RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1290398 - Unable to connect to KDC server if kdcproxy is configured when using kpasswd
Summary: Unable to connect to KDC server if kdcproxy is configured when using kpasswd
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Robbie Harwood
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-12-10 12:39 UTC by Abhijeet Kasurde
Modified: 2015-12-14 15:18 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-10 21:12:26 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
KRB5_client.log (11.29 KB, text/plain)
2015-12-10 12:39 UTC, Abhijeet Kasurde 		no flags Details
View All

Description Abhijeet Kasurde 2015-12-10 12:39:54 UTC 
Created attachment 1104320 [details]
KRB5_client.log

Description of problem:
If user configures krb5.conf with kdcproxy, and tries to change password using 'kpasswd' then fails with error 

kpasswd: Cannot contact any KDC for requested realm changing password

See attachment for log

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.3.x86_64
ipa-client-4.2.0-15.el7_2.3.x86_64

How reproducible:
100%

Steps to Reproduce:
1. On Server install using ipa-server-install
2. On Client machine, install ipa-client
3. Configure client to use IPA server using ipa-client-install 
4. Configure krb5.conf for using 'KdcProxy'
5. Do 'kpasswd'

Actual results:
Password change procedure fails 

Expected results:
Password should be changed from client machine.
Comment 1 Christian Heimes 2015-12-10 13:03:19 UTC 
kpasswd cannot change the password because it connects to the wrong TCP port. Instead of port 443/TCP it uses 464/TCP (kpasswd port):

[24062] 1449752052.476728: Resolving hostname vm-239.abc.idm.lab.eng.brq.redhat.com
[24062] 1449752052.488004: TLS error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
[24062] 1449752052.488140: HTTPS error sending to https 10.34.78.239:464
[24062] 1449752052.489039: Terminating TCP connection to https 10.34.78.239:464

It looks like krb5_change_password() doesn't implement the necessary checks for HTTPS transport. change_set_password() https://github.com/krb5/krb5/blob/master/src/lib/krb5/os/changepw.c#L207 calls locate_kpasswd() https://github.com/krb5/krb5/blob/master/src/lib/krb5/os/changepw.c#L61 which uses k5_locate_server() https://github.com/krb5/krb5/blob/master/src/lib/krb5/os/locate_kdc.c#L639 to find the kpasswd server. k5_locate_server() either uses TCP or TCP_OR_UDP transport but never HTTPS transport.
Comment 2 Robbie Harwood 2015-12-10 19:54:06 UTC 
Doesn't kdcproxy require you to configure kpasswd currently as per the documentation https://github.com/npmccallum/kdcproxy ?  This seems like something IPA should set up.  What do you think Christian?
Comment 3 Christian Heimes 2015-12-10 20:37:11 UTC 
You are right. I thought that admin_server is enough. Apparently it's not. kpasswd works correctly with a kpasswd_server entry. In case only an admin_server is configured, libkrb5 seems to ignore port and protocol. It takes the host name, adds port 464 and then connects to it.

kpasswd_server
    Points to the server where all the password changes are performed.  If there is no such entry, the port 464 on the admin_server host will be tried.
Note You need to log in before you can comment on or make changes to this bug.