Bug 1290398 - Unable to connect to KDC server if kdcproxy is configured when using kpasswd
Summary: Unable to connect to KDC server if kdcproxy is configured when using kpasswd
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Robbie Harwood
QA Contact: BaseOS QE Security Team
Depends On:
TreeView+ depends on / blocked
Reported: 2015-12-10 12:39 UTC by Abhijeet Kasurde
Modified: 2015-12-14 15:18 UTC (History)
4 users (show)

Clone Of:
Last Closed: 2015-12-10 21:12:26 UTC

Attachments (Terms of Use)
KRB5_client.log (11.29 KB, text/plain)
2015-12-10 12:39 UTC, Abhijeet Kasurde
no flags Details

Description Abhijeet Kasurde 2015-12-10 12:39:54 UTC
Created attachment 1104320 [details]

Description of problem:
If user configures krb5.conf with kdcproxy, and tries to change password using 'kpasswd' then fails with error 

kpasswd: Cannot contact any KDC for requested realm changing password

See attachment for log

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. On Server install using ipa-server-install
2. On Client machine, install ipa-client
3. Configure client to use IPA server using ipa-client-install 
4. Configure krb5.conf for using 'KdcProxy'
5. Do 'kpasswd'

Actual results:
Password change procedure fails 

Expected results:
Password should be changed from client machine.

Comment 1 Christian Heimes 2015-12-10 13:03:19 UTC
kpasswd cannot change the password because it connects to the wrong TCP port. Instead of port 443/TCP it uses 464/TCP (kpasswd port):

[24062] 1449752052.476728: Resolving hostname vm-239.abc.idm.lab.eng.brq.redhat.com
[24062] 1449752052.488004: TLS error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
[24062] 1449752052.488140: HTTPS error sending to https
[24062] 1449752052.489039: Terminating TCP connection to https

It looks like krb5_change_password() doesn't implement the necessary checks for HTTPS transport. change_set_password() https://github.com/krb5/krb5/blob/master/src/lib/krb5/os/changepw.c#L207 calls locate_kpasswd() https://github.com/krb5/krb5/blob/master/src/lib/krb5/os/changepw.c#L61 which uses k5_locate_server() https://github.com/krb5/krb5/blob/master/src/lib/krb5/os/locate_kdc.c#L639 to find the kpasswd server. k5_locate_server() either uses TCP or TCP_OR_UDP transport but never HTTPS transport.

Comment 2 Robbie Harwood 2015-12-10 19:54:06 UTC
Doesn't kdcproxy require you to configure kpasswd currently as per the documentation https://github.com/npmccallum/kdcproxy ?  This seems like something IPA should set up.  What do you think Christian?

Comment 3 Christian Heimes 2015-12-10 20:37:11 UTC
You are right. I thought that admin_server is enough. Apparently it's not. kpasswd works correctly with a kpasswd_server entry. In case only an admin_server is configured, libkrb5 seems to ignore port and protocol. It takes the host name, adds port 464 and then connects to it.

    Points to the server where all the password changes are performed.  If there is no such entry, the port 464 on the admin_server host will be tried.

Note You need to log in before you can comment on or make changes to this bug.