[Freeipa-users] Cross-Realm authentification
Andreas Ladanyi
andreas.ladanyi at kit.edu
Fri Dec 5 12:26:35 UTC 2014
> I'm also getting errors but they are different to yours. Here is what I
> did:
>
> (on master.f21.test, realm F21.TEST):
> [root at master ~]# kadmin.local -x ipa-setup-override-restrictions -r
> F21.TEST
> Authenticating as principal root/admin at F21.TEST with password.
> kadmin.local: addprinc -requires_preauth krbtgt/IPA5.TEST
> WARNING: no policy specified for krbtgt/IPA5.TEST at F21.TEST; defaulting
> to no policy
> Enter password for principal "krbtgt/IPA5.TEST at F21.TEST": Re-enter
> password for principal "krbtgt/IPA5.TEST at F21.TEST": Principal
> "krbtgt/IPA5.TEST at F21.TEST" created.
> kadmin.local: addprinc -requires_preauth krbtgt/F21.TEST at IPA5.TEST
> WARNING: no policy specified for krbtgt/F21.TEST at IPA5.TEST; defaulting
> to no policy
> Enter password for principal "krbtgt/F21.TEST at IPA5.TEST": Re-enter
> password for principal "krbtgt/F21.TEST at IPA5.TEST": Principal
> "krbtgt/F21.TEST at IPA5.TEST" created.
> kadmin.local: q
>
> added following to the /etc/krb5.conf:
> [libdefaults]
> dns_lookup_realm = true
>
> [domain_realms]
> .ipa5.test = IPA5.TEST
> ipa5.test = IPA5.TEST
Why only one domain and one realm if you have two REALMs ?
On this position i have another question:
I have 2 REALMs and one DNS domain.
.domainname_X = REALM A
domainname_X = REALM A
.domainname_X = REALM B
domainname_X = REALM B
Could this work clear ?
On my first "kvno -S host hostname_in_foreign_domain" i saw that the
temporary realm wasnt choosen correct. So i had to delete one REALM
entry in the domain_realm section to get kvno -S chooses the correct (
foreign ) temporary realm.
>
> [capaths]
> F21.TEST = { IPA5.TEST = . }
> IPA5.TEST = { F21.TEST = . }
>
>
>
> (on ipa-05-m.ipa5.test, realm IPA5.TEST):
> [root at ipa-05-m ~]# kadmin.local -x ipa-setup-override-restrictions -r
> IPA5.TEST
> Authenticating as principal admin/admin at IPA5.TEST with password.
> kadmin.local: addprinc -requires_preauth krbtgt/F21.TEST
> WARNING: no policy specified for krbtgt/F21.TEST at IPA5.TEST; defaulting
> to no policy
> Enter password for principal "krbtgt/F21.TEST at IPA5.TEST": Re-enter
> password for principal "krbtgt/F21.TEST at IPA5.TEST": Principal
> "krbtgt/F21.TEST at IPA5.TEST" created.
> kadmin.local: addprinc -requires_preauth krbtgt/IPA5.TEST at F21.TEST
> WARNING: no policy specified for krbtgt/IPA5.TEST at F21.TEST; defaulting
> to no policy
> Enter password for principal "krbtgt/IPA5.TEST at F21.TEST": Re-enter
> password for principal "krbtgt/IPA5.TEST at F21.TEST": Principal
> "krbtgt/IPA5.TEST at F21.TEST" created.
> kadmin.local: q
>
Ok, i see one difference: i didnt use the "-requires_preauth" flag. Why
did you use them ?
> and similar changes to /etc/krb5.conf.
>
> Then I tried to get a ticket to host/master.f21.test at F21.TEST while
> being an admin at IPA5.TEST:
I tried out this on the IPA box to connect to the non IPA box (foreign
realm).
