Bug 1441316 - WebUI cert auth fails after ipa-adtrust-install
Summary: WebUI cert auth fails after ipa-adtrust-install
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-04-11 16:22 UTC by Petr Vobornik
Modified: 2017-08-01 09:48 UTC

Fixed In Version: ipa-4.5.0-6.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:48:56 UTC
Target Upstream Version:
Embargoed:


Links:
  Red Hat Product Errata RHBA-2017:2304 (priority normal, status SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-04-11 16:22:57 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6862

IPA 4.5.0-5.el7
gssproxy 0.7.0-3.el7

IPA configured for WebUI certificate authentication, with a user entry demoCert containing a user certificate issued by the IPA CA.
Web UI certificate authentication stops working when an AD trust is configured. The web page shows:
    Authentication with personal certificate failed

httpd error_log displays:

    [Tue Apr 11 08:09:33.787693 2017] [auth_gssapi:error] [pid 44111] [client 10.36.116.124:50694] GSS ERROR In S4U2Self: gss_acquire_cred_impersonate_name(): [A required input parameter could not be read, No credentials were supplied, or the credentials were unavailable or inaccessible (Unknown error)]
    [Tue Apr 11 08:09:33.791505 2017] [:error] [pid 44109] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
    [Tue Apr 11 08:09:33.791853 2017] [:error] [pid 44109] ipa: DEBUG: WSGI login_x509.__call__:
    [Tue Apr 11 08:09:33.792102 2017] [:error] [pid 44109] ipa: INFO: 401 Unauthorized: KRB5CCNAME not set

krb5.kdc log:

    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ : handle_authdata (-1765328240)
    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: HANDLE_AUTHDATA: authtime 1491839345,  HTTP/ipaserver.example.com for HTTP/ipaserver.example.com, Wrong principal in request
    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): ... PROTOCOL-TRANSITION s4u-client=democert
    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): closing down fd 11

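An added triage example, not part of the report or of FreeIPA: it parses httpd error_log and krb5kdc lines in the two formats quoted above and correlates them into the failure signature of this bug (auth_gssapi S4U2Self error, the resulting "KRB5CCNAME not set" 401, and the KDC rejecting HTTP's S4U2Self request for itself). The sample lines are constructed from the report's excerpts; hostnames, pids, timestamps and IPs are placeholders.

```python
import re

# Constructed sample lines in the shape of the httpd error_log and krb5kdc log
# excerpts quoted in the report (timestamps, pids, hosts and IPs are placeholders).
HTTPD_LOG = """\
[Tue Apr 11 08:09:33.787693 2017] [auth_gssapi:error] [pid 44111] [client 10.36.116.124:50694] GSS ERROR In S4U2Self: gss_acquire_cred_impersonate_name(): [A required input parameter could not be read, No credentials were supplied, or the credentials were unavailable or inaccessible (Unknown error)]
[Tue Apr 11 08:09:33.792102 2017] [:error] [pid 44109] ipa: INFO: 401 Unauthorized: KRB5CCNAME not set
"""
KDC_LOG = """\
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: HANDLE_AUTHDATA: authtime 1491839345,  HTTP/ipaserver.example.com for HTTP/ipaserver.example.com, Wrong principal in request
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): ... PROTOCOL-TRANSITION s4u-client=democert
"""

# Apache error_log: [timestamp] [module:level] [pid N] [client IP:port]? message
HTTPD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^\]]*)\] \[pid (?P<pid>\d+)\]"
                      r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$")
# krb5kdc log: Mon DD HH:MM:SS host krb5kdc[pid](level): message
KDC_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
                    r"\((?P<level>\w+)\): (?P<msg>.*)$")
# "HTTP/host for HTTP/host, Wrong principal in request": the S4U2Self TGS-REQ was refused
S4U_REQ_RE = re.compile(r"(?P<server>\S+) for (?P<target>\S+), Wrong principal in request")
S4U_CLIENT_RE = re.compile(r"PROTOCOL-TRANSITION s4u-client=(?P<client>\S+)")

def triage(httpd_text, kdc_text):
    """Correlate both logs and report whether this bug's signature is present."""
    finding = {"s4u2self_failed": False, "ccache_missing": False,
               "wrong_principal": [], "s4u_clients": [], "client_ips": []}
    for line in httpd_text.splitlines():
        m = HTTPD_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if m.group("module") == "auth_gssapi:error" and "In S4U2Self" in msg:
            finding["s4u2self_failed"] = True
            if m.group("client"):  # strip the ephemeral port, keep the browser's IP
                finding["client_ips"].append(m.group("client").rsplit(":", 1)[0])
        if "KRB5CCNAME not set" in msg:  # downstream symptom: no ccache reached the WSGI app
            finding["ccache_missing"] = True
    for line in kdc_text.splitlines():
        m = KDC_RE.match(line)
        if not m:
            continue
        r = S4U_REQ_RE.search(m.group("msg"))
        if r:
            finding["wrong_principal"].append((r.group("server"), r.group("target")))
        c = S4U_CLIENT_RE.search(m.group("msg"))
        if c:  # the user the HTTP service tried to impersonate
            finding["s4u_clients"].append(c.group("client"))
    finding["matches_bug"] = (finding["s4u2self_failed"] and finding["ccache_missing"]
                              and bool(finding["wrong_principal"]))
    return finding
```

Run it over real logs from an affected server to confirm the WebUI 401 is caused by the KDC refusing the S4U2Self request rather than by a certificate mapping problem.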
Comment 2 Petr Vobornik 2017-04-11 16:23:14 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6862

Comment 5 Scott Poore 2017-05-12 03:51:44 UTC
Verified.

Version ::

ipa-server-4.5.0-11.el7.x86_64
gssproxy-0.7.0-3.el7.x86_64


Results ::

# First confirm WebUI cert login without AD Trust:


[root@dhcp129-184 ~]# ipa certmap-match /root/testing/demosc1_cert1.crt 
---------------
2 users matched
---------------
  Domain: TESTRELM.TEST
  User logins: demosc1, demosc2
----------------------------
Number of entries returned 1
----------------------------

# WebUI login with demosc1 works with cert on card after entering pin


[root@auto-hv-02-guest08 ~]# ipa-adtrust-install -a Secret123 --add-sids -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object
  [4/23]: creating samba config registry
  [5/23]: writing samba config file
  [6/23]: adding cifs Kerberos principal
  [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [8/23]: check for cifs services defined on other replicas
  [9/23]: adding cifs principal to S4U2Proxy targets
  [10/23]: adding admin(group) SIDs
  [11/23]: adding RID bases
  [12/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [13/23]: activating CLDAP plugin
  [14/23]: activating sidgen task
  [15/23]: configuring smbd to start on boot
  [16/23]: adding special DNS service records
  [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [18/23]: adding fallback group
  [19/23]: adding Default Trust View
  [20/23]: setting SELinux booleans
  [21/23]: starting CIFS services
  [22/23]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
  [23/23]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 135: epmap
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	  * 1024..1300: epmap listener range
	  * 3268: msft-gc
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================


# Login to WebUI worked with demosc1 with pin

[root@auto-hv-02-guest08 ~]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
Starting smb Service
Starting winbind Service
ipa: INFO: The ipactl command was successful

# Login to WebUI worked with demosc1 with pin


[root@auto-hv-02-guest08 ~]# ipa trust-add ipaadcs12r2.test --admin Administrator --password
Active Directory domain administrator's password: 
---------------------------------------------------------
Added Active Directory trust for realm "ipaadcs12r2.test"
---------------------------------------------------------
  Realm name: ipaadcs12r2.test
  Domain NetBIOS name: IPAADCS12R2
  Domain Security Identifier: S-1-5-21-2104345585-122664420-2375807449
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@auto-hv-02-guest08 ~]# vim /etc/sssd/sssd.conf
...
subdomains_provider = ipa
[sssd]
services = sudo, nss, ifp, pam, ssh, pac
...

[root@auto-hv-02-guest08 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

# Showing that AD Trust is working:

[root@auto-hv-02-guest08 ~]# id tempuser1
uid=1664401105(tempuser1) gid=1664401105(tempuser1) groups=1664401105(tempuser1),1664400513(domain users)

# Login to WebUI worked with demosc1 with pin

Comment 6 errata-xmlrpc 2017-08-01 09:48:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

