<div dir="ltr"> <div class="gmail_extra"><div class="gmail_quote">On Wed, Feb 10, 2016 at 3:04 AM, Sumit Bose <<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class=""><div class="h5">On Wed, Feb 10, 2016 at 02:08:55AM +1100, Nik Lam wrote: > On Mon, Feb 8, 2016 at 11:53 PM, Sumit Bose <<a href="mailto:sbose@redhat.com">sbose@redhat.com</a>> wrote: > > > On Thu, Feb 04, 2016 at 07:25:29PM +1100, Nik Lam wrote: > > > On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose <<a href="mailto:sbose@redhat.com">sbose@redhat.com</a>> wrote: > > > > > > > On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote: > > > > > Hello, > > > > > > > > > > I installed ipa-server on Centos 7.1 and later did and upgrade of the > > > > whole > > > > > system to Centos 7.2. > > > > > > > > > > I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these > > > > > Centos/RHEL minor releases. > > > > > > > > > > We'd now like to try integrating with a 2FA provider via a radius > > proxy > > > > and > > > > > want to use anonymous PKINIT to secure the initial communications > > between > > > > > the client and the KDC. > > > > > > > > > > We've tried following the MIT Kerberos PKINIT configuration > > documentation > > > > > > > > > > <a href="http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html" rel="noreferrer" target="_blank">http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html</a> > > > > > > > > > > generating our own certs manually with openssl but haven't had any > > luck. > > > > > We're seeing this in the kdc log: > > > > > > > > > > preauth pkinit failed to initialize: No realms configured > > correctly > > > > for > > > > > pkinit support > > > > > > > > Which changes did you apply to krb5.conf? Did you use the IPA CA to > > sign > > > > the certificate or some other CA? > > > > > > > > > > > > > > I've noticed there are many new pkinit-related options that have been > > > > added > > > > > to the ipa-server-install script in 4.2.0, so it looks like PKINIT is > > > > > available in this version of FreeIPA. Is that the case? > > > > > > > > Which options are you referring to? > > > > > > > > bye, > > > > Sumit > > > > > > > > > > > > > > And if it is, what is the recommended way to enable it given that it > > > > seems > > > > > to have been disabled in the original install that I did? Or would it > > > > just > > > > > be easier to start from scratch with a 4.2.0 ipa-server-install? > > (It's a > > > > > test instance that doesn't have too much in it - it will take a > > several > > > > > hours to rebuild from scratch.) > > > > > > > > > > Regards, > > > > > > > > > > Nik > > > > > > > > > > > > > > > Thanks Sumit. > > > > > > It sounds like PKINIT is available but clearly I'm doing it wrong. > > > > > > > Which changes did you apply to krb5.conf? Did you use the IPA CA to > > sign > > > the certificate or some other CA? > > > > > > Actually, I modified the kdc.conf file - placed the kdc.pem, kdckey.pem > > and > > > cacert.pem files in /var/kerberos/krb5kdc/ that I generated via openssl > > > commands in the MIT Kerberos documentation. The only change to kdc.conf > > > file was to append the location of the kdckey.pem file to > > pkinit_identity. > > > > > > pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem > > > pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem > > > > > > became > > > > > > pkinit_identity = > > > FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem > > > pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem > > > > > > Should I have been modifying krb5.conf instead? It aslo sounds like I > > need > > > > no, kdc.conf is the right place, I actually meant kdc.conf but > > accidentially types krb5.conf. > > > > > to use a certificate signed by the IPAs CA - is this something that > > should > > > be generated using ipa-getcert? Or do I just find the IPA CA's private > > key > > > and use openssl following the MIT Kerberos documentation? > > > > > > > Which options are you referring to? > > > > > > When I looked at the --help text for 4.1.0 and 4.2.0 versions of > > > ipa-server-install, I noticed that 4.2.0 has these in the "certificate > > > system options": > > > > > > --no-pkinit disables pkinit setup steps > > > > > > --pkinit-cert-file=FILE > > > File containing the Kerberos KDC SSL certificate > > and > > > private key > > > > > > --pkinit-pin=PIN The password to unlock the Kerberos KDC private > > key > > > > > > --pkinit-cert-name=NAME > > > Name of the Kerberos KDC SSL certificate to > > install > > > > > > > > > Seeing that first one, I was a little