Red Hat Bugzilla – Bug 1457942
certauth: use canonical principal for lookups
Last modified: 2017-08-01 05:51:24 EDT
Description of problem: Currently the certauth plugin uses the unmodified principal from the request to look up the user. This might fail if e.g. enterprise principals are used.

On the client:

kinit -E -X X509_user_identity=.... scuser@IPAF25.DEVEL

In krb5kdc.log:

Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): Doing certauth authorize for [scuser\@IPAF25.DEVEL@IPAF25.DEVEL]
Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): Got cert filter [(...)]
Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): No matching entry found
Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): preauth (pkinit) verify failure: Certificate mismatch

To not fail, the canonical principal, which is also available in the certauth plugin, should be used.
Upstream ticket: https://pagure.io/freeipa/issue/6993
Fixed upstream
master: https://pagure.io/freeipa/c/117d6e9be0c386f134bd27eee3377e70df77f0f0
ipa-4-5: https://pagure.io/freeipa/c/e8d8aab469ca634f4ec38b869767316806c739f1
I think this is failing:

# On IPA SERVER:
ipa-server-4.5.0-16.el7.x86_64

# From the client:
[root@dhcp129-184 yum.local.d]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so demosc1@TESTRELM.TEST
demosc1 (OpenSC Card) PIN:

# From server logs:
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): Initializing IPA certauth plugin.
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): sss_certmap initialized.
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): Doing certauth authorize for [demosc1@TESTRELM.TEST]
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): Got cert filter [(|(userCertificate;binary=\30\82\04\...
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) IPSCRUBBED: ISSUE: authtime 1496863528, etypes {rep=18 tkt=18 ses=18}, demosc1\@TESTRELM.TEST@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): closing down fd 11

# ^^ So this is working before I change the principal for the user in IPA ^^

# Now I change the user principal alias:
[root@dhcp129-184 yum.local.d]# kinit admin
Password for admin@TESTRELM.TEST:
2017-06-07 13:25:42 MDT
[root@dhcp129-184 yum.local.d]# ipa user-mod demosc1 --principal=alias_demosc1@TESTRELM.TEST
-----------------------
Modified user "demosc1"
-----------------------
  User login: demosc1
  First name: demo
  Last name: sc1
  Home directory: /home/demosc1
  Login shell: /bin/sh
  Principal name: demosc1@TESTRELM.TEST
  Principal alias: alias_demosc1@TESTRELM.TEST
  Email address: demosc1@testrelm.test
  UID: 1505600004
  GID: 1505600004
  Certificate: MII...
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

# First trying with demosc1@TESTRELM.TEST
[root@dhcp129-184 yum.local.d]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so demosc1@TESTRELM.TEST
kinit: Client 'demosc1\@TESTRELM.TEST@TESTRELM.TEST' not found in Kerberos database while getting initial credentials

Jun 07 15:25:48 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) IPSCRUBBED: CLIENT_NOT_FOUND: demosc1\@TESTRELM.TEST@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Client not found in Kerberos database

# Next trying with alias_demosc1@TESTRELM.TEST
[root@dhcp129-184 yum.local.d]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so alias_demosc1@TESTRELM.TEST
demosc1 (OpenSC Card) PIN:
kinit: Certificate mismatch while getting initial credentials
2017-06-07 13:25:57 MDT

Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): Initializing IPA certauth plugin.
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): sss_certmap initialized.
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): Doing certauth authorize for [demosc1@TESTRELM.TEST]
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): Got cert filter [(|(userCertificate;binary=\30\82\04
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): No matching entry found
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): preauth (pkinit) verify failure: Certificate mismatch
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) IPSCRUBBED: PREAUTH_FAILED: alias_demosc1\@TESTRELM.TEST@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Certificate mismatch
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): closing down fd 11
No, this is expected. By calling 'ipa user-mod demosc1 --principal=alias_demosc1@TESTRELM.TEST' you say that only 'alias_demosc1@TESTRELM.TEST' can be used as input for kinit because you overwrite the default principal 'demosc1@TESTRELM.TEST'.

Please try:

ipa user-mod demosc1 --principal=alias_demosc1@TESTRELM.TEST --principal=demosc1@TESTRELM.TEST

HTH

bye,
Sumit
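The two failure modes in this thread, the enterprise-principal lookup from the description and the overwritten alias list from the comment above, as an added example. This is a small model written for this page, not FreeIPA's certauth code; the directory entries and certificate bytes are constructed, and the assumption that the plugin's filter combines krbPrincipalName with the certificate is mine (the logs only show the userCertificate part).

```python
import copy

# Constructed sample entry mirroring the IPA user attributes seen in the report:
# krbPrincipalName holds every alias, krbCanonicalName the one principal the
# KDC canonicalizes to. The certificate bytes are a placeholder, not real DER.
DEMOSC1 = {
    "krbCanonicalName": "demosc1@TESTRELM.TEST",
    "krbPrincipalName": ["demosc1@TESTRELM.TEST"],
    "userCertificate": b"constructed-cert-bytes",
}

def request_to_plain(principal):
    """'kinit -E' sends one name component holding 'user@REALM' plus the realm,
    which krb5kdc logs as 'user\\@REALM@REALM'. Return the plain 'user@REALM';
    an ordinary principal passes through unchanged."""
    name, _, realm = principal.rpartition("@")
    return name.replace("\\@", "@") if "\\@" in name else principal

def kdb_lookup(directory, principal):
    """KDB step: the client name matches any alias in krbPrincipalName; the KDC
    then continues with that entry's canonical principal."""
    plain = request_to_plain(principal)
    return next((e for e in directory if plain in e["krbPrincipalName"]), None)

def certauth_authorize(directory, request_principal, cert, use_canonical=True):
    """Models the certauth check. use_canonical=False is the pre-fix behaviour:
    the filter used the request principal exactly as it arrived, so the escaped
    enterprise form never matched an alias and the cert check failed."""
    entry = kdb_lookup(directory, request_principal)
    if entry is None:
        return "CLIENT_NOT_FOUND"
    name = entry["krbCanonicalName"] if use_canonical else request_principal
    hit = [e for e in directory
           if name in e["krbPrincipalName"] and e["userCertificate"] == cert]
    return "ISSUE" if hit else "Certificate mismatch"

def user_mod_principal(entry, *principals):
    """Models 'ipa user-mod --principal': the given list REPLACES the alias list,
    which is why both names must be passed to keep the default principal usable."""
    new = copy.deepcopy(entry)
    new["krbPrincipalName"] = list(principals)
    return new

ENTERPRISE = "demosc1\\@TESTRELM.TEST@TESTRELM.TEST"   # what 'kinit -E' produces
CERT = DEMOSC1["userCertificate"]
```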
Verified.

Version ::
ipa-server-4.5.0-16.el7.x86_64
sssd-1.15.2-43.el7.x86_64

Results ::

[root@dhcp129-184 ~]# ipa user-mod demosc1 --principal=alias_demosc1@TESTRELM.TEST --principal=demosc1@TESTRELM.TEST
-----------------------
Modified user "demosc1"
-----------------------
  User login: demosc1
  First name: demo
  Last name: sc1
  Home directory: /home/demosc1
  Login shell: /bin/sh
  Principal name: demosc1@TESTRELM.TEST
  Principal alias: demosc1@TESTRELM.TEST, alias_demosc1@TESTRELM.TEST
  Email address: demosc1@testrelm.test
  UID: 1505600004
  GID: 1505600004
  Certificate: (omitted)
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# vim /etc/sssd/sssd.conf
# add krb5_use_enterprise_principal = True

[root@dhcp129-184 ~]# kdestroy -A
[root@dhcp129-184 ~]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so alias_demosc1@TESTRELM.TEST
demosc1 (OpenSC Card) PIN:
[root@dhcp129-184 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_MPhy6EK
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
06/08/2017 07:14:32  06/09/2017 07:14:29  krbtgt/TESTRELM.TEST@TESTRELM.TEST

[root@dhcp129-184 ~]# kdestroy -A
[root@dhcp129-184 ~]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so demosc1@TESTRELM.TEST
demosc1 (OpenSC Card) PIN:
[root@dhcp129-184 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_MPhy6EK
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
06/08/2017 07:14:46  06/09/2017 07:14:42  krbtgt/TESTRELM.TEST@TESTRELM.TEST

[root@dhcp129-184 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*;systemctl start sssd
[root@dhcp129-184 ~]# su - demosc1 -c "kdestroy -A"
[root@dhcp129-184 ~]# su - demosc2 -c "su - alias_demosc1@TESTRELM.TEST -c klist"
PIN for demosc1 (OpenSC Card)
Ticket cache: KEYRING:persistent:1505600004:krb_ccache_N6I0SB5
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
06/08/2017 07:17:58  06/09/2017 07:17:56  krbtgt/TESTRELM.TEST@TESTRELM.TEST

[root@dhcp129-184 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*;systemctl start sssd
[root@dhcp129-184 ~]# su - demosc1 -c "kdestroy -A"
[root@dhcp129-184 ~]# su - demosc2 -c "su - demosc1@TESTRELM.TEST -c klist"
PIN for demosc1 (OpenSC Card)
Ticket cache: KEYRING:persistent:1505600004:krb_ccache_0A5n1um
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
06/08/2017 07:18:28  06/09/2017 07:18:25  krbtgt/TESTRELM.TEST@TESTRELM.TEST
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304