]: adding admin(group) SIDs
  [11/23]: adding RID bases
  [12/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [13/23]: activating CLDAP plugin
  [14/23]: activating sidgen task
  [15/23]: configuring smbd to start on boot
  [16/23]: adding special DNS service records
  [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [18/23]: adding fallback group
  [19/23]: adding Default Trust View
  [20/23]: setting SELinux booleans
  [21/23]: starting CIFS services
  [22/23]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
  [23/23]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 135: epmap
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	  * 1024..1300: epmap listener range
	  * 3268: msft-gc
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================


# Login to WebUI worked with demosc1 with pin

[root@auto-hv-02-guest08 ~]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
Starting smb Service
Starting winbind Service
ipa: INFO: The ipactl command was successful

# Login to WebUI worked with demosc1 with pin


[root@auto-hv-02-guest08 ~]# ipa trust-add ipaadcs12r2.test --admin Administrator --password
Active Directory domain administrator's password: 
---------------------------------------------------------
Added Active Directory trust for realm "ipaadcs12r2.test"
---------------------------------------------------------
  Realm name: ipaadcs12r2.test
  Domain NetBIOS name: IPAADCS12R2
  Domain Security Identifier: S-1-5-21-2104345585-122664420-2375807449
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@auto-hv-02-guest08 ~]# vim /etc/sssd/sssd.conf
...
subdomains_provider = ipa
[sssd]
services = sudo, nss, ifp, pam, ssh, pac
...

[root@auto-hv-02-guest08 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

# Showing that AD Trust is working:

[root@auto-hv-02-guest08 ~]# id tempuser1
uid=1664401105(tempuser1) gid=1664401105(tempuser1) groups=1664401105(tempuser1),1664400513(domain users)

# Login to WebUI worked with demosc1 with pin
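
The verification above is manual: after each of ipa-adtrust-install, ipactl restart and ipa trust-add, the certificate is matched with ipa certmap-match and a browser login is attempted. The script below is an added example (mine, not the verifier's or FreeIPA's) that performs the same check non-interactively so it can be rerun after any trust-related change: it parses ipa certmap-match output (the embedded sample is the output quoted above) and posts to the Web UI's certificate-login endpoint with a PEM certificate and key. Assumed, not taken from the page: the /ipa/session/login_x509 path, the X-IPA-Rejection-Reason response header used to explain a 401, the Referer header, and PEM-file credentials rather than a smart card.

```python
import http.client
import ssl
import subprocess

# Constructed sample: the ipa certmap-match output quoted in the verification above.
SAMPLE_CERTMAP = """\
---------------
2 users matched
---------------
  Domain: TESTRELM.TEST
  User logins: demosc1, demosc2
----------------------------
Number of entries returned 1
----------------------------
"""


def parse_certmap_match(output):
    """Turn `ipa certmap-match` text output into {domain: [user logins]}."""
    matches, domain = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Domain:"):
            domain = line.split(":", 1)[1].strip()
            matches.setdefault(domain, [])
        elif line.startswith("User logins:") and domain is not None:
            users = line.split(":", 1)[1].split(",")
            matches[domain].extend(u.strip() for u in users if u.strip())
    return matches


def certmap_match(cert_path):
    """Run the real ipa certmap-match (needs an admin Kerberos ticket) and parse it."""
    proc = subprocess.run(["ipa", "certmap-match", cert_path],
                          check=True, capture_output=True, text=True)
    return parse_certmap_match(proc.stdout)


def classify_login(status, headers):
    """Map a login_x509 HTTP response to a verdict.  ASSUMPTION: IPA explains a
    401 in an X-IPA-Rejection-Reason header; when absent we report 'unknown'."""
    if status == 200:
        return "ok"
    if status == 401:
        lowered = {k.lower(): v for k, v in headers.items()}
        return "refused:" + lowered.get("x-ipa-rejection-reason", "unknown")
    return "unexpected:%d" % status


def try_cert_login(host, cert_path, key_path, ca_path):
    """POST to the Web UI certificate-login endpoint with a TLS client cert.
    ASSUMPTION: endpoint path /ipa/session/login_x509; PEM cert+key on disk."""
    ctx = ssl.create_default_context(cafile=ca_path)
    ctx.load_cert_chain(cert_path, key_path)
    conn = http.client.HTTPSConnection(host, context=ctx)
    try:
        conn.request("POST", "/ipa/session/login_x509",
                     headers={"Referer": "https://%s/ipa" % host})
        resp = conn.getresponse()
        return classify_login(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


def check_cert_login(host, cert_path, key_path, ca_path, expected_user):
    """Full regression check: the cert must map to expected_user and then log in."""
    matches = certmap_match(cert_path)
    mapped = [u for users in matches.values() for u in users]
    if expected_user not in mapped:
        return "certmap-miss:%s" % ",".join(mapped)
    return try_cert_login(host, cert_path, key_path, ca_path)


if __name__ == "__main__":
    import sys
    # e.g. ipaserver.example.com user.pem user.key /etc/ipa/ca.crt demosc1
    host, cert, key, ca, user = sys.argv[1:6]
    print(check_cert_login(host, cert, key, ca, user))
```

Running it before ipa-adtrust-install, after it, and again after ipa trust-add gives three verdicts that should all read "ok"; a change to "refused:..." at any step is the regression this bug describes, caught without a browser or a smart-card reader.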

Comment 6 errata-xmlrpc 2017-08-01 09:48:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304