Bug 2033342

Summary: User can't log in after ipa-user-mod --user-auth-type=hardened
Product: Red Hat Enterprise Linux 8
Reporter: Sam Morris <sam>
Component: ipa
Assignee: Julien Rische <jrische>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 8.5
CC: abokovoy, frenaud, ftrivino, mvarun, rcritten, rjeffman, ssidhaye, sumenon, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: idm-DL1-8060020220203151553.92098735
Doc Type: If docs needed, set a value
Story Points: ---
Clones: 2049104 (view as bug list)
Last Closed: 2022-05-10 14:09:17 UTC
Type: Bug
Regression: ---
Bug Blocks: 2049104

Description Sam Morris 2021-12-16 15:01:13 UTC
Description of problem:
I've a user for which I've run:

$ ipa user-mod user --user-auth-type=hardened

Now they can't use kinit any more:

[admin@ipa-test0 ~]$ KRB5_TRACE=/dev/stderr KRB5CCNAME=MEMORY: kinit htest
[3910683] 1639666477.833986: Getting initial credentials for htest
[3910683] 1639666477.833988: Sending unauthenticated request
[3910683] 1639666477.833989: Sending request (167 bytes) to IPATEST.QQ
[3910683] 1639666477.833990: Initiating TCP connection to stream 192.168.0.7:88
[3910683] 1639666477.833991: Sending TCP request to stream 192.168.0.7:88
[3910683] 1639666477.833992: Received answer (234 bytes) from stream 192.168.0.7:88
[3910683] 1639666477.833993: Terminating TCP connection to stream 192.168.0.7:88
[3910683] 1639666477.833994: Response was from primary KDC
[3910683] 1639666477.833995: Received error from KDC: -1765328359/Additional pre-authentication required
[3910683] 1639666477.833998: Preauthenticating using KDC method data
[3910683] 1639666477.833999: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[3910683] 1639666477.834000: Received cookie: MIT
[3910683] 1639666477.834001: PKINIT client has no configured identity; giving up
[3910683] 1639666477.834002: Preauth module pkinit (147) (info) returned: 0/Success
[3910683] 1639666477.834003: PKINIT client received freshness token from KDC
[3910683] 1639666477.834004: Preauth module pkinit (150) (info) returned: 0/Success
[3910683] 1639666477.834005: PKINIT client has no configured identity; giving up
[3910683] 1639666477.834006: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

Nor can they log in via PAM:

==> /var/log/sssd/krb5_child.log <==
(2021-12-16 14:56:46): [krb5_child[3910812]] [get_and_save_tgt] (0x0020): 1724: [-1765328174][Pre-authentication failed: Invalid argument]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x0400): krb5_child started.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [unpack_buffer] (0x1000): total buffer size: [107]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [1829800021] gid [1829800021] validate [true] enterprise principal [false] offline [false] UPN [htest]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [unpack_buffer] (0x0100): ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [switch_creds] (0x0200): Switch user to [1829800021][1829800021].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [switch_creds] (0x0200): Switch user to [0][0].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KCM:] and is not active and TGT is  valid.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [k5c_precreate_ccache] (0x4000): Recreating ccache
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/ipa-test0.example.qq]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipa-test0.example.qq in keytab.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [match_principal] (0x1000): Principal matched to the sample (host/ipa-test0.example.qq).
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [become_user] (0x0200): Trying to become user [1829800021][1829800021].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x2000): Running as [1829800021][1829800021].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [set_lifetime_options] (0x0100): No specific lifetime requested.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x0400): Will perform auth
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x0400): Will perform online auth
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [tgt_req_child] (0x1000): Attempting to get a TGT
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [IPATEST.QQ]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [get_and_save_tgt] (0x0020): 1724: [-1765328174][Pre-authentication failed: Invalid argument]

********************** BACKTRACE DUMP ENDS HERE *********************************

(2021-12-16 14:56:46): [krb5_child[3910812]] [map_krb5_error] (0x0020): [1432158222][Failure setting user credentials].

Version-Release number of selected component (if applicable):
ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64 (RHEL 8)
ipa-server-4.9.6-9.el9.x86_64 (CentOS Stream 9)

How reproducible:
100% on both RHEL 8 and CentOS Stream 9


Steps to Reproduce:
1. ipa-server-install
2. ipa user-add htest
3. ipa user-mod htest --user-auth-type=hardened

Actual results:
User can't use kinit to authenticate with SPAKE; nor can they use kinit -T to authenticate via a FAST channel. pam_sss doesn't let them in either.

Expected results:
kinit and pam_sss should let user log in.

Additional info:
Forwarded from https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/B2NGHAIUTWWO2QLHZS6UWRTJWXW4MB6K/

Comment 1 Alexander Bokovoy 2021-12-16 15:18:34 UTC
Thoughts:

I think it is due to this handling of 'ua' (user auth) in case 0 below, where IPADB_USER_AUTH_HARDENED should also have been considered:
https://pagure.io/freeipa/blob/master/f/daemons/ipa-kdb/ipa_kdb_principals.c#_786

    ret = ipadb_ldap_attr_to_key_data(lcontext, lentry,
                                      "krbPrincipalKey",
                                      &res_key_data, &result, &mkvno);
    switch (ret) {
    case 0:
        /* Only set a principal's key if password auth can be used. Otherwise
         * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
         * reply for AS-REQs which indicate the password authentication is
         * available. This might confuse applications like e.g. SSSD which try
         * to determine suitable authentication methods and corresponding
         * prompts with the help of MIT Kerberos' responder interface which
         * acts on the returned pre-authentication methods. A typical example
         * is enforced OTP authentication where of course keys are available
         * for the first factor but password authentication should not be
         * advertised by the KDC. */
        if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
            /* This is the same behavior as ENOENT below. */
            ipa_krb5_free_key_data(res_key_data, result);
            break;
        }

        entry->key_data = res_key_data;
        entry->n_key_data = result;
        if (mkvno) {
            krb5_int16 kvno16le = htole16((krb5_int16)mkvno);

            kerr = ipadb_set_tl_data(entry, KRB5_TL_MKVNO,
                                     sizeof(kvno16le),
                                     (krb5_octet *)&kvno16le);
            if (kerr) {
                goto done;
            }
        }
    case ENOENT:
        break;
    default:
        kerr = KRB5_KDB_INTERNAL_ERROR;
        goto done;
    }
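
To make the bitmask check quoted above concrete, the following is an added, stand-alone C model of the "keep or drop the principal's keys" decision; it is not ipa-kdb's own code or the merged upstream fix. The flag values are illustrative assumptions (only their distinctness matters), and the hardened-aware variant simply adds IPADB_USER_AUTH_HARDENED to the set of password-backed types, as comment 1 suggests.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative user-auth-type flags. The real values live in ipa-kdb's
 * headers; here they are only assumed to be distinct bits. */
enum {
    IPADB_USER_AUTH_NONE     = 0,
    IPADB_USER_AUTH_DISABLED = 1 << 0,
    IPADB_USER_AUTH_PASSWORD = 1 << 1,
    IPADB_USER_AUTH_RADIUS   = 1 << 2,
    IPADB_USER_AUTH_OTP      = 1 << 3,
    IPADB_USER_AUTH_PKINIT   = 1 << 4,
    IPADB_USER_AUTH_HARDENED = 1 << 5,
};

/* Condition as quoted from ipa_kdb_principals.c: keys are kept only when
 * password auth is enabled or no auth type is set at all. A user with only
 * "hardened" set lands in the "drop keys" branch, so the KDC offers no
 * password-based preauth and kinit fails with EINVAL as in the report. */
static bool keys_kept_as_reported(unsigned int ua)
{
    if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE))
        return false;
    return true;
}

/* Variant that also treats "hardened" as password-backed (hardened is
 * password auth restricted to SPAKE or a FAST channel). Assumed
 * illustration of the idea in comment 1, not the upstream patch. */
static bool keys_kept_with_hardened(unsigned int ua)
{
    unsigned int pw_types = IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED;
    if (!(ua & pw_types) && (ua != IPADB_USER_AUTH_NONE))
        return false;
    return true;
}

int main(void)
{
    struct { const char *name; unsigned int ua; } cases[] = {
        { "none",              IPADB_USER_AUTH_NONE },
        { "password",          IPADB_USER_AUTH_PASSWORD },
        { "hardened",          IPADB_USER_AUTH_HARDENED },
        { "password+hardened", IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED },
        { "otp",               IPADB_USER_AUTH_OTP },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s reported=%d hardened-aware=%d\n", cases[i].name,
               keys_kept_as_reported(cases[i].ua),
               keys_kept_with_hardened(cases[i].ua));
    return 0;
}
```

Only the "hardened" row differs between the two columns: the quoted check drops the keys, the hardened-aware one keeps them, while OTP-only users still get no password preauth in both.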

Comment 2 Sam Morris 2021-12-16 15:19:53 UTC
Upstream bug: https://pagure.io/freeipa/issue/9065

Comment 3 Trivino 2022-02-02 12:46:58 UTC
Upstream PR: https://github.com/freeipa/freeipa/pull/6161

Comment 11 Varun Mylaraiah 2022-02-23 18:04:34 UTC
Verified
ipa-server-4.9.8-6.module+el8.6.0+14224+4c38d4ea.x86_64

Passed	test_integration/test_krbtpolicy.py::TestPWPolicy::()::test_krbtpolicy_password_and_hardended
------------------------------ Captured log setup ------------------------------
transport.py               391 INFO     RUN ['kinit', 'admin']
transport.py               513 DEBUG    RUN ['kinit', 'admin']
transport.py               558 DEBUG    Password for admin: 
transport.py               217 DEBUG    Exit code: 0
------------------------------ Captured log call -------------------------------
transport.py               391 INFO     RUN ['ipa', 'user-mod', 'testuser1', '--user-auth-type', 'password', '--user-auth-type', 'hardened']
transport.py               513 DEBUG    RUN ['ipa', 'user-mod', 'testuser1', '--user-auth-type', 'password', '--user-auth-type', 'hardened']
transport.py               558 DEBUG    -------------------------
transport.py               558 DEBUG    Modified user "testuser1"
transport.py               558 DEBUG    -------------------------
transport.py               558 DEBUG      User login: testuser1
transport.py               558 DEBUG      First name: test
transport.py               558 DEBUG      Last name: user
transport.py               558 DEBUG      Home directory: /home/testuser1
transport.py               558 DEBUG      Login shell: /bin/sh
transport.py               558 DEBUG      Principal name: testuser1
transport.py               558 DEBUG      Principal alias: testuser1
transport.py               558 DEBUG      Email address: testuser1
transport.py               558 DEBUG      UID: 15200003
transport.py               558 DEBUG      GID: 15200003
transport.py               558 DEBUG      User authentication types: password, hardened
transport.py               558 DEBUG      Account disabled: False
transport.py               558 DEBUG      Password: True
transport.py               558 DEBUG      Member of groups: ipausers
transport.py               558 DEBUG      Kerberos keys available: True
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['ipa', 'config-mod', '--user-auth-type', 'password', '--user-auth-type', 'hardened']
transport.py               513 DEBUG    RUN ['ipa', 'config-mod', '--user-auth-type', 'password', '--user-auth-type', 'hardened']
transport.py               558 DEBUG      Maximum username length: 32
transport.py               558 DEBUG      Maximum hostname length: 64
transport.py               558 DEBUG      Home directory base: /home
transport.py               558 DEBUG      Default shell: /bin/sh
transport.py               558 DEBUG      Default users group: ipausers
transport.py               558 DEBUG      Default e-mail domain: testrelm.test
transport.py               558 DEBUG      Search time limit: 2
transport.py               558 DEBUG      Search size limit: 100
transport.py               558 DEBUG      User search fields: uid,givenname,sn,telephonenumber,ou,title
transport.py               558 DEBUG      Group search fields: cn,description
transport.py               558 DEBUG      Enable migration mode: FALSE
transport.py               558 DEBUG      Certificate Subject base: O=TESTRELM.TEST
transport.py               558 DEBUG      Password Expiration Notification (days): 4
transport.py               558 DEBUG      Password plugin features: AllowNThash, KDC:Disable Last Success
transport.py               558 DEBUG      SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
transport.py               558 DEBUG      Default SELinux user: unconfined_u:s0-s0:c0.c1023
transport.py               558 DEBUG      Default PAC types: MS-PAC, nfs:NONE
transport.py               558 DEBUG      Default user authentication types: password, hardened
transport.py               558 DEBUG      IPA masters: master.testrelm.test
transport.py               558 DEBUG      IPA master capable of PKINIT: master.testrelm.test
transport.py               558 DEBUG      IPA CA servers: master.testrelm.test
transport.py               558 DEBUG      IPA CA renewal master: master.testrelm.test
transport.py               558 DEBUG      IPA DNS servers: master.testrelm.test
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['ipa', 'krbtpolicy-mod', 'testuser1', '--hardened-maxlife', '600']
transport.py               513 DEBUG    RUN ['ipa', 'krbtpolicy-mod', 'testuser1', '--hardened-maxlife', '600']
transport.py               558 DEBUG      Max life: 86400
transport.py               558 DEBUG      Hardened max life: 600
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['kdestroy', '-A']
transport.py               513 DEBUG    RUN ['kdestroy', '-A']
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['kinit', 'testuser1']
transport.py               513 DEBUG    RUN ['kinit', 'testuser1']
transport.py               558 DEBUG    Password for testuser1: 
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN klist | grep krbtgt
transport.py               513 DEBUG    RUN klist | grep krbtgt
transport.py               558 DEBUG    02/23/2022 12:47:10  02/23/2022 12:57:10  krbtgt/TESTRELM.TEST
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['kdestroy', '-A']
transport.py               513 DEBUG    RUN ['kdestroy', '-A']
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['kinit', 'testuser2']
transport.py               513 DEBUG    RUN ['kinit', 'testuser2']
transport.py               558 DEBUG    Password for testuser2: 
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN klist | grep krbtgt
transport.py               513 DEBUG    RUN klist | grep krbtgt
transport.py               558 DEBUG    02/23/2022 12:47:10  02/24/2022 11:51:49  krbtgt/TESTRELM.TEST
transport.py               217 DEBUG    Exit code: 0

http://idm-artifacts.usersys.redhat.com/mvarun/trigger//3929/test-suite/report.html.gz
Based on the test result, marking the bug VERIFIED.

Comment 13 errata-xmlrpc 2022-05-10 14:09:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1884