Bug 1915820 - ipa server does not authenticate a user with enterprise principal
Summary: ipa server does not authenticate a user with enterprise principal
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ipa
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: beta
Target Release: ---
Assignee: Alexander Bokovoy
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-13 13:35 UTC by Filip Dvorak
Modified: 2022-07-13 07:28 UTC
CC: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-07-13 07:28:26 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
Red Hat Issue Tracker: FREEIPA-7829 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2022-02-10 13:17:26 UTC)

Description Filip Dvorak 2021-01-13 13:35:13 UTC
Description of problem:
The IPA server doesn't authenticate a user who uses an enterprise principal.

Version-Release number of selected component (if applicable):
RHEL-8.4.0-20210107.n.0
ipa-server-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601
krb5-server-1.18.2-7.el8.x86_64

Steps to Reproduce:

Environment setup
=================
hostnamectl set-hostname master.test.ipa
dnf module reset idm -y
dnf module enable -y idm:DL1/dns
dnf install -y ipa-server

echo "$ip_addr master.test.ipa" >>/etc/hosts   # ip_addr: the server's IP address, set before running these steps
ipa-server-install --hostname=master.test.ipa -r TESTREALM.COM -n test.ipa -p Secret123 -a Secret123 --unattended --ip-address "$ip_addr"
dnf install -y freeradius freeradius-ldap freeradius-utils

Test setup
==========
echo Secret123 | kinit admin
echo -e "Secret123" | ipa user-add otpuser --first=otp --last=user --password
ipa user-add-principal otpuser altuser "raduser\@test.ipa"
echo -e "Secret123" | kinit -c otpuser.cache otpuser
printf "testing123\ntesting123\n" | ipa radiusproxy-add localradius --server=master.test.ipa
ipa user-mod otpuser --radius=localradius 
ipa user-mod otpuser --user-auth-type=otp --user-auth-type=radius

File '/etc/raddb/clients.conf' should contain 'ipaddr = $ip_addr'
File '/etc/raddb/clients.conf' should contain 'secret = testing123'
 
echo "otpuser Cleartext-Password := 123otp" >> /etc/raddb/users
systemctl start radiusd
echo -e "Secret123" | kinit -c otpuser.cache otpuser

Actual results:
echo 123otp | kinit -T otpuser.cache altuser
Enter OTP Token Value: 

echo 123otp | kinit -T otpuser.cache -E raduser
kinit: Client 'raduser\@test.ipa' not found in Kerberos database while getting initial credentials


Expected results:
The user should be authenticated with the help of an enterprise principal.

echo 123otp | kinit -T otpuser.cache -E raduser
Enter OTP Token Value: 

Additional info:

Kerberos debug
==============
# export KRB5_TRACE=/dev/stdout
# echo 123otp | kinit -T otpuser.cache -E raduser
[13254] 1610544256.068307: Resolving unique ccache of type KCM
[13254] 1610544256.068308: Getting initial credentials for raduser\@test.ipa
[13254] 1610544256.068309: FAST armor ccache: otpuser.cache
[13254] 1610544256.068310: Retrieving otpuser -> krb5_ccache_conf_data/fast_avail/krbtgt\/TESTREALM.COM\@TESTREALM.COM@X-CACHECONF: from FILE:otpuser.cache with result: 0/Success
[13254] 1610544256.068311: Read config in FILE:otpuser.cache for krbtgt/TESTREALM.COM: fast_avail: yes
[13254] 1610544256.068312: Using FAST due to armor ccache negotiation result
[13254] 1610544256.068313: Getting credentials otpuser -> krbtgt/TESTREALM.COM using ccache FILE:otpuser.cache
[13254] 1610544256.068314: Retrieving otpuser -> krbtgt/TESTREALM.COM from FILE:otpuser.cache with result: 0/Success
[13254] 1610544256.068315: Armor ccache sesion key: aes256-cts/AD06
[13254] 1610544256.068317: Creating authenticator for otpuser -> krbtgt/TESTREALM.COM, seqnum 0, subkey aes256-cts/84C0, session key aes256-cts/AD06
[13254] 1610544256.068319: FAST armor key: aes256-cts/9F56
[13254] 1610544256.068321: Sending unauthenticated request
[13254] 1610544256.068322: Encoding request body and padata into FAST request
[13254] 1610544256.068323: Sending request (1122 bytes) to TESTREALM.COM
[13254] 1610544256.068324: Initiating TCP connection to stream 10.0.139.84:88
[13254] 1610544256.068325: Sending TCP request to stream 10.0.139.84:88
[13254] 1610544256.068326: Received answer (449 bytes) from stream 10.0.139.84:88
[13254] 1610544256.068327: Terminating TCP connection to stream 10.0.139.84:88
[13254] 1610544256.068328: Response was from master KDC
[13254] 1610544256.068329: Received error from KDC: -1765328378/Client not found in Kerberos database
[13254] 1610544256.068330: Decoding FAST response
kinit: Client 'raduser\@test.ipa' not found in Kerberos database while getting initial credentials

The same scenario works on RHEL8.2:
===================================
Used version:
krb5-server-1.17-18.el8.x86_64
ipa-server-4.8.4-7.module+el8.2.0+6046+aaa49f96.x86_64

# echo 123otp | kinit -T otpuser.cache -E raduser
[12893] 1610544354.192789: Resolving unique ccache of type KCM
[12893] 1610544354.192790: Getting initial credentials for raduser\@test.ipa
[12893] 1610544354.192791: FAST armor ccache: otpuser.cache
[12893] 1610544354.192792: Retrieving otpuser -> krb5_ccache_conf_data/fast_avail/krbtgt\/TESTREALM.COM\@TESTREALM.COM@X-CACHECONF: from FILE:otpuser.cache with result: 0/Success
[12893] 1610544354.192793: Read config in FILE:otpuser.cache for krbtgt/TESTREALM.COM: fast_avail: yes
[12893] 1610544354.192794: Using FAST due to armor ccache negotiation result
[12893] 1610544354.192795: Getting credentials otpuser -> krbtgt/TESTREALM.COM using ccache FILE:otpuser.cache
[12893] 1610544354.192796: Retrieving otpuser -> krbtgt/TESTREALM.COM from FILE:otpuser.cache with result: 0/Success
[12893] 1610544354.192797: Armor ccache sesion key: aes256-cts/58B3
[12893] 1610544354.192799: Creating authenticator for otpuser -> krbtgt/TESTREALM.COM, seqnum 0, subkey aes256-cts/724A, session key aes256-cts/58B3
[12893] 1610544354.192801: FAST armor key: aes256-cts/4250
[12893] 1610544354.192803: Sending unauthenticated request
[12893] 1610544354.192804: Encoding request body and padata into FAST request
[12893] 1610544354.192805: Sending request (1134 bytes) to TESTREALM.COM
[12893] 1610544354.192806: Initiating TCP connection to stream 10.0.138.18:88
[12893] 1610544354.192807: Sending TCP request to stream 10.0.138.18:88
[12893] 1610544354.192808: Received answer (623 bytes) from stream 10.0.138.18:88
[12893] 1610544354.192809: Terminating TCP connection to stream 10.0.138.18:88
[12893] 1610544354.192810: Response was from master KDC
[12893] 1610544354.192811: Received error from KDC: -1765328359/Additional pre-authentication required
[12893] 1610544354.192812: Decoding FAST response
[12893] 1610544354.192815: Preauthenticating using KDC method data
[12893] 1610544354.192816: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)
[12893] 1610544354.192817: Received cookie: MIT
[12893] 1610544354.192818: PKINIT client has no configured identity; giving up
[12893] 1610544354.192819: Preauth module pkinit (147) (info) returned: 0/Success
[12893] 1610544354.192820: PKINIT client received freshness token from KDC
[12893] 1610544354.192821: Preauth module pkinit (150) (info) returned: 0/Success
[12893] 1610544354.192822: PKINIT client has no configured identity; giving up
[12893] 1610544354.192823: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[12893] 1610544354.192824: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
[12893] 1610544354.192825: Preauth module pkinit (15) (real) returned: -1765328360/Preauthentication failed
[12893] 1610544354.192826: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
[12893] 1610544354.192827: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
Enter OTP Token Value: 
[12893] 1610544354.192828: Preauth module otp (141) (real) returned: 0/Success
[12893] 1610544354.192829: Produced preauth for next request: PA-FX-COOKIE (133), PA-OTP-REQUEST (142)
[12893] 1610544354.192830: Encoding request body and padata into FAST request
[12893] 1610544354.192831: Sending request (1267 bytes) to TESTREALM.COM
[12893] 1610544354.192832: Initiating TCP connection to stream 10.0.138.18:88
[12893] 1610544354.192833: Sending TCP request to stream 10.0.138.18:88
[12893] 1610544354.192834: Received answer (1025 bytes) from stream 10.0.138.18:88
[12893] 1610544354.192835: Terminating TCP connection to stream 10.0.138.18:88
[12893] 1610544354.192836: Response was from master KDC
[12893] 1610544354.192837: Decoding FAST response
[12893] 1610544354.192838: Processing preauth types: (empty)
[12893] 1610544354.192839: Produced preauth for next request: (empty)
[12893] 1610544354.192840: Salt derived from principal: TESTREALM.COMotpuser
[12893] 1610544354.192841: AS key determined by preauth: aes256-cts/4250
[12893] 1610544354.192842: FAST reply key: aes256-cts/5E40
[12893] 1610544354.192843: Decrypted AS reply; session key is: aes256-cts/B56B
[12893] 1610544354.192844: FAST negotiation: available
[12893] 1610544354.192845: Initializing KCM:0:72001 with default princ otpuser
[12893] 1610544354.192846: Storing otpuser -> krbtgt/TESTREALM.COM in KCM:0:72001
[12893] 1610544354.192847: Storing config in KCM:0:72001 for krbtgt/TESTREALM.COM: fast_avail: yes
[12893] 1610544354.192848: Storing otpuser -> krb5_ccache_conf_data/fast_avail/krbtgt\/TESTREALM.COM\@TESTREALM.COM@X-CACHECONF: in KCM:0:72001
[12893] 1610544354.192849: Storing config in KCM:0:72001 for krbtgt/TESTREALM.COM: pa_type: 141
[12893] 1610544354.192850: Storing otpuser -> krb5_ccache_conf_data/pa_type/krbtgt\/TESTREALM.COM\@TESTREALM.COM@X-CACHECONF: in KCM:0:72001

Comment 1 Alexander Bokovoy 2021-01-13 14:10:04 UTC
I think the issue is on your side: when you define an alias, you should be defining it without our realm.

kinit -E raduser

will result in a search issued by KDC with the following LDAP filter:

"(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=raduser)(krbPrincipalName:caseIgnoreIA5Match:=raduser)))"

Comment 2 Filip Dvorak 2021-01-13 16:17:44 UTC
I have tried to use the same scenario except for "ipa user-add-principal". I used this command without REALM -> "ipa user-add-principal otpuser altuser "raduser\@test.ipa"". But the result is the same:

# ipa user-add-principal otpuser altuser "raduser\@test.ipa"
-----------------------------------
Added new aliases to user "otpuser"
-----------------------------------
  User login: otpuser
  Principal alias: otpuser, raduser\@test.ipa, altuser
[root@ci-vm-10-0-139-150 ~]# echo -e "Secret123" | kinit -c otpuser.cache otpuser
Password for otpuser: 
Password expired.  You must change it now.
Enter new password: 
kinit: Cannot read password while getting initial credentials
[root@ci-vm-10-0-139-150 ~]# kinit -c otpuser.cache otpuser
Password for otpuser: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

# ipa user-show otpuser
  User login: otpuser
  First name: otp
  Last name: user
  Home directory: /home/otpuser
  Login shell: /bin/sh
  Principal name: otpuser
  Principal alias: otpuser, raduser\@test.ipa, altuser
  Email address: otpuser
  UID: 1684400001
  GID: 1684400001
  User authentication types: otp, radius
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

# echo 123otp | kinit -T otpuser.cache altuser
Enter OTP Token Value: 

# export KRB5_TRACE=/dev/stdout
# echo 123otp | kinit -T otpuser.cache -E raduser
[12843] 1610554244.837542: Resolving unique ccache of type KCM
[12843] 1610554244.837543: Getting initial credentials for raduser\@test.ipa
[12843] 1610554244.837544: FAST armor ccache: otpuser.cache
[12843] 1610554244.837545: Retrieving otpuser -> krb5_ccache_conf_data/fast_avail/krbtgt\/TESTREALM.COM\@TESTREALM.COM@X-CACHECONF: from FILE:otpuser.cache with result: 0/Success
[12843] 1610554244.837546: Read config in FILE:otpuser.cache for krbtgt/TESTREALM.COM: fast_avail: yes
[12843] 1610554244.837547: Using FAST due to armor ccache negotiation result
[12843] 1610554244.837548: Getting credentials otpuser -> krbtgt/TESTREALM.COM using ccache FILE:otpuser.cache
[12843] 1610554244.837549: Retrieving otpuser -> krbtgt/TESTREALM.COM from FILE:otpuser.cache with result: 0/Success
[12843] 1610554244.837550: Armor ccache sesion key: aes256-cts/97B4
[12843] 1610554244.837552: Creating authenticator for otpuser -> krbtgt/TESTREALM.COM, seqnum 0, subkey aes256-cts/B3EA, session key aes256-cts/97B4
[12843] 1610554244.837554: FAST armor key: aes256-cts/1D75
[12843] 1610554244.837556: Sending unauthenticated request
[12843] 1610554244.837557: Encoding request body and padata into FAST request
[12843] 1610554244.837558: Sending request (1122 bytes) to TESTREALM.COM
[12843] 1610554244.837559: Initiating TCP connection to stream 10.0.139.150:88
[12843] 1610554244.837560: Sending TCP request to stream 10.0.139.150:88
[12843] 1610554244.837561: Received answer (449 bytes) from stream 10.0.139.150:88
[12843] 1610554244.837562: Terminating TCP connection to stream 10.0.139.150:88
[12843] 1610554244.837563: Response was from master KDC
[12843] 1610554244.837564: Received error from KDC: -1765328378/Client not found in Kerberos database
[12843] 1610554244.837565: Decoding FAST response
kinit: Client 'raduser\@test.ipa' not found in Kerberos database while getting initial credentials

Comment 3 Alexander Bokovoy 2021-01-13 19:01:51 UTC
As for the alias lookup not working, this is in dbget_princ() in the first condition: if we are asked for in-realm canonicalization, we unparse without the outer realm and reparse without escaping @ and /, then ipadb_fetch_principals uses this principal (raduser) instead of raduser@IPA1.TEST. The logic here is the same as in upstream's KDB driver, but we store the principal alias fqdn with our realm. AD stores these aliases without its own realm, but it has a list of UPN suffixes to allow. We could add code to dbget_alias() to have a list of our own UPN suffixes that can be added to aliases, and then not add our realm to them when storing them in LDAP; it would require changes in both dbget_alias and the IPA framework.

# ipa user-add-principal foobar altuser raduser
ipa: ERROR: The realm for the principal does not match the realm for this IPA server

and if 'some.domain' would be a registered UPN suffix for our realm, then we would allow it. This, however, would only work for a canonicalised request as we don't have realm aliasing support yet.
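
The lookup path described in comments 1 and 3, as an added illustrative model in Python (not the IPA KDB driver's code and not MIT krb5's): it implements krb5 principal-string escaping, the "unparse without the outer realm and without escaping, then reparse" step, and the LDAP filter quoted in comment 1 with RFC 4515 escaping of the lookup value. The stored aliases, the realm TESTREALM.COM and the alias_matches() rule are constructed for this example; the match rule in particular is an assumed simplification, not IPA's matching logic.

```python
# Illustrative model only: not the IPA KDB driver and not MIT krb5 code.
# It reproduces what comments 1 and 3 describe: krb5 principal-string
# escaping, and the LDAP filter the KDC issues to find a client entry.

OWN_REALM = "TESTREALM.COM"  # realm from the bug report (constructed setup)


def unparse_principal(components, realm=None, escape=True):
    """Render a principal as a string. escape=True writes '\\', '@', '/' inside
    a component as '\\\\', '\\@', '\\/' (krb5 default); escape=False emits them
    raw, the display form in which that information is lost."""
    def esc(comp):
        if not escape:
            return comp
        return "".join("\\" + ch if ch in "\\@/" else ch for ch in comp)
    name = "/".join(esc(c) for c in components)
    return name if realm is None else f"{name}@{realm}"


def parse_principal(text, default_realm):
    """Parse a principal string into (components, realm): a backslash protects
    the next character, unescaped '/' separates components, the first
    unescaped '@' starts the realm; no realm means default_realm."""
    components, current, realm_chars, in_realm, i = [], [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            (realm_chars if in_realm else current).append(text[i + 1])
            i += 2
            continue
        if in_realm:
            realm_chars.append(ch)
        elif ch == "@":
            in_realm = True
        elif ch == "/":
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    components.append("".join(current))
    return components, ("".join(realm_chars) if in_realm else default_realm)


def ldap_filter_escape(value):
    """RFC 4515 escaping: the lookup value originates in the client's AS-REQ,
    so '*', '(', ')', '\\' and NUL must become \\XX before it enters a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def client_lookup_filter(lookup_name):
    """The filter quoted in comment 1, with the lookup value escaped."""
    v = ldap_filter_escape(lookup_name)
    return ("(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)"
            "(objectClass=ipakrbprincipal))"
            f"(|(ipaKrbPrincipalAlias={v})(krbPrincipalName:caseIgnoreIA5Match:={v})))")


def kdb_lookup_name(request_name, enterprise):
    """Model of comment 3 for an in-realm canonicalisation request: kinit -E
    makes the whole string one component of an enterprise principal; the KDB
    step unparses it without the outer realm and without escaping and reparses
    it as an ordinary principal string, so an '@' inside the enterprise name
    is taken as the realm separator and only what precedes it reaches the filter."""
    if enterprise:
        components = [request_name]
    else:
        components, _ = parse_principal(request_name, OWN_REALM)
    flat = unparse_principal(components, realm=None, escape=False)
    reparsed, _ = parse_principal(flat, OWN_REALM)
    return "/".join(reparsed)


def alias_matches(lookup_name, stored_alias):
    """Simplified match rule (an assumption of this model, not IPA's logic):
    an alias in our own realm matches when its escaped, realm-less form
    equals the lookup name."""
    components, realm = parse_principal(stored_alias, OWN_REALM)
    return realm == OWN_REALM and unparse_principal(components) == lookup_name


def demo():
    """Constructed aliases stored as comment 3 says IPA stores them: fully
    qualified with the IPA realm, '@' inside a component escaped as '\\@'."""
    stored = [unparse_principal([c], OWN_REALM)
              for c in ("otpuser", "altuser", "raduser@test.ipa")]
    results = {}
    for request_name, enterprise in (("altuser", False),
                                     ("raduser@test.ipa", True)):
        key = kdb_lookup_name(request_name, enterprise)
        found = any(alias_matches(key, a) for a in stored)
        results[request_name] = (key, client_lookup_filter(key), found)
    return stored, results


if __name__ == "__main__":
    stored, results = demo()
    print("stored aliases:", stored)
    for name, (key, flt, found) in results.items():
        print(f"{name!r}: lookup key {key!r}, found={found}\n  {flt}")
```

Running it shows the asymmetry in the report: altuser resolves to the lookup key altuser and is found, while the enterprise name raduser@test.ipa collapses to the key raduser, whose filter is exactly the one quoted in comment 1 and which matches none of the stored aliases, since the alias was stored as raduser\@test.ipa@TESTREALM.COM. The RFC 4515 escaping is the check to keep in any code that builds such a filter from a client-supplied name.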

Comment 7 Florence Blanc-Renaud 2021-07-06 13:55:36 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux 8. Unfortunately, this bug cannot be kept even as a stretch goal and was postponed to RHEL 9.

Comment 11 Trivino 2022-05-10 07:24:18 UTC
Postponed for RHEL 9.2.0 (after the krb5 1.20 migration is completed). In short: the krb5 1.20 migration will affect canonicalization of the principals; the UPNs will be affected.

Comment 13 RHEL Program Management 2022-07-13 07:28:26 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

