[Freeipa-users] How to enable anonymous pkinit on FreeIPA 4.3.1 on Ubuntu?

Diogenes S. Jesus splash at gmail.com
Mon Nov 28 23:11:34 UTC 2016


I've got one freeipa instance for testing purposes and I'm trying to
enable anonymous pkinit support on it[1], as Simon mentioned being
possible :) [2]

For debug purposes, I have done:

/etc/kdc.conf
---------------
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 restrict_anonymous_to_tgt = true

[realms]
 REALM.EU = {
  master_key_type = aes256-cts
  max_life = 7d
  max_renewable_life = 14d
  acl_file = /etc/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  default_principal_flags = +preauth
  admin_keytab = /etc/krb5kdc/kadm5.keytab
  pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
  pkinit_eku_checking = none
 }

The user krb5.conf file:
---------------
[realms]
 REALM.EU = {
  master_kdc = kdc.realm.eu
  admin_server = kdc.realm.eu
  pkinit_anchors = /usr/local/share/ca-certificates/root-ca.crt
 }


Openssl is able to verify the certificate:
root@ipa01:~# openssl verify -verbose -CAfile /usr/local/share/ca-certificates/root-ca.crt /var/lib/krb5kdc/kdc.pem
/var/lib/krb5kdc/kdc.pem: OK

The KDC certificate was created based on the MIT Kerberos guidelines[3].

With the anonymous user created manually first (with "-randkey"), the
user-side messages are:
root@ubuntu:~# KRB5_TRACE=/dev/stdout kinit -n
[11573] 1480374327.337803: Getting initial credentials for WELLKNOWN/ANONYMOUS@REALM.EU
[11573] 1480374327.340203: Sending request (178 bytes) to REALM.EU
[11573] 1480374327.443449: Retrying AS request with master KDC
[11573] 1480374327.443939: Getting initial credentials for WELLKNOWN/ANONYMOUS@REALM.EU
[11573] 1480374327.444784: Sending request (178 bytes) to REALM.EU (master)
[11573] 1480374327.445357: Resolving hostname kdc.bdc1.hu.sec.in.realm.eu
[11573] 1480374327.471043: Sending initial UDP request to dgram 10.235.2.25:88
[11573] 1480374328.472199: Resolving hostname kdc.bdc1.hu.sec.in.realm.eu
[11573] 1480374328.498175: Sending initial UDP request to dgram 10.235.2.25:750
[11573] 1480374329.500579: Initiating TCP connection to stream 10.235.2.25:88
[11573] 1480374329.527259: Sending TCP request to stream 10.235.2.25:88
[11573] 1480374329.557528: Received answer (459 bytes) from stream 10.235.2.25:88
[11573] 1480374329.558323: Received error from KDC: -1765328359/Additional pre-authentication required
[11573] 1480374329.558767: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[11573] 1480374329.558976: Selected etype info: etype aes256-cts, salt "REALM.EUWELLKNOWNANONYMOUS", params ""
[11573] 1480374329.559480: Received cookie: MIT
[11573] 1480374329.559532: Preauth module pkinit (147) (info) returned: 0/Success
[11573] 1480374329.559627: PKINIT client has no configured identity; giving up
[11573] 1480374329.559651: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[11573] 1480374329.559669: PKINIT client has no configured identity; giving up
[11573] 1480374329.559680: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[11573] 1480374329.559696: PKINIT client has no configured identity; giving up
[11573] 1480374329.559707: Preauth module pkinit (14) (real) returned: 22/Invalid argument
Password for WELLKNOWN/ANONYMOUS@REALM.EU:


Then removed the anonymous user keys:
root@ipa01:~# kadmin.local -x ipa-setup-override-restrictions -q 'purgekeys -all WELLKNOWN/ANONYMOUS'

On the client side:

root@ubuntu:~# KRB5_TRACE=/dev/stdout kinit -n
[10593] 1480350802.381306: Getting initial credentials for WELLKNOWN/ANONYMOUS@REALM.EU
[10593] 1480350802.384075: Sending request (178 bytes) to REALM.EU
[10593] 1480350802.433623: Retrying AS request with master KDC
[10593] 1480350802.434688: Getting initial credentials for WELLKNOWN/ANONYMOUS@REALM.EU
[10593] 1480350802.435476: Sending request (178 bytes) to REALM.EU (master)
[10593] 1480350802.436191: Resolving hostname kdc.domain.eu
[10593] 1480350802.462072: Sending initial UDP request to dgram 10.235.2.25:88
[10593] 1480350803.465087: Resolving hostname kdc.domain.eu
[10593] 1480350803.489656: Sending initial UDP request to dgram 10.235.2.25:750
[10593] 1480350804.491058: Initiating TCP connection to stream 10.235.2.25:88
[10593] 1480350804.515736: Sending TCP request to stream 10.235.2.25:88
[10593] 1480350804.547579: Received answer (269 bytes) from stream 10.235.2.25:88
[10593] 1480350804.547663: Received error from KDC: -1765328359/Additional pre-authentication required
[10593] 1480350804.547708: Processing preauth types: 16, 15, 14, 136, 147, 133
[10593] 1480350804.547713: Received cookie: MIT
[10593] 1480350804.547744: Preauth module pkinit (147) (info) returned: 0/Success
[10593] 1480350804.547758: PKINIT client has no configured identity; giving up
[10593] 1480350804.547765: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[10593] 1480350804.547776: PKINIT client has no configured identity; giving up
[10593] 1480350804.547782: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[10593] 1480350804.547793: PKINIT client has no configured identity; giving up
[10593] 1480350804.547798: Preauth module pkinit (14) (real) returned: 22/Invalid argument
kinit: Invalid argument while getting initial credentials
root@ubuntu:~#

I've also done:

root@ipa01:~# kadmin.local -x ipa-setup-override-restrictions -q 'modprinc -requires_preauth WELLKNOWN/ANONYMOUS'

but the user-side messages are the same.


I've checked the KDC fqdn matches the CN in kdc.pem.

I've tried creating the anonymous user without a key (-nokey) but
FreeIPA clearly has issues with that:

kadmin.local:  add_principal +requires_preauth -nokey WELLKNOWN/ANONYMOUS
WARNING: no policy specified for WELLKNOWN/ANONYMOUS@PAN-NET.EU; defaulting to no policy
add_principal: Server error while creating "WELLKNOWN/ANONYMOUS@PAN-NET.EU".
kadmin.local:

I've also tried all the above when the user's krb5.conf "realm"
section was set with the following options:
pkinit_eku_checking = kpServerAuth
pkinit_kdc_hostname = kdc.realm.eu

but that didn't help either.

Any thoughts would be appreciated.

Thanks in advance

[1] https://fedorahosted.org/freeipa/ticket/5678
[2] https://github.com/freeipa/freeipa/pull/62#issuecomment-261950279
[3] https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html
-- 

--------

Diogenes S. de Jesus
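An added example (not part of the post above): a small parser for KRB5_TRACE output in the format of the two kinit runs quoted in the message. It names the pre-authentication types the KDC offered and records which "real" pkinit module attempt failed and the note logged just before it, which makes the before/after purgekeys runs easy to compare. The trace below is a constructed excerpt in the same format, with mail-wrapped lines rejoined; the function names are my own.

```python
import re

# Constructed excerpt of a KRB5_TRACE log in the format shown in the post
# (lines the mail client wrapped are rejoined as kinit prints them).
SAMPLE_TRACE = """\
[10593] 1480350804.547663: Received error from KDC: -1765328359/Additional pre-authentication required
[10593] 1480350804.547708: Processing preauth types: 16, 15, 14, 136, 147, 133
[10593] 1480350804.547744: Preauth module pkinit (147) (info) returned: 0/Success
[10593] 1480350804.547758: PKINIT client has no configured identity; giving up
[10593] 1480350804.547765: Preauth module pkinit (16) (real) returned: 22/Invalid argument
"""

# Pre-authentication type numbers from RFC 4120, RFC 4556, RFC 6112 and RFC 6113.
PA_NAMES = {
    2: "PA-ENC-TIMESTAMP", 14: "PA-PK-AS-REQ-OLD", 15: "PA-PK-AS-REP-OLD",
    16: "PA-PK-AS-REQ", 19: "PA-ETYPE-INFO2", 133: "PA-FX-COOKIE",
    136: "PA-FX-FAST", 147: "PA-PKINIT-KX",
}
PA_TYPES_RE = re.compile(r"Processing preauth types: ([\d, ]+)")
MODULE_RE = re.compile(
    r"Preauth module (\w+) \((\d+)\) \((\w+)\) returned: (-?\d+)/(.*)")


def analyze_trace(text):
    """Summarise what the KDC offered and where the client's pkinit stopped."""
    offered, failures, last_note = [], [], None
    for line in text.splitlines():
        m = PA_TYPES_RE.search(line)
        if m:
            offered = [int(t) for t in m.group(1).split(",")]
            continue
        m = MODULE_RE.search(line)
        if m:
            module, patype, kind, code, msg = m.groups()
            # "info" modules only consume KDC hints; "real" ones run the
            # exchange, so a non-zero result there is the actual failure.
            if kind == "real" and code != "0":
                failures.append((int(patype), module, msg.strip(), last_note))
            continue
        if "giving up" in line:
            last_note = line.split(": ", 1)[1]
    return {
        "offered": [PA_NAMES.get(t, f"unknown({t})") for t in offered],
        # Anonymous PKINIT (RFC 6112) uses PA-PK-AS-REQ; PA-PKINIT-KX is the
        # KDC's key-exchange hint for it.
        "anonymous_pkinit_offered": 147 in offered and 16 in offered,
        # Timestamp/etype-info hints mean the principal still has a key.
        "password_preauth_offered": 2 in offered or 19 in offered,
        "pkinit_failures": failures,
    }
```

Run analyze_trace() on the first trace in the post and it additionally reports PA-ETYPE-INFO2 and PA-ENC-TIMESTAMP as offered; those two disappear in the run after purgekeys, while the pkinit failure stays the same.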