RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2162656 - Passwordless (GSSAPI) SSH not working for subdomain.
Summary: Passwordless (GSSAPI) SSH not working for subdomain.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ipa
Version: 9.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Florence Blanc-Renaud
QA Contact: anuja
URL:
Whiteboard:
Depends On:
Blocks: 2144442
TreeView+ depends on / blocked
 
Reported: 2023-01-20 12:21 UTC by anuja
Modified: 2023-05-09 08:26 UTC (History)
6 users (show)

Fixed In Version: ipa-4.10.1-5.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2166324 (view as bug list)
Environment:
Last Closed: 2023-05-09 07:33:20 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Fedora Pagure freeipa issue 9316 0 None None None 2023-02-07 10:15:16 UTC
Red Hat Issue Tracker FREEIPA-9366 0 None None None 2023-01-20 12:21:47 UTC
Red Hat Issue Tracker RHELPLAN-145891 0 None None None 2023-01-20 12:21:50 UTC
Red Hat Product Errata RHBA-2023:2205 0 None None None 2023-05-09 07:33:35 UTC

Description anuja 2023-01-20 12:21:00 UTC 
Description of problem:
Passwordless (GSSAPI) SSH not working for subdomain.

Version-Release number of selected component (if applicable):
sssd-ipa-2.8.2-1.el9.x86_64
ipa-server-4.10.1-2.el9.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install ipa-server with trust established to AD
2. kdestroy -A ; kinit aduser1.test
3. ssh -K -l aduser1.test master.ipa.test 'echo login successful' 

Actual results:
ssh fails.
(aduser1.test.test) Password: 
(aduser1.test.test) Password: 
(aduser1.test.test) Password: 
aduser1.test.test: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
[root@master ~]# echo $?
255
Expected results:
SSH should be successful.

Additional info:
Same steps are working for root domain.
Comment 4 Florence Blanc-Renaud 2023-01-24 19:29:12 UTC 
Not 100% sure about this but it looks like the tests started failing with ipa 4.10.1-1 on RHEL 9.2 (were green with 4.10.0-8), and with ipa 4.9.11-3 on RHEL 8.8 (were green with ipa-server-4.9.10-8).

The 2 rebases contain the patch for 9083: Support MIT Kerberos KDB version 9
(see https://www.freeipa.org/page/Releases/4.10.1 and https://www.freeipa.org/page/Releases/4.9.11)
that modified ipa-kdb driver, making this change a (maybe too) obvious suspect.


Reproducer steps:
install trust with AD, where AD domain is windows.test and a child domain sub1.windows.test contains the user aduser1
obtain a kerberos ticket for aduser1.test and use this ticket for ssh

# echo Secret123|kinit aduser1.TEST
Password for aduser1.TEST: 
# ssh -K -l aduser1.TEST `hostname` 'echo Success'

What can be seen in /var/log/krb5kdc.log when the test is run:

Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](Error): PAC Info mismatch: domain = windows.test, expected flat name = WINDOWS, found logon name = SUB1
Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](info): TGS_REQ : handle_authdata (22)
Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.0.191.232: HANDLE_AUTHDATA: authtime 1674588051, etypes {rep=UNSUPPORTED:(0)} aduser1.TEST for host/ip-10-0-191-232.user2k16.test, Invalid argument
Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](info): closing down fd 11
Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](Error): PAC Info mismatch: domain = windows.test, expected flat name = WINDOWS, found logon name = SUB1
Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](info): TGS_REQ : handle_authdata (22)
Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.0.191.232: HANDLE_AUTHDATA: authtime 1674588051, etypes {rep=UNSUPPORTED:(0)} aduser1.TEST for host/ip-10-0-191-232.user2k16.test, Invalid argument
Jan 24 14:21:18 ip-10-0-191-232.user2k16.test krb5kdc[43892](info): closing down fd 11


The error message is produced from the filter_logon_info() method
https://github.com/freeipa/freeipa/blob/295b4e23b44c74817fd83428f9ffe4cdb1e7bb8a/daemons/ipa-kdb/ipa_kdb_mspac.c#L1801
which is called from ipadb_check_logon_info() method
https://github.com/freeipa/freeipa/blob/295b4e23b44c74817fd83428f9ffe4cdb1e7bb8a/daemons/ipa-kdb/ipa_kdb_mspac.c#L2027

The parameters provided to the method are evaluated in these lines:
https://github.com/freeipa/freeipa/blob/master/daemons/ipa-kdb/ipa_kdb_mspac.c#L2104-L2113

    if (client != NULL) {
        origin_realm = client->princ->realm;
    } else {
        origin_realm = signing_krbtgt->princ->realm;
    }

    kerr = filter_logon_info(context, tmpctx, &origin_realm, &info);
    if (kerr) {
        goto done;
    }

It looks like the PAC contains references to sub1 (the child domain) but the code expects the parent domain instead.
Comment 5 Alexander Bokovoy 2023-01-30 11:59:17 UTC 
I think the catch here is that signing krbtgt will always be the forest root's one because that's the only one we have for the trust. 
It means we probably need to allow here any domain/NetBIOS name from that forest, not just be strict on the forest root.

In MIT Krb 5 1.20 we don't even get an original client principal at all so nothing else could be done.
Comment 6 Alexander Bokovoy 2023-01-30 19:09:49 UTC 
PR: https://github.com/freeipa/freeipa/pull/6644
Comment 7 Florence Blanc-Renaud 2023-02-07 10:15:14 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/9316
Comment 8 Rob Crittenden 2023-02-09 19:31:28 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/0c32ebf85859858eb27bcc712dfec91e2d1c85d3
https://pagure.io/freeipa/c/0b762d2b2a214cc6a392514e0d82e2c15200082b
Comment 9 Rob Crittenden 2023-02-10 02:52:40 UTC 
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/2d7cc19d238e0a20a44bb5422fd369d1e5cf764f
https://pagure.io/freeipa/c/ed1959dc0cf8823a0ce60e32ce0de7a389ecb942

Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/0206369eec8530e96c66986c4ca501d8962193ce
https://pagure.io/freeipa/c/a6cb905de74da38d62f9c3bd7957018924282521
Comment 15 errata-xmlrpc 2023-05-09 07:33:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2205
Note You need to log in before you can comment on or make changes to this bug.