Red Hat Bugzilla – Bug 1438731
Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT certificates/anchors
Last modified: 2017-08-01 05:47:49 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6831

In order to fully support PKINIT configuration in CA-less deployments, the tools that manipulate 3rd party certificates must be extended to also install PKINIT server certificates and update KDC's PKINIT anchors when 3rd party CA certificates are to be used.
Upstream ticket: https://pagure.io/freeipa/issue/6831
Fixed upstream master:
https://pagure.io/freeipa/c/235265a5f5436148dd8d7e63b7e3928689796560
https://pagure.io/freeipa/c/f0442a2d0ed54abe6567fce6d99fd31f7c6c7883
https://pagure.io/freeipa/c/52730c786f6bb11aa7992b11fa0f5c94c90f9eb8
https://pagure.io/freeipa/c/01a7416d305ddb11d5b83c99afbacf8ba854c148
https://pagure.io/freeipa/c/11b8a3434655932fa73f05d4bd864bed0194035c
https://pagure.io/freeipa/c/4d36cbf6ad412822b8fb029f517f9228e2c8d4ee
https://pagure.io/freeipa/c/f769045f0ae9c5fdc651e03c0c96af9cdec8f298
https://pagure.io/freeipa/c/b9fd123d61fa7adda090c05216906ba0cf4779a9
https://pagure.io/freeipa/c/0c5b2c42bf52dc75ecf9d95036ca8517670877d6
https://pagure.io/freeipa/c/cc572378a69a7e4d18b7297b7fa54e2fe8e33b2f
https://pagure.io/freeipa/c/3b5dbf7cdb4c03260057c8f7a2abd5c5712eca41
https://pagure.io/freeipa/c/b3855704f479eaf122139189b762b943b2dcc0fc
https://pagure.io/freeipa/c/9ea764ecf5c3118df0917d94c4940b4ee38b3a31
https://pagure.io/freeipa/c/96ca62f81d3505b050eb9b9d71d4fc4c18e1535e

ipa-4-5:
https://pagure.io/freeipa/c/6338dbe47313a70b93bbf53855db451145d24544
https://pagure.io/freeipa/c/749d504f4335c375cf86bf44814177f03be61b52
https://pagure.io/freeipa/c/e68812331526269f3b556c339f65077f649110d3
https://pagure.io/freeipa/c/16b295c5a8580accfbbab016f3cc4eef0a704163
https://pagure.io/freeipa/c/63c4cbd619f81f16e0c08d3786b69d348c9dcfd7
https://pagure.io/freeipa/c/523a82652e2f95704a07ac25cc829a0782b9e22a
https://pagure.io/freeipa/c/b83ebe0e3ff692de37f28834d09a423d04e6ad68
https://pagure.io/freeipa/c/5cf5395eb51ff5ec8164075a5ee573abe76bc15e
https://pagure.io/freeipa/c/e6497f099c09dfa60bd6ae98e4692e99b7381752
https://pagure.io/freeipa/c/bc8deb118dce93fc380793c75090d9108ce61541
https://pagure.io/freeipa/c/cbdf6693cc8707dda9c1db42fb05dc5b1d70b7af
https://pagure.io/freeipa/c/77ef29ef30086c714025d97328507bd51e3f0421
https://pagure.io/freeipa/c/6f900ec60a426a2b97823d4612949a953fa6d49b
https://pagure.io/freeipa/c/e27b3e139ffff16f6e238ef6f9ff7d2ed02492bc
Moving to assigned as verification failed:
ipa-server-4.5.0-16.el7.x86_64
selinux-policy-3.13.1-160.el7.noarch

Followed these steps:
1. install CA-less master without pkinit
2. generate KDC cert signed by different CA
3. issue "ipa-cacert-manage install" to add the CA
4. ipa-certupdate
5. ipa-server-certinstall --kdc ./pkinit-server.p12 --pin XXX
6. kinit -n

When attempting to get the anonymous ticket got:

[root@master ~]# KRB5_TRACE=/dev/stdout kinit -n
[12984] 1496992862.778766: Getting initial credentials for WELLKNOWN/ANONYMOUS@TESTRELM.TEST
[12984] 1496992862.781603: Sending request (190 bytes) to TESTRELM.TEST
[12984] 1496992862.781775: Initiating TCP connection to stream 192.168.222.10:88
[12984] 1496992862.782014: Sending TCP request to stream 192.168.222.10:88
[12984] 1496992862.785226: Received answer (344 bytes) from stream 192.168.222.10:88
[12984] 1496992862.785236: Terminating TCP connection to stream 192.168.222.10:88
[12984] 1496992862.785312: Response was from master KDC
[12984] 1496992862.785355: Received error from KDC: -1765328359/Additional pre-authentication required
[12984] 1496992862.785401: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[12984] 1496992862.785414: Selected etype info: etype aes256-cts, salt "TESTRELM.TESTWELLKNOWNANONYMOUS", params ""
[12984] 1496992862.785418: Received cookie: MIT
[12984] 1496992862.785448: Preauth module pkinit (147) (info) returned: 0/Success
[12984] 1496992862.785860: PKINIT client computed kdc-req-body checksum 9/146F1085B92F98D4745FD5EFB4DA2FE1EE3E0E65
[12984] 1496992862.785867: PKINIT client making DH request
[12984] 1496992862.811974: Preauth module pkinit (16) (real) returned: 0/Success
[12984] 1496992862.811990: Produced preauth for next request: 133, 16
[12984] 1496992862.812012: Sending request (1453 bytes) to TESTRELM.TEST
[12984] 1496992862.812087: Initiating TCP connection to stream 192.168.222.10:88
[12984] 1496992862.812143: Sending TCP request to stream 192.168.222.10:88
[12984] 1496992862.826079: Received answer (1622 bytes) from stream 192.168.222.10:88
[12984] 1496992862.826093: Terminating TCP connection to stream 192.168.222.10:88
[12984] 1496992862.826143: Response was from master KDC
[12984] 1496992862.826169: Processing preauth types: 17, 19, 147
[12984] 1496992862.826176: Selected etype info: etype aes256-cts, salt "TESTRELM.TESTWELLKNOWNANONYMOUS", params ""
[12984] 1496992862.826191: Preauth module pkinit (147) (info) returned: 0/Success
[12984] 1496992862.826302: PKINIT client could not verify DH reply
[12984] 1496992862.826328: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
kinit: Preauthentication failed while getting initial credentials

After restarting krb5kdc service it works:

[root@master ~]# systemctl restart krb5kdc.service
[root@master ~]#
[root@master ~]# kinit -n
[root@master ~]#
[root@master ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
06/09/2017 05:13:30  06/10/2017 05:13:30  krbtgt/TESTRELM.TEST@TESTRELM.TEST
[root@master ~]#
[root@master ~]# getenforce
Enforcing
[root@master ~]# ausearch -m avc
<no matches>

However manual restart should not be required obviously. The issue looks like https://pagure.io/freeipa/issue/7003, however this time it is not after an upgrade.
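To tell the failure above apart from other PKINIT problems without reading the whole trace by hand, here is a small triage helper (added here, not part of the bug report or of FreeIPA). It parses KRB5_TRACE output from `kinit -n`, records which pre-authentication types the KDC advertised, and classifies the exchange; the sample failing trace is abbreviated from the comment above and the healthy trace is constructed to show what a restarted KDC serving its new PKINIT certificate would produce.

```python
import re

# PKINIT pre-authentication types (RFC 4556, RFC 6112)
PA_PK_AS_REQ, PA_PK_AS_REP, PA_PKINIT_KX = 16, 17, 147
PKINIT_TYPES = {PA_PK_AS_REQ, PA_PK_AS_REP, PA_PKINIT_KX}

TRACE_RE = re.compile(r"^\[(\d+)\]\s+(\d+\.\d+):\s+(.*)$")

def parse_trace(text):
    """Return (pid, timestamp, message) tuples; shell prompts and kinit's own
    final error line do not match the trace format and are skipped."""
    events = []
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            events.append((int(m[1]), float(m[2]), m[3]))
    return events

def diagnose_pkinit(events):
    """Classify a kinit -n exchange from its KRB5_TRACE messages."""
    offered = set()
    for _, _, msg in events:
        if msg.startswith("Processing preauth types:"):
            offered |= {int(t) for t in re.findall(r"\d+", msg.partition(":")[2])}
        elif "PKINIT client could not verify DH reply" in msg:
            # The KDC answered with PA-PK-AS-REP but the client rejected the
            # signature on it: the KDC's PKINIT identity and the client's
            # pkinit_anchors do not agree (in the report above, a stale KDC).
            return "kdc-reply-not-trusted"
        elif re.search(r"pkinit \(17\) \(real\) returned: 0/Success", msg):
            return "ok"
        elif "Preauthentication failed" in msg:
            return "preauth-failed"
    if not offered & PKINIT_TYPES:
        return "pkinit-not-offered"   # KDC never advertised PKINIT at all
    return "incomplete"

# Abbreviated from the failing run in the comment above.
FAILING = """\
[12984] 1496992862.785401: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[12984] 1496992862.785867: PKINIT client making DH request
[12984] 1496992862.826169: Processing preauth types: 17, 19, 147
[12984] 1496992862.826302: PKINIT client could not verify DH reply
[12984] 1496992862.826328: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
kinit: Preauthentication failed while getting initial credentials
"""
# Constructed: the same exchange once the KDC serves its new PKINIT certificate.
HEALTHY = """\
[13101] 1496993000.100000: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[13101] 1496993000.200000: Processing preauth types: 17, 19, 147
[13101] 1496993000.300000: Preauth module pkinit (17) (real) returned: 0/Success
"""
```

A result of "kdc-reply-not-trusted" right after ipa-server-certinstall --kdc is the signature of this bug: the new certificate is on disk, but the running krb5kdc has not loaded it.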
Verified on:
ipa-server-4.5.0-16.el7.x86_64
selinux-policy-3.13.1-160.el7.noarch

[root@master ~]# getenforce
Enforcing

Update to comment #9. It turned out that there is currently no restart in "ipa_server_certinstall.py" code. In this case the restart is really expected.
Created attachment 1287049 [details] Verification logs
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304