>
> [root at ipa-05-m ~]# kinit admin
> Password for admin at IPA5.TEST: [root at ipa-05-m ~]#
> KRB5_TRACE=/dev/stderr kvno -S host master.f21.test
> [22351] 1417689782.154516: Convert service host (service with host as
> instance) on host master.f21.test to principal
> [22351] 1417689782.158724: Remote host after forward canonicalization:
> master.f21.test
> [22351] 1417689782.158814: Remote host after reverse DNS processing:
> master.f21.test
> [22351] 1417689782.158849: Get host realm for master.f21.test
> [22351] 1417689782.158899: Use local host master.f21.test to get host
> realm
> [22351] 1417689782.158946: Look up master.f21.test in the domain_realm
> map
> [22351] 1417689782.158999: Look up .f21.test in the domain_realm map
> [22351] 1417689782.159023: Temporary realm is F21.TEST
> [22351] 1417689782.159044: Got realm F21.TEST for host master.f21.test
> [22351] 1417689782.159071: Got service principal
> host/master.f21.test at F21.TEST
> [22351] 1417689782.159098: Getting credentials admin at IPA5.TEST ->
> host/master.f21.test at F21.TEST using ccache KEYRING:persistent:0:0
> [22351] 1417689782.159237: Retrieving admin at IPA5.TEST ->
> host/master.f21.test at F21.TEST from KEYRING:persistent:0:0 with result:
> -1765328243/Matching credential not found
> [22351] 1417689782.159297: Retrieving admin at IPA5.TEST ->
> krbtgt/F21.TEST at IPA5.TEST from KEYRING:persistent:0:0 with result:
> -1765328243/Matching credential not found
> [22351] 1417689782.159411: Retrieving admin at IPA5.TEST ->
> krbtgt/IPA5.TEST at IPA5.TEST from KEYRING:persistent:0:0 with result:
> 0/Success
> [22351] 1417689782.159453: Starting with TGT for client realm:
> admin at IPA5.TEST -> krbtgt/IPA5.TEST at IPA5.TEST
> [22351] 1417689782.159502: Retrieving admin at IPA5.TEST ->
> krbtgt/F21.TEST at IPA5.TEST from KEYRING:persistent:0:0 with result:
> -1765328243/Matching credential not found
> [22351] 1417689782.159530: Requesting TGT krbtgt/F21.TEST at IPA5.TEST
> using TGT krbtgt/IPA5.TEST at IPA5.TEST
> [22351] 1417689782.159576: Generated subkey for TGS request:
> aes256-cts/54E6
> [22351] 1417689782.159628: etypes requested in TGS request:
> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts,
> camellia256-cts
> [22351] 1417689782.159726: Encoding request body and padata into FAST
> request
> [22351] 1417689782.159784: Sending request (890 bytes) to IPA5.TEST
> [22351] 1417689782.159909: Sending initial UDP request to dgram
> 192.168.5.109:88
> [22351] 1417689782.161823: Received answer from dgram 192.168.5.109:88
> [22351] 1417689782.161925: Response was from master KDC
> [22351] 1417689782.162011: Decoding FAST response
> [22351] 1417689782.162084: FAST reply key: aes256-cts/EBCE
> [22351] 1417689782.162127: TGS reply is for admin at IPA5.TEST ->
> krbtgt/F21.TEST at IPA5.TEST with session key aes256-cts/822B
> [22351] 1417689782.162159: TGS request result: 0/Success
> [22351] 1417689782.162185: Removing admin at IPA5.TEST ->
> krbtgt/F21.TEST at IPA5.TEST from KEYRING:persistent:0:0
> [22351] 1417689782.162207: Storing admin at IPA5.TEST ->
> krbtgt/F21.TEST at IPA5.TEST in KEYRING:persistent:0:0
> [22351] 1417689782.162268: Received TGT for service realm:
> krbtgt/F21.TEST at IPA5.TEST
> [22351] 1417689782.162296: Requesting tickets for
> host/master.f21.test at F21.TEST, referrals on
> [22351] 1417689782.162322: Generated subkey for TGS request:
> aes256-cts/61A2
> [22351] 1417689782.162359: etypes requested in TGS request:
> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts,
> camellia256-cts
> [22351] 1417689782.162413: Encoding request body and padata into FAST
> request
> [22351] 1417689782.162460: Sending request (855 bytes) to F21.TEST
> [22351] 1417689782.162493: Resolving hostname master.f21.test
> [22351] 1417689782.163213: Sending initial UDP request to dgram
> 192.168.5.169:88
> [22351] 1417689782.165439: Received answer from dgram 192.168.5.169:88
> [22351] 1417689782.165516: Response was from master KDC
In my case:
[31580] 1417773156.446922: TGS request result: -1765328324/KDC returned
error string: PROCESS_TGS
There is no Decoding FAST response.
