[Freeipa-users] How to enable anonymous pkinit on FreeIPA 4.3.1 on Ubuntu ?

Simo Sorce simo at redhat.com
Tue Nov 29 10:04:47 UTC 2016 

On Tue, 2016-11-29 at 00:11 +0100, Diogenes S. Jesus wrote:
> I've got one freeipa instance for testing purposes and I'm trying to
> enable anonymous pkinit support on it[1], as Simon mentioned being
> possible :) [2]
> 
> For debug purposes, I have done:
> 
> /etc/kdc.conf
> ---------------
> [kdcdefaults]
>  kdc_ports = 88
>  kdc_tcp_ports = 88
>  restrict_anonymous_to_tgt = true
> 
> [realms]
>  REALM.EU = {
>   master_key_type = aes256-cts
>   max_life = 7d
>   max_renewable_life = 14d
>   acl_file = /etc/krb5kdc/kadm5.acl
>   dict_file = /usr/share/dict/words
>   default_principal_flags = +preauth
>   admin_keytab = /etc/krb5kdc/kadm5.keytab
>    pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
>    pkinit_eku_checking = none
>  }
> 
> The user krb5.conf file:
> [realms]
> REALM.EU = {
> master_kdc = kdc.realm.eu
> admin_server = kdc.realm.eu
> pkinit_anchors = /usr/local/share/ca-certificates/root-ca.crt
> }
> 
> 
> Openssl is able to verify the certificate:
> root at ipa01:~# openssl verify -verbose -CAfile
> /usr/local/share/ca-certificates/root-ca.crt /var/lib/krb5kdc/kdc.pem
> /var/lib/krb5kdc/kdc.pem: OK
> 
> The KDC certificate was created based on MIT Kerberos guidelines[3]
> 
> The anonymous user (created manually first with "-rankey"), resulting
> in the following user-side messages:
> root at ubuntu:~# KRB5_TRACE=/dev/stdout kinit -n
> [11573] 1480374327.337803: Getting initial credentials for
> WELLKNOWN/ANONYMOUS at REALM.EU
> [11573] 1480374327.340203: Sending request (178 bytes) to REALM.EU
> [11573] 1480374327.443449: Retrying AS request with master KDC
> [11573] 1480374327.443939: Getting initial credentials for
> WELLKNOWN/ANONYMOUS at REALM.EU
> [11573] 1480374327.444784: Sending request (178 bytes) to REALM.EU (master)
> [11573] 1480374327.445357: Resolving hostname kdc.bdc1.hu.sec.in.realm.eu
> [11573] 1480374327.471043: Sending initial UDP request to dgram 10.235.2.25:88
> [11573] 1480374328.472199: Resolving hostname kdc.bdc1.hu.sec.in.realm.eu
> [11573] 1480374328.498175: Sending initial UDP request to dgram 10.235.2.25:750
> [11573] 1480374329.500579: Initiating TCP connection to stream 10.235.2.25:88
> [11573] 1480374329.527259: Sending TCP request to stream 10.235.2.25:88
> [11573] 1480374329.557528: Received answer (459 bytes) from stream
> 10.235.2.25:88
> [11573] 1480374329.558323: Received error from KDC:
> -1765328359/Additional pre-authentication required
> [11573] 1480374329.558767: Processing preauth types: 16, 15, 14, 136,
> 19, 147, 2, 133
> [11573] 1480374329.558976: Selected etype info: etype aes256-cts, salt
> "REALM.EUWELLKNOWNANONYMOUS", params ""
> [11573] 1480374329.559480: Received cookie: MIT
> [11573] 1480374329.559532: Preauth module pkinit (147) (info)
> returned: 0/Success
> [11573] 1480374329.559627: PKINIT client has no configured identity; giving up
> [11573] 1480374329.559651: Preauth module pkinit (16) (real) returned:
> 22/Invalid argument
> [11573] 1480374329.559669: PKINIT client has no configured identity; giving up
> [11573] 1480374329.559680: Preauth module pkinit (14) (real) returned:
> 22/Invalid argument
> [11573] 1480374329.559696: PKINIT client has no configured identity; giving up
> [11573] 1480374329.559707: Preauth module pkinit (14) (real) returned:
> 22/Invalid argument
> Password for WELLKNOWN/ANONYMOUS at REALM.EU:
> 
> 
> Then removed the anonymous user keys:
> root at ipa01:~# kadmin.local -x ipa-setup-override-restrictions -q
> 'purgekeys -all WELLKNOWN/ANONYMOUS'

This is not necessary and won't make any difference.

