[Freeipa-users] Cross-Realm authentication

Alexander Bokovoy abokovoy@redhat.com
Thu Dec 4 11:07:02 UTC 2014


On Thu, 04 Dec 2014, Andreas Ladanyi wrote:
>Am 03.12.2014 um 14:53 schrieb Alexander Bokovoy:
>> On Wed, 03 Dec 2014, Andreas Ladanyi wrote:
>>> Hi,
>>>
>>> I am trying to set up a cross-realm relationship.
>>>
>>> Generated krbtgt cross-realm principals on both KDCs with the same
>>> password and kvno:
>>>
>>> krbtgt/REALM_B (MIT Kerberos)@REALM_A (FreeIPA 3.3.5)
>>> krbtgt/REALM_A@REALM_B
>>>
>>> getprinc on REALM_A KDC for principal krbtgt/REALM_B@REALM_A:
>>>
>>> Number of keys: 4
>>> Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
>>> Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
>>> Key: vno 1, des3-cbc-sha1, Version 5
>>> Key: vno 1, arcfour-hmac, Version 5
>>> MKey: vno 1
>>>
>>> getprinc on REALM_A KDC for principal krbtgt/REALM_A@REALM_B:
>>>
>>> Number of keys: 4
>>> Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
>>> Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
>>> Key: vno 1, des3-cbc-sha1, Version 5
>>> Key: vno 1, arcfour-hmac, Version 5
>>> MKey: vno 1
>>>
>>> getprinc on REALM_B KDC for principal krbtgt/REALM_B@REALM_A:
>>>
>>> Number of keys: 6
>>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>>> Key: vno 1, DES cbc mode with CRC-32, no salt
>>> Key: vno 1, DES cbc mode with RSA-MD5, Version 4
>>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
>>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
>>> Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
>>> MKey: vno 1
>>>
>>> getprinc on REALM_B KDC for principal krbtgt/REALM_A@REALM_B:
>>>
>>> Number of keys: 6
>>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>>> Key: vno 1, DES cbc mode with CRC-32, no salt
>>> Key: vno 1, DES cbc mode with RSA-MD5, Version 4
>>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
>>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
>>> Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
>>> MKey: vno 1
>>>
>>>
>>> I set up the [capaths] section in the krb5.conf client config:
>>>
>>> [capaths]
>>> REALM_A = {
>>>    REALM_B = .
>>>    }
>>> REALM_B = {
>>>    REALM_A = .
>>>    }
>> You need this section on both realms' KDCs.
>>
>>
>
>I have done this now on all (2) KDCs without a restart of the Kerberos
>service. The error message is the same as in my first mail.
I'm also getting errors but they are different to yours. Here is what I
did:

(on master.f21.test, realm F21.TEST):
[root@master ~]# kadmin.local -x ipa-setup-override-restrictions -r F21.TEST
Authenticating as principal root/admin@F21.TEST with password.
kadmin.local:  addprinc -requires_preauth krbtgt/IPA5.TEST
WARNING: no policy specified for krbtgt/IPA5.TEST@F21.TEST; defaulting to no policy
Enter password for principal "krbtgt/IPA5.TEST@F21.TEST":
Re-enter password for principal "krbtgt/IPA5.TEST@F21.TEST":
Principal "krbtgt/IPA5.TEST@F21.TEST" created.
kadmin.local:  addprinc -requires_preauth krbtgt/F21.TEST@IPA5.TEST
WARNING: no policy specified for krbtgt/F21.TEST@IPA5.TEST; defaulting to no policy
Enter password for principal "krbtgt/F21.TEST@IPA5.TEST":
Re-enter password for principal "krbtgt/F21.TEST@IPA5.TEST":
Principal "krbtgt/F21.TEST@IPA5.TEST" created.
kadmin.local:  q

added the following to /etc/krb5.conf:
[libdefaults]
dns_lookup_realm = true

[domain_realm]
 .ipa5.test = IPA5.TEST
 ipa5.test = IPA5.TEST

[capaths]
 F21.TEST = {
  IPA5.TEST = .
 }
 IPA5.TEST = {
  F21.TEST = .
 }



(on ipa-05-m.ipa5.test, realm IPA5.TEST):
[root@ipa-05-m ~]# kadmin.local -x ipa-setup-override-restrictions -r IPA5.TEST
Authenticating as principal admin/admin@IPA5.TEST with password.
kadmin.local:  addprinc -requires_preauth krbtgt/F21.TEST
WARNING: no policy specified for krbtgt/F21.TEST@IPA5.TEST; defaulting to no policy
Enter password for principal "krbtgt/F21.TEST@IPA5.TEST":
Re-enter password for principal "krbtgt/F21.TEST@IPA5.TEST":
Principal "krbtgt/F21.TEST@IPA5.TEST" created.
kadmin.local:  addprinc -requires_preauth krbtgt/IPA5.TEST@F21.TEST
WARNING: no policy specified for krbtgt/IPA5.TEST@F21.TEST; defaulting to no policy
Enter password for principal "krbtgt/IPA5.TEST@F21.TEST":
Re-enter password for principal "krbtgt/IPA5.TEST@F21.TEST":
Principal "krbtgt/IPA5.TEST@F21.TEST" created.
kadmin.local:  q

and similar changes to /etc/krb5.conf.

Then I tried to get a ticket to host/master.f21.test@F21.TEST while
being admin@IPA5.TEST:

[root@ipa-05-m ~]# kinit admin
Password for admin@IPA5.TEST:
[root@ipa-05-m ~]# KRB5_TRACE=/dev/stderr kvno -S host master.f21.test
[22351] 1417689782.154516: Convert service host (service with host as instance) on host master.f21.test to principal
[22351] 1417689782.158724: Remote host after forward canonicalization: master.f21.test
[22351] 1417689782.158814: Remote host after reverse DNS processing: master.f21.test
[22351] 1417689782.158849: Get host realm for master.f21.test
[22351] 1417689782.158899: Use local host master.f21.test to get host realm
[22351] 1417689782.158946: Look up master.f21.test in the domain_realm map
[22351] 1417689782.158999: Look up .f21.test in the domain_realm map
[22351] 1417689782.159023: Temporary realm is F21.TEST
[22351] 1417689782.159044: Got realm F21.TEST for host master.f21.test
[22351] 1417689782.159071: Got service principal host/master.f21.test@F21.TEST
[22351] 1417689782.159098: Getting credentials admin@IPA5.TEST -> host/master.f21.test@F21.TEST using ccache KEYRING:persistent:0:0
[22351] 1417689782.159237: Retrieving admin@IPA5.TEST -> host/master.f21.test@F21.TEST from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[22351] 1417689782.159297: Retrieving admin@IPA5.TEST -> krbtgt/F21.TEST@IPA5.TEST from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[22351] 1417689782.159411: Retrieving admin@IPA5.TEST -> krbtgt/IPA5.TEST@IPA5.TEST from KEYRING:persistent:0:0 with result: 0/Success
[22351] 1417689782.159453: Starting with TGT for client realm: admin@IPA5.TEST -> krbtgt/IPA5.TEST@IPA5.TEST
[22351] 1417689782.159502: Retrieving admin@IPA5.TEST -> krbtgt/F21.TEST@IPA5.TEST from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[22351] 1417689782.159530: Requesting TGT krbtgt/F21.TEST@IPA5.TEST using TGT krbtgt/IPA5.TEST@IPA5.TEST
[22351] 1417689782.159576: Generated subkey for TGS request: aes256-cts/54E6
[22351] 1417689782.159628: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[22351] 1417689782.159726: Encoding request body and padata into FAST request
[22351] 1417689782.159784: Sending request (890 bytes) to IPA5.TEST
[22351] 1417689782.159909: Sending initial UDP request to dgram 192.168.5.109:88
[22351] 1417689782.161823: Received answer from dgram 192.168.5.109:88
[22351] 1417689782.161925: Response was from master KDC
[22351] 1417689782.162011: Decoding FAST response
[22351] 1417689782.162084: FAST reply key: aes256-cts/EBCE
[22351] 1417689782.162127: TGS reply is for admin@IPA5.TEST -> krbtgt/F21.TEST@IPA5.TEST with session key aes256-cts/822B
[22351] 1417689782.162159: TGS request result: 0/Success
[22351] 1417689782.162185: Removing admin@IPA5.TEST -> krbtgt/F21.TEST@IPA5.TEST from KEYRING:persistent:0:0
[22351] 1417689782.162207: Storing admin@IPA5.TEST -> krbtgt/F21.TEST@IPA5.TEST in KEYRING:persistent:0:0
[22351] 1417689782.162268: Received TGT for service realm: krbtgt/F21.TEST@IPA5.TEST
[22351] 1417689782.162296: Requesting tickets for host/master.f21.test@F21.TEST, referrals on
[22351] 1417689782.162322: Generated subkey for TGS request: aes256-cts/61A2
[22351] 1417689782.162359: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[22351] 1417689782.162413: Encoding request body and padata into FAST request
[22351] 1417689782.162460: Sending request (855 bytes) to F21.TEST
[22351] 1417689782.162493: Resolving hostname master.f21.test
[22351] 1417689782.163213: Sending initial UDP request to dgram 192.168.5.169:88
[22351] 1417689782.165439: Received answer from dgram 192.168.5.169:88
[22351] 1417689782.165516: Response was from master KDC
[22351] 1417689782.165572: Decoding FAST response
[22351] 1417689782.165643: TGS request result: -1765328372/KDC policy rejects request
[22351] 1417689782.165680: Requesting tickets for host/master.f21.test@F21.TEST, referrals off
[22351] 1417689782.165714: Generated subkey for TGS request: aes256-cts/FEA9
[22351] 1417689782.165751: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[22351] 1417689782.165799: Encoding request body and padata into FAST request
[22351] 1417689782.165847: Sending request (855 bytes) to F21.TEST
[22351] 1417689782.165875: Resolving hostname master.f21.test
[22351] 1417689782.166084: Sending initial UDP request to dgram 192.168.5.169:88
[22351] 1417689782.167602: Received answer from dgram 192.168.5.169:88
[22351] 1417689782.167642: Response was from master KDC
[22351] 1417689782.167669: Decoding FAST response
[22351] 1417689782.167709: TGS request result: -1765328372/KDC policy rejects request
kvno: KDC policy rejects request while getting credentials for host/master.f21.test@F21.TEST
[root@ipa-05-m ~]#

And in /var/log/krb5kdc.log on master.f21.test (KDC for F21.TEST) I can
see:
Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path from 'admin@IPA5.TEST' to 'host/master.f21.test@F21.TEST' via ''
Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, admin@IPA5.TEST for host/master.f21.test@F21.TEST, KDC policy rejects request
Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path from 'admin@IPA5.TEST' to 'host/master.f21.test@F21.TEST' via ''
Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, admin@IPA5.TEST for host/master.f21.test@F21.TEST, KDC policy rejects request

And this is correct for FreeIPA 3.3 or later because we limit trust to
those domains we defined in cn=ad,cn=trusts,$SUFFIX with the filter
(objectclass=ipaNTTrustedDomain). For the rest we return the
KRB5KRB_AP_ERR_ILL_CR_TKT error code, which is visible as 'KDC policy
rejects request'.


We may reconsider this check and instead of KRB5KRB_AP_ERR_ILL_CR_TKT
return KRB5_PLUGIN_NO_HANDLE to allow fallback to krb5.conf-defined
capaths but I remember we had some issues with krb5 versions prior to
1.12 where capaths from krb5.conf were blocking work of the DAL driver.



-- 
/ Alexander Bokovoy
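As an added example (not code from the thread or from FreeIPA): a small Python check that reads krb5kdc.log lines like the ones above, pulls the client and service realms out of each 'bad realm transit path' entry, and tells a missing direct path in [capaths] apart from a KDC-side policy rejection such as FreeIPA's trusted-domain check. The CAPATHS dictionary mirrors the krb5.conf shown in the mail; the two log lines are the constructed sample input.

```python
import re

# MIT krb5kdc.log message written when a TGS request fails the transit check (format as on this page).
TRANSIT_RE = re.compile(r"bad realm transit path from '(?P<client>[^']*)' "
                        r"to '(?P<server>[^']*)' via '(?P<transited>[^']*)'")

def realm_of(principal):
    """Realm part of name@REALM."""
    if "@" not in principal:
        raise ValueError(f"no realm in principal {principal!r}")
    return principal.rsplit("@", 1)[1]

def parse_bad_transit(line):
    """Realms involved in a 'bad realm transit path' line, or None for any other line."""
    m = TRANSIT_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["client_realm"] = realm_of(ev["client"])
    ev["server_realm"] = realm_of(ev["server"])
    # 'via' holds the transited-realms field; empty means the client asked for a direct hop.
    ev["transited"] = [r for r in ev["transited"].split(",") if r]
    return ev

def direct_path_declared(capaths, client_realm, server_realm):
    """True if [capaths] contains 'client_realm = { server_realm = . }'."""
    return capaths.get(client_realm, {}).get(server_realm) == "."

def classify(lines, capaths):
    """One finding per BAD_TRANSIT line: krb5.conf gap, multi-hop path, or KDC-side policy."""
    findings = []
    for ev in filter(None, map(parse_bad_transit, lines)):
        if ev["transited"]:
            reason = "multi-hop path; every intermediate realm must be listed in [capaths]"
        elif direct_path_declared(capaths, ev["client_realm"], ev["server_realm"]):
            # capaths already allows the hop, so the KDC itself refused (FreeIPA's trusted-domain check)
            reason = "direct path declared; KDC policy rejected the hop"
        else:
            reason = "no direct path in [capaths]; declare it on both KDCs"
        findings.append((ev["client_realm"], ev["server_realm"], reason))
    return findings

# Constructed input: the two kinds of log line from the krb5kdc.log excerpt in the mail.
SAMPLE_LOG = [
    "Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path "
    "from 'admin@IPA5.TEST' to 'host/master.f21.test@F21.TEST' via ''",
    "Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) "
    "192.168.5.109: BAD_TRANSIT: authtime 1417689777, admin@IPA5.TEST for "
    "host/master.f21.test@F21.TEST, KDC policy rejects request",
]
CAPATHS = {"F21.TEST": {"IPA5.TEST": "."}, "IPA5.TEST": {"F21.TEST": "."}}
```

Running classify(SAMPLE_LOG, CAPATHS) on the thread's setup reports the IPA5.TEST to F21.TEST hop as rejected by KDC policy despite a declared direct path, which is exactly the FreeIPA behaviour explained above.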



