RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2033342 - User can't log in after ipa-user-mod --user-auth-type=hardened
Summary: User can't log in after ipa-user-mod --user-auth-type=hardened
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.5
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Julien Rische
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 2049104
TreeView+ depends on / blocked
 
Reported: 2021-12-16 15:01 UTC by Sam Morris
Modified: 2022-05-10 14:35 UTC (History)
9 users (show)

Fixed In Version: idm-DL1-8060020220203151553.92098735
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2049104 (view as bug list)
Environment:
Last Closed: 2022-05-10 14:09:17 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Fedora Pagure freeipa issue 9065 0 None None None 2021-12-16 15:26:10 UTC
Red Hat Issue Tracker FREEIPA-7640 0 None None None 2021-12-16 15:11:53 UTC
Red Hat Issue Tracker RHELPLAN-106013 0 None None None 2021-12-16 15:11:56 UTC
Red Hat Product Errata RHEA-2022:1884 0 None None None 2022-05-10 14:09:52 UTC

Description Sam Morris 2021-12-16 15:01:13 UTC 
Description of problem:
I've a user for which I've run:

$ ipa user-mod user --user-auth-type=hardened

Now they can't use kinit any more:

[admin@ipa-test0 ~]$ KRB5_TRACE=/dev/stderr KRB5CCNAME=MEMORY: kinit htest
[3910683] 1639666477.833986: Getting initial credentials for htest
[3910683] 1639666477.833988: Sending unauthenticated request
[3910683] 1639666477.833989: Sending request (167 bytes) to IPATEST.QQ
[3910683] 1639666477.833990: Initiating TCP connection to stream 192.168.0.7:88
[3910683] 1639666477.833991: Sending TCP request to stream 192.168.0.7:88
[3910683] 1639666477.833992: Received answer (234 bytes) from stream 192.168.0.7:88
[3910683] 1639666477.833993: Terminating TCP connection to stream 192.168.0.7:88
[3910683] 1639666477.833994: Response was from primary KDC
[3910683] 1639666477.833995: Received error from KDC: -1765328359/Additional pre-authentication required
[3910683] 1639666477.833998: Preauthenticating using KDC method data
[3910683] 1639666477.833999: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[3910683] 1639666477.834000: Received cookie: MIT
[3910683] 1639666477.834001: PKINIT client has no configured identity; giving up
[3910683] 1639666477.834002: Preauth module pkinit (147) (info) returned: 0/Success
[3910683] 1639666477.834003: PKINIT client received freshness token from KDC
[3910683] 1639666477.834004: Preauth module pkinit (150) (info) returned: 0/Success
[3910683] 1639666477.834005: PKINIT client has no configured identity; giving up
[3910683] 1639666477.834006: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

Nor can they log in via PAM:

==> /var/log/sssd/krb5_child.log <==
(2021-12-16 14:56:46): [krb5_child[3910812]] [get_and_save_tgt] (0x0020): 1724: [-1765328174][Pre-authentication failed: Invalid argument]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x0400): krb5_child started.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [unpack_buffer] (0x1000): total buffer size: [107]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [1829800021] gid [1829800021] validate [true] enterprise principal [false] offline [false] UPN [htest]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [unpack_buffer] (0x0100): ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [switch_creds] (0x0200): Switch user to [1829800021][1829800021].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [switch_creds] (0x0200): Switch user to [0][0].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KCM:] and is not active and TGT is  valid.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [k5c_precreate_ccache] (0x4000): Recreating ccache
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/ipa-test0.example.qq]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipa-test0.example.qq in keytab.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [match_principal] (0x1000): Principal matched to the sample (host/ipa-test0.example.qq).
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [become_user] (0x0200): Trying to become user [1829800021][1829800021].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x2000): Running as [1829800021][1829800021].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [set_lifetime_options] (0x0100): No specific lifetime requested.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x0400): Will perform auth
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x0400): Will perform online auth
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [tgt_req_child] (0x1000): Attempting to get a TGT
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [IPATEST.QQ]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [get_and_save_tgt] (0x0020): 1724: [-1765328174][Pre-authentication failed: Invalid argument]

********************** BACKTRACE DUMP ENDS HERE *********************************

(2021-12-16 14:56:46): [krb5_child[3910812]] [map_krb5_error] (0x0020): [1432158222][Failure setting user credentials].