> On the client side:
> 
> root at ubuntu:~# KRB5_TRACE=/dev/stdout kinit -n
> [10593] 1480350802.381306: Getting initial credentials for
> WELLKNOWN/ANONYMOUS at REALM.EU
> [10593] 1480350802.384075: Sending request (178 bytes) to REALM.EU
> [10593] 1480350802.433623: Retrying AS request with master KDC
> [10593] 1480350802.434688: Getting initial credentials for
> WELLKNOWN/ANONYMOUS at REALM.EU
> [10593] 1480350802.435476: Sending request (178 bytes) to REALM.EU (master)
> [10593] 1480350802.436191: Resolving hostname kdc.domain.eu
> [10593] 1480350802.462072: Sending initial UDP request to dgram 10.235.2.25:88
> [10593] 1480350803.465087: Resolving hostname kdc.domain.eu
> [10593] 1480350803.489656: Sending initial UDP request to dgram 10.235.2.25:750
> [10593] 1480350804.491058: Initiating TCP connection to stream 10.235.2.25:88
> [10593] 1480350804.515736: Sending TCP request to stream 10.235.2.25:88
> [10593] 1480350804.547579: Received answer (269 bytes) from stream
> 10.235.2.25:88
> [10593] 1480350804.547663: Received error from KDC:
> -1765328359/Additional pre-authentication required
> [10593] 1480350804.547708: Processing preauth types: 16, 15, 14, 136, 147, 133
> [10593] 1480350804.547713: Received cookie: MIT
> [10593] 1480350804.547744: Preauth module pkinit (147) (info)
> returned: 0/Success

This means the client correctly selects Pkinit authentication.

> [10593] 1480350804.547758: PKINIT client has no configured identity; giving up

However this says the client has some issues getting a ticket for the
anonymous principal as it is looking for some local cert to use.

Can you please provide the matching KDC logs you find
in /var/log/kerberos/krb5kdc.log ?


> [10593] 1480350804.547765: Preauth module pkinit (16) (real) returned:
> 22/Invalid argument
> [10593] 1480350804.547776: PKINIT client has no configured identity; giving up
> [10593] 1480350804.547782: Preauth module pkinit (14) (real) returned:
> 22/Invalid argument
> [10593] 1480350804.547793: PKINIT client has no configured identity; giving up
> [10593] 1480350804.547798: Preauth module pkinit (14) (real) returned:
> 22/Invalid argument
> kinit: Invalid argument while getting initial credentials
> root at ubuntu:~#
> 
> I've also done:
> 
> root at ipa01:~# kadmin.local -x ipa-setup-override-restrictions -q
> 'modprinc -requires_preauth WELLKNOWN/ANONYMOUS'

This is incorrect, pkinit is a pre-authentication mechanism.

> , but the user-side messages are the same.
> 
> 
> I've checked the KDC fqdn matches the CN in kdc.pem.
> 
> I've tried creating the anonymous user without a key (-nokey) but
> FreeIPA clearly has issues with that:
> 
> kadmin.local:  add_principal +requires_preauth -nokey WELLKNOWN/ANONYMOUS
> WARNING: no policy specified for WELLKNOWN/ANONYMOUS at PAN-NET.EU;
> defaulting to no policy
> add_principal: Server error while creating "WELLKNOWN/ANONYMOUS at PAN-NET.EU".
> kadmin.local:

Whether the principal has keys or not doesn't matter, pkinit
pre-authentication ignores the keys anyway.

> I've also tried all the above when the user's krb5.conf "realm"
> section was set with the following options
> pkinit_eku_checking = kpServerAuth
> pkinit_kdc_hostname = kdc.realm.eu
> 
> , but that didn't help either.
> 
> Any thoughts would be appreciated.

KDC logs may shed some light.

> Thanks in advance
> 
> [1] https://fedorahosted.org/freeipa/ticket/5678
> [2] https://github.com/freeipa/freeipa/pull/62#issuecomment-261950279
> [3] https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html
> -- 
> 
> --------
> 
> Diogenes S. de Jesus
> 


-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-users mailing list