Bug 1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled
Summary: KDC proxy not working with SSSD krb5_use_kdcinfo enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assignee: Pavel Picka
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-07-31 10:44 UTC by Jakub Hrozek
Modified: 2020-05-02 18:06 UTC (History)
CC List: 10 users

Fixed In Version: sssd-1.13.0-20.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 11:39:44 UTC
Target Upstream Version:


Attachments
Verify log for bz (7.21 KB, text/plain), 2015-09-30 14:37 UTC, Pavel Picka


Links
System | ID | Priority | Status | Summary | Last Updated
Github SSSD | sssd issues 3693 | None | closed | KDC proxy not working with SSSD krb5_use_kdcinfo enabled | 2020-05-12 21:07:47 UTC
Github SSSD | sssd issues 3741 | None | closed | krb5_child should always consider online state to allow use of MS-KKDC proxy | 2020-05-12 21:07:47 UTC
Red Hat Product Errata | RHSA-2015:2355 | normal | SHIPPED_LIVE | Low: sssd security, bug fix, and enhancement update | 2015-11-19 10:27:42 UTC

Description Jakub Hrozek 2015-07-31 10:44:47 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2652

krb5 has recently grown a feature to tunnel Kerberos requests over HTTPS [1]. The KDC proxy package [2] provides an implementation of the MS-KKDCP protocol. The proxy support is configured in /etc/krb5.conf like this:


{{{
[realms]
  FREEIPA.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    http_anchors = FILE:/etc/ipa/ca.crt
    kdc = https://ipasrv.freeipa.local/KdcProxy
    kpasswd_server = https://ipasrv.freeipa.local/KdcProxy
  }
}}}


However, the feature does '''not''' work with sssd_krb5_locator_plugin from sssd-krb5-1.12.4 when krb5_use_kdcinfo is enabled for the domain. The locator plugin overwrites the settings from krb5.conf and kinit still uses Kerberos transport over 88/TCP. This setting is enabled by default.

Alexander Bokovoy has suggested checking for ''http_anchors'' in order to detect the KDC proxy.


== krb5_use_kdcinfo = true ==

{{{
# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit admin
[7315] 1431433477.481824: Getting initial credentials for admin@FREEIPA.LOCAL
[7315] 1431433477.481944: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [192.168.122.95] in [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL].
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[2]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[1]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[7315] 1431433477.482438: Initiating TCP connection to stream 192.168.122.95:88
[7315] 1431433477.482624: Sending TCP request to stream 192.168.122.95:88
[7315] 1431433477.484229: Received answer (344 bytes) from stream 192.168.122.95:88
[7315] 1431433477.484234: Terminating TCP connection to stream 192.168.122.95:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [192.168.122.95] in [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL].
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[1]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[7315] 1431433477.484292: Response was from master KDC
[7315] 1431433477.484327: Received error from KDC: -1765328359/Additional pre-authentication required
[7315] 1431433477.484355: Processing preauth types: 136, 19, 2, 133
[7315] 1431433477.484363: Selected etype info: etype aes256-cts, salt "=J 5DD|(71ZR,GNW", params ""
[7315] 1431433477.484365: Received cookie: MIT
}}}

== krb5_use_kdcinfo = false ==


{{{
# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit admin
[7330] 1431433557.257480: Getting initial credentials for admin@FREEIPA.LOCAL
[7330] 1431433557.257681: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[7330] 1431433557.257829: Resolving hostname ipasrv.freeipa.local
[7330] 1431433557.262156: TLS certificate name matched "ipasrv.freeipa.local"
[7330] 1431433557.264513: Sending HTTPS request to https 192.168.122.95:443
[7330] 1431433557.269857: Received answer (344 bytes) from https 192.168.122.95:443
[7330] 1431433557.269867: Terminating TCP connection to https 192.168.122.95:443
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[7330] 1431433557.270003: Response was not from master KDC
[7330] 1431433557.270026: Received error from KDC: -1765328359/Additional pre-authentication required
[7330] 1431433557.270061: Processing preauth types: 136, 19, 2, 133
[7330] 1431433557.270069: Selected etype info: etype aes256-cts, salt "=J 5DD|(71ZR,GNW", params ""
[7330] 1431433557.270072: Received cookie: MIT
}}}


[1] http://web.mit.edu/kerberos/krb5-current/doc/admin/https.html
[2] https://www.freeipa.org/page/V4/KDC_Proxy
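The description above pins the failure to one combination: a realm stanza whose kdc/kpasswd_server point at the KDC proxy (https://), together with an SSSD domain that leaves krb5_use_kdcinfo at its default of true, so the locator plugin hands libkrb5 the plain 88/TCP address instead. The following script is an added example, not code from the report or from the sssd project: it parses the [realms] stanza of krb5.conf and the matching domain in sssd.conf and reports every proxied setting the locator plugin would bypass. The krb5.conf text is the stanza from the report; the sssd.conf text (domain name, provider lines, the explicit krb5_use_kdcinfo override) is constructed for the example, and the mapping of a realm to its SSSD domain via krb5_realm is an assumption of this check.

```python
import configparser
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the krb5.conf realm stanza from the report, plus a
# second realm that does not use the proxy.
KRB5_CONF = """\
[libdefaults]
  default_realm = FREEIPA.LOCAL

[realms]
  FREEIPA.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    http_anchors = FILE:/etc/ipa/ca.crt
    kdc = https://ipasrv.freeipa.local/KdcProxy
    kpasswd_server = https://ipasrv.freeipa.local/KdcProxy
  }
  OTHER.EXAMPLE = {
    kdc = kdc.other.example:88
  }
"""

# Constructed sssd.conf (assumed domain name and provider settings); the first
# variant leaves krb5_use_kdcinfo at its default of true.
SSSD_CONF_DEFAULT = """\
[sssd]
services = nss, pam
domains = freeipa.local

[domain/freeipa.local]
id_provider = ipa
auth_provider = ipa
ipa_server = ipasrv.freeipa.local
krb5_realm = FREEIPA.LOCAL
"""

SSSD_CONF_FIXED = SSSD_CONF_DEFAULT + "krb5_use_kdcinfo = false\n"


class Finding(NamedTuple):
    realm: str
    domain: str
    setting: str
    value: str


def parse_krb5_realms(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the [realms] section of krb5.conf (REALM = { key = value }).
    Only this subset of the syntax is handled; it is enough for the check below."""
    realms: Dict[str, Dict[str, str]] = {}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # krb5.conf comments start the line
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, current = m.group(1).lower(), None
            continue
        if section != "realms":
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:
            current = m.group(1).upper()
            realms[current] = {}
            continue
        if line == "}":
            current = None
            continue
        if current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            realms[current][key.lower()] = value
    return realms


def find_proxy_conflicts(krb5_conf: str, sssd_conf: str) -> List[Finding]:
    """Report realms whose kdc/kpasswd_server point at a KDC proxy (https://)
    while the SSSD domain for that realm (matched by krb5_realm) leaves
    krb5_use_kdcinfo at its default of true, so the locator plugin would
    replace the proxy URL with the address from kdcinfo.<REALM>."""
    realms = parse_krb5_realms(krb5_conf)
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf)
    findings: List[Finding] = []
    for domain in cp.sections():
        if not domain.startswith("domain/"):
            continue
        realm = cp.get(domain, "krb5_realm", fallback="").upper()
        if realm not in realms:
            continue
        if not cp.getboolean(domain, "krb5_use_kdcinfo", fallback=True):
            continue  # kdcinfo disabled: the krb5.conf settings are used as written
        for setting in ("kdc", "kpasswd_server"):
            value = realms[realm].get(setting, "")
            if value.lower().startswith("https://"):
                findings.append(Finding(realm, domain, setting, value))
    return findings


if __name__ == "__main__":
    for label, conf in (("default sssd.conf", SSSD_CONF_DEFAULT),
                        ("krb5_use_kdcinfo = false", SSSD_CONF_FIXED)):
        for f in find_proxy_conflicts(KRB5_CONF, conf):
            print(f"{label}: {f.realm} ({f.domain}) sets {f.setting} = {f.value} "
                  "but SSSD kdcinfo is enabled; the locator plugin will bypass the proxy")
```

With the default sssd.conf the check reports both the kdc and kpasswd_server entries of FREEIPA.LOCAL; with krb5_use_kdcinfo = false it reports nothing, which is the workaround the report implies for sssd-krb5-1.12.4 before the fixed packages.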

Comment 1 Jakub Hrozek 2015-07-31 10:45:40 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2700

Comment 2 Jakub Hrozek 2015-08-07 09:16:38 UTC
* master:
 * 05ed6a29cbd3cbec177364487a2afeade51d6546
 * 67c68b563e1afc409aeadbcc828f9bdf33c57c84

Comment 3 Namita Soman 2015-08-07 19:43:04 UTC
Pls add steps to verify

Comment 4 Jakub Hrozek 2015-08-09 07:05:09 UTC
(In reply to Namita Soman from comment #3)
> Pls add steps to verify

* Configure IPA server with KDC proxy
* Configure the client so that the KDC is available (since it's over https://) but the IPA/LDAP server is not
* Authenticate

Previously, the authentication would fail (unless credentials were cached). With the fixed packages, sssd detects the situation properly and stays online, allowing the user to authenticate.
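To confirm which transport a kinit run actually used during the verification steps above, the trace from `env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit ...` shown in the description is enough; the following is an added example (not part of the bug report or of sssd) that classifies such a trace. It records what the locator plugin handed to libkrb5 and whether the request went out as plain Kerberos over TCP or as an MS-KKDCP request over HTTPS, and flags the reported symptom: the locator supplied an address and the proxy was bypassed. The embedded sample lines are copied from the two traces in the description and trimmed; the regular expressions assume the MIT krb5 trace wording shown there.

```python
import re
from dataclasses import dataclass, field

# Constructed samples: lines taken from the two kinit traces in the report
# (krb5_use_kdcinfo = true and = false), trimmed to the transport-relevant lines.
TRACE_KDCINFO_TRUE = """\
[7315] 1431433477.481824: Getting initial credentials for admin@FREEIPA.LOCAL
[7315] 1431433477.481944: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] Found [192.168.122.95] in [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL].
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[2]
[sssd_krb5_locator] [192.168.122.95] used
[7315] 1431433477.482438: Initiating TCP connection to stream 192.168.122.95:88
[7315] 1431433477.482624: Sending TCP request to stream 192.168.122.95:88
[7315] 1431433477.484229: Received answer (344 bytes) from stream 192.168.122.95:88
[7315] 1431433477.484234: Terminating TCP connection to stream 192.168.122.95:88
"""

TRACE_KDCINFO_FALSE = """\
[7330] 1431433557.257480: Getting initial credentials for admin@FREEIPA.LOCAL
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[7330] 1431433557.257829: Resolving hostname ipasrv.freeipa.local
[7330] 1431433557.262156: TLS certificate name matched "ipasrv.freeipa.local"
[7330] 1431433557.264513: Sending HTTPS request to https 192.168.122.95:443
[7330] 1431433557.269857: Received answer (344 bytes) from https 192.168.122.95:443
[7330] 1431433557.269867: Terminating TCP connection to https 192.168.122.95:443
"""

# Trace lines that reveal the transport actually used (wording as in the report).
LOCATOR_ADDR = re.compile(r"^\[sssd_krb5_locator\] addr\[([^\]]+)\]")
TCP_STREAM = re.compile(r"(?:Initiating TCP connection|Sending TCP request) to stream (\S+)")
HTTPS_REQ = re.compile(r"Sending HTTPS request to https (\S+)")
TLS_NAME = re.compile(r'TLS certificate name matched "([^"]+)"')


@dataclass
class TraceSummary:
    locator_addresses: set = field(default_factory=set)  # addresses the locator plugin supplied
    tcp_targets: set = field(default_factory=set)        # plain Kerberos over TCP (host:port)
    https_targets: set = field(default_factory=set)      # MS-KKDCP over HTTPS (host:port)
    tls_names: set = field(default_factory=set)          # names verified on the proxy certificate

    @property
    def transport(self) -> str:
        if self.tcp_targets:
            return "direct"    # kinit talked to a KDC on 88/TCP
        if self.https_targets:
            return "kdcproxy"  # kinit went through the KDC proxy
        return "none"

    @property
    def locator_overrode_proxy(self) -> bool:
        """The reported symptom: the locator plugin supplied an address and the
        request went out as plain TCP instead of through the configured proxy."""
        return bool(self.locator_addresses) and self.transport == "direct"


def analyze_trace(text: str) -> TraceSummary:
    """Classify one KRB5_TRACE + SSSD_KRB5_LOCATOR_DEBUG transcript."""
    s = TraceSummary()
    for line in text.splitlines():
        if m := LOCATOR_ADDR.search(line):
            s.locator_addresses.add(m.group(1))
        elif m := TCP_STREAM.search(line):
            s.tcp_targets.add(m.group(1))
        elif m := HTTPS_REQ.search(line):
            s.https_targets.add(m.group(1))
        elif m := TLS_NAME.search(line):
            s.tls_names.add(m.group(1))
    return s


if __name__ == "__main__":
    for label, trace in (("krb5_use_kdcinfo = true", TRACE_KDCINFO_TRUE),
                         ("krb5_use_kdcinfo = false", TRACE_KDCINFO_FALSE)):
        s = analyze_trace(trace)
        print(f"{label}: transport={s.transport} locator={sorted(s.locator_addresses)} "
              f"tcp={sorted(s.tcp_targets)} https={sorted(s.https_targets)} "
              f"tls={sorted(s.tls_names)} locator_overrode_proxy={s.locator_overrode_proxy}")
```

Run against a trace captured on the client from step 3, a result of `transport=kdcproxy` with the expected TLS name confirms the request reached the KDC only over HTTPS, while `locator_overrode_proxy=True` reproduces the failure the report describes.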

Comment 6 Pavel Picka 2015-09-30 14:37:29 UTC
Created attachment 1078676 [details]
Verify log for bz

Verified

sssd-1.13.0-35.el7.x86_64

Comment 7 errata-xmlrpc 2015-11-19 11:39:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html

