[Freeipa-users] Cross-Realm authentification

Alexander Bokovoy abokovoy at redhat.com
Fri Dec 5 20:26:55 UTC 2014 

On Fri, 05 Dec 2014, Petr Spacek wrote:
>On 5.12.2014 15:21, Andreas Ladanyi wrote:
>> Am 05.12.2014 um 14:04 schrieb Alexander Bokovoy:
>>>
>>>>>>
>>>>> Ok, i see one difference: i didnt use the "-requires_preauth" flag. Why
>>>>> did you use them ?
>>>> Because this is recommended by MIT documentation. The link between
>>>> realms has to be protected well, including preauth and good passwords
>>>> for the cross-realm principals.
>>>>
>>>>
>>>>> Is it possible or a good idea to add my trust domain, which isnt a AD
>>>>> domain, manualy to IPA 3.3 ?
>>>> Well, you can hack of course, that's up to you. I haven't checked that
>>>> myself and cannot give you definitive answer on this path, though.
>> At this time i havent an idea off the steps in detail how to do that.
>>>>
>>>>>>
>>>>>>
>>>>>> We may reconsider this check and instead of KRB5KRB_AP_ERR_ILL_CR_TKT
>>>>>> return KRB5_PLUGIN_NO_HANDLE to allow fallback to krb5.conf-defined
>>>>>> capaths but I remember we had some issues with krb5 versions prior to
>>>>>> 1.12 where capaths from krb5.conf were blocking work of the DAL
>>>>>> driver.
>>>>> I use MIT Kerberos 1.6 from OpenCSW on Solaris and FreeIPA 3.3.5. So
>>>>> this shouldnt be a problem ?!
>> Sorry i made a little typing mistake. The foreign realm ist MIT Kerberos
>> 1.9.2 and not 1.6
>>>> 1.6 does not support cross-realm communication as support for RFC6806
>>>> was added only in 1.7. So I don't think your setup would have any chance
>>>> to work at all.
>>> Hm.. on the other hand, 1.6 documentation talks about it:
>>> http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Cross_002drealm-Authentication
>>>
>>> So may be their changelogs aren't as complete as they should be. :)
>>>
>>> With the link above you can also see with disabling preauth on the
>>> cross-realm krbtgt records is recommended.
>>>
>>> But I think most of your issues were because of the 88 port not being
>>> available and no other means to traverse firewall were configured.
>> I will look particular for that.
>>
>> There is no firewall between the two KDCs.
>>
>>> That
>>> is, aside from the fact that IPA will reject cross-realm tickets because
>>> of how we programmed DAL driver as I explained above.
>>
>>
>> I dont know in detail what DAL is doing.
>>
>> OK, it sounds like with IPA my setup wont be very easy :-)
>
>I guess that Alexander or Simo could point you to the line in the source code
>you have to change (or send you one-line patch?) but you will have to
>recompile the driver from source.
>
>Do you want to try this way?
Attached please find a patch that solves the issue of cross-realm trust
for me:
[root at ipa-05-m ~]# kinit admin
Password for admin at IPA5.TEST: 
[root at ipa-05-m ~]# KRB5_TRACE=/dev/stderr kvno -S host master.f21.test
[16101] 1417810641.441614: Convert service host (service with host as instance) on host master.f21.test to principal
[16101] 1417810641.449424: Remote host after forward canonicalization: master.f21.test
[16101] 1417810641.449501: Remote host after reverse DNS processing: master.f21.test
[16101] 1417810641.449549: Get host realm for master.f21.test
[16101] 1417810641.449593: Use local host master.f21.test to get host realm
[16101] 1417810641.449630: Look up master.f21.test in the domain_realm map
[16101] 1417810641.449655: Look up .f21.test in the domain_realm map
[16101] 1417810641.449677: Temporary realm is F21.TEST
[16101] 1417810641.449697: Got realm F21.TEST for host master.f21.test
[16101] 1417810641.449724: Got service principal host/master.f21.test at F21.TEST
[16101] 1417810641.449750: Getting credentials admin at IPA5.TEST -> host/master.f21.test at F21.TEST using ccache KEYRING:persistent:0:0