Version-Release number of selected component (if applicable):
ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64 (RHEL 8)
ipa-server-4.9.6-9.el9.x86_64 (CentOS Stream 9)

How reproducible:
100% on both RHEL 8 and CentOS Stream 9


Steps to Reproduce:
1. ipa-server-install
2. ipa user-add htest
3. ipa user-mod htest --user-auth-type=hardened

Actual results:
User can't use kinit to authenticate with SPAKE; nor can they use kinit -T to authenticate via a FAST channel. pam_sss doesn't let them in either.

Expected results:
kinit and pam_sss should let user log in.

Additional info:
Forwarded from https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/B2NGHAIUTWWO2QLHZS6UWRTJWXW4MB6K/
Comment 1 Alexander Bokovoy 2021-12-16 15:18:34 UTC 
Thoughts:

I think it is due to this handling of 'ua' (user auth) in case 0 below where IPADB_USER_AUTH_HARDENED should have also be considered:
https://pagure.io/freeipa/blob/master/f/daemons/ipa-kdb/ipa_kdb_principals.c#_786

    ret = ipadb_ldap_attr_to_key_data(lcontext, lentry,
                                      "krbPrincipalKey",
                                      &res_key_data, &result, &mkvno);
    switch (ret) {
    case 0:
        /* Only set a principal's key if password auth can be used. Otherwise
         * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
         * reply for AS-REQs which indicate the password authentication is
         * available. This might confuse applications like e.g. SSSD which try
         * to determine suitable authentication methods and corresponding
         * prompts with the help of MIT Kerberos' responder interface which
         * acts on the returned pre-authentication methods. A typical example
         * is enforced OTP authentication where of course keys are available
         * for the first factor but password authentication should not be
         * advertised by the KDC. */
        if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
            /* This is the same behavior as ENOENT below. */
            ipa_krb5_free_key_data(res_key_data, result);
            break;
        }

        entry->key_data = res_key_data;
        entry->n_key_data = result;
        if (mkvno) {
            krb5_int16 kvno16le = htole16((krb5_int16)mkvno);

            kerr = ipadb_set_tl_data(entry, KRB5_TL_MKVNO,
                                     sizeof(kvno16le),
                                     (krb5_octet *)&kvno16le);
            if (kerr) {
                goto done;
            }
        }
    case ENOENT:
        break;
    default:
        kerr = KRB5_KDB_INTERNAL_ERROR;
        goto done;
    }
Comment 2 Sam Morris 2021-12-16 15:19:53 UTC 
Upstream bug: https://pagure.io/freeipa/issue/9065
Comment 3 Trivino 2022-02-02 12:46:58 UTC 
Upstream PR: https://github.com/freeipa/freeipa/pull/6161
Comment 4 Florence Blanc-Renaud 2022-02-02 14:44:15 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/35e94bee0e0da4cf43c613a5296d57f7e04b583a
https://pagure.io/freeipa/c/97d123ccccb50098e21884a0aa9d90ed017ef97e
Comment 5 Florence Blanc-Renaud 2022-02-02 20:52:39 UTC 
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/6d70421f57d0eca066a922e09416ef7195ee96d4
https://pagure.io/freeipa/c/294ae35a61e6ca8816b261c57508e4be21221864
Comment 11 Varun Mylaraiah 2022-02-23 18:04:34 UTC 
Verified
ipa-server-4.9.8-6.module+el8.6.0+14224+4c38d4ea.x86_64

