
Bug 1979629

Summary: Add checks to prevent assigning authentication indicators to internal IPA services
Product: Red Hat Enterprise Linux 9
Reporter: Florence Blanc-Renaud <frenaud>
Component: ipa
Assignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED CURRENTRELEASE
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 9.0
CC: ksiddiqu, rcritten, tscherf
Target Milestone: beta
Keywords: TestCaseProvided
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.9.6-3.el9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-12-07 21:30:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Florence Blanc-Renaud 2021-07-06 15:12:38 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/8206

Authentication indicators currently should not be enforced against internal IPA services because not all users of those services can produce Kerberos tickets with the required authentication indicators. Enforcing the indicators will lead to a broken FreeIPA deployment for such services. Thus, we should add logic that prevents such a broken setup.

`host/...`, `ldap/...`, `HTTP/...`, and `cifs/...` principals on IPA masters should not allow setting any authentication indicators at the moment.
 
In Active Directory infrastructure all services running on the machine are aliases of the machine account (represented with the `host/...` service principal). It means they all have the same Kerberos keys. In FreeIPA there is no strong aliasing between the services running on a host; `host/...` and `cifs/...` keys can be different. However, the `host/...` service principal on any IPA system running Samba plays an important role for DCE RPC calls authenticated with the help of Kerberos, because DCE RPC clients will use the `host/...` key to encrypt a request and the DCE RPC server will have to use its own `host/...` keys to decrypt that request. It means DCE RPC clients will attempt to obtain a service ticket to `host/...` on a target DCE RPC server automatically. Assigning an authentication indicator to it will prevent this operation, rendering SMB (and DCE RPC) services impossible to use.

This means that for IPA clients which have Samba services enabled (have a `cifs/...` service principal), it should also not be possible to assign an authentication indicator to the `host/...` and `cifs/...` principals on those hosts.

We need to figure out if using `hardened` authentication indicator could be permitted.
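The rule described above, written out as a policy check. This is an added illustration, not FreeIPA's own implementation from the linked commits; it assumes principals of the form `service/fqdn@REALM`, that the caller already knows which hosts are IPA masters and which carry a `cifs/` principal, and it treats `hardened` like any other indicator since the ticket leaves that question open.

```python
from __future__ import annotations

# Services on IPA masters that must never carry an authentication indicator
# (the host/, ldap/, HTTP/ and cifs/ principals named in the description).
MASTER_PROTECTED_SERVICES = frozenset({"host", "ldap", "HTTP", "cifs"})
# Services protected on any IPA client that runs Samba (has a cifs/ principal):
# DCE RPC clients fetch a host/ ticket automatically, so host/ must stay usable.
SAMBA_PROTECTED_SERVICES = frozenset({"host", "cifs"})


class ProtectedServiceError(ValueError):
    """Raised when an indicator would break an internal IPA service."""


def split_principal(principal: str) -> tuple[str, str]:
    """Return (service, hostname) from 'service/host@REALM' (assumed format)."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        raise ValueError(f"not a service principal: {principal!r}")
    service, host = name.split("/", 1)
    return service, host.lower()


def is_protected(principal: str, ipa_masters, samba_hosts) -> bool:
    """True if auth indicators must not be assigned to this principal."""
    service, host = split_principal(principal)
    if host in {h.lower() for h in ipa_masters}:
        return service in MASTER_PROTECTED_SERVICES
    if host in {h.lower() for h in samba_hosts}:
        return service in SAMBA_PROTECTED_SERVICES
    return False


def check_auth_indicators(principal: str, indicators, ipa_masters,
                          samba_hosts) -> list[str]:
    """Validate a requested indicator set; return it if the assignment is allowed.

    Clearing indicators (empty list) is always permitted, even on protected
    principals, so an existing broken setup can be repaired.
    """
    wanted = [i for i in indicators if i]
    if wanted and is_protected(principal, ipa_masters, samba_hosts):
        service, host = split_principal(principal)
        raise ProtectedServiceError(
            f"authentication indicators cannot be set on {service}/{host}: "
            "internal IPA service (constructed error text)")
    return wanted
```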

Comment 1 Florence Blanc-Renaud 2021-07-06 15:13:54 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8206

Comment 2 Florence Blanc-Renaud 2021-07-06 15:15:43 UTC
Fixed upstream:
master:

    0bdbf11 Add checks to prevent adding auth indicators to internal IPA services
    da72a57 ipatests: ensure auth indicators can't be added to internal IPA services

Comment 3 Florence Blanc-Renaud 2021-07-06 15:17:33 UTC
Adding TestCaseProvided as a new test is available in 
ipatests/test_xmlrpc/test_host_plugin.py::TestProtectedMaster::test_try_add_auth_ind_master
ipatests/test_xmlrpc/test_service_plugin.py::TestAuthenticationIndicators::test_update_indicator_internal_service

Comment 7 Rob Crittenden 2021-07-13 21:59:15 UTC
Added test test_xmlrpc/test_host_plugin.py::TestProtectedMaster::test_add_non_master_with_auth_ind

Fixed upstream
master:
https://pagure.io/freeipa/c/bd0d43745072ec7976207c231cba8411efb41e17

Comment 8 Rob Crittenden 2021-07-13 22:00:14 UTC
This will fail QE per the 8.5 equivalent. Moving back to ASSIGNED.

Comment 9 Rob Crittenden 2021-07-14 13:56:32 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/8ad535b618d60fa016061212ff85d0ad28ccae59

Comment 11 Kaleem 2021-07-29 14:01:32 UTC
The following tests were executed and passed in the nightly compose (RHEL-9.0.0-20210728.4); based on this, moving it to verified.

snip from automation log files:

(A) test-result.txt.gz

(1) test_install_with_host_auth_ind_set from test_integration/test_replica_promotion.py
============================= test session starts ==============================
platform linux -- Python 3.9.6, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
....
collecting ... collected 4 items

test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::test_install_with_host_auth_ind_set PASSED [ 75%]

(2) xmlrpc tests (test_try_add_auth_ind_master, test_update_indicator_internal_service, test_add_non_master_with_auth_ind)

test_xmlrpc/test_host_plugin.py::TestProtectedMaster::test_try_add_auth_ind_master PASSED [ 45%]
test_xmlrpc/test_host_plugin.py::TestProtectedMaster::test_add_non_master_with_auth_ind PASSED [ 45%]
test_xmlrpc/test_service_plugin.py::TestAuthenticationIndicators::test_update_indicator_internal_service PASSED [ 86%]


(B) runner.log 

2021-07-29T12:09:27+0000 ok: [master.testrelm.test] => (item=ipa-server) => 
2021-07-29T12:09:27+0000   msg:
2021-07-29T12:09:27+0000   - arch: x86_64
2021-07-29T12:09:27+0000     epoch: null
2021-07-29T12:09:27+0000     name: ipa-server
2021-07-29T12:09:27+0000     release: 4.el9
2021-07-29T12:09:27+0000     source: rpm
2021-07-29T12:09:27+0000     version: 4.9.6