[16101] 1417810641.449888: Retrieving admin at IPA5.TEST -> host/master.f21.test at F21.TEST from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[16101] 1417810641.449946: Retrieving admin at IPA5.TEST -> krbtgt/F21.TEST at IPA5.TEST from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[16101] 1417810641.450065: Retrieving admin at IPA5.TEST -> krbtgt/IPA5.TEST at IPA5.TEST from KEYRING:persistent:0:0 with result: 0/Success
[16101] 1417810641.450095: Starting with TGT for client realm: admin at IPA5.TEST -> krbtgt/IPA5.TEST at IPA5.TEST
[16101] 1417810641.450144: Retrieving admin at IPA5.TEST -> krbtgt/F21.TEST at IPA5.TEST from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[16101] 1417810641.450171: Requesting TGT krbtgt/F21.TEST at IPA5.TEST using TGT krbtgt/IPA5.TEST at IPA5.TEST
[16101] 1417810641.450216: Generated subkey for TGS request: aes256-cts/3A06
[16101] 1417810641.450267: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[16101] 1417810641.450364: Encoding request body and padata into FAST request
[16101] 1417810641.450422: Sending request (890 bytes) to IPA5.TEST
[16101] 1417810641.450559: Sending initial UDP request to dgram 192.168.5.109:88
[16101] 1417810641.452191: Received answer from dgram 192.168.5.109:88
[16101] 1417810641.452241: Response was from master KDC
[16101] 1417810641.452273: Decoding FAST response
[16101] 1417810641.452366: FAST reply key: aes256-cts/ADA3
[16101] 1417810641.452420: TGS reply is for admin at IPA5.TEST -> krbtgt/F21.TEST at IPA5.TEST with session key aes256-cts/2C28
[16101] 1417810641.452453: TGS request result: 0/Success
[16101] 1417810641.452479: Removing admin at IPA5.TEST -> krbtgt/F21.TEST at IPA5.TEST from KEYRING:persistent:0:0
[16101] 1417810641.452509: Storing admin at IPA5.TEST -> krbtgt/F21.TEST at IPA5.TEST in KEYRING:persistent:0:0
[16101] 1417810641.452572: Received TGT for service realm: krbtgt/F21.TEST at IPA5.TEST
[16101] 1417810641.452600: Requesting tickets for host/master.f21.test at F21.TEST, referrals on
[16101] 1417810641.452626: Generated subkey for TGS request: aes256-cts/599E
[16101] 1417810641.452662: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[16101] 1417810641.452707: Encoding request body and padata into FAST request
[16101] 1417810641.452754: Sending request (855 bytes) to F21.TEST
[16101] 1417810641.452805: Resolving hostname master.f21.test
[16101] 1417810641.453031: Sending initial UDP request to dgram 192.168.5.169:88
[16101] 1417810641.456205: Received answer from dgram 192.168.5.169:88
[16101] 1417810641.456285: Response was from master KDC
[16101] 1417810641.456318: Decoding FAST response
[16101] 1417810641.456380: FAST reply key: aes256-cts/E5C4
[16101] 1417810641.456422: TGS reply is for admin at IPA5.TEST -> host/master.f21.test at F21.TEST with session key aes256-cts/5D01
[16101] 1417810641.456456: TGS request result: 0/Success
[16101] 1417810641.456479: Received creds for desired service host/master.f21.test at F21.TEST
[16101] 1417810641.456522: Removing admin at IPA5.TEST -> host/master.f21.test at F21.TEST from KEYRING:persistent:0:0
[16101] 1417810641.456564: Storing admin at IPA5.TEST -> host/master.f21.test at F21.TEST in KEYRING:persistent:0:0
host/master.f21.test at F21.TEST: kvno = 2

[root at ipa-05-m ~]# klist -edf
Ticket cache: KEYRING:persistent:0:0
Default principal: admin at IPA5.TEST

Valid starting       Expires              Service principal
05.12.2014 22:17:10  06.12.2014 22:17:10  host/master.f21.test at F21.TEST
	Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
05.12.2014 22:17:21  06.12.2014 22:17:14  krbtgt/F21.TEST at IPA5.TEST
	Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
05.12.2014 22:17:17  06.12.2014 22:17:14  krbtgt/IPA5.TEST at IPA5.TEST
	Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 

Of course, the fact that Kerberos tickets can get issued doesn't mean
that user can login and gain certain privileges. After all, SSSDs on IPA
hosts will not be able to map these Kerberos principals to anything
locally unless you would explicitly instruct libkrb5 via /etc/krb5.conf
on each IPA host.
-- 
/ Alexander Bokovoy

More information about the Freeipa-users mailing list