RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2049104 - User can't log in after ipa-user-mod --user-auth-type=hardened
Summary: User can't log in after ipa-user-mod --user-auth-type=hardened
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ipa
Version: 9.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On: 2033342
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-02-01 14:46 UTC by Rafael Jeffman
Modified: 2022-05-17 13:00 UTC (History)
11 users (show)

Fixed In Version: ipa-4.9.8-2.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2033342
Environment:
Last Closed: 2022-05-17 12:44:20 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-7774 0 None None None 2022-02-01 15:02:19 UTC
Red Hat Issue Tracker RHELPLAN-110543 0 None None None 2022-02-01 15:02:33 UTC
Red Hat Product Errata RHBA-2022:2387 0 None None None 2022-05-17 12:44:43 UTC

Description Rafael Jeffman 2022-02-01 14:46:54 UTC 
+++ This bug was initially created as a clone of Bug #2033342 +++

Description of problem:
I've a user for which I've run:

$ ipa user-mod user --user-auth-type=hardened

Now they can't use kinit any more:

[admin@ipa-test0 ~]$ KRB5_TRACE=/dev/stderr KRB5CCNAME=MEMORY: kinit htest
[3910683] 1639666477.833986: Getting initial credentials for htest
[3910683] 1639666477.833988: Sending unauthenticated request
[3910683] 1639666477.833989: Sending request (167 bytes) to IPATEST.QQ
[3910683] 1639666477.833990: Initiating TCP connection to stream 192.168.0.7:88
[3910683] 1639666477.833991: Sending TCP request to stream 192.168.0.7:88
[3910683] 1639666477.833992: Received answer (234 bytes) from stream 192.168.0.7:88
[3910683] 1639666477.833993: Terminating TCP connection to stream 192.168.0.7:88
[3910683] 1639666477.833994: Response was from primary KDC
[3910683] 1639666477.833995: Received error from KDC: -1765328359/Additional pre-authentication required
[3910683] 1639666477.833998: Preauthenticating using KDC method data
[3910683] 1639666477.833999: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[3910683] 1639666477.834000: Received cookie: MIT
[3910683] 1639666477.834001: PKINIT client has no configured identity; giving up
[3910683] 1639666477.834002: Preauth module pkinit (147) (info) returned: 0/Success
[3910683] 1639666477.834003: PKINIT client received freshness token from KDC
[3910683] 1639666477.834004: Preauth module pkinit (150) (info) returned: 0/Success
[3910683] 1639666477.834005: PKINIT client has no configured identity; giving up
[3910683] 1639666477.834006: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

Nor can they log in via PAM:

==> /var/log/sssd/krb5_child.log <==
(2021-12-16 14:56:46): [krb5_child[3910812]] [get_and_save_tgt] (0x0020): 1724: [-1765328174][Pre-authentication failed: Invalid argument]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x0400): krb5_child started.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [unpack_buffer] (0x1000): total buffer size: [107]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [1829800021] gid [1829800021] validate [true] enterprise principal [false] offline [false] UPN [htest]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [unpack_buffer] (0x0100): ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [switch_creds] (0x0200): Switch user to [1829800021][1829800021].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [switch_creds] (0x0200): Switch user to [0][0].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KCM:] and is not active and TGT is  valid.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [k5c_precreate_ccache] (0x4000): Recreating ccache
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/ipa-test0.example.qq]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipa-test0.example.qq in keytab.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [match_principal] (0x1000): Principal matched to the sample (host/ipa-test0.example.qq).
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [become_user] (0x0200): Trying to become user [1829800021][1829800021].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x2000): Running as [1829800021][1829800021].
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [set_lifetime_options] (0x0100): No specific lifetime requested.
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x0400): Will perform auth
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [main] (0x0400): Will perform online auth
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [tgt_req_child] (0x1000): Attempting to get a TGT
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [IPATEST.QQ]
   *  (2021-12-16 14:56:46): [krb5_child[3910812]] [get_and_save_tgt] (0x0020): 1724: [-1765328174][Pre-authentication failed: Invalid argument]

********************** BACKTRACE DUMP ENDS HERE *********************************

(2021-12-16 14:56:46): [krb5_child[3910812]] [map_krb5_error] (0x0020): [1432158222][Failure setting user credentials].

