Bug 1979625

Summary: Add checks to prevent assigning authentication indicators to internal IPA services
Product: Red Hat Enterprise Linux 8 Reporter: Florence Blanc-Renaud <frenaud>
Component: ipaAssignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.5CC: amore, gkaihoro, ksiddiqu, rcritten, ssidhaye, tscherf
Target Milestone: betaKeywords: TestCaseProvided, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: idm-client-8050020210715144943.de73ecb2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 18:29:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Florence Blanc-Renaud 2021-07-06 15:06:43 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/8206

Authentication indicators currently should not be enforced against internal IPA services because not all users of those services can produce Kerberos tickets with required authentication indicators. Enforcing the indicators will lead to a broken FreeIPA deployment for such services. Thus, we should add a logic that prevents such broken setup.

`host/...`, `ldap/..`, `HTTP/..`, and 'cifs/..` principals on IPA masters should not allow setting any authentication indicators as of the moment.
 
In Active Directory infrastructure all services running on the machine are aliases of the machine account (represented with `host/...` service principal). It means they all have the same Kerberos keys. In FreeIPA there is no strong aliasing between the services running on a host; `host/...` and `cifs/...` keys can be different. However, `host/...` service principal on any IPA system running Samba plays important role for DCE RPC calls authenticated with the help of Kerberos because DCE RPC clients will use `host/...` key to encrypt a request and DCE RPC server will have to use own `host/..` keys to decrypt that request. It means DCE RPC clients will attempt to obtain a service ticket to `host/..` on a target DCE RPC server automatically. Assigning an authentication indicator to it will prevent this operation, rendering SMB (and DCE RPC) services impossible to use.

This means that for IPA clients which have Samba services enabled (have `cifs/...` service principal), there should also be not possible to assign authentication indicator to `host/...` and `cifs/..` principals on the hosts.

We need to figure out if using `hardened` authentication indicator could be permitted.
Comment 1 Florence Blanc-Renaud 2021-07-06 15:09:04 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/8206
Comment 2 Florence Blanc-Renaud 2021-07-06 15:10:15 UTC 
Fixed upstream:
master:

    0bdbf11 Add checks to prevent adding auth indicators to internal IPA services
    da72a57 ipatests: ensure auth indicators can't be added to internal IPA services
Comment 3 Florence Blanc-Renaud 2021-07-06 15:11:37 UTC 
Adding TestCaseProvided as a new test is available in 
ipatests/test_xmlrpc/test_host_plugin.py::TestProtectedMaster::test_try_add_auth_ind_master
ipatests/test_xmlrpc/test_service_plugin.py::TestAuthenticationIndicators::test_update_indicator_internal_service
Comment 4 Florence Blanc-Renaud 2021-07-06 15:37:48 UTC 
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/a5d2857297cfcf87ed8973df96e89ebcef22850d
https://pagure.io/freeipa/c/28484c3dee225662e41acc691bfe6b1c1cee99c8
Comment 8 anuja 2021-07-12 12:56:52 UTC 
Verified with : ipa-server-4.9.6-2.module+el8.5.0+11725+f7f58359.x86_64

with ipa host-add should fail with correct error on ipa-server.

logs from downstream: src/otp/test_0004_authentication_indicators.py::TestAuthIndent::()::test009
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
transport.py               519 DEBUG    RUN ['ipa', 'host-add', '--auth-ind=otp', '--force', 'another01.TESTREALM.TEST']
channel.py                1212 DEBUG    [chan 861] Sesch channel 861 request ok
transport.py               563 DEBUG    ipa: ERROR: an internal error has occurred
channel.py                1212 DEBUG    [chan 861] EOF received (861)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[root@master ~]# tail -20 /var/log/httpd/error_log 
[Mon Jul 12 08:49:09.703718 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396] Traceback (most recent call last):
[Mon Jul 12 08:49:09.703721 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 405, in wsgi_execute
[Mon Jul 12 08:49:09.703724 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     result = command(*args, **options)
[Mon Jul 12 08:49:09.703727 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
[Mon Jul 12 08:49:09.703730 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     return self.__do_call(*args, **options)
[Mon Jul 12 08:49:09.703733 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
[Mon Jul 12 08:49:09.703735 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     ret = self.run(*args, **options)
[Mon Jul 12 08:49:09.703738 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
[Mon Jul 12 08:49:09.703741 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     return self.execute(*args, **options)
[Mon Jul 12 08:49:09.703743 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/baseldap.py", line 1278, in execute
[Mon Jul 12 08:49:09.703746 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     *keys, **options)
[Mon Jul 12 08:49:09.703749 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/host.py", line 738, in pre_callback
[Mon Jul 12 08:49:09.703752 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     validate_auth_indicator(entry_attrs)
[Mon Jul 12 08:49:09.703755 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/service.py", line 213, in validate_auth_indicator
[Mon Jul 12 08:49:09.703758 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     server = api.Command.server_find(principal.hostname)['result']
[Mon Jul 12 08:49:09.703761 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipapython/kerberos.py", line 174, in hostname
[Mon Jul 12 08:49:09.703764 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     "hostname is defined for host and service principals")
[Mon Jul 12 08:49:09.703768 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396] ValueError: hostname is defined for host and service principals
[Mon Jul 12 08:49:09.703775 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396] 
[Mon Jul 12 08:49:09.704126 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396] ipa: INFO: [jsonserver_session] admin: host_add/1('test.IPA.TEST', krbprincipalauthind=('otp',), force=True, version='2.242'): InternalError
[root@master ~]#
Comment 9 Rob Crittenden 2021-07-13 21:58:58 UTC 
Added test test_xmlrpc/test_host_plugin.py::TestProtectedMaster:: test_add_non_master_with_auth_ind

Fixed upstream
master:
https://pagure.io/freeipa/c/bd0d43745072ec7976207c231cba8411efb41e17
Comment 10 Rob Crittenden 2021-07-14 13:55:20 UTC 
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/8ad535b618d60fa016061212ff85d0ad28ccae59
Comment 13 Ganna Kaihorodova 2021-08-05 10:56:17 UTC 
Bugzilla verified with existing test automation 

ipa-server-4.9.6-4.module+el8.5.0+11912+1b4496cf.x86_64.rpm 


Passed 	test_xmlrpc/test_service_plugin.py::TestAuthenticationIndicators::()::test_create_service_with_otp_indicator
Passed 	test_xmlrpc/test_service_plugin.py::TestAuthenticationIndicators::()::test_adding_all_indicators 	
Passed	test_xmlrpc/test_service_plugin.py::TestAuthenticationIndicators::()::test_update_indicator
Passed 	test_xmlrpc/test_host_plugin.py::TestProtectedMaster::()::test_try_add_auth_ind_master 		
Passed 	test_xmlrpc/test_host_plugin.py::TestProtectedMaster::()::test_add_non_master_with_auth_ind

 	

Passed 	test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::()::test_kra_install_master 	299.45 	
Passed 	test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::()::test_one_step_install_pwd_and_admin_pwd 	31.08 	
Passed 	test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::()::test_one_command_installation 	264.34 	

Detailed verification log in attached files
Comment 15 errata-xmlrpc 2021-11-09 18:29:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230