krb5 has recently grown a feature to tunnel Kerberos requests over HTTPS [1]. The KDC proxy package [2] provides an implementation of the MS-KKDCP protocol. The proxy support is configured in /etc/krb5.conf like this:
```
[realms]
FREEIPA.LOCAL = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  http_anchors = FILE:/etc/ipa/ca.crt
  kdc = https://ipasrv.freeipa.local/KdcProxy
  kpasswd_server = https://ipasrv.freeipa.local/KdcProxy
}
```
However, the feature does not work with sssd_krb5_locator_plugin from sssd-krb5-1.12.4 when krb5_use_kdcinfo is enabled for the domain. The locator plugin overwrites the settings from krb5.conf and kinit still uses Kerberos transport over 88/TCP. This setting is enabled by default.
Alexander Bokovoy has suggested to check for http_anchors in order to detect KDC proxy.
```
# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit admin
[7315] 1431433477.481824: Getting initial credentials for admin@FREEIPA.LOCAL
[7315] 1431433477.481944: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [192.168.122.95] in [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL].
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[2]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[1]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[7315] 1431433477.482438: Initiating TCP connection to stream 192.168.122.95:88
[7315] 1431433477.482624: Sending TCP request to stream 192.168.122.95:88
[7315] 1431433477.484229: Received answer (344 bytes) from stream 192.168.122.95:88
[7315] 1431433477.484234: Terminating TCP connection to stream 192.168.122.95:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [192.168.122.95] in [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL].
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[1]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[7315] 1431433477.484292: Response was from master KDC
[7315] 1431433477.484327: Received error from KDC: -1765328359/Additional pre-authentication required
[7315] 1431433477.484355: Processing preauth types: 136, 19, 2, 133
[7315] 1431433477.484363: Selected etype info: etype aes256-cts, salt "=J 5DD|(71ZR,GNW", params ""
[7315] 1431433477.484365: Received cookie: MIT
```
```
# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit admin
[7330] 1431433557.257480: Getting initial credentials for admin@FREEIPA.LOCAL
[7330] 1431433557.257681: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[7330] 1431433557.257829: Resolving hostname ipasrv.freeipa.local
[7330] 1431433557.262156: TLS certificate name matched "ipasrv.freeipa.local"
[7330] 1431433557.264513: Sending HTTPS request to https 192.168.122.95:443
[7330] 1431433557.269857: Received answer (344 bytes) from https 192.168.122.95:443
[7330] 1431433557.269867: Terminating TCP connection to https 192.168.122.95:443
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[7330] 1431433557.270003: Response was not from master KDC
[7330] 1431433557.270026: Received error from KDC: -1765328359/Additional pre-authentication required
[7330] 1431433557.270061: Processing preauth types: 136, 19, 2, 133
[7330] 1431433557.270069: Selected etype info: etype aes256-cts, salt "=J 5DD|(71ZR,GNW", params ""
[7330] 1431433557.270072: Received cookie: MIT
```
[1] http://web.mit.edu/kerberos/krb5-current/doc/admin/https.html
[2] https://www.freeipa.org/page/V4/KDC_Proxy
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.13 beta
Required for downstream, but not for Beta
milestone: SSSD 1.13 beta => SSSD 1.13
sensitive: => 0
Moving up, required for downstream.
milestone: SSSD 1.13.2 => SSSD 1.13.1
Actually, I think you should check just the 'kdc' URI and, if it starts with https://, consider that the KDC proxy is in use.
A check for https:// is fine. In theory the proxy protocol also works over plain HTTP. But MIT krb5 refuses to use plain HTTP.
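The check agreed on above, worked through as an added example (not code from SSSD or the ticket): a minimal parser for the krb5.conf [realms] section, the https:// test on the realm's kdc value, and a model of the locator decision that hands the kdcinfo address to libkrb5 only when no proxy is configured. The sample config is constructed from the stanza quoted in the report; the function names are assumptions of this example.

```python
import re
from typing import Dict, List, Optional
# Constructed sample: the stanza quoted in the ticket plus a realm using plain KDCs.
SAMPLE_KRB5_CONF = """
[realms]
  FREEIPA.LOCAL = {
    http_anchors = FILE:/etc/ipa/ca.crt
    kdc = https://ipasrv.freeipa.local/KdcProxy
    kpasswd_server = https://ipasrv.freeipa.local/KdcProxy
  }
  EXAMPLE.COM = {
    kdc = kdc1.example.com:88
    kdc = kdc2.example.com
  }
"""

def parse_realms(conf: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal parser for [realms]: REALM = { key = value ... }.
    A key may repeat (several kdc lines), so values are kept in lists."""
    realms: Dict[str, Dict[str, List[str]]] = {}
    section, current = None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].lower(), None
        elif section != "realms":
            continue
        elif re.match(r"^\S+\s*=\s*\{$", line):
            current = realms.setdefault(line.split("=", 1)[0].strip(), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return realms

def kdc_proxy_in_use(conf: str, realm: str) -> bool:
    """The check agreed on in the ticket: a 'kdc' value starting with https://
    means the realm is reached through an MS-KKDCP proxy."""
    kdcs = parse_realms(conf).get(realm, {}).get("kdc", [])
    return any(k.lower().startswith("https://") for k in kdcs)

def locator_answer(conf: str, realm: str, kdcinfo_addr: Optional[str]) -> Optional[str]:
    """Model of the fixed locator decision: return the kdcinfo address only when
    no HTTPS proxy is configured; None means 'let libkrb5 use krb5.conf'."""
    if kdcinfo_addr is None or kdc_proxy_in_use(conf, realm):
        return None
    return kdcinfo_addr
```

With the sample config, FREEIPA.LOCAL is detected as proxied and the kdcinfo address 192.168.122.95 is not returned, which is the fallback that lets kinit reach the KdcProxy URL as in the second trace.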
owner: somebody => sbose
status: new => assigned
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1249015
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1249015 1249015]
patch: 0 => 1
resolution: => fixed
status: assigned => closed
Metadata Update from @cheimes:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3693
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.