Bug 1308911 - adcli fails to update /etc/krb5.keytab for keytab renewal
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.8
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2016-02-16 12:52 UTC by Niranjan Mallapadi Raghavender
Modified: 2016-05-10 20:05 UTC (History)

Last Closed: 2016-05-10 20:05:09 UTC


Links: Red Hat Product Errata RHBA-2016:0763 (normal, SHIPPED_LIVE) - selinux-policy bug fix update, last updated 2016-05-10 22:33:46 UTC

Description Niranjan Mallapadi Raghavender 2016-02-16 12:52:29 UTC
Description of problem:

adcli fails to update /etc/krb5.keytab for keytab renewal when the machine password expires in AD.

sssd-1.13.3-15 has the capability to renew machine password and rotate /etc/krb5.keytab containing the host principal for the client joined to AD.

sssd calls adcli, which tries to update the /etc/krb5.keytab file with the latest host principal. Currently adcli fails because selinux policy

Below is the AVC Message:

type=AVC msg=audit(1456533039.141:4631): avc:  denied  { write } for  pid=9329 comm="adcli" name="krb5.keytab" dev=dm-0 ino=131196 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1456533039.141:4631): arch=c000003e syscall=2 success=no exit=-13 a0=2590030 a1=2 a2=1b6 a3=0 items=0 ppid=9314 pid=9329 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="adcli" exe="/usr/sbin/adcli" subj=unconfined_u:system_r:sssd_t:s0 key=(null)



Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-287.el6.noarch
selinux-policy-3.7.19-287.el6.noarch
sssd-1.13.3-15.el6.x86_64
adcli-0.8.1-1.el6.x86_64


How reproducible:


Steps to Reproduce:
1. On a RHEL 6.8 system, install sssd-1.13.3-15.
2. Join the system to Active Directory using net ads join -k
3. Create a keytab using net ads keytab create -k
4. Modify sssd.conf to use the ad provider

<sssd.conf>

[sssd]
config_file_version = 2
domains = winpki1.testpki.test
services = nss, pam

[domain/winpki1.testpki.test]
id_provider = ad
auth_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
use_fully_qualified_names = True
ad_maximum_machine_account_password_age = 1
ad_machine_account_password_renewal_opts = 300:15
debug_level = 9
enumerate = true
</sssd.conf>
5. Set ad_maximum_machine_account_password_age = 1 and move the system date 1 day ahead (on both the client and the AD).

6. Restart sssd to enable renewal of the machine password. This fails with the error message below:

<snip>

(Sat Feb 27 06:00:39 2016) [sssd[be[winpki1.testpki.test]]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
 * Found realm in keytab: WINPKI1.TESTPKI.TEST
 * Found service principal in keytab: host/dhcp201-182.winpki1.testpki.test
 * Found host qualified name in keytab: host/dhcp201-182.winpki1.testpki.test
 * Found service principal in keytab: host/dhcp201-182
 * Found computer name in keytab: DHCP201-182
 * Using fully qualified name: dhcp201-182.winpki1.testpki.test
 * Using domain name: winpki1.testpki.test
 * Calculated computer account name from fqdn: DHCP201-182
 * Using domain realm: winpki1.testpki.test
 * Sending netlogon pings to domain controller: cldap://10.65.201.109
 * Received NetLogon info from: WIN-Q8VKBEJ7H39.winpki1.testpki.test
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-wJYqsJ/krb5.d/adcli-krb5-conf-yhMUup
 * Authenticated as default/reset computer account: DHCP201-182
 * Looked up short domain name: WINPKI1
 * Using fully qualified name: dhcp201-182.winpki1.testpki.test
 * Using domain name: winpki1.testpki.test
 * Using computer account name: DHCP201-182
 * Using domain realm: winpki1.testpki.test
 * Using fully qualified name: dhcp201-182.winpki1.testpki.test
 * Enrolling computer name: DHCP201-182
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for DHCP201-182$ at: CN=dhcp201-182,CN=Computers,DC=winpki1,DC=testpki,DC=test
 * Retrieved kvno '10' for computer account in directory: CN=dhcp201-182,CN=Computers,DC=winpki1,DC=testpki,DC=test
 * Changed computer password
 * kvno incremented to 11
 * Modifying computer account: userAccountControl
 ! Couldn't set userAccountControl on computer account: CN=dhcp201-182,CN=Computers,DC=winpki1,DC=testpki,DC=test: Insufficient access
 * Updated existing computer account: CN=dhcp201-182,CN=Computers,DC=winpki1,DC=testpki,DC=test
 ! Couldn't update keytab: FILE:/etc/krb5.keytab: Permission denied
adcli: updating membership with domain winpki1.testpki.test failed: Couldn't update keytab: FILE:/etc/krb5.keytab: Permission denied
</snip>



Actual results:
adcli is not able to update /etc/krb5.keytab
</gml_replace>
<gr_replace lines="161" cat="clarify" orig="Please, re-run">
Please re-run your scenario in permissive mode, collect the SELinux denials and attach them here.

Expected results:
adcli should be able to update /etc/krb5.keytab when in enforcing mode.


Additional info:

selinux label of sssd process:

unconfined_u:system_r:sssd_t:s0 root      9313     1  0 06:00 ?        00:00:00 /usr/sbin/sssd -f -D
unconfined_u:system_r:sssd_t:s0 root      9314  9313  0 06:00 ?        00:00:00 /usr/libexec/sssd/sssd_be --domain winpki1.testpki.test --uid 0 --gid 0 --debug-to-files
unconfined_u:system_r:sssd_t:s0 root      9315  9313  0 06:00 ?        00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
unconfined_u:system_r:sssd_t:s0 root      9316  9313  0 06:00 ?        00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 9389 7023  0 06:05 pts/0 00:00:00 grep sssd

[root@dhcp201-182 sssd]# ls -lZ /etc/krb5.keytab
-rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab

[root@dhcp201-182 sssd]# ls -lZ `which adcli`
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/adcli

Comment 2 Milos Malik 2016-02-16 13:02:49 UTC
Please, re-run your scenario in permissive mode, collect SELinux denials and attach them here.

Comment 3 Niranjan Mallapadi Raghavender 2016-02-16 13:14:54 UTC
Below is the selinux denial when in permissive mode.


type=AVC msg=audit(1455722015.945:4696): avc:  denied  { write } for  pid=11647 comm="adcli" name="krb5.keytab" dev=dm-0 ino=131196 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1455722015.945:4696): arch=c000003e syscall=2 success=yes exit=6 a0=fbc580 a1=2 a2=1b6 a3=0 items=0 ppid=11632 pid=11647 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="adcli" exe="/usr/sbin/adcli" subj=unconfined_u:system_r:sssd_t:s0 key=(null)

Comment 8 Miroslav Grepl 2016-03-04 09:10:19 UTC
You can create the following local policy as a workaround for now.

----

# cat mysssd.te
policy_module(mysssd,1.0)

require {
 type sssd_t;
}

kerberos_rw_keytab(sssd_t)

----


and execute

# make -f /usr/share/selinux/Devel/Makefile mysssd.pp
# semodule -i mysssd.pp


To remove this local policy, please execute

# semodule -r mysssd
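The AVC record from comment 3 and the workaround module above map onto each other mechanically. As an added example (not part of the bug report or of the selinux-policy package), this POSIX shell script parses an audit AVC record into the raw allow rule it implies, recognises the sssd_t-to-krb5_keytab_t write case this bug is about, and emits the mysssd.te module from comment 8 for exactly that case; the function names are assumptions of mine and the sample record is copied from the report.

```shell
#!/bin/sh
# Added example: derive the allow rule an AVC denial asks for and, for the
# sssd_t -> krb5_keytab_t case from this bug, print the workaround module.
# SAMPLE_AVC is the record from comment 3; the helper names are mine.

SAMPLE_AVC='type=AVC msg=audit(1455722015.945:4696): avc:  denied  { write } for  pid=11647 comm="adcli" name="krb5.keytab" dev=dm-0 ino=131196 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file'

# Print the value of one key=value field of an audit record ($1 record, $2 key).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Type component of a context string user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Permissions listed between the braces after "denied", whitespace trimmed.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Emit the raw type-enforcement rule the denial implies (what audit2allow
# would print for the same record).
avc_to_allow() {
    s=$(ctx_type "$(avc_field "$1" scontext)")
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    printf 'allow %s %s:%s { %s };\n' "$s" "$t" "$c" "$(avc_perms "$1")"
}

# Return 0 only for the sssd_t write denial on a krb5_keytab_t file, i.e. the
# case the kerberos_rw_keytab(sssd_t) interface in the workaround covers.
is_sssd_keytab_denial() {
    [ "$(ctx_type "$(avc_field "$1" scontext)")" = sssd_t ] &&
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" = krb5_keytab_t ] &&
    [ "$(avc_field "$1" tclass)" = file ]
}

# Print the mysssd.te module from comment 8 when the denial matches; for any
# other denial print the raw rule for review instead of allowing it blindly.
workaround_te() {
    if is_sssd_keytab_denial "$1"; then
        printf 'policy_module(mysssd,1.0)\n\nrequire {\n type sssd_t;\n}\n\nkerberos_rw_keytab(sssd_t)\n'
    else
        printf '# not the sssd_t/krb5_keytab_t denial, review first: %s\n' "$(avc_to_allow "$1")"
    fi
}
```

Using the reference-policy interface rather than the raw allow rule keeps the module aligned with how selinux-policy itself grants keytab access, which is what the errata fix does.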

Comment 10 errata-xmlrpc 2016-05-10 20:05:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html

