Bug 2049104

Summary: User can't log in after ipa-user-mod --user-auth-type=hardened
Product: Red Hat Enterprise Linux 9
Reporter: Rafael Jeffman <rjeffman>
Component: ipa
Assignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 9.0
CC: abokovoy, frenaud, ftrivino, ipa-qe, myusuf, rcritten, rjeffman, sam, ssidhaye, tscherf, twoerner
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.9.8-2.el9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2033342
Environment:
Last Closed: 2022-05-17 12:44:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2033342
Bug Blocks:

Description Rafael Jeffman 2022-02-01 14:46:54 UTC
+++ This bug was initially created as a clone of Bug #2033342 +++

Description of problem:
I've a user for which I've run:

$ ipa user-mod user --user-auth-type=hardened

Now they can't use kinit any more:

[admin@ipa-test0 ~]$ KRB5_TRACE=/dev/stderr KRB5CCNAME=MEMORY: kinit htest
[3910683] 1639666477.833986: Getting initial credentials for htest
[3910683] 1639666477.833988: Sending unauthenticated request
[3910683] 1639666477.833989: Sending request (167 bytes) to IPATEST.QQ
[3910683] 1639666477.833990: Initiating TCP connection to stream 192.168.0.7:88
[3910683] 1639666477.833991: Sending TCP request to stream 192.168.0.7:88
[3910683] 1639666477.833992: Received answer (234 bytes) from stream 192.168.0.7:88
[3910683] 1639666477.833993: Terminating TCP connection to stream 192.168.0.7:88
[3910683] 1639666477.833994: Response was from primary KDC
[3910683] 1639666477.833995: Received error from KDC: -1765328359/Additional pre-authentication required
[3910683] 1639666477.833998: Preauthenticating using KDC method data
[3910683] 1639666477.833999: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[3910683] 1639666477.834000: Received cookie: MIT
[3910683] 1639666477.834001: PKINIT client has no configured identity; giving up
[3910683] 1639666477.834002: Preauth module pkinit (147) (info) returned: 0/Success
[3910683] 1639666477.834003: PKINIT client received freshness token from KDC
[3910683] 1639666477.834004: Preauth module pkinit (150) (info) returned: 0/Success
[3910683] 1639666477.834005: PKINIT client has no configured identity; giving up
[3910683] 1639666477.834006: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

Nor can they log in via PAM:

==> /var/log/sssd/krb5_child.log <==
(2021-12-16 14:56:46): [krb5_child[3910812]] [get_and_save_tgt] (0x0020): 1724: [-1765328174][Pre-authentication failed: Invalid argument]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x0400): krb5_child started.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [unpack_buffer] (0x1000): total buffer size: [107]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [1829800021] gid [1829800021] validate [true] enterprise principal [false] offline [false] UPN [htest]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [unpack_buffer] (0x0100): ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [switch_creds] (0x0200): Switch user to [1829800021][1829800021].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [switch_creds] (0x0200): Switch user to [0][0].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KCM:] and is not active and TGT is  valid.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [k5c_precreate_ccache] (0x4000): Recreating ccache
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/ipa-test0.example.qq]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipa-test0.example.qq in keytab.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [match_principal] (0x1000): Principal matched to the sample (host/ipa-test0.example.qq).
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [become_user] (0x0200): Trying to become user [1829800021][1829800021].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x2000): Running as [1829800021][1829800021].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [set_lifetime_options] (0x0100): No specific lifetime requested.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x0400): Will perform auth
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x0400): Will perform online auth
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [tgt_req_child] (0x1000): Attempting to get a TGT
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [IPATEST.QQ]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [get_and_save_tgt] (0x0020): 1724: [-1765328174][Pre-authentication failed: Invalid argument]

********************** BACKTRACE DUMP ENDS HERE *********************************

(2021-12-16 14:56:46): [krb5_child[3910812]] [map_krb5_error] (0x0020): [1432158222][Failure setting user credentials].

Version-Release number of selected component (if applicable):
ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64 (RHEL 8)
ipa-server-4.9.6-9.el9.x86_64 (CentOS Stream 9)

How reproducible:
100% on both RHEL 8 and CentOS Stream 9


Steps to Reproduce:
1. ipa-server-install
2. ipa user-add htest
3. ipa user-mod htest --user-auth-type=hardened

Actual results:
User can't use kinit to authenticate with SPAKE; nor can they use kinit -T to authenticate via a FAST channel. pam_sss doesn't let them in either.

Expected results:
kinit and pam_sss should let user log in.

Additional info:
Forwarded from https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/B2NGHAIUTWWO2QLHZS6UWRTJWXW4MB6K/

--- Additional comment from Alexander Bokovoy on 2021-12-16 15:18:34 UTC ---

Thoughts:

I think it is due to this handling of 'ua' (user auth) in case 0 below, where IPADB_USER_AUTH_HARDENED should also have been considered:
https://pagure.io/freeipa/blob/master/f/daemons/ipa-kdb/ipa_kdb_principals.c#_786

    ret = ipadb_ldap_attr_to_key_data(lcontext, lentry,
                                      "krbPrincipalKey",
                                      &res_key_data, &result, &mkvno);
    switch (ret) {
    case 0:
        /* Only set a principal's key if password auth can be used. Otherwise
         * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
         * reply for AS-REQs which indicate the password authentication is
         * available. This might confuse applications like e.g. SSSD which try
         * to determine suitable authentication methods and corresponding
         * prompts with the help of MIT Kerberos' responder interface which
         * acts on the returned pre-authentication methods. A typical example
         * is enforced OTP authentication where of course keys are available
         * for the first factor but password authentication should not be
         * advertised by the KDC. */
        if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
            /* This is the same behavior as ENOENT below. */
            ipa_krb5_free_key_data(res_key_data, result);
            break;
        }

        entry->key_data = res_key_data;
        entry->n_key_data = result;
        if (mkvno) {
            krb5_int16 kvno16le = htole16((krb5_int16)mkvno);

            kerr = ipadb_set_tl_data(entry, KRB5_TL_MKVNO,
                                     sizeof(kvno16le),
                                     (krb5_octet *)&kvno16le);
            if (kerr) {
                goto done;
            }
        }
    case ENOENT:
        break;
    default:
        kerr = KRB5_KDB_INTERNAL_ERROR;
        goto done;
    }
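
As an added illustration (not code from this bug report or from FreeIPA), the following C model of the quoted case 0 branch shows why a principal with user-auth-type hardened ends up with no keys under the original check, and how counting IPADB_USER_AUTH_HARDENED like PASSWORD, as the comment suggests, restores them. The flag values and the `principal_keys_loaded` helper are constructed, and the corrected predicate is an assumption about the fix's shape, not the upstream patch.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for ipa-kdb's user-auth bitmask; real values live in
 * the ipa-kdb headers and only the bit relationships matter here. */
enum {
    IPADB_USER_AUTH_NONE     = 0,
    IPADB_USER_AUTH_PASSWORD = 1 << 0,
    IPADB_USER_AUTH_OTP      = 1 << 1,
    IPADB_USER_AUTH_HARDENED = 1 << 2,
};

/* Hypothetical model of the quoted switch. `ret` is the krbPrincipalKey lookup
 * result (0 = keys found, ENOENT = attribute absent), `nkeys` how many keys
 * were found. Returns the key count the KDB entry ends up with; 0 means the
 * KDC cannot offer password-based preauth (encrypted timestamp / SPAKE), which
 * matches the kinit trace above offering only PKINIT/FAST related types. */
static int principal_keys_loaded(int ret, int nkeys, unsigned ua, bool with_fix)
{
    /* Original check: only PASSWORD keeps the keys. Assumed fix (not the exact
     * upstream patch): HARDENED keeps them too, since hardened auth is still a
     * password exchange, merely forced through a FAST channel. */
    unsigned needs_keys = IPADB_USER_AUTH_PASSWORD | (with_fix ? IPADB_USER_AUTH_HARDENED : 0);

    int n_key_data = 0;
    switch (ret) {
    case 0:
        if (!(ua & needs_keys) && (ua != IPADB_USER_AUTH_NONE))
            break;          /* keys freed: same outcome as ENOENT below */
        n_key_data = nkeys;
        /* fall through */
    case ENOENT:
        break;
    default:
        return -1;          /* KRB5_KDB_INTERNAL_ERROR in the real code */
    }
    return n_key_data;
}

int main(void)
{
    printf("hardened, original check: %d keys\n",
           principal_keys_loaded(0, 2, IPADB_USER_AUTH_HARDENED, false));
    printf("hardened, with fix:       %d keys\n",
           principal_keys_loaded(0, 2, IPADB_USER_AUTH_HARDENED, true));
    return 0;
}
```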

--- Additional comment from Sam Morris on 2021-12-16 15:19:53 UTC ---

Upstream bug: https://pagure.io/freeipa/issue/9065

Comment 7 Mohammad Rizwan 2022-02-10 06:50:16 UTC
version:
ipa-server-4.9.8-2.el9.x86_64


Automation passed, hence marking the bug verified.
http://idm-artifacts.usersys.redhat.com/freeipa/Nightly/RHEL9.0/2022-02-04/tier-1/upstream-krbtpolicy/20//report.html

Comment 9 errata-xmlrpc 2022-05-17 12:44:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: ipa), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2387