hopeful that pkinit is enabled by > > > default in 4.2.0 but on a fresh install I just tried, I'm still seeing > > the > > > > no, unfortunately pkinit is currently disabled by default > > > > > following in krb5kdc.log when IPA is started up, so clearly it isn't. > > > > > > (Error): preauth pkinit failed to initialize: No realms configured > > > correctly for pkinit support > > > > I get the same error when I put the certificate and the key into > > separate files. Can you try to put both into one and use this for the > > pkinit_identity option? > > > > HTH > > > > bye, > > Sumit > > > > > Thanks Sumit, it did! > > I concatenated the cert and the key into a single file and the error has > indeed gone away from krb5kdc.log > > The odd thing is that I can't reproduce the error by splitting into two > separate files and restarting ipa.service again. > > Ignoring that mystery, how do I go about setting up the WELLKNOWN/ANONYMOUS > principal? > > I'm pretty sure it's needed for anonymous pkinit: > > $ kinit > kinit: Generic preauthentication failure while getting initial credentials > $ > > $ kinit -n > kinit: Client 'WELLKNOWN/<a href="mailto:ANONYMOUS@EXAMPLE.COM">ANONYMOUS@EXAMPLE.COM</a>' not found in Kerberos > database while getting initial credentials > $ > > Using kadmin per the MIT documentation doesn't seem to work (authenticated > as an IPA admin) > > # kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS' > Authenticating as principal admin/<a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> with password. > kadmin: Client not found in Kerberos database while initializing kadmin > interface > # > > # kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS' -p admin > Authenticating as principal admin with password. > Password for <a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a>: > WARNING: no policy specified for WELLKNOWN/<a href="mailto:ANONYMOUS@EXAMPLE.COM">ANONYMOUS@EXAMPLE.COM</a>; > defaulting to no policy > add_principal: Operation requires ``add'' privilege while creating > "WELLKNOWN/<a href="mailto:ANONYMOUS@EXAMPLE.COM">ANONYMOUS@EXAMPLE.COM</a>". > # </div></div>Please try kadmin.local -x ipa-setup-override-restrictions bye, Sumit </blockquote><div> Thanks Sumit. That seems to have worked to get the principal created. # kadmin.local -x ipa-setup-override-restrictions Authenticating as principal admin/<a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> with password. kadmin.local: addprinc -randkey WELLKNOWN/ANONYMOUS WARNING: no policy specified for WELLKNOWN/<a href="mailto:ANONYMOUS@EXAMPLE.COM">ANONYMOUS@EXAMPLE.COM</a>; defaulting to no policy Principal "WELLKNOWN/<a href="mailto:ANONYMOUS@EXAMPLE.COM">ANONYMOUS@EXAMPLE.COM</a>" created. kadmin.local: quit # I'm no longer seeing the error from the client about 'WELLKNOWN/<a href="mailto:ANONYMOUS@EXAMPLE.COM">ANONYMOUS@EXAMPLE.COM</a>' not found in Kerberos database. However, I'm being prompted for a password for the anonymous principal. $ kinit -n Password for WELLKNOWN/<a href="mailto:ANONYMOUS@EXAMPLE.COM">ANONYMOUS@EXAMPLE.COM</a>: kinit: Password incorrect while getting initial credentials $ That doesn't sound right to me - and indeed it doesn't provide an armor cache that I can use for authenticating my client user. Here's what's in the krb5kdc.log from that attempt to use kinit -n Feb 10 00:55:46 <a href="http://ipa00-756701.example.com">ipa00-756701.example.com</a> krb5kdc[4869](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.93.187.13">10.93.187.13</a>: NEEDED_PREAUTH: WELLKNOWN/<a href="mailto:ANONYMOUS@EXAMPLE.COM">ANONYMOUS@EXAMPLE.COM</a> for krbtgt/<a href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a>, Additional pre-authentication required Feb 10 00:55:46 <a href="http://ipa00-756701.example.com">ipa00-756701.example.com</a> krb5kdc[4869](info): closing down fd 12 Feb 10 00:55:47 <a href="http://ipa00-756701.example.com">ipa00-756701.example.com</a> krb5kdc[4869](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed Feb 10 00:55:47 <a href="http://ipa00-756701.example.com">ipa00-756701.example.com</a> krb5kdc[4869](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.93.187.13">10.93.187.13</a>: PREAUTH_FAILED: WELLKNOWN/<a href="mailto:ANONYMOUS@EXAMPLE.COM">ANONYMOUS@EXAMPLE.COM</a> for krbtgt/<a href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a>, Decrypt integrity check failed Feb 10 00:55:47 <a href="http://ipa00-756701.example.com">ipa00-756701.example.com</a> krb5kdc[4869](info): closing down fd 12 </div><div> Regards, </div><div>Nik </div><div> </div></div> </div></div>