Bug 2033342
| Field | Value |
|---|---|
| Summary | User can't log in after ipa-user-mod --user-auth-type=hardened |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | Sam Morris <sam> |
| Component | ipa |
| Assignee | Julien Rische <jrische> |
| Status | CLOSED ERRATA |
| QA Contact | ipa-qe <ipa-qe> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 8.5 |
| CC | abokovoy, frenaud, ftrivino, mvarun, rcritten, rjeffman, ssidhaye, sumenon, tscherf |
| Target Milestone | rc |
| Keywords | Triaged |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | idm-DL1-8060020220203151553.92098735 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Clones | 2049104 (view as bug list) |
| Last Closed | 2022-05-10 14:09:17 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 2049104 |
Description
Sam Morris
2021-12-16 15:01:13 UTC
Thoughts: I think it is due to this handling of 'ua' (user auth) in case 0 below, where IPADB_USER_AUTH_HARDENED should also have been considered: https://pagure.io/freeipa/blob/master/f/daemons/ipa-kdb/ipa_kdb_principals.c#_786

```c
ret = ipadb_ldap_attr_to_key_data(lcontext, lentry, "krbPrincipalKey",
                                  &res_key_data, &result, &mkvno);
switch (ret) {
case 0:
    /* Only set a principal's key if password auth can be used. Otherwise
     * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
     * reply for AS-REQs which indicate the password authentication is
     * available. This might confuse applications like e.g. SSSD which try
     * to determine suitable authentication methods and corresponding
     * prompts with the help of MIT Kerberos' responder interface which
     * acts on the returned pre-authentication methods. A typical example
     * is enforced OTP authentication where of course keys are available
     * for the first factor but password authentication should not be
     * advertised by the KDC. */
    if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
        /* This is the same behavior as ENOENT below. */
        ipa_krb5_free_key_data(res_key_data, result);
        break;
    }
    entry->key_data = res_key_data;
    entry->n_key_data = result;
    if (mkvno) {
        krb5_int16 kvno16le = htole16((krb5_int16)mkvno);
        kerr = ipadb_set_tl_data(entry, KRB5_TL_MKVNO,
                                 sizeof(kvno16le),
                                 (krb5_octet *)&kvno16le);
        if (kerr) {
            goto done;
        }
    }
case ENOENT:
    break;
default:
    kerr = KRB5_KDB_INTERNAL_ERROR;
    goto done;
}
```

Upstream bug: https://pagure.io/freeipa/issue/9065
Upstream PR: https://github.com/freeipa/freeipa/pull/6161

Fixed upstream master:
https://pagure.io/freeipa/c/35e94bee0e0da4cf43c613a5296d57f7e04b583a
https://pagure.io/freeipa/c/97d123ccccb50098e21884a0aa9d90ed017ef97e

Fixed upstream ipa-4-9:
https://pagure.io/freeipa/c/6d70421f57d0eca066a922e09416ef7195ee96d4
https://pagure.io/freeipa/c/294ae35a61e6ca8816b261c57508e4be21221864

Verified ipa-server-4.9.8-6.module+el8.6.0+14224+4c38d4ea.x86_64

Passed test_integration/test_krbtpolicy.py::TestPWPolicy::()::test_krbtpolicy_password_and_hardended

```
------------------------------ Captured log setup ------------------------------
transport.py 391 INFO RUN ['kinit', 'admin']
transport.py 513 DEBUG RUN ['kinit', 'admin']
transport.py 558 DEBUG Password for admin:
transport.py 217 DEBUG Exit code: 0
------------------------------ Captured log call -------------------------------
transport.py 391 INFO RUN ['ipa', 'user-mod', 'testuser1', '--user-auth-type', 'password', '--user-auth-type', 'hardened']
transport.py 513 DEBUG RUN ['ipa', 'user-mod', 'testuser1', '--user-auth-type', 'password', '--user-auth-type', 'hardened']
transport.py 558 DEBUG -------------------------
transport.py 558 DEBUG Modified user "testuser1"
transport.py 558 DEBUG -------------------------
transport.py 558 DEBUG User login: testuser1
transport.py 558 DEBUG First name: test
transport.py 558 DEBUG Last name: user
transport.py 558 DEBUG Home directory: /home/testuser1
transport.py 558 DEBUG Login shell: /bin/sh
transport.py 558 DEBUG Principal name: testuser1
transport.py 558 DEBUG Principal alias: testuser1
transport.py 558 DEBUG Email address: testuser1
transport.py 558 DEBUG UID: 15200003
transport.py 558 DEBUG GID: 15200003
transport.py 558 DEBUG User authentication types: password, hardened
transport.py 558 DEBUG Account disabled: False
transport.py 558 DEBUG Password: True
transport.py 558 DEBUG Member of groups: ipausers
transport.py 558 DEBUG Kerberos keys available: True
transport.py 217 DEBUG Exit code: 0
transport.py 391 INFO RUN ['ipa', 'config-mod', '--user-auth-type', 'password', '--user-auth-type', 'hardened']
transport.py 513 DEBUG RUN ['ipa', 'config-mod', '--user-auth-type', 'password', '--user-auth-type', 'hardened']
transport.py 558 DEBUG Maximum username length: 32
transport.py 558 DEBUG Maximum hostname length: 64
transport.py 558 DEBUG Home directory base: /home
transport.py 558 DEBUG Default shell: /bin/sh
transport.py 558 DEBUG Default users group: ipausers
transport.py 558 DEBUG Default e-mail domain: testrelm.test
transport.py 558 DEBUG Search time limit: 2
transport.py 558 DEBUG Search size limit: 100
transport.py 558 DEBUG User search fields: uid,givenname,sn,telephonenumber,ou,title
transport.py 558 DEBUG Group search fields: cn,description
transport.py 558 DEBUG Enable migration mode: FALSE
transport.py 558 DEBUG Certificate Subject base: O=TESTRELM.TEST
transport.py 558 DEBUG Password Expiration Notification (days): 4
transport.py 558 DEBUG Password plugin features: AllowNThash, KDC:Disable Last Success
transport.py 558 DEBUG SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
transport.py 558 DEBUG Default SELinux user: unconfined_u:s0-s0:c0.c1023
transport.py 558 DEBUG Default PAC types: MS-PAC, nfs:NONE
transport.py 558 DEBUG Default user authentication types: password, hardened
transport.py 558 DEBUG IPA masters: master.testrelm.test
transport.py 558 DEBUG IPA master capable of PKINIT: master.testrelm.test
transport.py 558 DEBUG IPA CA servers: master.testrelm.test
transport.py 558 DEBUG IPA CA renewal master: master.testrelm.test
transport.py 558 DEBUG IPA DNS servers: master.testrelm.test
transport.py 217 DEBUG Exit code: 0
transport.py 391 INFO RUN ['ipa', 'krbtpolicy-mod', 'testuser1', '--hardened-maxlife', '600']
transport.py 513 DEBUG RUN ['ipa', 'krbtpolicy-mod', 'testuser1', '--hardened-maxlife', '600']
transport.py 558 DEBUG Max life: 86400
transport.py 558 DEBUG Hardened max life: 600
transport.py 217 DEBUG Exit code: 0
transport.py 391 INFO RUN ['kdestroy', '-A']
transport.py 513 DEBUG RUN ['kdestroy', '-A']
transport.py 217 DEBUG Exit code: 0
transport.py 391 INFO RUN ['kinit', 'testuser1']
transport.py 513 DEBUG RUN ['kinit', 'testuser1']
transport.py 558 DEBUG Password for testuser1:
transport.py 217 DEBUG Exit code: 0
transport.py 391 INFO RUN klist | grep krbtgt
transport.py 513 DEBUG RUN klist | grep krbtgt
transport.py 558 DEBUG 02/23/2022 12:47:10 02/23/2022 12:57:10 krbtgt/TESTRELM.TEST
transport.py 217 DEBUG Exit code: 0
transport.py 391 INFO RUN ['kdestroy', '-A']
transport.py 513 DEBUG RUN ['kdestroy', '-A']
transport.py 217 DEBUG Exit code: 0
transport.py 391 INFO RUN ['kinit', 'testuser2']
transport.py 513 DEBUG RUN ['kinit', 'testuser2']
transport.py 558 DEBUG Password for testuser2:
transport.py 217 DEBUG Exit code: 0
transport.py 391 INFO RUN klist | grep krbtgt
transport.py 513 DEBUG RUN klist | grep krbtgt
transport.py 558 DEBUG 02/23/2022 12:47:10 02/24/2022 11:51:49 krbtgt/TESTRELM.TEST
transport.py 217 DEBUG Exit code: 0
```

http://idm-artifacts.usersys.redhat.com/mvarun/trigger//3929/test-suite/report.html.gz

Based on the test result, marking the bug VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1884
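As an added illustration (not FreeIPA's code), the following C models the key-data decision from the snippet above as a pure function over the user authentication type bitmask and contrasts it with a corrected predicate that also accepts the hardened type; the enum bit positions are constructed for this example and the "after" variant is an assumed fix shape, not a quote of the upstream commits.

```c
/* Added example, not FreeIPA code: models the "keep or drop krbPrincipalKey"
 * decision in ipa_kdb_principals.c over the user-auth bitmask "ua".
 * Flag values are constructed; only the bitmask semantics matter here. */
#include <stdbool.h>
#include <stdio.h>

enum user_auth {
    UA_NONE     = 0,
    UA_PASSWORD = 1 << 0,
    UA_RADIUS   = 1 << 1,
    UA_OTP      = 1 << 2,
    UA_PKINIT   = 1 << 3,
    UA_HARDENED = 1 << 4,
};

/* Predicate from the reported code: keys are dropped unless password auth
 * is enabled (or no type is set at all). A user with only "hardened" set
 * loses their keys, so kinit with a password can no longer succeed. */
bool keys_kept_before_fix(unsigned ua)
{
    return !(!(ua & UA_PASSWORD) && ua != UA_NONE);
}

/* Assumed corrected predicate: "hardened" is password authentication under
 * a stricter ticket policy, so it must keep the principal's keys as well.
 * OTP-only users still have their keys withheld, as the comment intends. */
bool keys_kept_after_fix(unsigned ua)
{
    return !(!(ua & (UA_PASSWORD | UA_HARDENED)) && ua != UA_NONE);
}

/* Counts the auth-type combinations whose outcome the fix changes: exactly
 * those with HARDENED set and PASSWORD clear. */
int count_behaviour_changes(void)
{
    int changed = 0;
    for (unsigned ua = 0; ua < (unsigned)(UA_HARDENED << 1); ua++)
        if (keys_kept_before_fix(ua) != keys_kept_after_fix(ua))
            changed++;
    return changed;
}

int main(void)
{
    const char *names[] = {"none", "password", "otp", "hardened", "otp+hardened"};
    unsigned cases[] = {UA_NONE, UA_PASSWORD, UA_OTP, UA_HARDENED, UA_OTP | UA_HARDENED};
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-13s before fix: %-7s after fix: %s\n", names[i],
               keys_kept_before_fix(cases[i]) ? "kept" : "dropped",
               keys_kept_after_fix(cases[i]) ? "kept" : "dropped");
    return 0;
}
```

The hardened-only row is the failure the reporter hit; the verified log above shows the intended behaviour after the fix, with testuser1 (password + hardened) receiving a 10-minute TGT under the 600-second hardened-maxlife policy.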