Bug 1441316 - WebUI cert auth fails after ipa-adtrust-install
Summary: WebUI cert auth fails after ipa-adtrust-install
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-04-11 16:22 UTC by Petr Vobornik
Modified: 2017-08-01 09:48 UTC (History)
6 users (show)

Fixed In Version: ipa-4.5.0-6.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:48:56 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-04-11 16:22:57 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6862

IPA 4.5.0-5.el7
gssproxy 0.7.0-3.el7

IPA configured for WebUI certificate authentication, with a user entry demoCert containing a user certificate delivered by IPA CA
Web UI certificate authentication stops working when an AD trust is configured. The web page shows:
    Authentication with personal certificate failed

httpd error_log displays:

    [Tue Apr 11 08:09:33.787693 2017] [auth_gssapi:error] [pid 44111] [client 10.36.116.124:50694] GSS ERROR In S4U2Self: gss_acquire_cred_impersonate_name(): [A required input parameter could not be read, No credentials were supplied, or the credentials were unavailable or inaccessible (Unknown error)]
    [Tue Apr 11 08:09:33.791505 2017] [:error] [pid 44109] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
    [Tue Apr 11 08:09:33.791853 2017] [:error] [pid 44109] ipa: DEBUG: WSGI login_x509.__call__:
    [Tue Apr 11 08:09:33.792102 2017] [:error] [pid 44109] ipa: INFO: 401 Unauthorized: KRB5CCNAME not set

krb5.kdc log:

    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ : handle_authdata (-1765328240)
    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: HANDLE_AUTHDATA: authtime 1491839345,  HTTP/ipaserver.example.com@EXAMPLE.COM for HTTP/ipaserver.example.com@EXAMPLE.COM, Wrong principal in request
    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): ... PROTOCOL-TRANSITION s4u-client=democert@EXAMPLE.COM
    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): closing down fd 11

Comment 2 Petr Vobornik 2017-04-11 16:23:14 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6862

Comment 5 Scott Poore 2017-05-12 03:51:44 UTC
Verified.

Version ::

ipa-server-4.5.0-11.el7.x86_64
gssproxy-0.7.0-3.el7.x86_64


Results ::

# First confirm WebUI cert login without AD Trust:


[root@dhcp129-184 ~]# ipa certmap-match /root/testing/demosc1_cert1.crt 
---------------
2 users matched
---------------
  Domain: TESTRELM.TEST
  User logins: demosc1, demosc2
----------------------------
Number of entries returned 1
----------------------------

# WebUI login with demosc1 works with cert on card after entering pin


[root@auto-hv-02-guest08 ~]# ipa-adtrust-install -a Secret123 --add-sids -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object
  [4/23]: creating samba config registry
  [5/23]: writing samba config file
  [6/23]: adding cifs Kerberos principal
  [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [8/23]: check for cifs services defined on other replicas
  [9/23]: adding cifs principal to S4U2Proxy targets
  [10/23]: adding admin(group) SIDs
  [11/23]: adding RID bases
  [12/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [13/23]: activating CLDAP plugin
  [14/23]: activating sidgen task
  [15/23]: configuring smbd to start on boot
  [16/23]: adding special DNS service records
  [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [18/23]: adding fallback group
  [19/23]: adding Default Trust View
  [20/23]: setting SELinux booleans
  [21/23]: starting CIFS services
  [22/23]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
  [23/23]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 135: epmap
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	  * 1024..1300: epmap listener range
	  * 3268: msft-gc
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================


# Login to WebUI worked with demosc1 with pin

[root@auto-hv-02-guest08 ~]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
Starting smb Service
Starting winbind Service
ipa: INFO: The ipactl command was successful

# Login to WebUI worked with demosc1 with pin


[root@auto-hv-02-guest08 ~]# ipa trust-add ipaadcs12r2.test --admin Administrator --password
Active Directory domain administrator's password: 
---------------------------------------------------------
Added Active Directory trust for realm "ipaadcs12r2.test"
---------------------------------------------------------
  Realm name: ipaadcs12r2.test
  Domain NetBIOS name: IPAADCS12R2
  Domain Security Identifier: S-1-5-21-2104345585-122664420-2375807449
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@auto-hv-02-guest08 ~]# vim /etc/sssd/sssd.conf
...
subdomains_provider = ipa
[sssd]
services = sudo, nss, ifp, pam, ssh, pac
...

[root@auto-hv-02-guest08 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

# Showing that AD Trust is working:

[root@auto-hv-02-guest08 ~]# id tempuser1@ipaadcs12r2.test
uid=1664401105(tempuser1@ipaadcs12r2.test) gid=1664401105(tempuser1@ipaadcs12r2.test) groups=1664401105(tempuser1@ipaadcs12r2.test),1664400513(domain users@ipaadcs12r2.test)

# Login to WebUI worked with demosc1 with pin

Comment 6 errata-xmlrpc 2017-08-01 09:48:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.