> [22351] 1417689782.165572: Decoding FAST response
> [22351] 1417689782.165643: TGS request result: -1765328372/KDC policy
> rejects request
> [22351] 1417689782.165680: Requesting tickets for
> host/master.f21.test at F21.TEST, referrals off
> [22351] 1417689782.165714: Generated subkey for TGS request:
> aes256-cts/FEA9
> [22351] 1417689782.165751: etypes requested in TGS request:
> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts,
> camellia256-cts
> [22351] 1417689782.165799: Encoding request body and padata into FAST
> request
> [22351] 1417689782.165847: Sending request (855 bytes) to F21.TEST
> [22351] 1417689782.165875: Resolving hostname master.f21.test
> [22351] 1417689782.166084: Sending initial UDP request to dgram
> 192.168.5.169:88
> [22351] 1417689782.167602: Received answer from dgram 192.168.5.169:88
> [22351] 1417689782.167642: Response was from master KDC
In my case at this position:
[31580] 1417773156.449640: TGS request result: -1765328324/KDC returned
error string: PROCESS_TGS
kvno: KDC returned error string: PROCESS_TGS while getting credentials for
I found out that at the non IPA KDC (the foreign KDC) isnt a Port 88
available (closed). The ports 464+749 are available.
On the IPA KDC there are ports 88+464+749
There is no Decoding FAST response.
> [22351] 1417689782.167669: Decoding FAST response
> [22351] 1417689782.167709: TGS request result: -1765328372/KDC policy
> rejects request
> kvno: KDC policy rejects request while getting credentials for
> host/master.f21.test at F21.TEST
> [root at ipa-05-m ~]#
> And /var/log/krb5kdc.log on master.f21.test (KDC for F21.TEST) I can
> see:
> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit
> path from 'admin at IPA5.TEST' to 'host/master.f21.test at F21.TEST' via ''
> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes
> {18 17 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777,
> admin at IPA5.TEST for host/master.f21.test at F21.TEST, KDC policy rejects
> request
> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit
> path from 'admin at IPA5.TEST' to 'host/master.f21.test at F21.TEST' via ''
> Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes
> {18 17 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777,
> admin at IPA5.TEST for host/master.f21.test at F21.TEST, KDC policy rejects
> request
>
> And this is correct for FreeIPA 3.3 or later because we limit trust to
> those domains we defined in cn=ad,cn=trusts,$SUFFIX with filter
> (objectclass=ipaNTTrustedDomain). For the rest we return
> KRB5KRB_AP_ERR_ILL_CR_TKT error code which is visible as 'KDC policy
> rejects request'.
Is it possible or a good idea to add my trust domain, which isnt a AD
domain, manualy to IPA 3.3 ?
>
>
> We may reconsider this check and instead of KRB5KRB_AP_ERR_ILL_CR_TKT
> return KRB5_PLUGIN_NO_HANDLE to allow fallback to krb5.conf-defined
> capaths but I remember we had some issues with krb5 versions prior to
> 1.12 where capaths from krb5.conf were blocking work of the DAL driver.
I use MIT Kerberos 1.6 from OpenCSW on Solaris and FreeIPA 3.3.5. So
this shouldnt be a problem ?!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5306 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141205/73e41b6f/attachment.p7s>
More information about the Freeipa-users
mailing list