[Freeipa-users] PKINIT support in FreeIPA 4.2.0

Sumit Bose sbose at redhat.com
Wed Feb 10 08:43:17 UTC 2016


On Wed, Feb 10, 2016 at 12:07:45PM +1100, Nik Lam wrote:
> On Wed, Feb 10, 2016 at 3:04 AM, Sumit Bose <sbose at redhat.com> wrote:
> 
> > On Wed, Feb 10, 2016 at 02:08:55AM +1100, Nik Lam wrote:
> > > On Mon, Feb 8, 2016 at 11:53 PM, Sumit Bose <sbose at redhat.com> wrote:
> > >
> > > > On Thu, Feb 04, 2016 at 07:25:29PM +1100, Nik Lam wrote:
> > > > > On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose <sbose at redhat.com> wrote:
> > > > >
> > > > > > On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > I installed ipa-server on Centos 7.1 and later did an upgrade of the
> > > > > > > whole system to Centos 7.2.
> > > > > > >
> > > > > > > I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these
> > > > > > > Centos/RHEL minor releases.
> > > > > > >
> > > > > > > We'd now like to try integrating with a 2FA provider via a radius proxy and
> > > > > > > want to use anonymous PKINIT to secure the initial communications between
> > > > > > > the client and the KDC.
> > > > > > >
> > > > > > > We've tried following the MIT Kerberos PKINIT configuration documentation
> > > > > > >
> > > > > > >     http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html
> > > > > > >
> > > > > > > generating our own certs manually with openssl but haven't had any luck.
> > > > > > > We're seeing this in the kdc log:
> > > > > > >
> > > > > > >     preauth pkinit failed to initialize: No realms configured correctly for pkinit support
> > > > > >
> > > > > > Which changes did you apply to krb5.conf? Did you use the IPA CA to sign
> > > > > > the certificate or some other CA?
> > > > > >
> > > > > > >
> > > > > > > I've noticed there are many new pkinit-related options that have been added
> > > > > > > to the ipa-server-install script in 4.2.0, so it looks like PKINIT is
> > > > > > > available in this version of FreeIPA. Is that the case?
> > > > > >
> > > > > > Which options are you referring to?
> > > > > >
> > > > > > bye,
> > > > > > Sumit
> > > > > >
> > > > > > >
> > > > > > > And if it is, what is the recommended way to enable it given that it seems
> > > > > > > to have been disabled in the original install that I did? Or would it just
> > > > > > > be easier to start from scratch with a 4.2.0 ipa-server-install? (It's a
> > > > > > > test instance that doesn't have too much in it - it will take several
> > > > > > > hours to rebuild from scratch.)
> > > > > > >
> > > > > > > Regards,
> > > > > > >
> > > > > > > Nik
> > > > > >
> > > > > >
> > > > > >
> > > > > Thanks Sumit.
> > > > >
> > > > > It sounds like PKINIT is available but clearly I'm doing it wrong.
> > > > >
> > > > >  > Which changes did you apply to krb5.conf? Did you use the IPA CA to sign
> > > > >  > the certificate or some other CA?
> > > > >
> > > > > Actually, I modified the kdc.conf file - placed the kdc.pem, kdckey.pem and
> > > > > cacert.pem files in /var/kerberos/krb5kdc/ that I generated via openssl
> > > > > commands in the MIT Kerberos documentation. The only change to kdc.conf
> > > > > file was to append the location of the kdckey.pem file to pkinit_identity.
> > > > >
> > > > >   pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
> > > > >   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> > > > >
> > > > > became
> > > > >
> > > > >   pkinit_identity =
> > > > > FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
> > > > >   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> > > > >
> > > > > Should I have been modifying krb5.conf instead? It also sounds like I need
> > > >
> > > > no, kdc.conf is the right place, I actually meant kdc.conf but
> > > > accidentally typed krb5.conf.
> > > >
> > > > > to use a certificate signed by the IPA's CA - is this something that should
> > > > > be generated using ipa-getcert? Or do I just find the IPA CA's private key
> > > > > and use openssl following the MIT Kerberos documentation?
> > > > >
> > > > >  > Which options are you referring to?
> > > > >
> > > > > When I looked at the --help text for 4.1.0 and 4.2.0 versions of
> > > > > ipa-server-install, I noticed that 4.2.0 has these in the "certificate
> > > > > system options":
> > > > >
> > > > >     --no-pkinit         disables pkinit setup steps
> > > > >
> > > > >     --pkinit-cert-file=FILE
> > > > >                         File containing the Kerberos KDC SSL certificate and
> > > > >                         private key
> > > > >
> > > > >     --pkinit-pin=PIN    The password to unlock the Kerberos KDC private key
> > > > >
> > > > >     --pkinit-cert-name=NAME
> > > > >                         Name of the Kerberos KDC SSL certificate to install
> > > > >
> > > > >
> > > > > Seeing that first one, I was a little hopeful that pkinit is enabled by
> > > > > default in 4.2.0 but on a fresh install I just tried, I'm still seeing the
> > > >
> > > > no, unfortunately pkinit is currently disabled by default
> > > >
> > > > > following in krb5kdc.log when IPA is started up, so clearly it isn't.
> > > > >
> > > > >   (Error): preauth pkinit failed to initialize: No realms configured
> > > > > correctly for pkinit support
> > > >
> > > > I get the same error when I put the certificate and the key into
> > > > separate files. Can you try to put both into one and use this for the
> > > > pkinit_identity option?
> > > >
> > > > HTH
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > >
> > >
> > > Thanks Sumit, it did!
> > >
> > > I concatenated the cert and the key into a single file and the error has
> > > indeed gone away from krb5kdc.log
> > >
> > > The odd thing is that I can't reproduce the error by splitting into two
> > > separate files and restarting ipa.service again.
> > >
> > > Ignoring that mystery, how do I go about setting up the WELLKNOWN/ANONYMOUS
> > > principal?
> > >
> > > I'm pretty sure it's needed for anonymous pkinit:
> > >
> > > $ kinit
> > > kinit: Generic preauthentication failure while getting initial credentials
> > > $
> > >
> > > $ kinit -n
> > > kinit: Client 'WELLKNOWN/ANONYMOUS at EXAMPLE.COM' not found in Kerberos
> > > database while getting initial credentials
> > > $
> > >
> > > Using kadmin per the MIT documentation doesn't seem to work (authenticated
> > > as an IPA admin)
> > >
> > > # kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'
> > > Authenticating as principal admin/admin at EXAMPLE.COM with password.
> > > kadmin: Client not found in Kerberos database while initializing kadmin
> > > interface
> > > #
> > >
> > > # kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS' -p admin
> > > Authenticating as principal admin with password.
> > > Password for admin at EXAMPLE.COM:
> > > WARNING: no policy specified for WELLKNOWN/ANONYMOUS at EXAMPLE.COM;
> > > defaulting to no policy
> > > add_principal: Operation requires ``add'' privilege while creating
> > > "WELLKNOWN/ANONYMOUS at EXAMPLE.COM".
> > > #
> >
> > Please try
> >
> >     kadmin.local -x ipa-setup-override-restrictions
> >
> > bye,
> > Sumit
> >
> >
> Thanks Sumit.
> 
> That seems to have worked to get the principal created.
> 
> # kadmin.local -x ipa-setup-override-restrictions
> Authenticating as principal admin/admin at EXAMPLE.COM with password.
> kadmin.local:  addprinc -randkey WELLKNOWN/ANONYMOUS
> WARNING: no policy specified for WELLKNOWN/ANONYMOUS at EXAMPLE.COM;
> defaulting to no policy
> Principal "WELLKNOWN/ANONYMOUS at EXAMPLE.COM" created.
> kadmin.local:  quit
> #
> 
> I'm no longer seeing the error from the client about
> 'WELLKNOWN/ANONYMOUS at EXAMPLE.COM' not found in Kerberos database.
> 
> However, I'm being prompted for a password for the anonymous principal.
> 
> $ kinit -n
> Password for WELLKNOWN/ANONYMOUS at EXAMPLE.COM:
> kinit: Password incorrect while getting initial credentials
> $
> 
> That doesn't sound right to me - and indeed it doesn't provide an armor
> cache that I can use for authenticating my client user.

Can you run

    KRB5_TRACE=/dev/stdout kinit -n

this will show the list of preauthentication methods offered to the
client and I would suspect that pkinit is not among them.

My guess is that there is something wrong with the certificate or the
configuration, e.g. did you try to set pkinit_kdc_hostname to the
hostname matching the one in the KDC certificate? Maybe
pkinit_eku_checking = none might help as well?

To analyse this further the easiest way is an instrumented build of
the pkinit module with debugging enabled. If you can tell me the exact
version of your krb5-pkinit package I can prepare a build for you.

HTH

bye,
Sumit

> 
> Here's what's in the krb5kdc.log from that attempt to use kinit -n
> 
> Feb 10 00:55:46 ipa00-756701.example.com krb5kdc[4869](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.93.187.13: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
> Feb 10 00:55:46 ipa00-756701.example.com krb5kdc[4869](info): closing down fd 12
> Feb 10 00:55:47 ipa00-756701.example.com krb5kdc[4869](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
> Feb 10 00:55:47 ipa00-756701.example.com krb5kdc[4869](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.93.187.13: PREAUTH_FAILED: WELLKNOWN/ANONYMOUS at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Decrypt integrity check failed
> Feb 10 00:55:47 ipa00-756701.example.com krb5kdc[4869](info): closing down fd 12
> 
>  Regards,
> 
> Nik
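Two quick checks for the failure modes discussed in this thread, added here as an example and not code from the thread, from MIT Kerberos or from the FreeIPA project. The first inspects a pkinit_identity PEM for the problem that produced "No realms configured correctly for pkinit support" (certificate and private key not in one file). The second scans a krb5kdc.log for the pattern in Nik's last excerpt: an AS_REQ for WELLKNOWN/ANONYMOUS that ends in PREAUTH_FAILED after an encrypted_timestamp failure, which means the client fell back to password preauth and PKINIT was never negotiated, the same thing Sumit expects KRB5_TRACE to show. It uses POSIX sh, grep and mktemp only; the file names and the PEM/log contents in the demo section are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the two PKINIT
# failure modes discussed above. POSIX sh + grep + mktemp only.

# Check 1: the pkinit_identity PEM must carry BOTH the KDC certificate and
# its private key. Prints: ok | missing-cert | missing-key | missing-both |
# unreadable. (Structural check only; it does not verify key/cert match.)
pkinit_identity_check() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 1; }
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    keys=$(grep -c -E '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" || true)
    if [ "$certs" -gt 0 ] && [ "$keys" -gt 0 ]; then echo ok
    elif [ "$certs" -gt 0 ]; then echo missing-key
    elif [ "$keys" -gt 0 ]; then echo missing-cert
    else echo missing-both
    fi
}

# Check 2: classify what krb5kdc.log says about anonymous (kinit -n) requests.
# Prints: no-anonymous-request | anonymous-tgt-issued |
#         pkinit-not-negotiated | inconclusive
# "pkinit-not-negotiated" = the KDC saw an encrypted_timestamp (password)
# preauth attempt for WELLKNOWN/ANONYMOUS that failed, i.e. PKINIT was not used.
kdc_log_anon_pkinit() {
    log=$1
    grep -q 'WELLKNOWN/ANONYMOUS' "$log" || { echo no-anonymous-request; return 0; }
    if grep -q 'ISSUE: .*WELLKNOWN/ANONYMOUS' "$log"; then
        echo anonymous-tgt-issued
    elif grep -q 'preauth (encrypted_timestamp) verify failure' "$log" \
         && grep -q 'PREAUTH_FAILED: WELLKNOWN/ANONYMOUS' "$log"; then
        echo pkinit-not-negotiated
    else
        echo inconclusive
    fi
}

# --- demo on constructed inputs (temp dir is removed when the shell exits) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed PEM placeholders: only the block headers matter for check 1.
cat > "$tmp/kdc-split.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIB-placeholder-not-a-real-certificate
-----END CERTIFICATE-----
EOF
cat > "$tmp/kdc-combined.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIB-placeholder-not-a-real-certificate
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIE-placeholder-not-a-real-key
-----END RSA PRIVATE KEY-----
EOF

# Constructed krb5kdc.log excerpt modelled on the lines quoted in the thread
# (hostname, address and realm are placeholders).
cat > "$tmp/krb5kdc.log" <<'EOF'
Feb 10 00:55:46 kdc.example.com krb5kdc[4869](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.0.13: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Feb 10 00:55:47 kdc.example.com krb5kdc[4869](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Feb 10 00:55:47 kdc.example.com krb5kdc[4869](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.0.13: PREAUTH_FAILED: WELLKNOWN/ANONYMOUS@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
EOF

echo "split pem:    $(pkinit_identity_check "$tmp/kdc-split.pem")"     # missing-key
echo "combined pem: $(pkinit_identity_check "$tmp/kdc-combined.pem")"  # ok
echo "kdc log:      $(kdc_log_anon_pkinit "$tmp/krb5kdc.log")"         # pkinit-not-negotiated
```

On a real KDC, run `pkinit_identity_check` against the file named in the `FILE:` part of `pkinit_identity` in kdc.conf and `kdc_log_anon_pkinit` against /var/log/krb5kdc.log after a `kinit -n` attempt; a result of `pkinit-not-negotiated` points at the certificate or the pkinit_* settings rather than at the principal, which is where the thread's follow-up suggestions (pkinit_kdc_hostname, pkinit_eku_checking) apply.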