Version-Release number of selected component (if applicable):
ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64 (RHEL 8)
ipa-server-4.9.6-9.el9.x86_64 (CentOS Stream 9)

How reproducible:
100% on both RHEL 8 and CentOS Stream 9


Steps to Reproduce:
1. ipa-server-install
2. ipa user-add htest
3. ipa user-mod htest --user-auth-type=hardened

Actual results:
User can't use kinit to authenticate with SPAKE; nor can they use kinit -T to authenticate via a FAST channel. pam_sss doesn't let them in either.

Expected results:
kinit and pam_sss should let user log in.

Additional info:
Forwarded from https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/B2NGHAIUTWWO2QLHZS6UWRTJWXW4MB6K/

--- Additional comment from Alexander Bokovoy on 2021-12-16 15:18:34 UTC ---

Thoughts:

I think it is due to this handling of 'ua' (user auth) in case 0 below where IPADB_USER_AUTH_HARDENED should have also be considered:
https://pagure.io/freeipa/blob/master/f/daemons/ipa-kdb/ipa_kdb_principals.c#_786

    ret = ipadb_ldap_attr_to_key_data(lcontext, lentry,
                                      "krbPrincipalKey",
                                      &res_key_data, &result, &mkvno);
    switch (ret) {
    case 0:
        /* Only set a principal's key if password auth can be used. Otherwise
         * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
         * reply for AS-REQs which indicate the password authentication is
         * available. This might confuse applications like e.g. SSSD which try
         * to determine suitable authentication methods and corresponding
         * prompts with the help of MIT Kerberos' responder interface which
         * acts on the returned pre-authentication methods. A typical example
         * is enforced OTP authentication where of course keys are available
         * for the first factor but password authentication should not be
         * advertised by the KDC. */
        if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
            /* This is the same behavior as ENOENT below. */
            ipa_krb5_free_key_data(res_key_data, result);
            break;
        }

        entry->key_data = res_key_data;
        entry->n_key_data = result;
        if (mkvno) {
            krb5_int16 kvno16le = htole16((krb5_int16)mkvno);

            kerr = ipadb_set_tl_data(entry, KRB5_TL_MKVNO,
                                     sizeof(kvno16le),
                                     (krb5_octet *)&kvno16le);
            if (kerr) {
                goto done;
            }
        }
    case ENOENT:
        break;
    default:
        kerr = KRB5_KDB_INTERNAL_ERROR;
        goto done;
    }

--- Additional comment from Sam Morris on 2021-12-16 15:19:53 UTC ---

Upstream bug: https://pagure.io/freeipa/issue/9065
Comment 1 Florence Blanc-Renaud 2022-02-02 14:44:48 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/35e94bee0e0da4cf43c613a5296d57f7e04b583a
https://pagure.io/freeipa/c/97d123ccccb50098e21884a0aa9d90ed017ef97e
Comment 2 Florence Blanc-Renaud 2022-02-02 20:52:44 UTC 
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/6d70421f57d0eca066a922e09416ef7195ee96d4
https://pagure.io/freeipa/c/294ae35a61e6ca8816b261c57508e4be21221864
Comment 7 Mohammad Rizwan 2022-02-10 06:50:16 UTC 
version:
ipa-server-4.9.8-2.el9.x86_64


Automation passed, hence marking the bug verified.
http://idm-artifacts.usersys.redhat.com/freeipa/Nightly/RHEL9.0/2022-02-04/tier-1/upstream-krbtpolicy/20//report.html
Comment 9 errata-xmlrpc 2022-05-17 12:44:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: ipa), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2387
Note You need to log in before you can comment on or make changes to this bug.