Bug 1290398 - Unable to connect to KDC server if kdcproxy is configured when using kpasswd
Summary: Unable to connect to KDC server if kdcproxy is configured when using kpasswd
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Robbie Harwood
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2015-12-10 12:39 UTC by Abhijeet Kasurde
Modified: 2015-12-14 15:18 UTC

Clone Of:
Last Closed: 2015-12-10 21:12:26 UTC


Attachments
KRB5_client.log (11.29 KB, text/plain), 2015-12-10 12:39 UTC, Abhijeet Kasurde

Description Abhijeet Kasurde 2015-12-10 12:39:54 UTC
Created attachment 1104320 [details]
KRB5_client.log

Description of problem:
If a user configures krb5.conf with kdcproxy and tries to change the password using 'kpasswd', it fails with the error

kpasswd: Cannot contact any KDC for requested realm changing password

See attachment for log

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.3.x86_64
ipa-client-4.2.0-15.el7_2.3.x86_64

How reproducible:
100%

Steps to Reproduce:
1. On the server, install using ipa-server-install
2. On the client machine, install ipa-client
3. Configure the client to use the IPA server using ipa-client-install
4. Configure krb5.conf for using 'KdcProxy'
5. Run 'kpasswd'

Actual results:
Password change procedure fails

Expected results:
Password should be changed from client machine.

Comment 1 Christian Heimes 2015-12-10 13:03:19 UTC
kpasswd cannot change the password because it connects to the wrong TCP port. Instead of port 443/TCP it uses 464/TCP (kpasswd port):

[24062] 1449752052.476728: Resolving hostname vm-239.abc.idm.lab.eng.brq.redhat.com
[24062] 1449752052.488004: TLS error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
[24062] 1449752052.488140: HTTPS error sending to https 10.34.78.239:464
[24062] 1449752052.489039: Terminating TCP connection to https 10.34.78.239:464

It looks like krb5_change_password() doesn't implement the necessary checks for HTTPS transport. change_set_password() https://github.com/krb5/krb5/blob/master/src/lib/krb5/os/changepw.c#L207 calls locate_kpasswd() https://github.com/krb5/krb5/blob/master/src/lib/krb5/os/changepw.c#L61 which uses k5_locate_server() https://github.com/krb5/krb5/blob/master/src/lib/krb5/os/locate_kdc.c#L639 to find the kpasswd server. k5_locate_server() either uses TCP or TCP_OR_UDP transport but never HTTPS transport.

Comment 2 Robbie Harwood 2015-12-10 19:54:06 UTC
Doesn't kdcproxy require you to configure kpasswd currently, as per the documentation https://github.com/npmccallum/kdcproxy ? This seems like something IPA should set up. What do you think, Christian?

Comment 3 Christian Heimes 2015-12-10 20:37:11 UTC
You are right. I thought that admin_server is enough. Apparently it's not. kpasswd works correctly with a kpasswd_server entry. In case only an admin_server is configured, libkrb5 seems to ignore port and protocol. It takes the host name, adds port 464 and then connects to it.

kpasswd_server
    Points to the server where all the password changes are performed.  If there is no such entry, the port 464 on the admin_server host will be tried.
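The two client configurations the comments above describe, written out as an added example (this is not a config from the bug report, the krb5 project or kdcproxy); the realm EXAMPLE.COM, the proxy host kdcproxy.example.com and the /KdcProxy URL path are assumed placeholder values:

```ini
# Assumed placeholder values: realm EXAMPLE.COM, proxy host
# kdcproxy.example.com, kdcproxy's /KdcProxy URL path.

# /etc/krb5.conf, failing variant: only admin_server is set.
# With no kpasswd_server entry, libkrb5 falls back to the admin_server
# host on port 464, so kpasswd never reaches the proxy on 443/TCP
# (this is the "HTTPS error sending to https 10.34.78.239:464" seen
# in the attached trace).
[realms]
 EXAMPLE.COM = {
  kdc          = https://kdcproxy.example.com/KdcProxy
  admin_server = https://kdcproxy.example.com/KdcProxy
 }

# /etc/krb5.conf, working variant: kpasswd_server names the proxy
# explicitly, so the password change is sent over HTTPS to port 443
# like the KDC traffic. (Use one variant or the other, not both.)
[realms]
 EXAMPLE.COM = {
  kdc            = https://kdcproxy.example.com/KdcProxy
  admin_server   = https://kdcproxy.example.com/KdcProxy
  kpasswd_server = https://kdcproxy.example.com/KdcProxy
 }
```

Which host and port kpasswd actually tries after a change can be checked by running it with the KRB5_TRACE environment variable set (for example KRB5_TRACE=/dev/stderr kpasswd), which prints the same kind of "Resolving hostname" and "Terminating TCP connection" lines that Comment 1 quotes from the attached log.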

