Bug 915799
| Summary: | Add delegation info to MS-PAC | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ann Marie Rubin <arubin> |
| Component: | ipa | Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | dpal, mgregg, mkosek, nsoman, pviktori, spoore, ssorce |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-3.3.2-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 12:51:26 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
|
Description
Ann Marie Rubin
2013-02-26 14:40:07 UTC
Please add steps to verify.

Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/5157fd450fb33a7a3b68525a255d2976dbb0840a Also pushed upstream to ipa-3-3: https://fedorahosted.org/freeipa/changeset/7de103739172e4d3690d71fb686addc4edae027e

As agreed, this will be added to RHEL-7.0 and verified as *sanity only*. This is mostly an internal change. Please add steps to verify ticket.

Please see Comment 4, as agreed previously, this bug is to be verified as sanity only.

Martin, what do we primarily need to check for a sanity only test here? Is having a Trust in place and kinit as AD user enough to exercise the code in question? Thanks, Scott

I think the code is exercised when PAC is generated, for example when AD user is logging in with SSH via GSSAPI. Adding Simo to CC to confirm.

Unfortunately I forgot the details but as far as I remember you are right. We could unpac the MS-PAC and inspect a specific buffer for the content if you want to be extra sure, but that would be quite some work.

How can I unpac the MS-PAC? Do I need a packet capture of ssh w/ gssapi to do that?

Alexander helped me with viewing the PAC with smbclient. Unfortunately, this method is not yet capable of displaying the delegation information. I've done quite a few test runs and everything seems to be working fine from different tests. So, I'm marking this one verified Sanity Only.
This is a method using samba to show the PAC:

```shell
kinit -kt /etc/httpd/conf/ipa.keytab HTTP/$HOSTNAME@$REALM
smbcontrol smbd debug 100
smbclient -k -L `hostname`
smbcontrol smbd debug 1
less /var/log/samba/log.$(hostname -i)
```
Verified. Sanity Only.
Version ::
ipa-server-3.3.3-18.el7.x86_64
Results ::
[root@rhel7-4 samba]# > /var/log/samba/log.$(hostname -i)
[root@rhel7-4 samba]# kinit -kt /etc/httpd/conf/ipa.keytab HTTP/$HOSTNAME@$REALM
[root@rhel7-4 samba]# smbcontrol smbd debug 100
[root@rhel7-4 samba]# smbclient -k -L `hostname`
lp_load_ex: changing to config backend registry
session setup failed: NT_STATUS_ACCESS_DENIED
[root@rhel7-4 samba]# smbcontrol smbd debug 1
[root@rhel7-4 samba]# less /var/log/samba/log.192.168.122.74
[2014/02/20 20:55:08.884203, 3, pid=27080, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
Found account name from PAC: rhel7-4.example.com []
[2014/02/20 20:55:08.884266, 10, pid=27080, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:388(kerberos_decode_pac)
Successfully validated Kerberos PAC
pac_data: struct PAC_DATA
num_buffers : 0x00000004 (4)
version : 0x00000000 (0)
buffers: ARRAY(4)
buffers: struct PAC_BUFFER
type : PAC_TYPE_LOGON_INFO (1)
_ndr_size : 0x000001b8 (440)
info : *
info : union PAC_INFO(case 1)
logon_info: struct PAC_LOGON_INFO_CTR
info : *
info: struct PAC_LOGON_INFO
info3: struct netr_SamInfo3
base: struct netr_SamBaseInfo
logon_time : NTTIME(0)
logoff_time : Wed Dec 31 06:00:00 PM 1969 CST
kickoff_time : Wed Dec 31 06:00:00 PM 1969 CST
last_password_change : Thu Feb 20 07:24:55 PM 2014 CST
allow_password_change : NTTIME(0)
force_password_change : Wed Dec 31 06:00:00 PM 1969 CST
account_name: struct lsa_String
length : 0x0026 (38)
size : 0x0026 (38)
string : *
string : 'rhel7-4.example.com'
full_name: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
logon_script: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
profile_path: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
home_directory: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
home_drive: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
logon_count : 0x0000 (0)
bad_password_count : 0x0000 (0)
rid : 0x00000204 (516)
primary_gid : 0x00000203 (515)
groups: struct samr_RidWithAttributeArray
count : 0x00000000 (0)
rids : *
rids: ARRAY(0)
user_flags : 0x00000000 (0)
0: NETLOGON_GUEST
0: NETLOGON_NOENCRYPTION
0: NETLOGON_CACHED_ACCOUNT
0: NETLOGON_USED_LM_PASSWORD
0: NETLOGON_EXTRA_SIDS
0: NETLOGON_SUBAUTH_SESSION_KEY
0: NETLOGON_SERVER_TRUST_ACCOUNT
0: NETLOGON_NTLMV2_ENABLED
0: NETLOGON_RESOURCE_GROUPS
0: NETLOGON_PROFILE_PATH_RETURNED
0: NETLOGON_GRACE_LOGON
key: struct netr_UserSessionKey
key : 00000000000000000000000000000000
logon_server: struct lsa_StringLarge
length : 0x000e (14)
size : 0x0010 (16)
string : *
string : 'RHEL7-4'
logon_domain: struct lsa_StringLarge
length : 0x000e (14)
size : 0x0010 (16)
string : *
string : 'EXAMPLE'
domain_sid : *
domain_sid : S-1-5-21-2793801488-362198099-2096703284
LMSessKey: struct netr_LMSessionKey
key : 0000000000000000
acct_flags : 0x00000010 (16)
0: ACB_DISABLED
0: ACB_HOMDIRREQ
0: ACB_PWNOTREQ
0: ACB_TEMPDUP
1: ACB_NORMAL
0: ACB_MNS
0: ACB_DOMTRUST
0: ACB_WSTRUST
0: ACB_SVRTRUST
0: ACB_PWNOEXP
0: ACB_AUTOLOCK
0: ACB_ENC_TXT_PWD_ALLOWED
0: ACB_SMARTCARD_REQUIRED
0: ACB_TRUSTED_FOR_DELEGATION
0: ACB_NOT_DELEGATED
0: ACB_USE_DES_KEY_ONLY
0: ACB_DONT_REQUIRE_PREAUTH
0: ACB_PW_EXPIRED
0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
0: ACB_NO_AUTH_DATA_REQD
0: ACB_PARTIAL_SECRETS_ACCOUNT
0: ACB_USE_AES_KEYS
sub_auth_status : 0x00000000 (0)
last_successful_logon : NTTIME(0)
last_failed_logon : NTTIME(0)
failed_logon_count : 0x00000000 (0)
reserved : 0x00000000 (0)
sidcount : 0x00000000 (0)
sids : NULL
res_group_dom_sid : NULL
res_groups: struct samr_RidWithAttributeArray
count : 0x00000000 (0)
rids : NULL
_pad : 0x00000000 (0)
buffers: struct PAC_BUFFER
type : PAC_TYPE_LOGON_NAME (10)
_ndr_size : 0x0000003a (58)
info : *
info : union PAC_INFO(case 10)
logon_name: struct PAC_LOGON_NAME
logon_time : Thu Feb 20 08:55:08 PM 2014 CST
size : 0x0030 (48)
account_name : 'HTTP/rhel7-4.example.com'
_pad : 0x00000000 (0)
buffers: struct PAC_BUFFER
type : PAC_TYPE_SRV_CHECKSUM (6)
_ndr_size : 0x00000010 (16)
info : *
info : union PAC_INFO(case 6)
srv_cksum: struct PAC_SIGNATURE_DATA
type : 0x00000010 (16)
signature : DATA_BLOB length=12
[0000] 1B 49 20 02 26 91 79 70 86 AA CA 0B .I .&.yp ....
_pad : 0x00000000 (0)
buffers: struct PAC_BUFFER
type : PAC_TYPE_KDC_CHECKSUM (7)
_ndr_size : 0x00000010 (16)
info : *
info : union PAC_INFO(case 7)
kdc_cksum: struct PAC_SIGNATURE_DATA
type : 0x00000010 (16)
signature : DATA_BLOB length=12
[0000] DF 78 2A 0D 68 17 44 2B DE A3 FC 5C .x*.h.D+ ...\
_pad : 0x00000000 (0)
[2014/02/20 20:55:08.886442, 3, pid=27080, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [HTTP/rhel7-4.example.com]
[2014/02/20 20:55:08.886483, 10, pid=27080, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:83(get_user_from_kerberos_info)
Domain is [EXAMPLE] (using PAC)
...
[root@rhel7-4 samba]# kinit aduser1.TEST
Password for aduser1.TEST:
[root@rhel7-4 samba]# smbcontrol smbd debug 100
[root@rhel7-4 samba]# smbclient -k -L `hostname`
lp_load_ex: changing to config backend registry
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba 4.1.1)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@rhel7-4 samba]# smbcontrol smbd debug 1
[root@rhel7-4 samba]#
-sh-4.2$ kinit aduser1.TEST
Password for aduser1.TEST:
-sh-4.2$ klist
Ticket cache: KEYRING:persistent:551801125:551801125
Default principal: aduser1.TEST
Valid starting Expires Service principal
02/20/2014 21:12:40 02/21/2014 07:12:40 krbtgt/AD2.EXAMPLE.TEST.TEST
renew until 02/21/2014 21:12:39
-sh-4.2$ ssh -K -l aduser1.TEST $(hostname)
-sh-4.2$ klist
Ticket cache: KEYRING:persistent:551801125:551801125
Default principal: aduser1.TEST
Valid starting Expires Service principal
02/20/2014 21:14:37 02/21/2014 07:14:37 krbtgt/AD2.EXAMPLE.TEST.TEST
renew until 02/21/2014 21:14:36
-sh-4.2$ ssh -K -l aduser1.test $(hostname)
Last login: Thu Feb 20 21:15:00 2014 from rhel7-4.example.com
-sh-4.2$ klist
Ticket cache: KEYRING:persistent:551801125:551801125
Default principal: aduser1.TEST
Valid starting Expires Service principal
02/20/2014 21:15:43 02/21/2014 07:14:37 krbtgt/AD2.EXAMPLE.TEST.TEST
renew until 02/21/2014 21:14:36
-sh-4.2$ logout
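The thread leaves the "unpac the MS-PAC and inspect a specific buffer" step undone, because the smbd dump above only prints the four buffer types Samba knows how to decode (LOGON_INFO, LOGON_NAME, SRV_CHECKSUM, KDC_CHECKSUM). The following is an added example, not code from this bug or from FreeIPA or Samba, that walks the PACTYPE index from [MS-PAC] section 2.3 directly and reports whether the delegation buffer, S4U_DELEGATION_INFO (ulType 0x0b, which this example assumes is the buffer the fix populates), is present. The sample PACs are constructed: the two checksum buffers reuse the signature type (0x10) and 12-byte values printed in the dump, while the LOGON_INFO and LOGON_NAME bodies are zero placeholders of the dump's sizes rather than real NDR data.

```python
import struct

# PAC_INFO_BUFFER ulType values from [MS-PAC] 2.4: the four seen in the
# smbd dump above plus the delegation buffer this bug is about.
PAC_LOGON_INFO = 0x01
PAC_SRV_CHECKSUM = 0x06
PAC_KDC_CHECKSUM = 0x07
PAC_LOGON_NAME = 0x0A
PAC_CONSTRAINED_DELEGATION = 0x0B   # S4U_DELEGATION_INFO, [MS-PAC] 2.9

TYPE_NAMES = {
    PAC_LOGON_INFO: "PAC_TYPE_LOGON_INFO",
    PAC_SRV_CHECKSUM: "PAC_TYPE_SRV_CHECKSUM",
    PAC_KDC_CHECKSUM: "PAC_TYPE_KDC_CHECKSUM",
    PAC_LOGON_NAME: "PAC_TYPE_LOGON_NAME",
    PAC_CONSTRAINED_DELEGATION: "PAC_TYPE_CONSTRAINED_DELEGATION",
}

# PAC_SIGNATURE_DATA.SignatureType values ([MS-PAC] 2.8); the dump shows 0x10.
SIGNATURE_TYPES = {
    0xFFFFFF76: "KERB_CHECKSUM_HMAC_MD5",   # -138 as an unsigned ULONG
    0x0F: "HMAC_SHA1_96_AES128",
    0x10: "HMAC_SHA1_96_AES256",
}

HEADER_FMT = "<II"    # PACTYPE: cBuffers, Version
ENTRY_FMT = "<IIQ"    # PAC_INFO_BUFFER: ulType, cbBufferSize, Offset
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 8
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 16


def parse_pac(blob):
    """Walk the PACTYPE index and return [(ulType, buffer_bytes), ...].

    The index comes out of the ticket's authorization data, so every offset
    and size is bounds-checked before slicing; nothing here verifies the
    server or KDC signature, which must happen before the contents are trusted.
    """
    if len(blob) < HEADER_SIZE:
        raise ValueError("PAC shorter than PACTYPE header")
    num_buffers, version = struct.unpack_from(HEADER_FMT, blob, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version %d" % version)
    index_end = HEADER_SIZE + num_buffers * ENTRY_SIZE
    if index_end > len(blob):
        raise ValueError("PAC_INFO_BUFFER index runs past end of PAC")
    buffers = []
    for i in range(num_buffers):
        ul_type, size, offset = struct.unpack_from(ENTRY_FMT, blob, HEADER_SIZE + i * ENTRY_SIZE)
        # Buffers must start on an 8-byte boundary, after the index, inside the blob.
        if offset % 8 or offset < index_end or offset + size > len(blob):
            raise ValueError("buffer %d (type 0x%x) has bad offset/size" % (i, ul_type))
        buffers.append((ul_type, blob[offset:offset + size]))
    return buffers


def parse_signature(buf):
    """PAC_SIGNATURE_DATA: ULONG SignatureType followed by the raw signature bytes."""
    if len(buf) < 4:
        raise ValueError("signature buffer too short")
    return struct.unpack_from("<I", buf, 0)[0], buf[4:]


def summarize(blob):
    """[(type_name, size)] in index order, the shape of the smbd NDR dump."""
    return [(TYPE_NAMES.get(t, "unknown 0x%x" % t), len(b)) for t, b in parse_pac(blob)]


def has_delegation_info(blob):
    """True when the KDC included an S4U_DELEGATION_INFO buffer (ulType 0x0b)."""
    return any(t == PAC_CONSTRAINED_DELEGATION for t, _ in parse_pac(blob))


def is_well_formed(blob):
    try:
        parse_pac(blob)
        return True
    except ValueError:
        return False


def build_pac(buffers):
    """Test helper: serialize (ulType, data) pairs into a PACTYPE blob.
    It neither NDR-encodes payloads nor computes checksums."""
    header_len = HEADER_SIZE + len(buffers) * ENTRY_SIZE   # always a multiple of 8
    index, body = bytearray(struct.pack(HEADER_FMT, len(buffers), 0)), bytearray()
    for ul_type, data in buffers:
        index += struct.pack(ENTRY_FMT, ul_type, len(data), header_len + len(body))
        body += data + b"\x00" * (-len(data) % 8)   # keep the next buffer 8-byte aligned
    return bytes(index + body)


# Constructed samples (see lead-in): real signature values from the dump,
# zero placeholders for the NDR bodies.
SRV_SIG = bytes.fromhex("1B4920022691797086AACA0B")
KDC_SIG = bytes.fromhex("DF782A0D6817442BDEA3FC5C")
PAC_WITHOUT_DELEGATION = build_pac([
    (PAC_LOGON_INFO, b"\x00" * 440),
    (PAC_LOGON_NAME, b"\x00" * 58),
    (PAC_SRV_CHECKSUM, struct.pack("<I", 0x10) + SRV_SIG),
    (PAC_KDC_CHECKSUM, struct.pack("<I", 0x10) + KDC_SIG),
])
PAC_WITH_DELEGATION = build_pac([
    (PAC_LOGON_INFO, b"\x00" * 440),
    (PAC_LOGON_NAME, b"\x00" * 58),
    (PAC_CONSTRAINED_DELEGATION, b"\x00" * 40),   # placeholder S4U_DELEGATION_INFO body
    (PAC_SRV_CHECKSUM, struct.pack("<I", 0x10) + SRV_SIG),
    (PAC_KDC_CHECKSUM, struct.pack("<I", 0x10) + KDC_SIG),
])
# Malformed: a 24-byte blob whose only index entry claims 100 bytes at offset 24.
PAC_TRUNCATED = struct.pack(HEADER_FMT, 1, 0) + struct.pack(ENTRY_FMT, PAC_LOGON_INFO, 100, 24)

if __name__ == "__main__":
    for label, blob in (("without", PAC_WITHOUT_DELEGATION), ("with", PAC_WITH_DELEGATION)):
        print(label, summarize(blob), "delegation info:", has_delegation_info(blob))
```

The raw PAC bytes would come from a decrypted service ticket (the keytab plus a packet capture of the GSSAPI ssh login, as asked above), and the SRV_CHECKSUM should be verified with the service key before any buffer content is believed; this example only answers whether the 0x0b buffer is present, which is the part the smbd dump cannot show.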
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.