Bug 1457942
| Summary: | certauth: use canonical principal for lookups | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Sumit Bose <sbose> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Scott Poore <spoore> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.4 | CC: | enewland, ksiddiqu, mbasti, pvoborni, rcritten, spoore, tscherf |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.5.0-16.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 09:51:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Upstream ticket: https://pagure.io/freeipa/issue/6993

Fixed upstream
master: https://pagure.io/freeipa/c/117d6e9be0c386f134bd27eee3377e70df77f0f0
ipa-4-5: https://pagure.io/freeipa/c/e8d8aab469ca634f4ec38b869767316806c739f1

I think this is failing:
# On IPA SERVER:
ipa-server-4.5.0-16.el7.x86_64
# From the client:
[root@dhcp129-184 yum.local.d]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so demosc1
demosc1 (OpenSC Card) PIN:
# From server logs:
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): Initializing IPA certauth plugin.
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): sss_certmap initialized.
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): Doing certauth authorize for [demosc1]
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): Got cert filter [(|(userCertificate;binary=\30\82\04\...
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) IPSCRUBBED: ISSUE: authtime 1496863528, etypes {rep=18 tkt=18 ses=18}, demosc1\@TESTRELM.TEST for krbtgt/TESTRELM.TEST
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): closing down fd 11
# ^^ So this is working before I change the principal for the user in IPA ^^
# Now I change the user principal alias:
[root@dhcp129-184 yum.local.d]# kinit admin
Password for admin:
2017-06-07 13:25:42 MDT
[root@dhcp129-184 yum.local.d]# ipa user-mod demosc1 --principal=alias_demosc1
-----------------------
Modified user "demosc1"
-----------------------
User login: demosc1
First name: demo
Last name: sc1
Home directory: /home/demosc1
Login shell: /bin/sh
Principal name: demosc1
Principal alias: alias_demosc1
Email address: demosc1
UID: 1505600004
GID: 1505600004
Certificate: MII...
Account disabled: False
Password: True
Member of groups: ipausers
Kerberos keys available: True
# First trying with demosc1
[root@dhcp129-184 yum.local.d]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so demosc1
kinit: Client 'demosc1\@TESTRELM.TEST' not found in Kerberos database while getting initial credentials
Jun 07 15:25:48 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) IPSCRUBBED: CLIENT_NOT_FOUND: demosc1\@TESTRELM.TEST for krbtgt/TESTRELM.TEST, Client not found in Kerberos database
# Next trying with alias_demosc1
[root@dhcp129-184 yum.local.d]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so alias_demosc1
demosc1 (OpenSC Card) PIN:
kinit: Certificate mismatch while getting initial credentials
2017-06-07 13:25:57 MDT
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): Initializing IPA certauth plugin.
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): sss_certmap initialized.
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): Doing certauth authorize for [demosc1]
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): Got cert filter [(|(userCertificate;binary=\30\82\04
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): No matching entry found
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): preauth (pkinit) verify failure: Certificate mismatch
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) IPSCRUBBED: PREAUTH_FAILED: alias_demosc1\@TESTRELM.TEST for krbtgt/TESTRELM.TEST, Certificate mismatch
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): closing down fd 11
No, this is expected.
By calling 'ipa user-mod demosc1 --principal=alias_demosc1' you say that only 'alias_demosc1' can be used as input for kinit because you overwrite the default principal 'demosc1'.
Please try:
ipa user-mod demosc1 --principal=alias_demosc1 --principal=demosc1
HTH
bye,
Sumit
Verified.
Version ::
ipa-server-4.5.0-16.el7.x86_64
sssd-1.15.2-43.el7.x86_64
Results ::
[root@dhcp129-184 ~]# ipa user-mod demosc1 --principal=alias_demosc1 --principal=demosc1
-----------------------
Modified user "demosc1"
-----------------------
User login: demosc1
First name: demo
Last name: sc1
Home directory: /home/demosc1
Login shell: /bin/sh
Principal name: demosc1
Principal alias: demosc1, alias_demosc1
Email address: demosc1
UID: 1505600004
GID: 1505600004
Certificate: MII...
Account disabled: False
Password: True
Member of groups: ipausers
Kerberos keys available: True
[root@dhcp129-184 ~]# vim /etc/sssd/sssd.conf
# add krb5_use_enterprise_principal = True
[root@dhcp129-184 ~]# kdestroy -A
[root@dhcp129-184 ~]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so alias_demosc1
demosc1 (OpenSC Card) PIN:
[root@dhcp129-184 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_MPhy6EK
Default principal: demosc1
Valid starting Expires Service principal
06/08/2017 07:14:32 06/09/2017 07:14:29 krbtgt/TESTRELM.TEST
[root@dhcp129-184 ~]# kdestroy -A
[root@dhcp129-184 ~]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so demosc1
demosc1 (OpenSC Card) PIN:
[root@dhcp129-184 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_MPhy6EK
Default principal: demosc1
Valid starting Expires Service principal
06/08/2017 07:14:46 06/09/2017 07:14:42 krbtgt/TESTRELM.TEST
[root@dhcp129-184 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*;systemctl start sssd
[root@dhcp129-184 ~]# su - demosc1 -c "kdestroy -A"
[root@dhcp129-184 ~]# su - demosc2 -c "su - alias_demosc1 -c klist"
PIN for demosc1 (OpenSC Card)
Ticket cache: KEYRING:persistent:1505600004:krb_ccache_N6I0SB5
Default principal: demosc1
Valid starting Expires Service principal
06/08/2017 07:17:58 06/09/2017 07:17:56 krbtgt/TESTRELM.TEST
[root@dhcp129-184 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*;systemctl start sssd
[root@dhcp129-184 ~]# su - demosc1 -c "kdestroy -A"
[root@dhcp129-184 ~]# su - demosc2 -c "su - demosc1 -c klist"
PIN for demosc1 (OpenSC Card)
Ticket cache: KEYRING:persistent:1505600004:krb_ccache_0A5n1um
Default principal: demosc1
Valid starting Expires Service principal
06/08/2017 07:18:28 06/09/2017 07:18:25 krbtgt/TESTRELM.TEST
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304
Description of problem:
Currently the certauth plugin uses the unmodified principal from the request to look up the user. This might fail if e.g. enterprise principals are used.

On the client:

kinit -E -X X509_user_identity=.... scuser

In krb5kdc.log:

Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): Doing certauth authorize for [scuser\@IPAF25.DEVEL]
Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): Got cert filter [(...)]
Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): No matching entry found
Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): preauth (pkinit) verify failure: Certificate mismatch

To not fail, the canonical principal, which is also available in the certauth plugin, should be used.
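The following is an added model of the lookup problem described in this report and of the alias behaviour discussed in the comments; it is illustration code written for this page, not FreeIPA's certauth plugin or KDB driver. It assumes a simplified KDC: an enterprise name (`kinit -E NAME`) travels as a single `NAME@REALM` component, the KDB resolves it through the `krbprincipalname` alias set, and the certauth plugin searches for an entry matching both a principal name and the presented certificate (that filter shape is an assumption; the report only shows the certificate part). The realm and user names come from the logs above; the certificate bytes are constructed. The "old plugin" path keys the search on the unmodified request name, the "fixed plugin" path on `krbcanonicalname`, and the replay also shows why `--principal=alias_demosc1` alone makes plain `kinit demosc1` fail.

```python
"""Model of the certauth lookup described in this report. Added illustration
with constructed data; not FreeIPA's own code."""

from dataclasses import dataclass

REALM = "TESTRELM.TEST"   # realm taken from the logs in this report
CLIENT_NOT_FOUND = "Client not found in Kerberos database"
CERT_MISMATCH = "Certificate mismatch"
OK = "OK"


@dataclass
class Principal:
    components: list           # an enterprise name is one "user@REALM" component
    realm: str
    enterprise: bool = False


def unparse(p):
    """krb5_unparse_name-style string: '@' inside a component is escaped, so an
    enterprise name unparses as 'demosc1\\@TESTRELM.TEST@TESTRELM.TEST'."""
    return "/".join(c.replace("@", "\\@") for c in p.components) + "@" + p.realm


def kinit_principal(name, enterprise=False):
    """What 'kinit NAME' or 'kinit -E NAME' sends as the client name (assumed
    default-realm handling for a name without '@')."""
    if enterprise:
        return Principal([f"{name}@{REALM}"], REALM, enterprise=True)
    return Principal([name], REALM)


@dataclass
class UserEntry:
    """Constructed stand-in for the IPA user LDAP entry."""
    krbcanonicalname: str      # 'Principal name' in ipa user-mod output
    krbprincipalname: set      # 'Principal alias' in ipa user-mod output
    user_certificate: bytes    # userCertificate;binary, constructed sample bytes


def make_directory():
    return [UserEntry(
        krbcanonicalname=f"demosc1@{REALM}",
        krbprincipalname={f"demosc1@{REALM}"},
        user_certificate=b"\x30\x82\x04constructed-cert-demosc1",
    )]


def user_mod_principal(directory, login, principals):
    """Models 'ipa user-mod LOGIN --principal=P ...': the krbprincipalname set is
    replaced by the given values, not extended (Sumit's point above)."""
    for entry in directory:
        if entry.krbcanonicalname == f"{login}@{REALM}":
            entry.krbprincipalname = {f"{p}@{REALM}" for p in principals}
            return entry
    raise KeyError(login)


def kdb_lookup(directory, client):
    """KDC client lookup. An enterprise name is resolved by its single
    'user@REALM' component, then matched against the alias set."""
    wanted = client.components[0] if client.enterprise else unparse(client)
    for entry in directory:
        if wanted in entry.krbprincipalname:
            return entry
    return None


def certauth_authorize(directory, entry, client, cert, use_canonical):
    """Certificate-to-user check. use_canonical=False keys the search on the
    unmodified request name (the bug); True keys it on krbcanonicalname (the
    fix). Matching principal AND certificate in one filter is an assumption."""
    key = entry.krbcanonicalname if use_canonical else unparse(client)
    for e in directory:
        if key in e.krbprincipalname and e.user_certificate == cert:
            return OK
    return CERT_MISMATCH


def pkinit_as_req(directory, name, cert, enterprise, use_canonical):
    """One AS-REQ with PKINIT: KDB lookup first, then the certauth plugin."""
    client = kinit_principal(name, enterprise)
    entry = kdb_lookup(directory, client)
    if entry is None:
        return CLIENT_NOT_FOUND
    return certauth_authorize(directory, entry, client, cert, use_canonical)


def replay_report():
    """Replays the sequence from this report; returns the outcome of each step."""
    d = make_directory()
    cert = d[0].user_certificate
    out = {}
    # Before the fix: 'kinit -E demosc1' fails although the card is right.
    out["enterprise_old_plugin"] = pkinit_as_req(d, "demosc1", cert, True, False)
    out["enterprise_fixed_plugin"] = pkinit_as_req(d, "demosc1", cert, True, True)
    # --principal=alias_demosc1 replaces the alias set: demosc1 is gone.
    user_mod_principal(d, "demosc1", ["alias_demosc1"])
    out["plain_demosc1_after_mod"] = pkinit_as_req(d, "demosc1", cert, False, True)
    out["enterprise_alias_after_mod"] = pkinit_as_req(d, "alias_demosc1", cert, True, True)
    # Listing both principals makes both names work again.
    user_mod_principal(d, "demosc1", ["alias_demosc1", "demosc1"])
    out["enterprise_alias_both"] = pkinit_as_req(d, "alias_demosc1", cert, True, True)
    out["plain_demosc1_both"] = pkinit_as_req(d, "demosc1", cert, False, True)
    # A wrong certificate is still rejected after the fix.
    out["wrong_cert"] = pkinit_as_req(d, "demosc1", b"other", True, True)
    return out


if __name__ == "__main__":
    for step, result in replay_report().items():
        print(f"{step:28s} {result}")
```

Running the block prints one line per step: the enterprise request is a "Certificate mismatch" with the old search key and "OK" with the canonical one, the plain `demosc1` request is "Client not found" once the alias set holds only `alias_demosc1`, and both names succeed once both are listed.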