#2652 KDC proxy not working with SSSD krb5_use_kdcinfo enabled
Closed: Fixed None Opened 3 years ago by cheimes.

krb5 has recently grown a feature to tunnel Kerberos requests over HTTPS [1]. The KDC proxy package [2] provides an implementation of the MS-KKDCP protocol. The proxy support is configured in /etc/krb5.conf like this:

[realms]
  FREEIPA.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    http_anchors = FILE:/etc/ipa/ca.crt
    kdc = https://ipasrv.freeipa.local/KdcProxy
    kpasswd_server = https://ipasrv.freeipa.local/KdcProxy
  }

However feature does not work with sssd_krb5_locator_plugin from sssd-krb5-1.12.4 when krb5_use_kdcinfo is enabled for the domain. The locator plugin overwrites the settings from krb5.conf and kinit still use Kerberos transport over 88/TCP. This setting is enabled by default.

Alexander Bokovoy has suggested to check for http_anchors in order to detect KDC proxy.

krb5_use_kdcinfo = true

# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit admin
[7315] 1431433477.481824: Getting initial credentials for admin@FREEIPA.LOCAL
[7315] 1431433477.481944: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [192.168.122.95] in [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL].
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[2]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[1]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[7315] 1431433477.482438: Initiating TCP connection to stream 192.168.122.95:88
[7315] 1431433477.482624: Sending TCP request to stream 192.168.122.95:88
[7315] 1431433477.484229: Received answer (344 bytes) from stream 192.168.122.95:88
[7315] 1431433477.484234: Terminating TCP connection to stream 192.168.122.95:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [192.168.122.95] in [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL].
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[FREEIPA.LOCAL] requested realm[FREEIPA.LOCAL] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[192.168.122.95:88] family[2] socktype[1]
[sssd_krb5_locator] [192.168.122.95] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[7315] 1431433477.484292: Response was from master KDC
[7315] 1431433477.484327: Received error from KDC: -1765328359/Additional pre-authentication required
[7315] 1431433477.484355: Processing preauth types: 136, 19, 2, 133
[7315] 1431433477.484363: Selected etype info: etype aes256-cts, salt "=J 5DD|(71ZR,GNW", params ""
[7315] 1431433477.484365: Received cookie: MIT

krb5_use_kdcinfo = false

# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit admin
[7330] 1431433557.257480: Getting initial credentials for admin@FREEIPA.LOCAL
[7330] 1431433557.257681: Sending request (169 bytes) to FREEIPA.LOCAL
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[7330] 1431433557.257829: Resolving hostname ipasrv.freeipa.local
[7330] 1431433557.262156: TLS certificate name matched "ipasrv.freeipa.local"
[7330] 1431433557.264513: Sending HTTPS request to https 192.168.122.95:443
[7330] 1431433557.269857: Received answer (344 bytes) from https 192.168.122.95:443
[7330] 1431433557.269867: Terminating TCP connection to https 192.168.122.95:443
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.FREEIPA.LOCAL][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[7330] 1431433557.270003: Response was not from master KDC
[7330] 1431433557.270026: Received error from KDC: -1765328359/Additional pre-authentication required
[7330] 1431433557.270061: Processing preauth types: 136, 19, 2, 133
[7330] 1431433557.270069: Selected etype info: etype aes256-cts, salt "=J 5DD|(71ZR,GNW", params ""
[7330] 1431433557.270072: Received cookie: MIT

[1] http://web.mit.edu/kerberos/krb5-current/doc/admin/https.html
[2] https://www.freeipa.org/page/V4/KDC_Proxy


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13 beta

Required for downstream, but not for Beta

milestone: SSSD 1.13 beta => SSSD 1.13
sensitive: => 0

Moving up, required for downstream.

milestone: SSSD 1.13.2 => SSSD 1.13.1

Actually, I think you should check just 'kdc' uri and if it starts with https://, consider KDC proxy is in use.

A check for https:// is fine. In theory the proxy protocol also works over plain HTTP. But MIT krb5 refuses to use plain HTTP.

Fields changed

owner: somebody => sbose
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @cheimes:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.1

2 years ago

Login to comment on this ticket.

Metadata