Bug 1457942 - certauth: use canonical principal for lookups
Summary: certauth: use canonical principal for lookups
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-06-01 15:24 UTC by Sumit Bose
Modified: 2017-08-01 09:51 UTC (History)

Fixed In Version: ipa-4.5.0-16.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:51:24 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Sumit Bose 2017-06-01 15:24:31 UTC
Description of problem:
Currently the certauth plugin uses the unmodified principal from the request to look up the user. This might fail if e.g. enterprise principals are used.

On the client:
    kinit -E -X X509_user_identity=.... scuser@IPAF25.DEVEL
In krb5kdc.log:
    Mar 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): Doing certauth authorize for [scuser\@IPAF25.DEVEL@IPAF25.DEVEL]
    Mar 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): Got cert filter [(...)]
    Mar 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): No matching entry found
    Mar 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): preauth (pkinit) verify failure: Certificate mismatch


To avoid this failure, the canonical principal, which is also available in the certauth plugin, should be used.

Comment 1 Petr Vobornik 2017-06-01 15:35:37 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6993

Comment 6 Scott Poore 2017-06-07 19:39:29 UTC
I think this is failing:

# On IPA SERVER:

ipa-server-4.5.0-16.el7.x86_64


# From the client:

[root@dhcp129-184 yum.local.d]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so demosc1@TESTRELM.TEST
demosc1 (OpenSC Card)            PIN: 

# From server logs:

Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): Initializing IPA certauth plugin.
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): sss_certmap initialized.
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): Doing certauth authorize for [demosc1@TESTRELM.TEST]
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): Got cert filter [(|(userCertificate;binary=\30\82\04\...
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) IPSCRUBBED: ISSUE: authtime 1496863528, etypes {rep=18 tkt=18 ses=18}, demosc1\@TESTRELM.TEST@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST
Jun 07 15:25:28 auto-hv-02-guest08.testrelm.test krb5kdc[9325](info): closing down fd 11

# ^^ So this is working before I change the principal for the user in IPA ^^

# Now I change the user principal alias:

[root@dhcp129-184 yum.local.d]# kinit admin
Password for admin@TESTRELM.TEST: 

2017-06-07 13:25:42 MDT 
[root@dhcp129-184 yum.local.d]# ipa user-mod demosc1 --principal=alias_demosc1@TESTRELM.TEST
-----------------------
Modified user "demosc1"
-----------------------
  User login: demosc1
  First name: demo
  Last name: sc1
  Home directory: /home/demosc1
  Login shell: /bin/sh
  Principal name: demosc1@TESTRELM.TEST
  Principal alias: alias_demosc1@TESTRELM.TEST
  Email address: demosc1@testrelm.test
  UID: 1505600004
  GID: 1505600004
  Certificate: MII...
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True


# First trying with demosc1@TESTRELM.TEST

[root@dhcp129-184 yum.local.d]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so demosc1@TESTRELM.TEST
kinit: Client 'demosc1\@TESTRELM.TEST@TESTRELM.TEST' not found in Kerberos database while getting initial credentials


Jun 07 15:25:48 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) IPSCRUBBED: CLIENT_NOT_FOUND: demosc1\@TESTRELM.TEST@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Client not found in Kerberos database




# Next trying with alias_demosc1@TESTRELM.TEST

[root@dhcp129-184 yum.local.d]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so alias_demosc1@TESTRELM.TEST
demosc1 (OpenSC Card)            PIN: 
kinit: Certificate mismatch while getting initial credentials

2017-06-07 13:25:57 MDT 

Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): Initializing IPA certauth plugin.
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): sss_certmap initialized.
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): Doing certauth authorize for [demosc1@TESTRELM.TEST]
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): Got cert filter [(|(userCertificate;binary=\30\82\04
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): No matching entry found
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): preauth (pkinit) verify failure: Certificate mismatch
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) IPSCRUBBED: PREAUTH_FAILED: alias_demosc1\@TESTRELM.TEST@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Certificate mismatch
Jun 07 15:25:57 auto-hv-02-guest08.testrelm.test krb5kdc[9326](info): closing down fd 11

Comment 7 Sumit Bose 2017-06-08 07:37:51 UTC
No, this is expected.

By calling 'ipa user-mod demosc1 --principal=alias_demosc1@TESTRELM.TEST' you say that only 'alias_demosc1@TESTRELM.TEST' can be used as input for kinit, because you overwrite the default principal 'demosc1@TESTRELM.TEST'.

Please try:

    ipa user-mod demosc1 --principal=alias_demosc1@TESTRELM.TEST --principal=demosc1@TESTRELM.TEST

HTH

bye,
Sumit
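The two behaviours discussed in this bug, the description's point that a certauth lookup keyed on the raw enterprise-principal string (user\@REALM@REALM) finds nothing while one keyed on the canonical principal succeeds, and Comment 7's point that `ipa user-mod --principal=` replaces the alias list rather than adding to it, as one added worked example. This is a toy model written for this page, not FreeIPA or krb5 code: the entry layout, the shape of the certauth filter, the function names and the return codes are assumptions made for the demonstration; the user names, realm and outcomes follow the transcript in Comments 6 and 8, and the directory contents are constructed so the script runs offline.

```python
"""Toy model of the KDC-side lookups in this bug (added example, not FreeIPA code).

Assumptions (not taken from the page):
  * a user entry keeps the canonical principal in krbCanonicalName and every
    accepted AS-REQ name (the 'Principal alias' list) in krbPrincipalName;
  * the certauth step searches for an entry matching BOTH the chosen principal
    and the presented certificate, i.e. roughly
    (&(krbPrincipalName=<p>)(userCertificate=<cert>)).
"""

REALM = "TESTRELM.TEST"
CERT = b"MII..."  # constructed stand-in for the user's DER certificate

# Constructed stand-in for the LDAP user entry behind 'ipa user-mod demosc1'.
demosc1 = {
    "uid": "demosc1",
    "krbCanonicalName": f"demosc1@{REALM}",
    "krbPrincipalName": [f"demosc1@{REALM}"],
    "userCertificate": [CERT],
}
DIRECTORY = [demosc1]


def parse_principal(name):
    """Split 'primary@REALM', honouring '\\@' escapes in the primary.
    The enterprise form sent by 'kinit -E', 'user\\@REALM@REALM',
    yields ('user@REALM', 'REALM')."""
    primary, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):
            primary.append(name[i + 1])
            i += 2
        elif c == "@":
            return "".join(primary), name[i + 1:]
        else:
            primary.append(c)
            i += 1
    return "".join(primary), ""


def kdb_lookup(request_principal):
    """KDB lookup for an AS-REQ: an enterprise principal is matched by the
    'user@REALM' embedded in its primary, any other name by primary@realm.
    Only names in the alias list match; returns None for CLIENT_NOT_FOUND."""
    primary, realm = parse_principal(request_principal)
    name = primary if "@" in primary else f"{primary}@{realm}"
    for entry in DIRECTORY:
        if name in entry["krbPrincipalName"]:
            return entry
    return None


def certauth_authorize(request_principal, cert, use_canonical):
    """Model of the certauth plugin.  use_canonical=False builds the filter
    from the request principal as received (the behaviour reported in the
    description); use_canonical=True builds it from the entry's canonical
    principal (the fix).  Returns the krb5kdc.log outcome keyword."""
    entry = kdb_lookup(request_principal)
    if entry is None:
        return "CLIENT_NOT_FOUND"
    p = entry["krbCanonicalName"] if use_canonical else request_principal
    for e in DIRECTORY:
        if p in e["krbPrincipalName"] and cert in e["userCertificate"]:
            return "ISSUE"
    return "PREAUTH_FAILED"  # logged as "Certificate mismatch"


def user_mod_set_principals(entry, *principals):
    """'ipa user-mod --principal=...': the given values REPLACE the alias
    list; the canonical name itself is not changed (Comment 7)."""
    entry["krbPrincipalName"] = list(principals)
    return entry["krbPrincipalName"]


if __name__ == "__main__":
    enterprise = "demosc1\\@TESTRELM.TEST@TESTRELM.TEST"
    print("raw request principal :", certauth_authorize(enterprise, CERT, False))
    print("canonical principal   :", certauth_authorize(enterprise, CERT, True))
    user_mod_set_principals(demosc1, "alias_demosc1@TESTRELM.TEST")
    print("after --principal=alias only, plain name:",
          certauth_authorize("demosc1@TESTRELM.TEST", CERT, True))
    user_mod_set_principals(demosc1, "alias_demosc1@TESTRELM.TEST",
                            "demosc1@TESTRELM.TEST")
    print("after both aliases, enterprise alias:",
          certauth_authorize("alias_demosc1\\@TESTRELM.TEST@TESTRELM.TEST", CERT, True))
```

Run it as a script to see the four outcomes in the order the transcript produced them: the raw enterprise string fails with a certificate mismatch while the canonical name issues a ticket; setting a single alias makes the plain name CLIENT_NOT_FOUND; restoring both aliases lets both the plain and the enterprise form authenticate.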

Comment 8 Scott Poore 2017-06-08 13:20:45 UTC
Verified.

Version ::

ipa-server-4.5.0-16.el7.x86_64
sssd-1.15.2-43.el7.x86_64


Results ::

[root@dhcp129-184 ~]# ipa user-mod demosc1 --principal=alias_demosc1@TESTRELM.TEST --principal=demosc1@TESTRELM.TEST
-----------------------
Modified user "demosc1"
-----------------------
  User login: demosc1
  First name: demo
  Last name: sc1
  Home directory: /home/demosc1
  Login shell: /bin/sh
  Principal name: demosc1@TESTRELM.TEST
  Principal alias: demosc1@TESTRELM.TEST, alias_demosc1@TESTRELM.TEST
  Email address: demosc1@testrelm.test
  UID: 1505600004
  GID: 1505600004
  Certificate: MII...
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True


[root@dhcp129-184 ~]# vim /etc/sssd/sssd.conf
# add krb5_use_enterprise_principal = True


[root@dhcp129-184 ~]# kdestroy -A

[root@dhcp129-184 ~]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so alias_demosc1@TESTRELM.TEST
demosc1 (OpenSC Card)            PIN: 

[root@dhcp129-184 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_MPhy6EK
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
06/08/2017 07:14:32  06/09/2017 07:14:29  krbtgt/TESTRELM.TEST@TESTRELM.TEST

[root@dhcp129-184 ~]# kdestroy -A

[root@dhcp129-184 ~]# kinit -E -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so demosc1@TESTRELM.TEST
demosc1 (OpenSC Card)            PIN: 

[root@dhcp129-184 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_MPhy6EK
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
06/08/2017 07:14:46  06/09/2017 07:14:42  krbtgt/TESTRELM.TEST@TESTRELM.TEST


[root@dhcp129-184 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*;systemctl start sssd

[root@dhcp129-184 ~]# su - demosc1 -c "kdestroy -A"

[root@dhcp129-184 ~]# su - demosc2 -c "su - alias_demosc1@TESTRELM.TEST -c klist"
PIN for demosc1 (OpenSC Card)
Ticket cache: KEYRING:persistent:1505600004:krb_ccache_N6I0SB5
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
06/08/2017 07:17:58  06/09/2017 07:17:56  krbtgt/TESTRELM.TEST@TESTRELM.TEST

[root@dhcp129-184 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*;systemctl start sssd

[root@dhcp129-184 ~]# su - demosc1 -c "kdestroy -A"

[root@dhcp129-184 ~]# su - demosc2 -c "su - demosc1@TESTRELM.TEST -c klist"
PIN for demosc1 (OpenSC Card)
Ticket cache: KEYRING:persistent:1505600004:krb_ccache_0A5n1um
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
06/08/2017 07:18:28  06/09/2017 07:18:25  krbtgt/TESTRELM.TEST@TESTRELM.TEST

Comment 9 errata-xmlrpc 2017-08-01 09:51:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

