Bug 1979625 - Add checks to prevent assigning authentication indicators to internal IPA services
Summary: Add checks to prevent assigning authentication indicators to internal IPA ser...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: beta
Target Release: ---
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-07-06 15:06 UTC by Florence Blanc-Renaud
Modified: 2021-11-10 00:01 UTC (History)
CC List: 6 users

Fixed In Version: idm-client-8050020210715144943.de73ecb2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 18:29:52 UTC
Type: ---
Target Upstream Version:
Embargoed:

Links
Red Hat Issue Tracker: FREEIPA-7287 (last updated 2021-11-09 18:33:00 UTC)
Red Hat Product Errata: RHBA-2021:4230 (last updated 2021-11-09 18:30:16 UTC)

Description Florence Blanc-Renaud 2021-07-06 15:06:43 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/8206

Authentication indicators currently should not be enforced against internal IPA services because not all users of those services can produce Kerberos tickets with the required authentication indicators. Enforcing the indicators will lead to a broken FreeIPA deployment for such services. Thus, we should add logic that prevents such a broken setup.

`host/...`, `ldap/..`, `HTTP/..`, and `cifs/..` principals on IPA masters should not allow setting any authentication indicators as of the moment.
 
In Active Directory infrastructure all services running on the machine are aliases of the machine account (represented with the `host/...` service principal). It means they all have the same Kerberos keys. In FreeIPA there is no strong aliasing between the services running on a host; `host/...` and `cifs/...` keys can be different. However, the `host/...` service principal on any IPA system running Samba plays an important role for DCE RPC calls authenticated with the help of Kerberos, because DCE RPC clients will use the `host/...` key to encrypt a request and the DCE RPC server will have to use its own `host/..` keys to decrypt that request. It means DCE RPC clients will attempt to obtain a service ticket to `host/..` on a target DCE RPC server automatically. Assigning an authentication indicator to it will prevent this operation, rendering SMB (and DCE RPC) services impossible to use.

This means that for IPA clients which have Samba services enabled (have a `cifs/...` service principal), it should also not be possible to assign an authentication indicator to the `host/...` and `cifs/..` principals on those hosts.

We need to figure out if using `hardened` authentication indicator could be permitted.

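The rule in the description above, written out as an added example (this is not FreeIPA's own code, and FreeIPA's plugin API is not used): a principal is parsed into service and hostname, and any indicator assignment is refused for `host/`, `ldap/`, `HTTP/` and `cifs/` on an IPA master, and for `host/` and `cifs/` on a client that has a `cifs/` service. The topology (`IPA_MASTERS`, `CIFS_HOSTS`) is constructed sample data standing in for server-find and a cifs/ service lookup, and `Principal`, `check_auth_indicator` and `indicator_allowed` are names chosen here for illustration. The entry passed in mirrors the attribute dict a plugin pre_callback sees, so both the str and single-element-list forms of `krbprincipalname` are accepted, and a principal without a host component (a user principal) is treated as outside the rule rather than crashing; comment 8 below shows the real check raising an uncaught ValueError on that path.

```python
"""Added example, not FreeIPA code: indicator policy for internal IPA services."""
from dataclasses import dataclass
from typing import Optional, Sequence, Union

# Constructed sample topology. In IPA this would come from server-find and
# from looking up cifs/ service entries, not from module constants.
IPA_MASTERS = {"master.ipa.test", "replica1.ipa.test"}
CIFS_HOSTS = {"fileserver.ipa.test"}  # IPA clients that run Samba

# On an IPA master these services are used by components that cannot present
# tickets carrying an indicator, so none may be assigned to them.
INTERNAL_MASTER_SERVICES = ("host", "ldap", "HTTP", "cifs")
# On any host running Samba, DCE RPC clients fetch host/ tickets implicitly,
# so host/ and cifs/ must stay indicator-free there as well.
SAMBA_BOUND_SERVICES = ("host", "cifs")
# The description leaves open whether 'hardened' could be permitted; this
# example rejects every indicator uniformly.


class ValidationError(ValueError):
    """Raised when an indicator must not be assigned to this principal."""


@dataclass(frozen=True)
class Principal:
    service: Optional[str]   # None for user principals
    hostname: Optional[str]  # lower-cased: DNS names compare case-insensitively
    realm: Optional[str]

    @classmethod
    def parse(cls, name: str) -> "Principal":
        primary, _, realm = name.partition("@")
        comps = primary.split("/")
        if len(comps) == 2 and all(comps):
            # service/hostname form: host/, ldap/, HTTP/, cifs/, nfs/, ...
            return cls(comps[0], comps[1].lower(), realm or None)
        # Anything else (user principal, odd component count) has no hostname.
        return cls(None, None, realm or None)


def _one(value: Union[str, Sequence[str]]) -> str:
    """LDAP attributes arrive as a str or a single-element list; accept both."""
    if isinstance(value, (list, tuple)):
        if len(value) != 1:
            raise ValidationError("krbprincipalname must have exactly one value")
        return value[0]
    return value


def check_auth_indicator(entry: dict) -> None:
    """Raise ValidationError if entry assigns indicators to an internal service.

    entry carries 'krbprincipalname' and optionally 'krbprincipalauthind',
    each as a str or list, like the attribute dict a plugin callback sees.
    """
    indicators = entry.get("krbprincipalauthind")
    if not indicators:
        return  # nothing being assigned, nothing to enforce
    principal = Principal.parse(_one(entry["krbprincipalname"]))
    if principal.hostname is None:
        # Not a host/service principal: the rule does not apply. The real
        # check in comment 8 raised an uncaught ValueError on this path.
        return
    if (principal.hostname in IPA_MASTERS
            and principal.service in INTERNAL_MASTER_SERVICES):
        raise ValidationError(
            f"authentication indicators are not allowed on internal IPA "
            f"service {principal.service}/ of master {principal.hostname}")
    if (principal.hostname in CIFS_HOSTS
            and principal.service in SAMBA_BOUND_SERVICES):
        raise ValidationError(
            f"{principal.service}/ on {principal.hostname} is used by Samba "
            f"(DCE RPC) and cannot carry authentication indicators")


def indicator_allowed(principal_name, indicators) -> bool:
    """True if assigning `indicators` to `principal_name` passes the check."""
    try:
        check_auth_indicator({"krbprincipalname": principal_name,
                              "krbprincipalauthind": list(indicators)})
    except ValidationError:
        return False
    return True
```

With the sample topology, `indicator_allowed("host/master.ipa.test@IPA.TEST", ["otp"])` is refused, `indicator_allowed("host/another01.ipa.test@IPA.TEST", ["otp"])` is permitted because the host is neither a master nor a Samba host, and `nfs/fileserver.ipa.test` is permitted because only `host/` and `cifs/` on a Samba client are bound to the DCE RPC path.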
Comment 1 Florence Blanc-Renaud 2021-07-06 15:09:04 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8206

Comment 2 Florence Blanc-Renaud 2021-07-06 15:10:15 UTC
Fixed upstream:
master:

    0bdbf11 Add checks to prevent adding auth indicators to internal IPA services
    da72a57 ipatests: ensure auth indicators can't be added to internal IPA services

Comment 3 Florence Blanc-Renaud 2021-07-06 15:11:37 UTC
Adding TestCaseProvided as a new test is available in 
ipatests/test_xmlrpc/test_host_plugin.py::TestProtectedMaster::test_try_add_auth_ind_master
ipatests/test_xmlrpc/test_service_plugin.py::TestAuthenticationIndicators::test_update_indicator_internal_service

Comment 8 anuja 2021-07-12 12:56:52 UTC
Verified with : ipa-server-4.9.6-2.module+el8.5.0+11725+f7f58359.x86_64

With ipa host-add, it should fail with the correct error on the ipa-server.

logs from downstream: src/otp/test_0004_authentication_indicators.py::TestAuthIndent::()::test009
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
transport.py               519 DEBUG    RUN ['ipa', 'host-add', '--auth-ind=otp', '--force', 'another01.TESTREALM.TEST']
channel.py                1212 DEBUG    [chan 861] Sesch channel 861 request ok
transport.py               563 DEBUG    ipa: ERROR: an internal error has occurred
channel.py                1212 DEBUG    [chan 861] EOF received (861)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[root@master ~]# tail -20 /var/log/httpd/error_log 
[Mon Jul 12 08:49:09.703718 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396] Traceback (most recent call last):
[Mon Jul 12 08:49:09.703721 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 405, in wsgi_execute
[Mon Jul 12 08:49:09.703724 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     result = command(*args, **options)
[Mon Jul 12 08:49:09.703727 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
[Mon Jul 12 08:49:09.703730 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     return self.__do_call(*args, **options)
[Mon Jul 12 08:49:09.703733 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
[Mon Jul 12 08:49:09.703735 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     ret = self.run(*args, **options)
[Mon Jul 12 08:49:09.703738 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
[Mon Jul 12 08:49:09.703741 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     return self.execute(*args, **options)
[Mon Jul 12 08:49:09.703743 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/baseldap.py", line 1278, in execute
[Mon Jul 12 08:49:09.703746 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     *keys, **options)
[Mon Jul 12 08:49:09.703749 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/host.py", line 738, in pre_callback
[Mon Jul 12 08:49:09.703752 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     validate_auth_indicator(entry_attrs)
[Mon Jul 12 08:49:09.703755 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/service.py", line 213, in validate_auth_indicator
[Mon Jul 12 08:49:09.703758 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     server = api.Command.server_find(principal.hostname)['result']
[Mon Jul 12 08:49:09.703761 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]   File "/usr/lib/python3.6/site-packages/ipapython/kerberos.py", line 174, in hostname
[Mon Jul 12 08:49:09.703764 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396]     "hostname is defined for host and service principals")
[Mon Jul 12 08:49:09.703768 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396] ValueError: hostname is defined for host and service principals
[Mon Jul 12 08:49:09.703775 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396] 
[Mon Jul 12 08:49:09.704126 2021] [wsgi:error] [pid 22624:tid 139630394898176] [remote 10.0.151.59:34396] ipa: INFO: [jsonserver_session] admin: host_add/1('test.IPA.TEST', krbprincipalauthind=('otp',), force=True, version='2.242'): InternalError
[root@master ~]#

Comment 9 Rob Crittenden 2021-07-13 21:58:58 UTC
Added test test_xmlrpc/test_host_plugin.py::TestProtectedMaster::test_add_non_master_with_auth_ind

Fixed upstream
master:
https://pagure.io/freeipa/c/bd0d43745072ec7976207c231cba8411efb41e17

Comment 10 Rob Crittenden 2021-07-14 13:55:20 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/8ad535b618d60fa016061212ff85d0ad28ccae59

Comment 13 Ganna Kaihorodova 2021-08-05 10:56:17 UTC
Bugzilla verified with existing test automation 

ipa-server-4.9.6-4.module+el8.5.0+11912+1b4496cf.x86_64.rpm 


Passed 	test_xmlrpc/test_service_plugin.py::TestAuthenticationIndicators::()::test_create_service_with_otp_indicator
Passed 	test_xmlrpc/test_service_plugin.py::TestAuthenticationIndicators::()::test_adding_all_indicators 	
Passed	test_xmlrpc/test_service_plugin.py::TestAuthenticationIndicators::()::test_update_indicator
Passed 	test_xmlrpc/test_host_plugin.py::TestProtectedMaster::()::test_try_add_auth_ind_master 		
Passed 	test_xmlrpc/test_host_plugin.py::TestProtectedMaster::()::test_add_non_master_with_auth_ind


Passed 	test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::()::test_kra_install_master 	299.45 	
Passed 	test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::()::test_one_step_install_pwd_and_admin_pwd 	31.08 	
Passed 	test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::()::test_one_command_installation 	264.34 	

Detailed verification log in attached files

Comment 15 errata-xmlrpc 2021-11-09 18:29:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230

