Bug 915799

Summary: Add delegation info to MS-PAC
Product: Red Hat Enterprise Linux 7
Reporter: Ann Marie Rubin <arubin>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.0
CC: dpal, mgregg, mkosek, nsoman, pviktori, spoore, ssorce
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-3.3.2-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 12:51:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ann Marie Rubin 2013-02-26 14:40:07 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3442

Given we support s4u2proxy and might want to use it to let the framework access a trusted domain, it is appropriate to add delegation info to the MS-PAC as that data is how AD keeps track of delegations and can apply (restrictive) policy if needed.

Comment 1 Namita Soman 2013-02-28 20:31:36 UTC
Please add steps to verify

Comment 2 Petr Viktorin (pviktori) 2013-09-13 16:05:12 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/5157fd450fb33a7a3b68525a255d2976dbb0840a

Comment 3 Petr Viktorin (pviktori) 2013-09-16 07:55:57 UTC
Also pushed upstream to ipa-3-3: https://fedorahosted.org/freeipa/changeset/7de103739172e4d3690d71fb686addc4edae027e

Comment 4 Martin Kosek 2013-09-17 13:57:15 UTC
As agreed, this will be added to RHEL-7.0 and verified as *sanity only*. This is mostly an internal change.

Comment 6 Michael Gregg 2014-01-31 00:02:05 UTC
Please add steps to verify ticket.

Comment 7 Martin Kosek 2014-01-31 07:50:10 UTC
Please see Comment 4; as agreed previously, this bug is to be verified as sanity only.

Comment 8 Scott Poore 2014-02-04 00:10:40 UTC
Martin,

What do we primarily need to check for a sanity only test here?

Is having a Trust in place and kinit as AD user enough to exercise the code in question?

Thanks,
Scott

Comment 9 Martin Kosek 2014-02-04 07:09:45 UTC
I think the code is exercised when PAC is generated, for example when AD user is logging in with SSH via GSSAPI.

Adding Simo to CC to confirm.

Comment 10 Simo Sorce 2014-02-11 13:26:14 UTC
Unfortunately I forgot the details, but as far as I remember you are right.

We could unpac the MS-PAC and inspect a specific buffer for the content if you want to be extra sure, but that would be quite some work.

Comment 11 Scott Poore 2014-02-11 14:11:08 UTC
How can I unpac the MS-PAC?  Do I need a packet capture of ssh w/ gssapi to do that?

Comment 12 Scott Poore 2014-02-21 03:20:49 UTC
Alexander helped me with viewing the PAC with smbclient. Unfortunately, this method is not yet capable of displaying the delegation information. I've done quite a few test runs and everything seems to be working fine from different tests. So, I'm marking this one verified Sanity Only.

This is a method using samba to show PAC.

kinit -kt /etc/httpd/conf/ipa.keytab HTTP/$HOSTNAME@$REALM
smbcontrol smbd debug 100
smbclient -k -L `hostname`
smbcontrol smbd debug 1
less /var/log/samba/log.$(hostname -i)

Verified.  Sanity Only.

Version ::

ipa-server-3.3.3-18.el7.x86_64

Results ::

[root@rhel7-4 samba]# > /var/log/samba/log.$(hostname -i)

[root@rhel7-4 samba]# kinit -kt /etc/httpd/conf/ipa.keytab HTTP/$HOSTNAME@$REALM

[root@rhel7-4 samba]# smbcontrol smbd debug 100

[root@rhel7-4 samba]# smbclient -k -L `hostname`
lp_load_ex: changing to config backend registry
session setup failed: NT_STATUS_ACCESS_DENIED

[root@rhel7-4 samba]# smbcontrol smbd debug 1

[root@rhel7-4 samba]# less /var/log/samba/log.192.168.122.74

[2014/02/20 20:55:08.884203,  3, pid=27080, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: rhel7-4.example.com []
[2014/02/20 20:55:08.884266, 10, pid=27080, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:388(kerberos_decode_pac)
  Successfully validated Kerberos PAC
      pac_data: struct PAC_DATA
          num_buffers              : 0x00000004 (4)
          version                  : 0x00000000 (0)
          buffers: ARRAY(4)
              buffers: struct PAC_BUFFER
                  type                     : PAC_TYPE_LOGON_INFO (1)
                  _ndr_size                : 0x000001b8 (440)
                  info                     : *
                      info                     : union PAC_INFO(case 1)
                      logon_info: struct PAC_LOGON_INFO_CTR
                          info                     : *
                              info: struct PAC_LOGON_INFO
                                  info3: struct netr_SamInfo3
                                      base: struct netr_SamBaseInfo
                                          logon_time               : NTTIME(0)
                                          logoff_time              : Wed Dec 31 06:00:00 PM 1969 CST
                                          kickoff_time             : Wed Dec 31 06:00:00 PM 1969 CST
                                          last_password_change     : Thu Feb 20 07:24:55 PM 2014 CST
                                          allow_password_change    : NTTIME(0)
                                          force_password_change    : Wed Dec 31 06:00:00 PM 1969 CST
                                          account_name: struct lsa_String
                                              length                   : 0x0026 (38)
                                              size                     : 0x0026 (38)
                                              string                   : *
                                                  string                   : 'rhel7-4.example.com'
                                          full_name: struct lsa_String
                                              length                   : 0x0000 (0)
                                              size                     : 0x0000 (0)
                                              string                   : *
                                                  string                   : ''
                                          logon_script: struct lsa_String
                                              length                   : 0x0000 (0)
                                              size                     : 0x0000 (0)
                                              string                   : *
                                                  string                   : ''
                                          profile_path: struct lsa_String
                                              length                   : 0x0000 (0)
                                              size                     : 0x0000 (0)
                                              string                   : *
                                                  string                   : ''
                                          home_directory: struct lsa_String
                                              length                   : 0x0000 (0)
                                              size                     : 0x0000 (0)
                                              string                   : *
                                                  string                   : ''
                                          home_drive: struct lsa_String
                                              length                   : 0x0000 (0)
                                              size                     : 0x0000 (0)
                                              string                   : *
                                                  string                   : ''
                                          logon_count              : 0x0000 (0)
                                          bad_password_count       : 0x0000 (0)
                                          rid                      : 0x00000204 (516)
                                          primary_gid              : 0x00000203 (515)
                                          groups: struct samr_RidWithAttributeArray
                                              count                    : 0x00000000 (0)
                                              rids                     : *
                                                  rids: ARRAY(0)
                                          user_flags               : 0x00000000 (0)
                                                 0: NETLOGON_GUEST           
                                                 0: NETLOGON_NOENCRYPTION    
                                                 0: NETLOGON_CACHED_ACCOUNT  
                                                 0: NETLOGON_USED_LM_PASSWORD
                                                 0: NETLOGON_EXTRA_SIDS      
                                                 0: NETLOGON_SUBAUTH_SESSION_KEY
                                                 0: NETLOGON_SERVER_TRUST_ACCOUNT
                                                 0: NETLOGON_NTLMV2_ENABLED  
                                                 0: NETLOGON_RESOURCE_GROUPS 
                                                 0: NETLOGON_PROFILE_PATH_RETURNED
                                                 0: NETLOGON_GRACE_LOGON     
                                          key: struct netr_UserSessionKey
                                              key                      : 00000000000000000000000000000000
                                          logon_server: struct lsa_StringLarge
                                              length                   : 0x000e (14)
                                              size                     : 0x0010 (16)
                                              string                   : *
                                                  string                   : 'RHEL7-4'
                                          logon_domain: struct lsa_StringLarge
                                              length                   : 0x000e (14)
                                              size                     : 0x0010 (16)
                                              string                   : *
                                                  string                   : 'EXAMPLE'
                                          domain_sid               : *
                                              domain_sid               : S-1-5-21-2793801488-362198099-2096703284
                                          LMSessKey: struct netr_LMSessionKey
                                              key                      : 0000000000000000
                                          acct_flags               : 0x00000010 (16)
                                                 0: ACB_DISABLED             
                                                 0: ACB_HOMDIRREQ            
                                                 0: ACB_PWNOTREQ             
                                                 0: ACB_TEMPDUP              
                                                 1: ACB_NORMAL               
                                                 0: ACB_MNS                  
                                                 0: ACB_DOMTRUST             
                                                 0: ACB_WSTRUST              
                                                 0: ACB_SVRTRUST             
                                                 0: ACB_PWNOEXP              
                                                 0: ACB_AUTOLOCK             
                                                 0: ACB_ENC_TXT_PWD_ALLOWED  
                                                 0: ACB_SMARTCARD_REQUIRED   
                                                 0: ACB_TRUSTED_FOR_DELEGATION
                                                 0: ACB_NOT_DELEGATED        
                                                 0: ACB_USE_DES_KEY_ONLY     
                                                 0: ACB_DONT_REQUIRE_PREAUTH 
                                                 0: ACB_PW_EXPIRED           
                                                 0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
                                                 0: ACB_NO_AUTH_DATA_REQD    
                                                 0: ACB_PARTIAL_SECRETS_ACCOUNT
                                                 0: ACB_USE_AES_KEYS         
                                          sub_auth_status          : 0x00000000 (0)
                                          last_successful_logon    : NTTIME(0)
                                          last_failed_logon        : NTTIME(0)
                                          failed_logon_count       : 0x00000000 (0)
                                          reserved                 : 0x00000000 (0)
                                      sidcount                 : 0x00000000 (0)
                                      sids                     : NULL
                                  res_group_dom_sid        : NULL
                                  res_groups: struct samr_RidWithAttributeArray
                                      count                    : 0x00000000 (0)
                                      rids                     : NULL
                  _pad                     : 0x00000000 (0)
              buffers: struct PAC_BUFFER
                  type                     : PAC_TYPE_LOGON_NAME (10)
                  _ndr_size                : 0x0000003a (58)
                  info                     : *
                      info                     : union PAC_INFO(case 10)
                      logon_name: struct PAC_LOGON_NAME
                          logon_time               : Thu Feb 20 08:55:08 PM 2014 CST
                          size                     : 0x0030 (48)
                          account_name             : 'HTTP/rhel7-4.example.com'
                  _pad                     : 0x00000000 (0)
              buffers: struct PAC_BUFFER
                  type                     : PAC_TYPE_SRV_CHECKSUM (6)
                  _ndr_size                : 0x00000010 (16)
                  info                     : *
                      info                     : union PAC_INFO(case 6)
                      srv_cksum: struct PAC_SIGNATURE_DATA
                          type                     : 0x00000010 (16)
                          signature                : DATA_BLOB length=12
  [0000] 1B 49 20 02 26 91 79 70   86 AA CA 0B              .I .&.yp ....
                  _pad                     : 0x00000000 (0)
              buffers: struct PAC_BUFFER
                  type                     : PAC_TYPE_KDC_CHECKSUM (7)
                  _ndr_size                : 0x00000010 (16)
                  info                     : *
                      info                     : union PAC_INFO(case 7)
                      kdc_cksum: struct PAC_SIGNATURE_DATA
                          type                     : 0x00000010 (16)
                          signature                : DATA_BLOB length=12
  [0000] DF 78 2A 0D 68 17 44 2B   DE A3 FC 5C              .x*.h.D+ ...\
                  _pad                     : 0x00000000 (0)
  
[2014/02/20 20:55:08.886442,  3, pid=27080, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [HTTP/rhel7-4.example.com]
[2014/02/20 20:55:08.886483, 10, pid=27080, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:83(get_user_from_kerberos_info)
  Domain is [EXAMPLE] (using PAC)

...


[root@rhel7-4 samba]# kinit aduser1.TEST
Password for aduser1.TEST: 
[root@rhel7-4 samba]# smbcontrol smbd debug 100
[root@rhel7-4 samba]# smbclient -k -L `hostname`
lp_load_ex: changing to config backend registry
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.1]

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (Samba 4.1.1)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.1]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
[root@rhel7-4 samba]# smbcontrol smbd debug 1

[root@rhel7-4 samba]# 

-sh-4.2$ kinit aduser1.TEST
Password for aduser1.TEST: 

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:551801125:551801125
Default principal: aduser1.TEST

Valid starting       Expires              Service principal
02/20/2014 21:12:40  02/21/2014 07:12:40  krbtgt/AD2.EXAMPLE.TEST.TEST
	renew until 02/21/2014 21:12:39

-sh-4.2$ ssh -K -l aduser1.TEST $(hostname)

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:551801125:551801125
Default principal: aduser1.TEST

Valid starting       Expires              Service principal
02/20/2014 21:14:37  02/21/2014 07:14:37  krbtgt/AD2.EXAMPLE.TEST.TEST
	renew until 02/21/2014 21:14:36

-sh-4.2$ ssh -K -l aduser1.test $(hostname)
Last login: Thu Feb 20 21:15:00 2014 from rhel7-4.example.com

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:551801125:551801125
Default principal: aduser1.TEST

Valid starting       Expires              Service principal
02/20/2014 21:15:43  02/21/2014 07:14:37  krbtgt/AD2.EXAMPLE.TEST.TEST
	renew until 02/21/2014 21:14:36
-sh-4.2$ logout

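Comment 10 suggests unpacking the MS-PAC and inspecting a specific buffer, which the smbclient debug method above cannot do for the delegation buffer. The following Python parser is an added example, not code from this bug, FreeIPA or Samba: it walks the PACTYPE buffer table, decodes the PAC_CLIENT_INFO buffer and reports whether the constrained-delegation buffer (ulType 11 in MS-PAC) is present. The PAC bytes are a constructed sample mirroring the four buffer types in the smbd log above (dummy logon-info and signature bytes, hand-computed FILETIME), not a capture from the test system.

```python
import struct
from datetime import datetime, timedelta, timezone

PAC_TYPE_NAMES = {1: "LOGON_INFO", 6: "SERVER_CHECKSUM", 7: "KDC_CHECKSUM",  # MS-PAC ulType values
                  10: "CLIENT_INFO", 11: "CONSTRAINED_DELEGATION_INFO", 12: "UPN_DNS_INFO"}

def parse_pac_buffers(pac):
    """Return [(ulType, bytes)] from the PACTYPE header and PAC_INFO_BUFFER table."""
    if len(pac) < 8:
        raise ValueError("PAC shorter than PACTYPE header")
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unsupported PAC version %d" % version)
    buffers = []
    for i in range(count):
        entry = 8 + 16 * i
        if entry + 16 > len(pac):
            raise ValueError("PAC_INFO_BUFFER table truncated")
        btype, size, offset = struct.unpack_from("<IIQ", pac, entry)
        if offset + size > len(pac):  # offsets come from the ticket: bounds-check them
            raise ValueError("buffer %d (type %d) runs past end of PAC" % (i, btype))
        buffers.append((btype, pac[offset:offset + size]))
    return buffers

def parse_client_info(data):
    """Decode PAC_CLIENT_INFO: FILETIME ClientId, uint16 NameLength, UTF-16LE Name."""
    filetime, name_len = struct.unpack_from("<QH", data, 0)
    if 10 + name_len > len(data):
        raise ValueError("PAC_CLIENT_INFO name runs past buffer")
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    logon_time = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return logon_time, data[10:10 + name_len].decode("utf-16-le")

def has_delegation_info(pac):
    return any(PAC_TYPE_NAMES.get(t) == "CONSTRAINED_DELEGATION_INFO" for t, _ in parse_pac_buffers(pac))

def build_pac(buffers):
    """Serialise [(ulType, bytes)] into a PACTYPE blob, 8-byte aligning each buffer."""
    header_len = 8 + 16 * len(buffers)
    table, body = struct.pack("<II", len(buffers), 0), b""
    for btype, data in buffers:
        table += struct.pack("<IIQ", btype, len(data), header_len + len(body))
        body += data + b"\x00" * (-len(data) % 8)
    return table + body

# Constructed sample (not a capture from the bug's system): the same four buffer
# types the smbd log above shows; logon-info bytes are dummies and the checksum
# buffers carry signature type 16 with 12-byte placeholder signatures.
_name = "HTTP/rhel7-4.example.com".encode("utf-16-le")
SAMPLE_PAC = build_pac([
    (1, b"\x00" * 24),
    (10, struct.pack("<QH", 130374249080000000, len(_name)) + _name),
    (6, struct.pack("<I", 16) + b"\x11" * 12),
    (7, struct.pack("<I", 16) + b"\x22" * 12),
])

if __name__ == "__main__":
    print([(PAC_TYPE_NAMES.get(t, t), len(d)) for t, d in parse_pac_buffers(SAMPLE_PAC)])
    print("delegation info present:", has_delegation_info(SAMPLE_PAC))
```

A PAC taken from a real S4U2Proxy-obtained ticket would be fed to parse_pac_buffers in place of SAMPLE_PAC; the sample reproduces the no-delegation case the log above shows.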
Comment 13 Ludek Smid 2014-06-13 12:51:26 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.