Bug 1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled
KDC proxy not working with SSSD krb5_use_kdcinfo enabled
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd (Show other bugs)
7.0
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: Pavel Picka
Kaushik Banerjee
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-07-31 06:44 EDT by Jakub Hrozek
Modified: 2015-11-19 06:39 EST (History)
10 users (show)

See Also:
Fixed In Version: sssd-1.13.0-20.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 06:39:44 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Verify log for bz (7.21 KB, text/plain)
2015-09-30 10:37 EDT, Pavel Picka
no flags Details

  None (edit)
Description Jakub Hrozek 2015-07-31 06:44:47 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2652

krb5 has recently grown a feature to tunnel Kerberos requests over HTTPS [1]. The KDC proxy package [2] provides an implementation of the MS-KKDCP protocol. The proxy support is configured in /etc/krb5.conf like this:


{{{
[realms]
  FREEIPA.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    http_anchors = FILE:/etc/ipa/ca.crt
    kdc = https://ipasrv.freeipa.local/KdcProxy
    kpasswd_server = https://ipasrv.freeipa.local/KdcProxy
  }
}}}


However feature does '''not''' work with sssd_krb5_locator_plugin from sssd-krb5-1.12.4 when krb5_use_kdcinfo is enabled for the domain. The locator plugin overwrites the settings from krb5.conf and kinit still use Kerberos transport over 88/TCP. This setting is enabled by default.

Alexander Bokovoy has suggested to check for ''http_anchors'' in order to detect KDC proxy.


== krb5_use_kdcinfo = true ==

{{{
# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit admin
[7315] 1431433477.481824: Getting initial credentials for admin@FREEIPA.LOCAL
[7315] 1431433477.481944: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [192.168.122.95] in [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL].
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[2]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[1]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[7315] 1431433477.482438: Initiating TCP connection to stream 192.168.122.95:88
[7315] 1431433477.482624: Sending TCP request to stream 192.168.122.95:88
[7315] 1431433477.484229: Received answer (344 bytes) from stream 192.168.122.95:88
[7315] 1431433477.484234: Terminating TCP connection to stream 192.168.122.95:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [192.168.122.95] in [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL].
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[1]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[7315] 1431433477.484292: Response was from master KDC
[7315] 1431433477.484327: Received error from KDC: -1765328359/Additional pre-authentication required
[7315] 1431433477.484355: Processing preauth types: 136, 19, 2, 133
[7315] 1431433477.484363: Selected etype info: etype aes256-cts, salt "=J 5DD|(71ZR,GNW", params ""
[7315] 1431433477.484365: Received cookie: MIT
}}}

== krb5_use_kdcinfo = false ==


{{{
# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit admin
[7330] 1431433557.257480: Getting initial credentials for admin@FREEIPA.LOCAL
[7330] 1431433557.257681: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[7330] 1431433557.257829: Resolving hostname ipasrv.freeipa.local
[7330] 1431433557.262156: TLS certificate name matched "ipasrv.freeipa.local"
[7330] 1431433557.264513: Sending HTTPS request to https 192.168.122.95:443
[7330] 1431433557.269857: Received answer (344 bytes) from https 192.168.122.95:443
[7330] 1431433557.269867: Terminating TCP connection to https 192.168.122.95:443
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[7330] 1431433557.270003: Response was not from master KDC
[7330] 1431433557.270026: Received error from KDC: -1765328359/Additional pre-authentication required
[7330] 1431433557.270061: Processing preauth types: 136, 19, 2, 133
[7330] 1431433557.270069: Selected etype info: etype aes256-cts, salt "=J 5DD|(71ZR,GNW", params ""
[7330] 1431433557.270072: Received cookie: MIT
}}}


[1] http://web.mit.edu/kerberos/krb5-current/doc/admin/https.html
[2] https://www.freeipa.org/page/V4/KDC_Proxy
Comment 1 Jakub Hrozek 2015-07-31 06:45:40 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2700
Comment 2 Jakub Hrozek 2015-08-07 05:16:38 EDT
* master:
 * 05ed6a29cbd3cbec177364487a2afeade51d6546 
 * 67c68b563e1afc409aeadbcc828f9bdf33c57c84
Comment 3 Namita Soman 2015-08-07 15:43:04 EDT
Pls add steps to verify
Comment 4 Jakub Hrozek 2015-08-09 03:05:09 EDT
(In reply to Namita Soman from comment #3)
> Pls add steps to verify

* Configure IPA server with KDC proxy
* Configure the client so that the KDC is available (since it's over https://) but the IPA/LDAP server is not
* Authenticate

Previously, the authentication would fail (unless credentials were cached). With the fixed packages, the sssd detects the situation properly and stays online, allowing to authenticate.
Comment 6 Pavel Picka 2015-09-30 10:37 EDT
Created attachment 1078676 [details]
Verify log for bz

Verified

sssd-1.13.0-35.el7.x86_64
Comment 7 errata-xmlrpc 2015-11-19 06:39:44 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html

Note You need to log in before you can comment on or make changes to this bug.