[Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

Martin Basti mbasti at redhat.com
Thu Jun 23 07:49:31 UTC 2016



On 23.06.2016 09:44, David Kupka wrote:
> On 22/06/16 18:56, Simo Sorce wrote:
>> On Wed, 2016-06-22 at 18:36 +0200, Martin Babinsky wrote:
>>> On 06/22/2016 06:26 PM, Simo Sorce wrote:
>>>> On Wed, 2016-06-22 at 09:46 +0200, Martin Babinsky wrote:
>>>>> On 10/05/2015 03:00 PM, Martin Babinsky wrote:
>>>>>> These patches implement the plumbing required to properly support
>>>>>> canonicalization of Kerberos principals (
>>>>>> https://fedorahosted.org/freeipa/ticket/3864).
>>>>>>
>>>>>> Setting multiple principal aliases on hosts/services is beyond 
>>>>>> the scope
>>>>>> of this patchset and should be done after these patches are pushed.
>>>>>>
>>>>>> I will try to send some tests for the patches later this week.
>>>>>>
>>>>>> Please review the hell out of them.
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Long time no see.
>>>>>
>>>>> I am attaching rebased infrastructure patches which were reviewed and
>>>>> tested by David a year ago :). Now that all related DS bugs were 
>>>>> fixed
>>>>> and the patches still work as expected, we may push them so that the
>>>>> plumbing for further work (API for alias handling etc.) is in place.
>>>>>
>>>>
>>>> If the patches were all reviewed and tested I say push them.
>>>>
>>>> Simo.
>>>>
>>>
>>> There is one problem remaining, however: when a user is kinit'ing
>>> for the first time using his alias and has to change password, the
>>> operation fails:
>>>
>>> """
>>> [root@master1 ~]# kinit -C talias
>>> Password for talias@IPA.TEST:
>>> kinit: KDC reply did not match expectations while getting initial credentials
>>>
>>> """
>>>
>>> This is the related snippet from KDC log:
>>>
>>> """
>>> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: CLIENT KEY EXPIRED: talias@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST, Password has expired
>>> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
>>> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: NEEDED_PREAUTH: talias@IPA.TEST for kadmin/changepw@IPA.TEST, Additional pre-authentication required
>>> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
>>> Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: ISSUE: authtime 1466612968, etypes {rep=18 tkt=18 ses=18}, talias@IPA.TEST for kadmin/changepw@IPA.TEST
>>> Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): closing down fd 12
>>>
>>> """
>>>
>>> Here is the same command repeated with captured libkrb5 trace:
>>> https://paste.fedoraproject.org/383358/14666131
>>>
>>> If I use kinit with the canonical principal everything works as
>>> expected, even with the '-C' and '-E' options. Subsequent kinits using
>>> canonicalization work as expected.
>>>
>>> Frankly I have no idea why this happens and I do not know how much this
>>> error blocks us. We may need to investigate this before pizza orders 
>>> arrive.
>>
>> I guess the password changing code is making a request without
>> canonicalization flags set for the kpasswd service.
>> As you can see the kpasswd case is special because we are making an AS
>> REQ (not a TGS req) directly for that service, and that request needs to
>> use canonicalization as well, it probably isn't.
>>
>> Simo.
>>
>>
>
> Hello!
>
> I've reviewed and tested the patches a year ago and now with current
> master again. The only issue I've found is the problem Martin is
> describing: the user cannot kinit with an alias after a password reset.
> Since this is not a regression I believe the patches can be pushed now,
> and the issue can be solved together with the rest of the missing
> functionality. ACK!
>

pushed to master:
* e43231456d8de954423582dbee439e330573d04b perform case-insensitive principal search when canonicalization is requested
* 5f963e1ad18fdf52d0b41e143fd12f236b2a1ce7 mark 'ipaKrbPrincipalAlias' attribute as deprecated in schema
* 229ab40dd3d21346db8cd6dc65c03285f917271b add case-insensitive matching rule to krbprincipalname index
* 3f93f805571c1b791f0c378053ae8ecf37126e7f add krbCanonicalName to attributes watched by MODRDN plugin
* 7ed7a86511ec516c2f785968050f5d0a42978ba5 ipa-kdb: set krbCanonicalName when creating new principals
* b169a72735fccb170adb5c84ec1bcc10a70e5494 ipa-enrollment: set krbCanonicalName attribute on enrolled host entry
* 705f66f7490c64de1adc129221b31927616c485d IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities
* 1bba2ed45df83684be1d50ef6e1ddb10f7a7d074 set krbcanonicalname on host entry during krbinstance configuration
* 06d945a04607dc36e25af78688b4295420489fb9 account for added krbcanonicalname attribute during xmlrpc tests
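The following is an added example, not part of the thread and not code from FreeIPA, ipa-kdb or MIT krb5. It models the failure Martin quotes above and Simo's explanation of it: a KDC that resolves an alias to its krbCanonicalName (case-insensitively, as the first pushed commit does) and a client that, like kinit, only accepts a cname different from the requested name when it set the canonicalize flag in the AS-REQ. The password-change path issues its own AS-REQ directly for kadmin/changepw, so whether that second request carries the flag is modelled as a separate parameter. The directory entries are constructed, the function names are ours, and the assumption that the KDC returns the canonical name even without the flag is taken from the quoted log (the KDC logs ISSUE, the client rejects the reply).

```python
"""Illustrative model of 'KDC reply did not match expectations' for an
alias kinit with an expired password.  Added for this page; not code
from FreeIPA, ipa-kdb or MIT krb5.  Entries below are constructed."""

# Constructed entries as they look after the pushed patches: every name
# of an entry is a krbPrincipalName value, the one that goes into the
# ticket is krbCanonicalName.
DIRECTORY = [
    {"krbPrincipalName": ["tuser@IPA.TEST", "talias@IPA.TEST"],
     "krbCanonicalName": "tuser@IPA.TEST"},
    {"krbPrincipalName": ["krbtgt/IPA.TEST@IPA.TEST"],
     "krbCanonicalName": "krbtgt/IPA.TEST@IPA.TEST"},
    {"krbPrincipalName": ["kadmin/changepw@IPA.TEST"],
     "krbCanonicalName": "kadmin/changepw@IPA.TEST"},
]


class KrbError(Exception):
    """Stand-in for a libkrb5 error code."""


def kdc_lookup(requested):
    """KDC-side principal lookup.

    Modelled on commit e4323145 above: the search over krbPrincipalName
    is case-insensitive and the entry's krbCanonicalName becomes the
    cname of the reply.  Assumption of this model (implied by the quoted
    log): the canonical name is returned even when the client did not
    ask for canonicalization.
    """
    wanted = requested.lower()
    for entry in DIRECTORY:
        if wanted in (name.lower() for name in entry["krbPrincipalName"]):
            return entry["krbCanonicalName"]
    raise KrbError("Client not found in Kerberos database: %s" % requested)


def as_req(client_princ, server_princ, canonicalize):
    """One AS-REQ/AS-REP exchange; returns the cname the client accepts.

    The client check is the one kinit applies: unless the canonicalize
    flag was set in the request, the cname in the reply has to equal the
    requested name, otherwise libkrb5 reports
    "KDC reply did not match expectations".
    """
    kdc_lookup(server_princ)              # the service must exist too
    cname = kdc_lookup(client_princ)
    if not canonicalize and cname != client_princ:
        raise KrbError("KDC reply did not match expectations")
    return cname


def kinit(client_princ, canonicalize, password_expired=False,
          chpw_canonicalize=False):
    """Return the cname kinit ends up with, or the error line it prints.

    The first AS-REQ is for krbtgt and carries the flag set by -C.  With
    an expired password kinit then sends a second AS-REQ, directly for
    kadmin/changepw, to get a ticket for the password change; whether
    that request carries the canonicalize flag is the open question in
    the thread, so it is a separate parameter here.
    """
    try:
        cname = as_req(client_princ, "krbtgt/IPA.TEST@IPA.TEST", canonicalize)
        if password_expired:
            cname = as_req(client_princ, "kadmin/changepw@IPA.TEST",
                           chpw_canonicalize)
        return cname
    except KrbError as err:
        return "kinit: %s" % err


if __name__ == "__main__":
    # The case from the thread: 'kinit -C talias' with an expired password.
    print(kinit("talias@IPA.TEST", canonicalize=True,
                password_expired=True, chpw_canonicalize=False))
    # Canonical name requested: no canonicalization needed, works.
    print(kinit("tuser@IPA.TEST", canonicalize=False, password_expired=True))
```

Flip `chpw_canonicalize` to True and the alias case succeeds with the canonical cname, which is the behaviour one would expect once the kpasswd AS-REQ carries the same flag as the initial one.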
