#2458 s4u2proxy doesn't work with multiple allowed targets
Closed: Fixed. Opened 12 years ago by abbra.

When there is more than one allowed target in the delegation setup, the IPA kdb driver doesn't allow getting it:

Feb 28 15:42:02 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NEEDED_PREAUTH: host/m17.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Additional pre-authentication required
Feb 28 15:42:02 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330436522, etypes {rep=18 tkt=18 ses=18}, host/m17.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL
Feb 28 15:42:02 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330436522, etypes {rep=18 tkt=18 ses=18}, host/m17.ipa.local@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL
Feb 28 15:42:03 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NEEDED_PREAUTH: DNS/m17.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Additional pre-authentication required
Feb 28 15:42:03 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330436523, etypes {rep=18 tkt=18 ses=18}, DNS/m17.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL
Feb 28 15:42:03 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330436523, etypes {rep=18 tkt=18 ses=18}, DNS/m17.ipa.local@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL
Feb 28 15:48:12 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NEEDED_PREAUTH: admin@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Additional pre-authentication required
Feb 28 15:48:15 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330436895, etypes {rep=18 tkt=18 ses=18}, admin@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL
Feb 28 15:48:16 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330436895, etypes {rep=18 tkt=18 ses=18}, admin@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL
Feb 28 15:49:33 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330436895, etypes {rep=18 tkt=18 ses=18}, admin@IPA.LOCAL for HTTP/m17.ipa.local@IPA.LOCAL
Feb 28 15:49:33 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NEEDED_PREAUTH: HTTP/m17.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Additional pre-authentication required
Feb 28 15:49:33 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330436973, etypes {rep=18 tkt=18 ses=18}, HTTP/m17.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL
Feb 28 15:49:34 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/m17.ipa.local@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL, No such file or directory
Feb 28 15:49:34 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/m17.ipa.local@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL, No such file or directory
Feb 28 16:00:03 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NEEDED_PREAUTH: host/m17.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Additional pre-authentication required
Feb 28 16:00:03 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330437603, etypes {rep=18 tkt=18 ses=18}, host/m17.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL
Feb 28 16:00:03 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330437603, etypes {rep=18 tkt=18 ses=18}, host/m17.ipa.local@IPA.LOCAL for HTTP/m17.ipa.local@IPA.LOCAL
Feb 28 16:00:03 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/m17.ipa.local@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL, No such file or directory
Feb 28 16:00:03 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/m17.ipa.local@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL, No such file or directory
Feb 28 16:01:51 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: CLIENT_NOT_FOUND: root@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Client not found in Kerberos database
Feb 28 16:01:51 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NEEDED_PREAUTH: host/m17.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Additional pre-authentication required
Feb 28 16:01:51 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330437711, etypes {rep=18 tkt=18 ses=18}, host/m17.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL
Feb 28 16:01:51 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330437711, etypes {rep=18 tkt=18 ses=18}, host/m17.ipa.local@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL
Feb 28 16:02:11 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: CLIENT_NOT_FOUND: root@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Client not found in Kerberos database
Feb 28 16:02:21 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: CLIENT_NOT_FOUND: root@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Client not found in Kerberos database
Feb 28 16:10:50 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: CLIENT_NOT_FOUND: root@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Client not found in Kerberos database
Feb 28 16:13:56 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NEEDED_PREAUTH: admin@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Additional pre-authentication required
Feb 28 16:13:58 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330438438, etypes {rep=18 tkt=18 ses=18}, admin@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL
Feb 28 16:14:05 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330438438, etypes {rep=18 tkt=18 ses=18}, admin@IPA.LOCAL for HTTP/m17.ipa.local@IPA.LOCAL
Feb 28 16:14:05 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/m17.ipa.local@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL, No such file or directory
Feb 28 16:14:05 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/m17.ipa.local@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL, No such file or directory
Feb 28 16:14:29 m17.ipa.local krb5kdc4757: AS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: CLIENT_NOT_FOUND: root@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Client not found in Kerberos database


# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=local> with scope subtree
# filter: (&(objectClass=ipaKrb5DelegationACL)(memberPrincipal=HTTP/m17.ipa.local@IPA.LOCAL))
# requesting: ALL
#

# ipa-http-delegation, s4u2proxy, etc, ipa.local
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ipa,dc=local
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-http-delegation
memberPrincipal: HTTP/m17.ipa.local@IPA.LOCAL
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ipa,dc
 =local
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ipa,dc
 =local

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

# extended LDIF
#
# LDAPv3
# base <cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ipa,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: * 
#

# ipa-cifs-delegation-targets, s4u2proxy, etc, ipa.local
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ipa,dc=local
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-cifs-delegation-targets
memberPrincipal: cifs/m17.ipa.local@IPA.LOCAL

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
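As an added worked example (not part of this ticket and not FreeIPA's or krb5's own code), the Python below models the s4u2proxy ACL the LDIF above describes: an ipaKrb5DelegationACL entry names the proxy service in memberPrincipal and points, via one or more ipaAllowedTarget DNs, at groupOfPrincipals entries whose memberPrincipal values are the services the proxy may obtain tickets for. It folds LDIF continuation lines (the wrapped `dc=ipa,dc` / ` =local` DNs above), collects every allowed target of every matching ACL entry, and then cross-checks NOT_ALLOWED_TO_DELEGATE lines from the krb5kdc log against that model so an operator can see which denials contradict the directory. The LDIF is constructed from the entries quoted in the ticket; the ipa-ldap-delegation-targets entry with its ldap/ member, and the nfs/ denial log line, are assumptions not shown on this page.

```python
"""Cross-check FreeIPA-style s4u2proxy delegation ACLs (LDIF) against KDC denials.

Added example; not FreeIPA KDB driver or krb5 code.
"""
import re

# Constructed sample LDIF modelled on the ticket's entries. The
# ipa-ldap-delegation-targets entry is an ASSUMPTION: the ticket does not show it.
SAMPLE_LDIF = """\
# ipa-http-delegation, s4u2proxy, etc, ipa.local
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ipa,dc=local
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-http-delegation
memberPrincipal: HTTP/m17.ipa.local@IPA.LOCAL
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ipa,dc
 =local
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ipa,dc
 =local

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ipa,dc=local
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/m17.ipa.local@IPA.LOCAL

dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ipa,dc=local
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-cifs-delegation-targets
memberPrincipal: cifs/m17.ipa.local@IPA.LOCAL
"""

# Constructed KDC log excerpt: the first two lines mirror the ticket's output,
# the nfs/ denial is an ASSUMPTION added to show a denial the ACL does explain.
SAMPLE_KDC_LOG = """\
Feb 28 16:14:05 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1330438438, etypes {rep=18 tkt=18 ses=18}, admin@IPA.LOCAL for HTTP/m17.ipa.local@IPA.LOCAL
Feb 28 16:14:05 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/m17.ipa.local@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL, No such file or directory
Feb 28 16:14:05 m17.ipa.local krb5kdc4757: TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/m17.ipa.local@IPA.LOCAL for nfs/m17.ipa.local@IPA.LOCAL, No such file or directory
"""

DENIAL_RE = re.compile(r"NOT_ALLOWED_TO_DELEGATE: authtime \d+, (\S+) for (\S+),")


def parse_ldif(text):
    """Parse LDIF into {dn_lower: {attr_lower: [values]}}.

    Lines starting with a single space continue the previous line (RFC 2849
    folding), which is how ldapsearch wrapped the long DNs in the ticket.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None          # blank line ends the entry
            continue
        if line.startswith("#"):
            continue                # ldapsearch comment
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {}
            entries[value.lower()] = current   # DNs compare case-insensitively
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def allowed_targets(entries, proxy_principal):
    """Every target principal the ACLs permit proxy_principal to delegate to.

    Walks every ipaKrb5DelegationACL entry that lists the proxy and every
    ipaAllowedTarget value of each, resolving each target group's members.
    """
    targets = set()
    for attrs in entries.values():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "ipakrb5delegationacl" not in classes:
            continue
        if proxy_principal not in attrs.get("memberprincipal", []):
            continue
        for target_dn in attrs.get("ipaallowedtarget", []):
            group = entries.get(target_dn.lower(), {})
            targets.update(group.get("memberprincipal", []))
    return targets


def may_delegate(entries, proxy_principal, target_principal):
    return target_principal in allowed_targets(entries, proxy_principal)


def kdc_denials(log_text):
    """(proxy, target) pairs the KDC refused, deduplicated in log order."""
    seen = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if m and m.groups() not in seen:
            seen.append(m.groups())
    return seen


def unexplained_denials(entries, log_text):
    """Denials for pairs the directory ACL permits: KDC and LDAP disagree."""
    return [(p, t) for p, t in kdc_denials(log_text) if may_delegate(entries, p, t)]


if __name__ == "__main__":
    acl = parse_ldif(SAMPLE_LDIF)
    print("HTTP may delegate to:", sorted(allowed_targets(acl, "HTTP/m17.ipa.local@IPA.LOCAL")))
    for proxy, target in unexplained_denials(acl, SAMPLE_KDC_LOG):
        print(f"ACL permits {proxy} -> {target} but the KDC denied it")
```

Run against a real `ldapsearch -LLL` dump of `cn=s4u2proxy,cn=etc,$SUFFIX` and the krb5kdc log, a non-empty `unexplained_denials` result is the symptom this ticket reports: the directory lists the target, the KDC still answers NOT_ALLOWED_TO_DELEGATE. The nfs/ denial, by contrast, is consistent with the ACL and is filtered out.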

Found the bug, patch on list.

Fixed in master: 372d67a
Fixed in ipa-2-2: fd54775

Metadata Update from @abbra:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02

7 years ago
