Bug 785907 - [RFE] Add support to request canonicalization on krb AS requests
Summary: [RFE] Add support to request canonicalization on krb AS requests
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Stephen Gallagher
QA Contact: IDM QE LIST
Reported: 2012-01-30 21:05 UTC by Stephen Gallagher
Modified: 2020-05-02 16:23 UTC
Fixed In Version: sssd-1.8.0-2.el6.beta2
Doc Type: Enhancement
Doc Text:
A new option krb5_canonicalize has been added to the SSSD configuration. When set to true, it will set a flag in the krb5 request, and the host and user principals will be canonicalized and returned to SSSD by the server. Note that this feature requires Kerberos >= 1.7.
Last Closed: 2012-06-20 11:54:42 UTC

Links:
Github SSSD sssd issues 1999 (closed): [RFE] Add support to request canonicalization on krb AS requests, last updated 2020-06-16 13:51:18 UTC
Red Hat Product Errata RHBA-2012:0747 (SHIPPED_LIVE, priority normal): sssd bug fix and enhancement update, last updated 2012-06-19 19:31:43 UTC

Description Stephen Gallagher 2012-01-30 21:05:33 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/957

We should add support to set the canonicalization option with krb5_get_init_creds_opt_set_canonicalize() when asking for a TGT.

We should do that both in get_and_save_tgt_with_keytab() and probably krb5_child_setup().

Comment 1 Jenny Severance 2012-02-01 21:37:40 UTC
<jgalipea> sgallagh, ping re: https://bugzilla.redhat.com/show_bug.cgi?id=785907
<jgalipea> sgallagh, how is this tested???

<sgallagh> jgalipea: It's a compatibility feature with older KDCs

<simo> jgalipea, the quick line is that it allows people to use bad cases in hostnames and have things still working

<simo> so that if you call your host QEnacksme.redhat.com you get back host/qenacksme.redhat.com
<simo> but our KDC can still check case-insensitively if canonicalization is requested
<simo> w/o that request the KDC will return that the principal was not found
<jgalipea> okay ... got it ... but assume they must user --hostname with ipa-client-install for that to work
<jgalipea> s/user/use
<simo> possibly
<simo> when I opened the bug I think we didn't check yet
<simo> but helps in general
<jgalipea> I think so cuz I saw another bug ... looking ...
<sgallagh> jgalipea: Incorrect
<simo> so if you ssh jgalipea@Myqemachine you can still get a ticket for myqemachine
<jgalipea> oh ... okay ... got it

<sgallagh> jgalipea: if their machine hostname is JGALIPEA.redhat.com and they use ipa-client install, the host on the IPA server will be normalized to lowercase, but the client will try to use host/JGALIPEA.redhat.com
<sgallagh> See https://bugzilla.redhat.com/show_bug.cgi?id=786237 for an example of this
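The behaviour described above (an exact lookup failing on a mixed-case host principal, a canonicalized AS request succeeding and returning the lowercase name) as an added model, not code from the bug report or from SSSD. The KDC table is constructed, only host instances are case-folded, and a real KDC's canonicalization policy is assumed to be its own concern:

```python
# Added example, not code from the bug report or from SSSD: a model of the
# AS-REQ principal lookup with and without the canonicalize flag that
# krb5_get_init_creds_opt_set_canonicalize() requests.  Only host instances
# are case-folded here (assumption of this model).
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6  # krb5 error code: client principal not found

# Constructed table: an IPA server stores host principals in lowercase.
KDC_DB = {
    "host/qenacksme.redhat.com@EXAMPLE.COM",
    "host/myqemachine.redhat.com@EXAMPLE.COM",
    "jgalipea@EXAMPLE.COM",
}


def split_principal(name):
    """Split 'primary/instance@REALM' into (primary, instance or None, realm)."""
    local, _, realm = name.rpartition("@")
    primary, _, instance = local.partition("/")
    return primary, (instance or None), realm


def as_req_lookup(requested, canonicalize, db=KDC_DB):
    """KDC side of the AS exchange.

    Without the flag the lookup is exact, so host/QEnacksme... is reported
    as unknown.  With the flag the KDC matches the hostname instance
    case-insensitively and answers with the canonical name instead."""
    if requested in db:
        return 0, requested
    if not canonicalize:
        return KDC_ERR_C_PRINCIPAL_UNKNOWN, None
    primary, instance, realm = split_principal(requested)
    if primary != "host" or instance is None:
        return KDC_ERR_C_PRINCIPAL_UNKNOWN, None
    canonical = f"host/{instance.lower()}@{realm}"
    if canonical in db:
        return 0, canonical
    return KDC_ERR_C_PRINCIPAL_UNKNOWN, None


def client_get_tgt(requested, canonicalize):
    """Client side: the principal name that ends up in the credential cache,
    or None when the KDC rejected the request."""
    code, cname = as_req_lookup(requested, canonicalize)
    return cname if code == 0 else None


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, client_get_tgt("host/QEnacksme.redhat.com@EXAMPLE.COM", flag))
```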

Comment 4 Jan Zeleny 2012-04-26 14:12:01 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
A new option krb5_canonicalize has been added to the SSSD configuration. When set to true, it will set a flag in the krb5 request, and the host and user principals will be canonicalized and returned to SSSD by the server. Note that this feature requires Kerberos >= 1.7.

Comment 5 Kaleem 2012-05-29 13:31:38 UTC
Steps to verify this are needed.

Comment 6 Jan Zeleny 2012-05-29 14:39:54 UTC
This should be tested with an older IPA server (I recall that Stephen suggested 2.1 should work). Just try to install the ipa client with some part of your hostname in uppercase. At least this is what I understand from comment 1.

Comment 7 Jenny Severance 2012-05-30 18:38:26 UTC
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/rodimus.lab.eng.pnq.redhat.com

Valid starting     Expires            Service principal
05/30/12 10:16:30  05/31/12 10:16:30  krbtgt/EXAMPLE.COM
	renew until 05/30/12 10:16:30
05/30/12 10:20:30  05/31/12 10:16:30  host/rodimus.lab.eng.pnq.redhat.com
	renew until 05/30/12 10:16:30

# hostname
RODIMUS.lab.eng.pnq.redhat.com
#########################################################################
WITH "krb5_canonicalize = true"
sssd.conf

[domain/example.com]
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://goldbug.lab.eng.pnq.redhat.com
ldap_search_base = dc=example,dc=com
cache_credentials = true
enumerate = False
debug_level = 9
krb5_server = goldbug.lab.eng.pnq.redhat.com
krb5_realm = EXAMPLE.COM
krb5_canonicalize = true
krb5_validate = true
ldap_sasl_mech = GSSAPI
krb5_keytab = /etc/krb5.keytab

[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = example.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

# getent passwd blah

sssd domain log

{{{

(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 27
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [7972]
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [7972]
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x250e300], connected[1], ops[(nil)], ldap[0x250e4e0]
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed May 30 14:15:00 2012) [sssd[be[example.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed May 30 14:15:00 2012) [sssd[be[example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_EXAMPLE.COM], expired on [1338488099]
(Wed May 30 14:15:00 2012) [sssd[be[example.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null)
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [child_sig_handler] (0x1000): Waiting for child [7972].
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [child_sig_handler] (0x0100): child [7972] finished successfully.
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'goldbug.lab.eng.pnq.redhat.com' as 'working'
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [set_server_common_status] (0x0100): Marking server 'goldbug.lab.eng.pnq.redhat.com' as 'working'
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [sdap_id_op_connect_done] (0x4000): notify connected to op #1
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [sdap_get_users_next_base] (0x0400): Searching for users with base [dc=example,dc=com]
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=blah)(objectclass=posixAccount)

}}}


#############################################################################
WITH "krb5_canonicalize = false"
sssd.conf
# cat /etc/sssd/sssd.conf 
[domain/example.com]
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://goldbug.lab.eng.pnq.redhat.com
ldap_search_base = dc=example,dc=com
cache_credentials = true
enumerate = False
debug_level = 9
krb5_server = goldbug.lab.eng.pnq.redhat.com
krb5_realm = EXAMPLE.COM
krb5_canonicalize = false
krb5_validate = true
ldap_sasl_mech = GSSAPI
krb5_keytab = /etc/krb5.keytab

[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = example.com
[nss]

[pam]

[sudo]

[autofs]


# getent -s sss passwd shanks

sssd domain log

{{{

(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 27
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [8072]
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [8072]
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x155a870], connected[1], ops[(nil)], ldap[0x155aad0]
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed May 30 14:23:43 2012) [sssd[be[example.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed May 30 14:23:43 2012) [sssd[be[example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_EXAMPLE.COM], expired on [1338488623]
(Wed May 30 14:23:43 2012) [sssd[be[example.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null)
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [child_sig_handler] (0x1000): Waiting for child [8072].
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [child_sig_handler] (0x0100): child [8072] finished successfully.
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'goldbug.lab.eng.pnq.redhat.com' as 'working'
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [set_server_common_status] (0x0100): Marking server 'goldbug.lab.eng.pnq.redhat.com' as 'working'
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [sdap_id_op_connect_done] (0x4000): notify connected to op #1
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [sdap_get_users_next_base] (0x0400): Searching for users with base [dc=example,dc=com]
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=shanks)(objectclass=posixAccount))][dc=example,dc=com].

}}}

Both true and false are working; it would have been expected that with "false" the lookup would not have been successful. But because of the fix for https://bugzilla.redhat.com/show_bug.cgi?id=785881, they are now both successful.

Marking bug VERIFIED

version: sssd-1.8.0-32.el6.x86_64
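A check an operator could run against the kind of setup used in the verification above (hostname in uppercase, keytab principal in lowercase), added here as example code that is not from the bug report or from SSSD. The config text, hostname and keytab principal list are constructed stand-ins for /etc/sssd/sssd.conf, `hostname` and `klist -k`:

```python
# Added example, not code from the bug report or from SSSD: audits an
# sssd.conf domain section for a host principal whose case differs from the
# keytab entry.  Config text, hostname and keytab list are constructed.
import configparser
import io

SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_keytab = /etc/krb5.keytab
krb5_validate = true
ldap_sasl_mech = GSSAPI
"""


def domain_sections(conf_text):
    """Return {section name: {option: value}} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(conf_text))
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith("domain/")}


def truthy(value):
    return str(value).strip().lower() in ("true", "yes", "1")


def check_host_principal(domain, hostname, keytab_principals):
    """Compare the host principal derived from the hostname (host/<hostname>@REALM,
    as comment 1 describes the client doing) against the keytab.  A case-only
    mismatch is only harmless when krb5_canonicalize lets the KDC map it."""
    wanted = f"host/{hostname}@{domain.get('krb5_realm', '')}"
    if wanted in keytab_principals:
        return []
    folded = {p.lower(): p for p in keytab_principals}
    match = folded.get(wanted.lower())
    if match is None:
        return [f"no keytab entry for {wanted}"]
    if truthy(domain.get("krb5_canonicalize", "false")):
        return [f"case mismatch {wanted} vs {match}: krb5_canonicalize = true lets the KDC resolve it"]
    return [f"case mismatch {wanted} vs {match}: set krb5_canonicalize = true or fix the hostname case"]
```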

Comment 9 errata-xmlrpc 2012-06-20 11:54:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html

