Red Hat Bugzilla – Bug 1290761
[RFE] Support Automatic Renewing of Kerberos Host Keytabs
Last modified: 2017-07-14 15:56:11 EDT
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/1041

Often with AD a Kerberos host keytab is needed to bind with SASL/GSSAPI for LDAP operations. On many sites security policies do not allow never-expiring passwords, so the keytab needs to be renewed eventually, currently requiring manual steps to obtain a new keytab. SSSD should support automated renewal of Kerberos host keytabs as Samba/Winbind does.
* master:
  * 8167761a1e1d7575d49babcea45937fc9cd45fdc
  * 7fdec78178440855058be8ca1011e0b1aa45de31
  * 5a7f17aedad34a8618765bc33342c109a6958ab5
  * 5f7cd30c865046a7ea69944f7e07c85b4c43465a
  * e89c2cb5ec77d57ed93952dae08df51738834faf
  * 9dcc7dbf04466cd8cd90aa0bb8acbebef9aca832
* sssd-1-13:
  * 95024cd9a24164cbaf6704aace93e1592edd9733
  * 11271254205e9f7c1caf363be8822b3f9756f061
  * d4844683cbbb6e366afd56e7753adb79c20e93a5
  * 20ed1a2063e0463c9e97870ea4e5e607467b041e
  * 375772251671797fa7ffe47491e7f8a9ac35aa72
  * 831883be77a2c60a44df99798bf4091bf450adb2
Versions:
=========
sssd-1.13.3-15.el6.x86_64
krb5-workstation-1.10.3-55.el6.x86_64
Windows 2008R2 64-bit

Steps on Windows AD
===================
Configure Domain using dcpromo and setup AD REALM for WINPKI1.TESTPKI.TEST

Steps:
=====
1. Configure system authentication to use sssd and krb5

$ authconfig --enablesssd --enablesssdauth --krb5kdc=WIN-Q8VKBEJ7H39.winpki1.testpki.test --krb5adminserver=WIN-Q8VKBEJ7H39.winpki1.testpki.test --krb5realm=WINPKI1.TESTPKI.TEST --enablemkhomedir --updateall

2. Get Administrator credentials

kinit Administrator

3. Join to AD and create keytab

net ads join -U Administrator%Secret123 -k
net ads keytab create -k

<snip>
cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WINPKI1.TESTPKI.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }
 WKINPKI1.TESTPKI.TEST = {
  kdc = WIN-Q8VKBEJ7H39.winpki1.testpki.test
  admin_server = WIN-Q8VKBEJ7H39.winpki1.testpki.test
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 wkinpki1.testpki.test = WKINPKI1.TESTPKI.TEST
 .wkinpki1.testpki.test = WKINPKI1.TESTPKI.TEST
 winpki1.testpki.test = WINPKI1.TESTPKI.TEST
 .winpki1.testpki.test = WINPKI1.TESTPKI.TEST
</snip>

5. Do kinit by using HOST credentials from keytab

klist -k /etc/krb5.keytab
kinit -k DHCP201-182\$@WINPKI1.TESTPKI.TEST
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: DHCP201-182$@WINPKI1.TESTPKI.TEST

Valid starting     Expires            Service principal
02/19/16 17:15:24  02/20/16 03:15:15  krbtgt/WINPKI1.TESTPKI.TEST@WINPKI1.TESTPKI.TEST
        renew until 02/26/16 17:15:24

6. Verify keytab and kvno.

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST

<snip from sssd.conf>
cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = winpki1.testpki.test
services = nss, pam

[domain/winpki1.testpki.test]
id_provider = ad
auth_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
use_fully_qualified_names = True
ad_maximum_machine_account_password_age = 1
ad_machine_account_password_renewal_opts = 300:15
debug_level = 9
enumerate = true
</snip>

7. service sssd restart

8. Do ldapsearch using GSSAPI credentials:

ldapsearch -H ldap://WIN-Q8VKBEJ7H39.WINPKI1.TESTPKI.TEST -Y GSSAPI -N -b 'CN=users,dc=winpki1,dc=testpki,dc=test' "(&(objectClass=user))"
SASL/GSSAPI authentication started
SASL username: DHCP201-182$@WINPKI1.TESTPKI.TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <CN=users,dc=winpki1,dc=testpki,dc=test> with scope subtree
# filter: (&(objectClass=user)(sAMAccountName=Administrator))
# requesting: ALL
#

# Administrator, Users, winpki1.testpki.test
dn: CN=Administrator,CN=Users,DC=winpki1,DC=testpki,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
distinguishedName: CN=Administrator,CN=Users,DC=winpki1,DC=testpki,DC=test
instanceType: 4
whenCreated: 20151015064716.0Z
whenChanged: 20160227003812.0Z
uSNCreated: 8196
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=winpki1,DC=testpki,DC=test
memberOf: CN=Domain Admins,CN=Users,DC=winpki1,DC=testpki,DC=test
memberOf: CN=Enterprise Admins,CN=Users,DC=winpki1,DC=testpki,DC=test
memberOf: CN=Schema Admins,CN=Users,DC=winpki1,DC=testpki,DC=test
memberOf: CN=Administrators,CN=Builtin,DC=winpki1,DC=testpki,DC=test
uSNChanged: 24934
name: Administrator
objectGUID:: bl498Y//gkSwJ9p4vFMYjQ==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 131004369631250000
lastLogoff: 0
lastLogon: 131003553875156250
logonHours:: ////////////////////////////
pwdLastSet: 130997685379687500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAxMt6qMi0zmzL6cTl9AEAAA==
adminCount: 1
accountExpires: 0
logonCount: 77
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=winpki1,DC=testpki,DC=test
isCriticalSystemObject: TRUE
dSCorePropagationData: 20151015070419.0Z
dSCorePropagationData: 20151015070419.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 131010070924843750

9. Verify Kerberos tickets

[root@dhcp201-182 pam.d]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: DHCP201-182$@WINPKI1.TESTPKI.TEST

Valid starting     Expires            Service principal
02/19/16 17:15:24  02/20/16 03:15:15  krbtgt/WINPKI1.TESTPKI.TEST@WINPKI1.TESTPKI.TEST
        renew until 02/26/16 17:15:24
02/19/16 17:18:52  02/20/16 03:15:15  ldap/win-q8vkbej7h39.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
        renew until 02/26/16 17:15:24

10. Move the system to 1 day ahead in both sssd client and Windows AD

date -s "Fri Feb 19 17:39:59 IST 2016 + 1 day"

11. Restart sssd

service sssd restart

12. Verify keytab gets rotated with both new and old kvno.

[root@dhcp201-182 sssd]# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   3 DHCP201-182$@WINPKI1.TESTPKI.TEST
   3 DHCP201-182$@WINPKI1.TESTPKI.TEST
   3 DHCP201-182$@WINPKI1.TESTPKI.TEST
   3 DHCP201-182$@WINPKI1.TESTPKI.TEST
   3 DHCP201-182$@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182@WINPKI1.TESTPKI.TEST

13. Destroy current Kerberos tickets

$ kdestroy

14. Get a new ticket with host TGT

$ kinit -k DHCP201-182\$@WINPKI1.TESTPKI.TEST

15. Do ldapsearch again

$ ldapsearch -H ldap://WIN-Q8VKBEJ7H39.WINPKI1.TESTPKI.TEST -Y GSSAPI -N -b 'CN=users,dc=winpki1,dc=testpki,dc=test' "(&(objectClass=user)(sAMAccountName=Administrator))"
#
# LDAPv3
# base <CN=users,dc=winpki1,dc=testpki,dc=test> with scope subtree
# filter: (&(objectClass=user)(sAMAccountName=Administrator))
# requesting: ALL
#

# Administrator, Users, winpki1.testpki.test
dn: CN=Administrator,CN=Users,DC=winpki1,DC=testpki,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
distinguishedName: CN=Administrator,CN=Users,DC=winpki1,DC=testpki,DC=test
instanceType: 4
whenCreated: 20151015064716.0Z
whenChanged: 20160227003812.0Z
uSNCreated: 8196
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=winpki1,DC=testpki,DC=test
adcli output from sssd logs:

(Sat Feb 20 17:45:21 2016) [sssd[be[winpki1.testpki.test]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Sat Feb 20 17:45:21 2016) [sssd[be[winpki1.testpki.test]]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
 * Found realm in keytab: WINPKI1.TESTPKI.TEST
 * Found service principal in keytab: host/dhcp201-182.winpki1.testpki.test
 * Found host qualified name in keytab: host/dhcp201-182.winpki1.testpki.test
 * Found service principal in keytab: host/dhcp201-182
 * Found computer name in keytab: DHCP201-182
 * Using fully qualified name: dhcp201-182.winpki1.testpki.test
 * Using domain name: winpki1.testpki.test
 * Calculated computer account name from fqdn: DHCP201-182
 * Using domain realm: winpki1.testpki.test
 * Sending netlogon pings to domain controller: cldap://10.65.201.109
 * Received NetLogon info from: WIN-Q8VKBEJ7H39.winpki1.testpki.test
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-W2SqfY/krb5.d/adcli-krb5-conf-FCF2tV
 * Authenticated as default/reset computer account: DHCP201-182
 * Looked up short domain name: WINPKI1
 * Using fully qualified name: dhcp201-182.winpki1.testpki.test
 * Using domain name: winpki1.testpki.test
 * Using computer account name: DHCP201-182
 * Using domain realm: winpki1.testpki.test
 * Using fully qualified name: dhcp201-182.winpki1.testpki.test
 * Enrolling computer name: DHCP201-182
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for DHCP201-182$ at: CN=dhcp201-182,CN=Computers,DC=winpki1,DC=testpki,DC=test
 * Retrieved kvno '2' for computer account in directory: CN=dhcp201-182,CN=Computers,DC=winpki1,DC=testpki,DC=test
 * Changed computer password
 * kvno incremented to 3
 * Modifying computer account: userAccountControl
 ! Couldn't set userAccountControl on computer account: CN=dhcp201-182,CN=Computers,DC=winpki1,DC=testpki,DC=test: Insufficient access
 * Updated existing computer account: CN=dhcp201-182,CN=Computers,DC=winpki1,DC=testpki,DC=test
 * Discovered which keytab salt to use
 * Added the entries to the keytab: DHCP201-182$@WINPKI1.TESTPKI.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/dhcp201-182@WINPKI1.TESTPKI.TEST: FILE:/etc/krb5.keytab
---adcli output end---
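As an added check, not part of the bug report or of sssd/adcli, the following script parses a `klist -k` listing like the one in step 12 and confirms that every principal carries the new kvno and still keeps the previous one, so a host that adcli failed to update (for example under the SELinux denial noted below) is caught before its GSSAPI binds start failing. The sample listing is constructed for the example and the kvno values are assumptions.

```python
"""Check a klist -k listing for a completed machine-account key rotation."""
import re
import subprocess
import sys
from collections import defaultdict

# Constructed sample modelled on the step-12 listing (not the captured output):
# every principal has kvno 2, but only two of the three received kvno 3.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   2 host/dhcp201-182@WINPKI1.TESTPKI.TEST
   2 DHCP201-182$@WINPKI1.TESTPKI.TEST
   3 host/dhcp201-182.winpki1.testpki.test@WINPKI1.TESTPKI.TEST
   3 DHCP201-182$@WINPKI1.TESTPKI.TEST
"""

# One keytab entry per line: a kvno, whitespace, the principal name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")

def parse_keytab_listing(text):
    """Map each principal to the sorted list of KVNOs present for it."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # the header, separator and blank lines do not match
            kvnos[m.group(2)].add(int(m.group(1)))
    return {p: sorted(v) for p, v in kvnos.items()}

def check_rotation(text, new_kvno):
    """Return (ok, problems) for a rotation to new_kvno.

    Missing new_kvno: GSSAPI fails once the DC retires the old password.
    Missing new_kvno - 1: tickets issued before the rotation cannot be decrypted.
    """
    problems = []
    for principal, versions in sorted(parse_keytab_listing(text).items()):
        if new_kvno not in versions:
            problems.append(f"{principal}: missing kvno {new_kvno}, has {versions}")
        if new_kvno - 1 not in versions:
            problems.append(f"{principal}: previous kvno {new_kvno - 1} dropped")
    return not problems, problems

if __name__ == "__main__":
    # On a real host, read the live keytab listing; usage: script.py <new_kvno>
    out = subprocess.run(["klist", "-k", "/etc/krb5.keytab"],
                         capture_output=True, text=True, check=True).stdout
    ok, problems = check_rotation(out, int(sys.argv[1]))
    print("\n".join(problems) or "keytab rotation complete")
    sys.exit(0 if ok else 1)
```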
Due to an SELinux issue adcli is unable to update /etc/krb5.keytab; refer to https://bugzilla.redhat.com/show_bug.cgi?id=1308911. If the system is set to permissive mode, adcli is able to update /etc/krb5.keytab.
Used the updated selinux-policy version selinux-policy-3.7.19-289.el6.noarch, and adcli updates the /etc/krb5.keytab file in enforcing mode.
Based on comments #3, #4, #5 and #6, marking this as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0782.html