Passed	test_integration/test_krbtpolicy.py::TestPWPolicy::()::test_krbtpolicy_password_and_hardended
------------------------------ Captured log setup ------------------------------
transport.py               391 INFO     RUN ['kinit', 'admin']
transport.py               513 DEBUG    RUN ['kinit', 'admin']
transport.py               558 DEBUG    Password for admin: 
transport.py               217 DEBUG    Exit code: 0
------------------------------ Captured log call -------------------------------
transport.py               391 INFO     RUN ['ipa', 'user-mod', 'testuser1', '--user-auth-type', 'password', '--user-auth-type', 'hardened']
transport.py               513 DEBUG    RUN ['ipa', 'user-mod', 'testuser1', '--user-auth-type', 'password', '--user-auth-type', 'hardened']
transport.py               558 DEBUG    -------------------------
transport.py               558 DEBUG    Modified user "testuser1"
transport.py               558 DEBUG    -------------------------
transport.py               558 DEBUG      User login: testuser1
transport.py               558 DEBUG      First name: test
transport.py               558 DEBUG      Last name: user
transport.py               558 DEBUG      Home directory: /home/testuser1
transport.py               558 DEBUG      Login shell: /bin/sh
transport.py               558 DEBUG      Principal name: testuser1
transport.py               558 DEBUG      Principal alias: testuser1
transport.py               558 DEBUG      Email address: testuser1
transport.py               558 DEBUG      UID: 15200003
transport.py               558 DEBUG      GID: 15200003
transport.py               558 DEBUG      User authentication types: password, hardened
transport.py               558 DEBUG      Account disabled: False
transport.py               558 DEBUG      Password: True
transport.py               558 DEBUG      Member of groups: ipausers
transport.py               558 DEBUG      Kerberos keys available: True
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['ipa', 'config-mod', '--user-auth-type', 'password', '--user-auth-type', 'hardened']
transport.py               513 DEBUG    RUN ['ipa', 'config-mod', '--user-auth-type', 'password', '--user-auth-type', 'hardened']
transport.py               558 DEBUG      Maximum username length: 32
transport.py               558 DEBUG      Maximum hostname length: 64
transport.py               558 DEBUG      Home directory base: /home
transport.py               558 DEBUG      Default shell: /bin/sh
transport.py               558 DEBUG      Default users group: ipausers
transport.py               558 DEBUG      Default e-mail domain: testrelm.test
transport.py               558 DEBUG      Search time limit: 2
transport.py               558 DEBUG      Search size limit: 100
transport.py               558 DEBUG      User search fields: uid,givenname,sn,telephonenumber,ou,title
transport.py               558 DEBUG      Group search fields: cn,description
transport.py               558 DEBUG      Enable migration mode: FALSE
transport.py               558 DEBUG      Certificate Subject base: O=TESTRELM.TEST
transport.py               558 DEBUG      Password Expiration Notification (days): 4
transport.py               558 DEBUG      Password plugin features: AllowNThash, KDC:Disable Last Success
transport.py               558 DEBUG      SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
transport.py               558 DEBUG      Default SELinux user: unconfined_u:s0-s0:c0.c1023
transport.py               558 DEBUG      Default PAC types: MS-PAC, nfs:NONE
transport.py               558 DEBUG      Default user authentication types: password, hardened
transport.py               558 DEBUG      IPA masters: master.testrelm.test
transport.py               558 DEBUG      IPA master capable of PKINIT: master.testrelm.test
transport.py               558 DEBUG      IPA CA servers: master.testrelm.test
transport.py               558 DEBUG      IPA CA renewal master: master.testrelm.test
transport.py               558 DEBUG      IPA DNS servers: master.testrelm.test
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['ipa', 'krbtpolicy-mod', 'testuser1', '--hardened-maxlife', '600']
transport.py               513 DEBUG    RUN ['ipa', 'krbtpolicy-mod', 'testuser1', '--hardened-maxlife', '600']
transport.py               558 DEBUG      Max life: 86400
transport.py               558 DEBUG      Hardened max life: 600
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['kdestroy', '-A']
transport.py               513 DEBUG    RUN ['kdestroy', '-A']
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['kinit', 'testuser1']
transport.py               513 DEBUG    RUN ['kinit', 'testuser1']
transport.py               558 DEBUG    Password for testuser1: 
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN klist | grep krbtgt
transport.py               513 DEBUG    RUN klist | grep krbtgt
transport.py               558 DEBUG    02/23/2022 12:47:10  02/23/2022 12:57:10  krbtgt/TESTRELM.TEST
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['kdestroy', '-A']
transport.py               513 DEBUG    RUN ['kdestroy', '-A']
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['kinit', 'testuser2']
transport.py               513 DEBUG    RUN ['kinit', 'testuser2']
transport.py               558 DEBUG    Password for testuser2: 
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN klist | grep krbtgt
transport.py               513 DEBUG    RUN klist | grep krbtgt
transport.py               558 DEBUG    02/23/2022 12:47:10  02/24/2022 11:51:49  krbtgt/TESTRELM.TEST
transport.py               217 DEBUG    Exit code: 0

http://idm-artifacts.usersys.redhat.com/mvarun/trigger//3929/test-suite/report.html.gz
Based on the test result, marking the bug VERIFIED.
Comment 13 errata-xmlrpc 2022-05-10 14:09:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1884
Note You need to log in before you can comment on or make changes to this bug.