Red Hat Bugzilla – Bug 1441316
WebUI cert auth fails after ipa-adtrust-install
Last modified: 2017-08-01 05:48:56 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6862

IPA 4.5.0-5.el7
gssproxy 0.7.0-3.el7

IPA configured for WebUI certificate authentication, with a user entry demoCert containing a user certificate delivered by IPA CA.

Web UI certificate authentication stops working when an AD trust is configured. The web page shows:

    Authentication with personal certificate failed

httpd error_log displays:

    [Tue Apr 11 08:09:33.787693 2017] [auth_gssapi:error] [pid 44111] [client 10.36.116.124:50694] GSS ERROR In S4U2Self: gss_acquire_cred_impersonate_name(): [A required input parameter could not be read, No credentials were supplied, or the credentials were unavailable or inaccessible (Unknown error)]
    [Tue Apr 11 08:09:33.791505 2017] [:error] [pid 44109] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
    [Tue Apr 11 08:09:33.791853 2017] [:error] [pid 44109] ipa: DEBUG: WSGI login_x509.__call__:
    [Tue Apr 11 08:09:33.792102 2017] [:error] [pid 44109] ipa: INFO: 401 Unauthorized: KRB5CCNAME not set

krb5.kdc log:

    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ : handle_authdata (-1765328240)
    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: HANDLE_AUTHDATA: authtime 1491839345, HTTP/ipaserver.example.com@EXAMPLE.COM for HTTP/ipaserver.example.com@EXAMPLE.COM, Wrong principal in request
    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): ... PROTOCOL-TRANSITION s4u-client=democert@EXAMPLE.COM
    Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): closing down fd 11
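As an added triage helper (not part of the bug report or of FreeIPA), the script below scans krb5kdc.log for the S4U2Self signature quoted above: a TGS_REQ in which HTTP/ requests a ticket for itself, followed by the PROTOCOL-TRANSITION line naming the certificate user, and reports the exchanges that did not end in ISSUE. The log text is a constructed sample modelled on the lines in the report; the format of the healthy ISSUE line is assumed from standard MIT krb5 output.

```python
import re

# Constructed sample modelled on the krb5kdc.log lines quoted in this bug: a
# failed S4U2Self exchange followed by a healthy (ISSUE) one for comparison.
SAMPLE_KDC_LOG = """\
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ : handle_authdata (-1765328240)
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: HANDLE_AUTHDATA: authtime 1491839345, HTTP/ipaserver.example.com@EXAMPLE.COM for HTTP/ipaserver.example.com@EXAMPLE.COM, Wrong principal in request
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): ... PROTOCOL-TRANSITION s4u-client=democert@EXAMPLE.COM
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): closing down fd 11
Apr 11 08:20:01 ipaserver.example.com krb5kdc[43645](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: ISSUE: authtime 1491839345, etypes {rep=18 tkt=18 ses=18}, HTTP/ipaserver.example.com@EXAMPLE.COM for HTTP/ipaserver.example.com@EXAMPLE.COM
Apr 11 08:20:01 ipaserver.example.com krb5kdc[43645](info): ... PROTOCOL-TRANSITION s4u-client=democert@EXAMPLE.COM
"""

# TGS_REQ result line: status, client principal, server principal, optional error.
TGS_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): TGS_REQ \(.*?\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): authtime \d+, (?:etypes \{[^}]*\}, )?"
    r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)(?:, (?P<msg>.*))?$"
)
# S4U2Self continuation line naming the impersonated user.
S4U_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): \.\.\. PROTOCOL-TRANSITION "
    r"s4u-client=(?P<s4u_client>\S+)"
)


def find_s4u2self_failures(kdc_log):
    """Return one dict per failed S4U2Self exchange (status != ISSUE).

    S4U2Self is a TGS_REQ whose client and server are the same service
    principal, followed by a PROTOCOL-TRANSITION line from the same KDC pid."""
    failures, pending = [], None
    for line in kdc_log.splitlines():
        m = TGS_RE.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = S4U_RE.search(line)
        if m and pending and pending["pid"] == m.group("pid"):
            rec = dict(pending, s4u_client=m.group("s4u_client"))
            pending = None
            if rec["status"] != "ISSUE" and rec["client"] == rec["server"]:
                failures.append(rec)
    return failures


def describe(rec):
    """One-line triage summary for a failure record."""
    return (f"{rec['s4u_client']} via {rec['server']} from {rec['ip']}: "
            f"{rec['status']} ({rec['msg'] or 'no message'})")
```

Running it over a real /var/log/krb5kdc.log after a failed Web UI certificate login isolates the KDC side of the failure, which pairs with the auth_gssapi "GSS ERROR In S4U2Self" line in the httpd error_log.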
Upstream ticket: https://pagure.io/freeipa/issue/6862
Fixed upstream
ipa-4-5: https://pagure.io/freeipa/c/b5114070ae55bcc7ec1abe57b4c303cee4822930
master: https://pagure.io/freeipa/c/e88d5e815ea440bcef4acdc5f8fcb3a29e6eaec9
Verified.

Version ::
ipa-server-4.5.0-11.el7.x86_64
gssproxy-0.7.0-3.el7.x86_64

Results ::

# First confirm WebUI cert login without AD Trust:
[root@dhcp129-184 ~]# ipa certmap-match /root/testing/demosc1_cert1.crt
---------------
2 users matched
---------------
  Domain: TESTRELM.TEST
  User logins: demosc1, demosc2
----------------------------
Number of entries returned 1
----------------------------

# WebUI login with demosc1 works with cert on card after entering pin

[root@auto-hv-02-guest08 ~]# ipa-adtrust-install -a Secret123 --add-sids -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.

Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object
  [4/23]: creating samba config registry
  [5/23]: writing samba config file
  [6/23]: adding cifs Kerberos principal
  [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [8/23]: check for cifs services defined on other replicas
  [9/23]: adding cifs principal to S4U2Proxy targets
  [10/23]: adding admin(group) SIDs
  [11/23]: adding RID bases
  [12/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [13/23]: activating CLDAP plugin
  [14/23]: activating sidgen task
  [15/23]: configuring smbd to start on boot
  [16/23]: adding special DNS service records
  [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [18/23]: adding fallback group
  [19/23]: adding Default Trust View
  [20/23]: setting SELinux booleans
  [21/23]: starting CIFS services
  [22/23]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
  [23/23]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
TCP Ports:
  * 135: epmap
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 445: microsoft-ds
  * 1024..1300: epmap listener range
  * 3268: msft-gc
UDP Ports:
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 389: (C)LDAP
  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details
=============================================================================

# Login to WebUI worked with demosc1 with pin

[root@auto-hv-02-guest08 ~]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
Starting smb Service
Starting winbind Service
ipa: INFO: The ipactl command was successful

# Login to WebUI worked with demosc1 with pin

[root@auto-hv-02-guest08 ~]# ipa trust-add ipaadcs12r2.test --admin Administrator --password
Active Directory domain administrator's password:
---------------------------------------------------------
Added Active Directory trust for realm "ipaadcs12r2.test"
---------------------------------------------------------
  Realm name: ipaadcs12r2.test
  Domain NetBIOS name: IPAADCS12R2
  Domain Security Identifier: S-1-5-21-2104345585-122664420-2375807449
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@auto-hv-02-guest08 ~]# vim /etc/sssd/sssd.conf
...
subdomains_provider = ipa
[sssd]
services = sudo, nss, ifp, pam, ssh, pac
...

[root@auto-hv-02-guest08 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

# Showing that AD Trust is working:
[root@auto-hv-02-guest08 ~]# id tempuser1@ipaadcs12r2.test
uid=1664401105(tempuser1@ipaadcs12r2.test) gid=1664401105(tempuser1@ipaadcs12r2.test) groups=1664401105(tempuser1@ipaadcs12r2.test),1664400513(domain users@ipaadcs12r2.test)

# Login to WebUI worked with demosc1 with pin
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304