Bug 1002179 - PAC is not recognized in krb5 1.10 KDC at TGS-REQ from krb5-1.11 client
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: krb5
Version: 6.4
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
Keywords: ZStream
Depends On: 951965
Reported: 2013-08-28 10:53 EDT by Libor Miksik
Modified: 2013-09-10 02:36 EDT (History)

Fixed In Version: krb5-1.10.3-10.el6_4.6
Doc Type: Bug Fix
Doc Text:
* When processing a client request that arrived wrapped in flexible authentication secure tunneling (FAST) armor, the KDC did not carry the message type of the outer request (AS-REQ or TGS-REQ) over to the decoded inner request. A TGS-REQ could therefore be handled as if it were not one, and the KDC could omit authorization data from the service ticket it issued in response. In some environments, for example an IPA server with an Active Directory trust, where the cifs/ service requires the MS-PAC, this resulted in authorization to resources being incorrectly denied. This update sets msg_type on the inner request when decoding FAST requests, so the authorization data is included and access control no longer fails in the described scenario.
Last Closed: 2013-09-10 02:36:05 EDT


Attachments: None
Description Libor Miksik 2013-08-28 10:53:06 EDT
This bug has been copied from bug #951965 and has been proposed
to be backported to 6.4 z-stream (EUS).
Comment 6 Steeve Goveas 2013-09-06 08:28:11 EDT
[root@dhcp207-61 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)

[root@dhcp207-61 ~]# rpm -q ipa-server
ipa-server-3.0.0-25.el6.x86_64

[root@dhcp207-61 ~]# rpm -q krb5-server
krb5-server-1.10.3-10.el6.x86_64

[root@dhcp207-61 ~]# wget -O /etc/yum.repos.d/errata-15560.repo http://cosmos.lab.eng.pnq.redhat.com/errata-15560/errata-15560.repo

[root@dhcp207-61 ~]# yum update krb5-server
Loaded plugins: product-id, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.10.3-10.el6 will be updated
---> Package krb5-server.x86_64 0:1.10.3-10.el6_4.6 will be an update
--> Processing Dependency: krb5-libs = 1.10.3-10.el6_4.6 for package: krb5-server-1.10.3-10.el6_4.6.x86_64
--> Running transaction check
---> Package krb5-libs.x86_64 0:1.10.3-10.el6 will be updated
--> Processing Dependency: krb5-libs = 1.10.3-10.el6 for package: krb5-workstation-1.10.3-10.el6.x86_64
---> Package krb5-libs.x86_64 0:1.10.3-10.el6_4.6 will be an update
--> Running transaction check
---> Package krb5-workstation.x86_64 0:1.10.3-10.el6 will be updated
---> Package krb5-workstation.x86_64 0:1.10.3-10.el6_4.6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================================================================================================
 Package                                Arch Version Repository                          Size
======================================================================================================================================================
Updating:
 krb5-server                            x86_64 1.10.3-10.el6_4.6 errata-15560                       2.0 M
Updating for dependencies:
 krb5-libs                              x86_64 1.10.3-10.el6_4.6 errata-15560                       760 k
 krb5-workstation                       x86_64 1.10.3-10.el6_4.6 errata-15560                       804 k

Transaction Summary
======================================================================================================================================================
Upgrade       3 Package(s)

Total download size: 3.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): krb5-libs-1.10.3-10.el6_4.6.x86_64.rpm | 760 kB     00:00
(2/3): krb5-server-1.10.3-10.el6_4.6.x86_64.rpm | 2.0 MB     00:00
(3/3): krb5-workstation-1.10.3-10.el6_4.6.x86_64.rpm | 804 kB     00:00
------------------------------------------------------------------------------------------------------------------------------------------------------
Total 32 MB/s | 3.5 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : krb5-libs-1.10.3-10.el6_4.6.x86_64 1/6
  Updating   : krb5-server-1.10.3-10.el6_4.6.x86_64 2/6
  Updating   : krb5-workstation-1.10.3-10.el6_4.6.x86_64 3/6
  Cleanup    : krb5-workstation-1.10.3-10.el6.x86_64 4/6
  Cleanup    : krb5-server-1.10.3-10.el6.x86_64 5/6
  Cleanup    : krb5-libs-1.10.3-10.el6.x86_64 6/6
  Verifying  : krb5-server-1.10.3-10.el6_4.6.x86_64 1/6
  Verifying  : krb5-libs-1.10.3-10.el6_4.6.x86_64 2/6
  Verifying  : krb5-workstation-1.10.3-10.el6_4.6.x86_64 3/6
  Verifying  : krb5-libs-1.10.3-10.el6.x86_64 4/6
  Verifying  : krb5-workstation-1.10.3-10.el6.x86_64 5/6
  Verifying  : krb5-server-1.10.3-10.el6.x86_64 6/6

Updated:
  krb5-server.x86_64 0:1.10.3-10.el6_4.6

Dependency Updated:
  krb5-libs.x86_64 0:1.10.3-10.el6_4.6 krb5-workstation.x86_64 0:1.10.3-10.el6_4.6

Complete!

[root@dhcp207-61 ~]# yum install bind-dyndb-ldap -y

[root@dhcp207-61 ~]# /usr/sbin/ipa-server-install --setup-dns --no-forwarder --hostname=dhcp207-61.testrelm.com --ip-address 10.65.207.61 -r TESTRELM.COM -n testrelm.com -p Secret123 -P Secret123 -a Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
.
.
.
Restarting the web server
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

[root@dhcp207-61 ~]# yum remove samba-winbind samba-common -y

[root@dhcp207-61 ~]# yum install ipa-server-trust-ad samba4-winbind-clients -y

[root@dhcp207-61 ~]# ipa-adtrust-install -a Secret123 --netbios-name TESTRELM -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring CIFS
  [1/18]: stopping smbd
  [2/18]: creating samba domain object
  [3/18]: creating samba config registry
  [4/18]: writing samba config file
  [5/18]: adding cifs Kerberos principal
  [6/18]: adding cifs principal to S4U2Proxy targets
  [7/18]: adding admin(group) SIDs
  [8/18]: adding RID bases
  [9/18]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [10/18]: activating CLDAP plugin
  [11/18]: activating sidgen plugin and task
  [12/18]: activating extdom plugin
  [13/18]: configuring smbd to start on boot
  [14/18]: adding special DNS service records
  [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [16/18]: adding fallback group
  [17/18]: setting SELinux booleans
  [18/18]: starting CIFS services
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
    TCP Ports:
      * 138: netbios-dgm
      * 139: netbios-ssn
      * 445: microsoft-ds
    UDP Ports:
      * 138: netbios-dgm
      * 139: netbios-ssn
      * 389: (C)LDAP
      * 445: microsoft-ds

Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
    TCP Ports:
      * 389, 636: LDAP/LDAPS

You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.

=============================================================================

[root@dhcp207-61 ~]# ipa dnszone-add adlabs.com --force --forwarder=10.65.207.6 --forward-policy=only --name-server win-i94qhqmthd4.adlabs.com --ip-address 10.65.207.6 --admin-email='hostmaster.adlabs.com'
  Zone name: adlabs.com
  Authoritative nameserver: win-i94qhqmthd4.adlabs.com
  Administrator e-mail address: hostmaster.adlabs.com.
  SOA serial: 1378464230
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.65.207.6
  Forward policy: only

[root@dhcp207-61 ~]# dig srv _ldap._tcp.adlabs.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> srv _ldap._tcp.adlabs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32791
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.adlabs.com.        IN    SRV

;; ANSWER SECTION:
_ldap._tcp.adlabs.com.    600    IN    SRV    0 100 389 win-i94qhqmthd4.adlabs.com.

;; ADDITIONAL SECTION:
win-i94qhqmthd4.adlabs.com. 1200 IN    A    10.65.207.6
win-i94qhqmthd4.adlabs.com. 1200 IN    AAAA 2620:52:0:41ce:5dbd:d0b2:6cc0:6a56

;; Query time: 11 msec
;; SERVER: 10.65.207.61#53(10.65.207.61)
;; WHEN: Fri Sep  6 16:14:12 2013
;; MSG SIZE  rcvd: 129

[root@dhcp207-61 ~]# dig @10.65.207.6 srv  _ldap._tcp.testrelm.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> @10.65.207.6 srv _ldap._tcp.testrelm.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60106
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.testrelm.com.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.testrelm.com. 86388    IN    SRV    0 100 389 dhcp207-61.testrelm.com.

;; ADDITIONAL SECTION:
dhcp207-61.testrelm.com. 1188    IN    A    10.65.207.61

;; Query time: 1 msec
;; SERVER: 10.65.207.6#53(10.65.207.6)
;; WHEN: Fri Sep  6 16:20:05 2013
;; MSG SIZE  rcvd: 100

[root@dhcp207-61 ~]# ipa trust-add --type=ad adlabs.com --admin Administrator --password
Active directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server denied your credentials

[root@dhcp207-61 ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Starting dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Starting ipa_memcached:                                    [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]
Restarting ADTRUST Service
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Restarting EXTID Service

Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]

[root@dhcp207-61 ~]# wbinfo --online-status
BUILTIN : online
TESTRELM : online

[root@dhcp207-61 ~]# ipa trust-add --type=ad adlabs.com --admin Administrator --password
Active directory domain administrator's password:
---------------------------------------------------
Added Active Directory trust for realm "adlabs.com"
---------------------------------------------------
  Realm name: adlabs.com
  Domain NetBIOS name: ADLABS
  Domain Security Identifier: S-1-5-21-3069109027-1612402048-776712048
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@dhcp207-61 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlabs.com
  Domain NetBIOS name: ADLABS
  Domain Security Identifier: S-1-5-21-3069109027-1612402048-776712048
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

Verified in version
[root@dhcp207-61 ~]# rpm -q ipa-server krb5-server
ipa-server-3.0.0-25.el6.x86_64
krb5-server-1.10.3-10.el6_4.6.x86_64

[root@dhcp207-61 ~]# kdestroy

[root@dhcp207-61 ~]# kinit admin
Password for admin@TESTRELM.COM:

[root@dhcp207-61 ~]# ls -la /`klist | grep cache | cut -d':' -f2-|cut -d/ -f2-`
-rw-------. 1 root root 1267 Sep  6 16:25 /tmp/krb5cc_0

[root@dhcp207-61 ~]# kvno cifs/`hostname`
cifs/dhcp207-61.testrelm.com@TESTRELM.COM: kvno = 1

[root@dhcp207-61 ~]# ls -la /`klist | grep cache | cut -d':' -f2-|cut -d/ -f2-`
-rw-------. 1 root root 2344 Sep  6 16:26 /tmp/krb5cc_0
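Added example (not part of this bug report, and not code from MIT krb5 or IPA): the verification in comment 6 infers that the cifs/ service ticket carries authorization data from the credential cache growing by roughly 1 KB after `kvno`. The script below, written for this page, makes that check per ticket instead of per file by walking a FILE: cache in FCC format version 4 (the default format MIT krb5 writes; older cache versions are rejected) and reporting the length of every ticket it holds. The function names, the sample principals and the placeholder ticket lengths are the example's own assumptions, and the sample cache is constructed inline rather than read from a real system.

```python
"""Walk a MIT krb5 FILE: credential cache (FCC format version 4) and report the
size of each ticket.  The PAC sits inside the encrypted part of the ticket, so a
client can only infer its presence from ticket size; sample data is constructed."""
import struct
import sys

# -- decoding helpers: FCC v4 integers are big-endian --
def _u16(buf, off):
    return struct.unpack_from(">H", buf, off)[0], off + 2

def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _counted(buf, off):
    """uint32 length followed by that many bytes."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated credential cache")
    return buf[off:off + n], off + n

def _principal(buf, off):
    """uint32 name_type, uint32 ncomp, counted realm, then ncomp counted components."""
    _name_type, off = _u32(buf, off)
    ncomp, off = _u32(buf, off)
    realm, off = _counted(buf, off)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(buf, off)
        comps.append(comp.decode())
    return "/".join(comps) + "@" + realm.decode(), off

def _skip_typed_list(buf, off):
    """addresses and authdata share a layout: uint32 count of (uint16 type, counted data)."""
    count, off = _u32(buf, off)
    for _ in range(count):
        _, off = _counted(buf, off + 2)
    return off

def parse_ccache(buf):
    """Return (default principal, list of credential dicts) for a v4 FILE: cache."""
    if buf[:2] != b"\x05\x04":
        raise ValueError("only FCC format version 4 is handled here")
    hdr_len, off = _u16(buf, 2)
    off += hdr_len                        # header tags (KDC time offset); not needed
    default, off = _principal(buf, off)
    creds = []
    while off < len(buf):
        client, off = _principal(buf, off)
        server, off = _principal(buf, off)
        enctype, off = _u16(buf, off)
        _, off = _counted(buf, off)       # session key
        off += 4 * 4 + 1                  # authtime, starttime, endtime, renew_till, is_skey
        flags, off = _u32(buf, off)
        off = _skip_typed_list(buf, off)  # addresses
        off = _skip_typed_list(buf, off)  # client-visible authdata; the PAC is not here
        ticket, off = _counted(buf, off)  # opaque DER Ticket, EncTicketPart still encrypted
        _, off = _counted(buf, off)       # second_ticket
        creds.append({"client": client, "server": server, "enctype": enctype,
                      "flags": flags, "ticket_len": len(ticket),
                      "is_config": server.endswith("@X-CACHECONF:")})
    return default, creds

def service_ticket_sizes(buf):
    """server principal -> ticket length, skipping krb5's X-CACHECONF: pseudo-credentials."""
    _, creds = parse_ccache(buf)
    return {c["server"]: c["ticket_len"] for c in creds if not c["is_config"]}

# -- encoder, used only to build the constructed sample below --
def _enc_counted(data):
    return struct.pack(">I", len(data)) + data

def _enc_principal(name):
    comps, realm = name.rsplit("@", 1)
    comps = comps.split("/")
    out = struct.pack(">II", 1, len(comps)) + _enc_counted(realm.encode())   # NT-PRINCIPAL
    return out + b"".join(_enc_counted(c.encode()) for c in comps)

def build_ccache(client, entries):
    """entries: (server principal, ticket bytes). Keys, times and flags are placeholders."""
    out = b"\x05\x04" + struct.pack(">HHHii", 12, 1, 8, 0, 0)   # one DeltaTime header tag
    out += _enc_principal(client)
    for server, ticket in entries:
        out += _enc_principal(client) + _enc_principal(server)
        out += struct.pack(">H", 18) + _enc_counted(b"\x00" * 32)   # aes256-cts session key
        out += struct.pack(">IIIIB", 0, 0, 0, 0, 0)                # times, is_skey
        out += struct.pack(">III", 0x40E10000, 0, 0)               # flags, no addresses, no authdata
        out += _enc_counted(ticket) + _enc_counted(b"")            # ticket, second_ticket
    return out

# Constructed sample (not a real cache): TGT, a cifs/ service ticket and a simplified
# config pseudo-entry. Ticket bodies are placeholder bytes of arbitrary chosen lengths.
SAMPLE_CCACHE = build_ccache("admin@TESTRELM.COM", [
    ("krbtgt/TESTRELM.COM@TESTRELM.COM", b"\x61" * 600),
    ("krb5_ccache_conf_data/fast_avail@X-CACHECONF:", b"yes"),
    ("cifs/dhcp207-61.testrelm.com@TESTRELM.COM", b"\x61" * 1300),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CCACHE
    for server, size in service_ticket_sizes(data).items():
        print(f"{size:6d}  {server}")
```

Run it against /tmp/krb5cc_0 (as root, since the cache is mode 0600) before and after `kvno cifs/...`, or compare the cifs/ ticket length against one issued by a KDC known to be fixed. The size difference is only a hint: the cache stores the Ticket with its EncTicketPart still encrypted under the service key, so the PAC cannot be inspected client-side, and the authoritative check remains whether the service accepts the ticket, for example `ipa trust-add` no longer failing with "CIFS server denied your credentials".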
Comment 8 errata-xmlrpc 2013-09-10 02:36:05 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1222.html
