Description
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2652
krb5 has recently grown a feature to tunnel Kerberos requests over HTTPS [1]. The KDC proxy package [2] provides an implementation of the MS-KKDCP protocol. The proxy support is configured in /etc/krb5.conf like this:

```ini
[realms]
FREEIPA.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    http_anchors = FILE:/etc/ipa/ca.crt
    kdc = https://ipasrv.freeipa.local/KdcProxy
    kpasswd_server = https://ipasrv.freeipa.local/KdcProxy
}
```
However, the feature does not work with sssd_krb5_locator_plugin from sssd-krb5-1.12.4 when krb5_use_kdcinfo is enabled for the domain. The locator plugin overwrites the settings from krb5.conf and kinit still uses Kerberos transport over 88/TCP. This setting is enabled by default.

Alexander Bokovoy has suggested checking for http_anchors in order to detect the KDC proxy.
krb5_use_kdcinfo = true

```text
# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit admin
[7315] 1431433477.481824: Getting initial credentials for admin@FREEIPA.LOCAL
[7315] 1431433477.481944: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [192.168.122.95] in [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL].
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[2]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[1]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[7315] 1431433477.482438: Initiating TCP connection to stream 192.168.122.95:88
[7315] 1431433477.482624: Sending TCP request to stream 192.168.122.95:88
[7315] 1431433477.484229: Received answer (344 bytes) from stream 192.168.122.95:88
[7315] 1431433477.484234: Terminating TCP connection to stream 192.168.122.95:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [192.168.122.95] in [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL].
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[1]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[7315] 1431433477.484292: Response was from master KDC
[7315] 1431433477.484327: Received error from KDC: -1765328359/Additional pre-authentication required
[7315] 1431433477.484355: Processing preauth types: 136, 19, 2, 133
[7315] 1431433477.484363: Selected etype info: etype aes256-cts, salt "=J 5DD|(71ZR,GNW", params ""
[7315] 1431433477.484365: Received cookie: MIT
```
krb5_use_kdcinfo = false

```text
# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit admin
[7330] 1431433557.257480: Getting initial credentials for admin@FREEIPA.LOCAL
[7330] 1431433557.257681: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[7330] 1431433557.257829: Resolving hostname ipasrv.freeipa.local
[7330] 1431433557.262156: TLS certificate name matched "ipasrv.freeipa.local"
[7330] 1431433557.264513: Sending HTTPS request to https 192.168.122.95:443
[7330] 1431433557.269857: Received answer (344 bytes) from https 192.168.122.95:443
[7330] 1431433557.269867: Terminating TCP connection to https 192.168.122.95:443
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[7330] 1431433557.270003: Response was not from master KDC
[7330] 1431433557.270026: Received error from KDC: -1765328359/Additional pre-authentication required
[7330] 1431433557.270061: Processing preauth types: 136, 19, 2, 133
[7330] 1431433557.270069: Selected etype info: etype aes256-cts, salt "=J 5DD|(71ZR,GNW", params ""
[7330] 1431433557.270072: Received cookie: MIT
```
[1] http://web.mit.edu/kerberos/krb5-current/doc/admin/https.html
[2] https://www.freeipa.org/page/V4/KDC_Proxy
Comments
Comment from jhrozek at 2015-05-14 18:39:10
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.13 beta
Comment from jhrozek at 2015-06-25 15:39:33
Required for downstream, but not for Beta
milestone: SSSD 1.13 beta => SSSD 1.13
sensitive: => 0
Comment from jhrozek at 2015-07-04 16:21:52
Moving up, required for downstream.
milestone: SSSD 1.13.2 => SSSD 1.13.1
Comment from abbra at 2015-07-23 16:50:46
Actually, I think you should check just 'kdc' uri and if it starts with https://, consider KDC proxy is in use.
Comment from cheimes at 2015-07-23 16:59:47
A check for https:// is fine. In theory the proxy protocol also works over plain HTTP. But MIT krb5 refuses to use plain HTTP.
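To make the check discussed in the two comments above concrete, here is an added C model of the decision the locator plugin has to make; it is not code from sssd or MIT krb5. It reads the realm's `kdc` entry out of krb5.conf text, treats a value beginning with `https://` as a KDC proxy, and in that case declines so that libkrb5 falls back to krb5.conf instead of the address from the kdcinfo file. The krb5.conf text, the kdcinfo content, the second realm OTHER.EXAMPLE and all function names are constructed for this example; the real plugin reads krb5.conf through the krb5 profile API rather than a hand-written parser like this one.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample krb5.conf text (not copied from any real host). */
static const char *SAMPLE_KRB5_CONF =
    "[libdefaults]\n"
    "  default_realm = FREEIPA.LOCAL\n"
    "\n"
    "[realms]\n"
    "  FREEIPA.LOCAL = {\n"
    "    pkinit_anchors = FILE:/etc/ipa/ca.crt\n"
    "    http_anchors = FILE:/etc/ipa/ca.crt\n"
    "    kdc = https://ipasrv.freeipa.local/KdcProxy\n"
    "    kpasswd_server = https://ipasrv.freeipa.local/KdcProxy\n"
    "  }\n"
    "  OTHER.EXAMPLE = {\n"
    "    kdc = kdc1.other.example:88\n"
    "  }\n";

/* Constructed content of a kdcinfo.REALM file: the address sssd resolved, one per line. */
static const char *SAMPLE_KDCINFO = "192.168.122.95\n";

/* Strip leading and trailing whitespace in place; returns the new start. */
static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

/* Look up `key` inside the `[realms]` block for `realm`. Copies the first
 * matching value into out and returns 1; returns 0 when realm or key is absent. */
int krb5_conf_realm_get(const char *conf, const char *realm, const char *key,
                        char *out, size_t outlen)
{
    char line[512];
    int in_realms = 0, in_realm = 0, depth = 0;
    const char *p = conf;

    while (*p) {
        size_t n = strcspn(p, "\n");                 /* copy one line */
        if (n >= sizeof(line)) n = sizeof(line) - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += n;
        if (*p == '\n') p++;

        char *l = trim(line);
        if (*l == '\0' || *l == '#' || *l == ';') continue;   /* blank or comment */
        if (*l == '[') {                                     /* new section */
            in_realms = (strcmp(l, "[realms]") == 0);
            in_realm = 0;
            depth = 0;
            continue;
        }
        if (!in_realms) continue;
        if (strcmp(l, "}") == 0) {                           /* end of a realm block */
            if (depth > 0) depth--;
            if (depth == 0) in_realm = 0;
            continue;
        }
        char *eq = strchr(l, '=');
        if (!eq) continue;
        *eq = '\0';
        char *k = trim(l);
        char *v = trim(eq + 1);
        if (strcmp(v, "{") == 0) {                           /* start of a realm block */
            depth++;
            if (depth == 1) in_realm = (strcmp(k, realm) == 0);
            continue;
        }
        if (in_realm && depth == 1 && strcmp(k, key) == 0) {
            snprintf(out, outlen, "%s", v);
            return 1;
        }
    }
    return 0;
}

/* The check agreed on in the thread: the realm uses a KDC proxy when its
 * kdc entry is an https:// URI. */
int realm_uses_kdc_proxy(const char *conf, const char *realm)
{
    char kdc[256];
    if (!krb5_conf_realm_get(conf, realm, "kdc", kdc, sizeof kdc)) return 0;
    return strncasecmp(kdc, "https://", 8) == 0;
}

/* Model of the locator's choice. Returns 1 and the address from the kdcinfo
 * content in out when the plugin should answer; returns 0 when it should decline
 * and leave the decision to krb5.conf (krb5_use_kdcinfo off, no kdcinfo file,
 * or, with the fix, a KDC proxy configured for the realm). */
int locator_choose(const char *conf, const char *kdcinfo, const char *realm,
                   int use_kdcinfo, char *out, size_t outlen)
{
    if (!use_kdcinfo || kdcinfo == NULL) return 0;
    if (realm_uses_kdc_proxy(conf, realm)) return 0;   /* the proposed fix */
    size_t n = strcspn(kdcinfo, "\n");                  /* first line is the address */
    if (n == 0 || n >= outlen) return 0;
    memcpy(out, kdcinfo, n);
    out[n] = '\0';
    return 1;
}

int main(void)
{
    const char *realms[] = { "FREEIPA.LOCAL", "OTHER.EXAMPLE" };
    char addr[256];
    for (int i = 0; i < 2; i++) {
        if (locator_choose(SAMPLE_KRB5_CONF, SAMPLE_KDCINFO, realms[i], 1, addr, sizeof addr))
            printf("%s: locator answers with %s\n", realms[i], addr);
        else
            printf("%s: locator declines, krb5.conf wins\n", realms[i]);
    }
    return 0;
}
```

With `krb5_use_kdcinfo` on, FREEIPA.LOCAL (https:// kdc) makes the model decline, which is what lets the HTTPS path in the second trace above be taken even though a kdcinfo file exists, while OTHER.EXAMPLE still gets the kdcinfo address exactly as in the first trace.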
Comment from sbose at 2015-07-31 10:40:53
Fields changed
owner: somebody => sbose
status: new => assigned
Comment from jhrozek at 2015-07-31 12:44:49
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1249015
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1249015 1249015]
Comment from jhrozek at 2015-08-07 10:30:19
Fields changed
patch: 0 => 1
Comment from jhrozek at 2015-08-07 11:15:43
- master: 05ed6a2
resolution: => fixed
status: assigned => closed
Comment from cheimes at 2017-02-24 14:39:31
Metadata Update from @cheimes:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.1