Red Hat Bugzilla – Bug 1249015
KDC proxy not working with SSSD krb5_use_kdcinfo enabled
Last modified: 2015-11-19 06:39:44 EST
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2652

krb5 has recently grown a feature to tunnel Kerberos requests over HTTPS [1]. The KDC proxy package [2] provides an implementation of the MS-KKDCP protocol. The proxy support is configured in /etc/krb5.conf like this:

{{{
[realms]
FREEIPA.LOCAL = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  http_anchors = FILE:/etc/ipa/ca.crt
  kdc = https://ipasrv.freeipa.local/KdcProxy
  kpasswd_server = https://ipasrv.freeipa.local/KdcProxy
}
}}}

However, the feature does '''not''' work with sssd_krb5_locator_plugin from sssd-krb5-1.12.4 when krb5_use_kdcinfo is enabled for the domain. The locator plugin overwrites the settings from krb5.conf and kinit still uses Kerberos transport over 88/TCP. This setting is enabled by default.

Alexander Bokovoy has suggested to check for ''http_anchors'' in order to detect KDC proxy.

== krb5_use_kdcinfo = true ==

{{{
# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit admin
[7315] 1431433477.481824: Getting initial credentials for admin@FREEIPA.LOCAL
[7315] 1431433477.481944: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [192.168.122.95] in [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL].
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[2]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[1]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[7315] 1431433477.482438: Initiating TCP connection to stream 192.168.122.95:88
[7315] 1431433477.482624: Sending TCP request to stream 192.168.122.95:88
[7315] 1431433477.484229: Received answer (344 bytes) from stream 192.168.122.95:88
[7315] 1431433477.484234: Terminating TCP connection to stream 192.168.122.95:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [192.168.122.95] in [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL].
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[1]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[7315] 1431433477.484292: Response was from master KDC
[7315] 1431433477.484327: Received error from KDC: -1765328359/Additional pre-authentication required
[7315] 1431433477.484355: Processing preauth types: 136, 19, 2, 133
[7315] 1431433477.484363: Selected etype info: etype aes256-cts, salt "=J 5DD|(71ZR,GNW", params ""
[7315] 1431433477.484365: Received cookie: MIT
}}}

== krb5_use_kdcinfo = false ==

{{{
# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit admin
[7330] 1431433557.257480: Getting initial credentials for admin@FREEIPA.LOCAL
[7330] 1431433557.257681: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[7330] 1431433557.257829: Resolving hostname ipasrv.freeipa.local
[7330] 1431433557.262156: TLS certificate name matched "ipasrv.freeipa.local"
[7330] 1431433557.264513: Sending HTTPS request to https 192.168.122.95:443
[7330] 1431433557.269857: Received answer (344 bytes) from https 192.168.122.95:443
[7330] 1431433557.269867: Terminating TCP connection to https 192.168.122.95:443
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[7330] 1431433557.270003: Response was not from master KDC
[7330] 1431433557.270026: Received error from KDC: -1765328359/Additional pre-authentication required
[7330] 1431433557.270061: Processing preauth types: 136, 19, 2, 133
[7330] 1431433557.270069: Selected etype info: etype aes256-cts, salt "=J 5DD|(71ZR,GNW", params ""
[7330] 1431433557.270072: Received cookie: MIT
}}}

[1] http://web.mit.edu/kerberos/krb5-current/doc/admin/https.html
[2] https://www.freeipa.org/page/V4/KDC_Proxy
Upstream ticket: https://fedorahosted.org/sssd/ticket/2700
* master:
  * 05ed6a29cbd3cbec177364487a2afeade51d6546
  * 67c68b563e1afc409aeadbcc828f9bdf33c57c84
Pls add steps to verify
(In reply to Namita Soman from comment #3)
> Pls add steps to verify

* Configure IPA server with KDC proxy
* Configure the client so that the KDC is available (since it's over https://) but the IPA/LDAP server is not
* Authenticate

Previously, the authentication would fail (unless credentials were cached). With the fixed packages, the sssd detects the situation properly and stays online, allowing the user to authenticate.
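An added example, not code from SSSD, krb5 or FreeIPA: a small Python checker that ties the two halves of this bug together. It reads the realm stanza from krb5.conf to decide whether the KDC proxy is expected (a `kdc = https://...` entry, with `http_anchors` as the hint Alexander suggested), then classifies a `KRB5_TRACE` + `SSSD_KRB5_LOCATOR_DEBUG` run as either honouring the proxy (HTTPS on 443) or being steered back to a plain KDC on 88 by the locator plugin. It is the kind of check one would run during the verification steps above, on a client where only HTTPS to the IPA server is reachable. The embedded krb5.conf and trace lines are excerpts from this bug's description; the minimal krb5.conf reader and the `dgram` form of the UDP trace message are assumptions made for this example.

```python
"""Did kinit honour the KDC proxy from krb5.conf, or did the SSSD locator
plugin (krb5_use_kdcinfo) steer it back to port 88?  Example added to this
bug page; not SSSD, krb5 or FreeIPA code."""
import re

# krb5 trace lines look like "[pid] ts: message"; locator lines like
# "[sssd_krb5_locator] message" (formats taken from the trace on this page).
KRB5_LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
LOCATOR_LINE = re.compile(r"^\[sssd_krb5_locator\] (.*)$")
LOCATOR_ADDR = re.compile(r"addr\[(\S+):(\d+)\] family\[(\d+)\] socktype\[(\d+)\]")
# "stream" and "https" are verbatim from the page; "dgram" (UDP) is an assumption.
KRB5_SEND = re.compile(r"^Sending .*?request to (stream|https|dgram) (\S+):(\d+)$")
TRANSPORT = {"stream": "tcp", "https": "https", "dgram": "udp"}

# Excerpts from this bug's description (not constructed).
KRB5_CONF = """
[realms]
FREEIPA.LOCAL = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  http_anchors = FILE:/etc/ipa/ca.crt
  kdc = https://ipasrv.freeipa.local/KdcProxy
  kpasswd_server = https://ipasrv.freeipa.local/KdcProxy
}
"""
TRACE_KDCINFO_TRUE = """
[7315] 1431433477.481944: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [192.168.122.95] in [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL].
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[1]
[sssd_krb5_locator] [192.168.122.95] used
[7315] 1431433477.482624: Sending TCP request to stream 192.168.122.95:88
[7315] 1431433477.484229: Received answer (344 bytes) from stream 192.168.122.95:88
"""
TRACE_KDCINFO_FALSE = """
[7330] 1431433557.257681: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[7330] 1431433557.262156: TLS certificate name matched "ipasrv.freeipa.local"
[7330] 1431433557.264513: Sending HTTPS request to https 192.168.122.95:443
[7330] 1431433557.269857: Received answer (344 bytes) from https 192.168.122.95:443
"""


def realm_settings(conf_text, realm):
    """Minimal krb5.conf reader (assumption: one-level 'REALM = { k = v }' stanzas).
    Returns {key: [values]} for the requested realm inside [realms]."""
    settings, in_realms, in_stanza = {}, False, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_realms, in_stanza = (line == "[realms]"), False
            continue
        if not in_realms:
            continue
        if not in_stanza:
            m = re.match(r"^(\S+)\s*=\s*\{$", line)
            in_stanza = bool(m and m.group(1) == realm)
            continue
        if line == "}":
            break
        key, _, value = line.partition("=")
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def proxy_expected(settings):
    """(wants_proxy, has_http_anchors): the proxy is in use when a kdc entry is an
    https:// URL; http_anchors is the detection hint suggested in the ticket."""
    wants = any(k.lower().startswith("https://") for k in settings.get("kdc", []))
    return wants, "http_anchors" in settings


def analyse_trace(trace_text):
    """What the client actually did: endpoints krb5 sent to, and addresses the
    locator plugin handed back (with whether it found a kdcinfo file at all)."""
    seen = {"sent": [], "locator_addrs": [], "locator_hit": False}
    for raw in trace_text.splitlines():
        line = raw.strip()
        m = LOCATOR_LINE.match(line)
        if m:
            msg = m.group(1)
            seen["locator_hit"] |= msg.startswith("Found [")
            a = LOCATOR_ADDR.search(msg)
            if a:
                seen["locator_addrs"].append((a.group(1), int(a.group(2))))
            continue
        m = KRB5_LINE.match(line)
        if m:
            s = KRB5_SEND.match(m.group(3))
            if s:
                seen["sent"].append((TRANSPORT[s.group(1)], s.group(2), int(s.group(3))))
    return seen


def verdict(conf_text, realm, trace_text):
    """'proxy-honoured', 'locator-overrode-proxy', 'plain-kdc-used' or 'no-proxy-configured'."""
    wants_proxy, _anchors = proxy_expected(realm_settings(conf_text, realm))
    seen = analyse_trace(trace_text)
    used_https = any(t == "https" for t, _, _ in seen["sent"])
    used_plain = any(t != "https" for t, _, _ in seen["sent"])
    if not wants_proxy:
        return "no-proxy-configured"
    if used_https and not used_plain:
        return "proxy-honoured"
    if seen["locator_hit"] and used_plain:
        return "locator-overrode-proxy"   # the bug on this page
    return "plain-kdc-used"


if __name__ == "__main__":
    for name, trace in (("kdcinfo=true", TRACE_KDCINFO_TRUE), ("kdcinfo=false", TRACE_KDCINFO_FALSE)):
        print(name, verdict(KRB5_CONF, "FREEIPA.LOCAL", trace))
```

Run it against a real client by replacing the embedded excerpts with the contents of /etc/krb5.conf and the output of `env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit admin`; a `locator-overrode-proxy` verdict on a host that can only reach the IPA server over HTTPS is exactly the failure this bug describes, while the fixed packages should yield `proxy-honoured`.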
Created attachment 1078676
Verify log for bz

Verified sssd-1.13.0-35.el7.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2355.html