[Freeipa-users] S4U2Self not working for multiple allowed targets

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Mon Mar 14 16:41:58 UTC 2016


All,

I am trying to set up delegation from OpenUnison to both the IPAWeb
application and to Cockpit.  I'm using a single reverse proxy for both
and the same SPN and keytab for both.  The integration with ipaweb
went perfectly using these instructions I built:
https://github.com/TremoloSecurity/Unison-LastMile-Kerberos.

Trying to integrate cockpit is giving me a very odd error from freeipa
when I try to get my s4u2self ticket: unknown encryption.  I'm running
RH IDM on RHEL 7.2 on Azure.  Here's my delegation tree in LDAP:

# s4u2proxy, etc, azure.cloud
dn: cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: nsContainer
objectClass: top
cn: s4u2proxy

# ipa-http-delegation, s4u2proxy, etc, azure.cloud
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa.azure.cloud at AZURE.CLOUD
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,
 dc=cloud
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,
 dc=cloud

# ipa-ldap-delegation-targets, s4u2proxy, etc, azure.cloud
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/ipa.azure.cloud at AZURE.CLOUD

# ipa-cifs-delegation-targets, s4u2proxy, etc, azure.cloud
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-cifs-delegation-targets

# app-http-delegation-targets, s4u2proxy, etc, azure.cloud
dn: cn=app-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
objectClass: top
cn: app-http-delegation-targets
memberPrincipal: HTTP/ipa.azure.cloud at AZURE.CLOUD

# unison-http-delegation, s4u2proxy, etc, azure.cloud
dn: cn=unison-http-delegation,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: unison-http-delegation
memberPrincipal: HTTP/openunison.azure.cloud at AZURE.CLOUD
ipaAllowedTarget: cn=app-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,
 dc=cloud
ipaAllowedTarget: cn=ipaclient-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=
 azure,dc=cloud

# ipaclient-http-delegation-targets, s4u2proxy, etc, azure.cloud
dn: cn=ipaclient-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
objectClass: top
cn: ipaclient-http-delegation-targets
memberPrincipal: HTTP/ipaclient-rhel72.azure.cloud at AZURE.CLOUD

Here's the log output from OpenUnison when I try to access ipaweb (success):
Found ticket for HTTP/openunison.azure.cloud at AZURE.CLOUD to go to
krbtgt/AZURE.CLOUD at AZURE.CLOUD expiring on Tue Mar 15 16:05:19 UTC
2016
Found ticket for HTTP/openunison.azure.cloud at AZURE.CLOUD to go to
krbtgt/AZURE.CLOUD at AZURE.CLOUD expiring on Tue Mar 15 16:05:19 UTC
2016
>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=ipa.azure.cloud. UDP:88, timeout=30000, number of retries =3, #bytes=794
>>> KDCCommunication: kdc=ipa.azure.cloud. UDP:88, timeout=30000,Attempt =1, #bytes=794
>>> KrbKdcReq send: #bytes read=670
>>> KdcAccessibility: remove ipa.azure.cloud.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=ipa.azure.cloud. UDP:88, timeout=30000, number of retries =3, #bytes=1059
>>> KDCCommunication: kdc=ipa.azure.cloud. UDP:88, timeout=30000,Attempt =1, #bytes=1059
>>> KrbKdcReq send: #bytes read=722
>>> KdcAccessibility: remove ipa.azure.cloud.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Subject is readOnly;Kerberos Service ticket not stored
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 1032726940
Created InitSecContextToken:

and here are the log entries from kerberos:

Mar 14 16:36:45 ipa krb5kdc[11351](info): TGS_REQ (6 etypes {18 17 16
23 25 26}) 10.1.0.4: ISSUE: authtime 1457971519, etypes {rep=18 tkt=18
ses=18}, HTTP/ipa.azure.cloud at AZURE.CLOUD for
ldap/ipa.azure.cloud at AZURE.CLOUD

Mar 14 16:36:45 ipa krb5kdc[11351](info): ... CONSTRAINED-DELEGATION
s4u-client=mmosley at AZURE.CLOUD

Mar 14 16:36:45 ipa krb5kdc[11351](info): closing down fd 12


Now, here's the request when trying to access cockpit:
>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=ipa.azure.cloud. UDP:88, timeout=30000, number of retries =3, #bytes=794
>>> KDCCommunication: kdc=ipa.azure.cloud. UDP:88, timeout=30000,Attempt =1, #bytes=794
>>> KrbKdcReq send: #bytes read=670
>>> KdcAccessibility: remove ipa.azure.cloud.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=ipa.azure.cloud. UDP:88, timeout=30000, number of retries =3, #bytes=1072
>>> KDCCommunication: kdc=ipa.azure.cloud. UDP:88, timeout=30000,Attempt =1, #bytes=1072
>>> KrbKdcReq send: #bytes read=211
>>> KdcAccessibility: remove ipa.azure.cloud.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
cTime is Mon Dec 16 18:12:24 UTC 2013 1387217544000
sTime is Mon Mar 14 16:37:55 UTC 2016 1457973475000
suSec is 144678
error code is 14
error Message is KDC has no support for encryption type
cname is HTTP/openunison.azure.cloud at AZURE.CLOUD
sname is HTTP/ipaclient-rhel72.azure.cloud at AZURE.CLOUD
msgType is 30

and here's what's in the kerberos logs:
14 16:37:55 ipa krb5kdc[11351](info): TGS_REQ (4 etypes {18 17 16 23})
10.1.0.6: ISSUE: authtime 1457971519, etypes {rep=18 tkt=18 ses=18},
HTTP/openunison.azure.cloud at AZURE.CLOUD for
HTTP/openunison.azure.cloud at AZURE.CLOUD
Mar 14 16:37:55 ipa krb5kdc[11351](info): ... PROTOCOL-TRANSITION
s4u-client=mmosley at AZURE.CLOUD
Mar 14 16:37:55 ipa krb5kdc[11351](info): TGS_REQ (4 etypes {18 17 16
23}) 10.1.0.6: BAD_ENCRYPTION_TYPE: authtime 0,
HTTP/openunison.azure.cloud at AZURE.CLOUD for
HTTP/ipaclient-rhel72.azure.cloud at AZURE.CLOUD, KDC has no support for
encryption type
Mar 14 16:37:55 ipa krb5kdc[11351](info): ... CONSTRAINED-DELEGATION
s4u-client=<unknown>

Any thoughts?  Nothing really stands out to me.

Thanks




Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
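The delegation tree quoted in the post can be checked mechanically. The following is an added example (not code from the post, FreeIPA or OpenUnison): it parses an LDIF excerpt, unfolds RFC 2849 continuation lines like the `ipaAllowedTarget` values above, and resolves each `ipaKrb5DelegationACL` to the target principals its members may delegate to, flagging allowed-target groups that are missing or have no `memberPrincipal` (as `ipa-cifs-delegation-targets` has none in the post). `SAMPLE_LDIF` is a constructed excerpt of that tree.

```python
# Audit of a FreeIPA s4u2proxy delegation tree (added example, not code from the post):
# resolve each ipaKrb5DelegationACL to its reachable target principals. Sample is constructed.
from collections import defaultdict

SAMPLE_LDIF = """\
# ipa-http-delegation, s4u2proxy, etc, azure.cloud
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: ipaKrb5DelegationACL
memberPrincipal: HTTP/ipa.azure.cloud@AZURE.CLOUD
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,
 dc=cloud
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,
 dc=cloud

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
memberPrincipal: ldap/ipa.azure.cloud@AZURE.CLOUD

dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}, unfolding RFC 2849 continuation lines."""
    entries, current, attr = {}, defaultdict(list), None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue                        # LDIF comment line
        if line.startswith(" ") and attr:   # folded continuation of the previous value
            current[attr][-1] += line[1:]
        elif not line:                      # blank line ends the current entry
            if current:
                entries[current["dn"][0]] = dict(current)
            current, attr = defaultdict(list), None
        else:
            attr, _, value = line.partition(": ")
            current[attr].append(value)
    return entries

def resolve_delegation(entries):
    # Map each ACL member principal to the targets it may request tickets for,
    # and report allowed-target groups that are absent or have no members.
    result, problems = {}, []
    for dn, e in entries.items():
        if "ipaKrb5DelegationACL" not in e.get("objectClass", []):
            continue
        targets = []
        for tdn in e.get("ipaAllowedTarget", []):
            group = entries.get(tdn, {})
            if not group.get("memberPrincipal"):
                problems.append(f"{dn}: target {tdn} is missing or has no members")
            targets.extend(group.get("memberPrincipal", []))
        for proxy in e.get("memberPrincipal", []):
            result[proxy] = sorted(targets)
    return result, problems
```

Run against a full `ldapsearch -LLL` dump of `cn=s4u2proxy,cn=etc,<basedn>` to list every proxy-to-target pair the KDC will honour.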
