Bug 2162656
Summary: | Passwordless (GSSAPI) SSH not working for subdomain. | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | anuja <amore> | |
Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> | |
Status: | CLOSED ERRATA | QA Contact: | anuja <amore> | |
Severity: | unspecified | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 9.2 | CC: | abokovoy, ftrivino, jrische, pasik, rcritten, tscherf | |
Target Milestone: | rc | Keywords: | Regression, Triaged | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | ipa-4.10.1-5.el9 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 2166324 (view as bug list) | Environment: | ||
Last Closed: | 2023-05-09 07:33:20 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 2144442 |
Description
anuja
2023-01-20 12:21:00 UTC
Not 100% sure about this but it looks like the tests started failing with ipa 4.10.1-1 on RHEL 9.2 (were green with 4.10.0-8), and with ipa 4.9.11-3 on RHEL 8.8 (were green with ipa-server-4.9.10-8). The 2 rebases contain the patch for 9083: Support MIT Kerberos KDB version 9 (see https://www.freeipa.org/page/Releases/4.10.1 and https://www.freeipa.org/page/Releases/4.9.11) that modified ipa-kdb driver, making this change a (maybe too) obvious suspect. Reproducer steps: install trust with AD, where AD domain is windows.test and a child domain sub1.windows.test contains the user aduser1 obtain a kerberos ticket for aduser1.test and use this ticket for ssh # echo Secret123|kinit aduser1.TEST Password for aduser1.TEST: # ssh -K -l aduser1.TEST `hostname` 'echo Success' What can be seen in /var/log/krb5kdc.log when the test is run: Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](Error): PAC Info mismatch: domain = windows.test, expected flat name = WINDOWS, found logon name = SUB1 Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](info): TGS_REQ : handle_authdata (22) Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.0.191.232: HANDLE_AUTHDATA: authtime 1674588051, etypes {rep=UNSUPPORTED:(0)} aduser1.TEST for host/ip-10-0-191-232.user2k16.test, Invalid argument Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](info): closing down fd 11 Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](Error): PAC Info mismatch: domain = windows.test, expected flat name = WINDOWS, found logon name = SUB1 Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](info): TGS_REQ : handle_authdata (22) Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.0.191.232: HANDLE_AUTHDATA: authtime 1674588051, etypes {rep=UNSUPPORTED:(0)} aduser1.TEST for host/ip-10-0-191-232.user2k16.test, Invalid argument Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](info): closing down fd 11 The error message is produced from the filter_logon_info() method https://github.com/freeipa/freeipa/blob/295b4e23b44c74817fd83428f9ffe4cdb1e7bb8a/daemons/ipa-kdb/ipa_kdb_mspac.c#L1801 which is called from ipadb_check_logon_info() method https://github.com/freeipa/freeipa/blob/295b4e23b44c74817fd83428f9ffe4cdb1e7bb8a/daemons/ipa-kdb/ipa_kdb_mspac.c#L2027 The parameters provided to the method are evaluated in these lines: https://github.com/freeipa/freeipa/blob/master/daemons/ipa-kdb/ipa_kdb_mspac.c#L2104-L2113 if (client != NULL) { origin_realm = client->princ->realm; } else { origin_realm = signing_krbtgt->princ->realm; } kerr = filter_logon_info(context, tmpctx, &origin_realm, &info); if (kerr) { goto done; } It looks like the PAC contains references to sub1 (the child domain) but the code expects the parent domain instead. I think the catch here is that signing krbtgt will always be the forest root's one because that's the only one we have for the trust. It means we probably need to allow here any domain/NetBIOS name from that forest, not just be strict on the forest root. In MIT Krb 5 1.20 we don't even get an original client principal at all so nothing else could be done. Upstream ticket: https://pagure.io/freeipa/issue/9316 Fixed upstream master: https://pagure.io/freeipa/c/0c32ebf85859858eb27bcc712dfec91e2d1c85d3 https://pagure.io/freeipa/c/0b762d2b2a214cc6a392514e0d82e2c15200082b Fixed upstream ipa-4-9: https://pagure.io/freeipa/c/2d7cc19d238e0a20a44bb5422fd369d1e5cf764f https://pagure.io/freeipa/c/ed1959dc0cf8823a0ce60e32ce0de7a389ecb942 Fixed upstream ipa-4-10: https://pagure.io/freeipa/c/0206369eec8530e96c66986c4ca501d8962193ce https://pagure.io/freeipa/c/a6cb905de74da38d62f9c3bd7957018924282521 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ipa bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2205 |