#4844 Principal canonicalization does not work for principals in IPA realm
Closed: Fixed. Opened 9 years ago by abbra.

Principal canonicalization does not work for own realm:

$ KRB5_TRACE=/dev/stderr kinit -C admin@f21.test
[31948] 1421403750.682046: Getting initial credentials for admin@f21.test
[31948] 1421403750.683696: Sending request (157 bytes) to f21.test
[31948] 1421403750.684576: Resolving hostname master.f21.test.
[31948] 1421403750.685294: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.686131: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.686295: Response was from master KDC
[31948] 1421403750.686349: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.686386: Following referral to realm f21.test
[31948] 1421403750.686435: Sending request (157 bytes) to f21.test
[31948] 1421403750.686691: Resolving hostname master.f21.test.
[31948] 1421403750.686929: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.687412: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.687564: Response was from master KDC
[31948] 1421403750.687616: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.687658: Following referral to realm f21.test
[31948] 1421403750.687697: Sending request (157 bytes) to f21.test
[31948] 1421403750.687941: Resolving hostname master.f21.test.
[31948] 1421403750.688136: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.688519: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.688687: Response was from master KDC
[31948] 1421403750.688721: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.688740: Following referral to realm f21.test
[31948] 1421403750.688771: Sending request (157 bytes) to f21.test
[31948] 1421403750.689003: Resolving hostname master.f21.test.
[31948] 1421403750.689176: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.689526: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.689700: Response was from master KDC
[31948] 1421403750.689751: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.689786: Following referral to realm f21.test
[31948] 1421403750.689832: Sending request (157 bytes) to f21.test
[31948] 1421403750.690092: Resolving hostname master.f21.test.
[31948] 1421403750.690280: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.690669: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.690830: Response was from master KDC
[31948] 1421403750.690891: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.690954: Following referral to realm f21.test
[31948] 1421403750.691017: Sending request (157 bytes) to f21.test
[31948] 1421403750.691246: Resolving hostname master.f21.test.
[31948] 1421403750.691420: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.691790: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.691932: Response was from master KDC
[31948] 1421403750.691986: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.692008: Following referral to realm f21.test
[31948] 1421403750.692048: Sending request (157 bytes) to f21.test
[31948] 1421403750.692246: Resolving hostname master.f21.test.
[31948] 1421403750.692414: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.692792: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.692933: Response was from master KDC
[31948] 1421403750.692989: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.693049: Following referral to realm f21.test
[31948] 1421403750.693119: Sending request (157 bytes) to f21.test
[31948] 1421403750.693335: Resolving hostname master.f21.test.
[31948] 1421403750.693524: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.693922: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.694118: Response was from master KDC
[31948] 1421403750.694153: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.694172: Following referral to realm f21.test
[31948] 1421403750.694202: Sending request (157 bytes) to f21.test
[31948] 1421403750.694399: Resolving hostname master.f21.test.
[31948] 1421403750.694567: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.694934: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.695095: Response was from master KDC
[31948] 1421403750.695138: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.695157: Following referral to realm f21.test
[31948] 1421403750.695188: Sending request (157 bytes) to f21.test
[31948] 1421403750.695385: Resolving hostname master.f21.test.
[31948] 1421403750.695553: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.695899: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.696055: Response was from master KDC
[31948] 1421403750.696115: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.696134: Following referral to realm f21.test
[31948] 1421403750.696164: Sending request (157 bytes) to f21.test
[31948] 1421403750.696393: Resolving hostname master.f21.test.
[31948] 1421403750.696563: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.696908: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.697047: Response was from master KDC
[31948] 1421403750.697101: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.697126: Following referral to realm f21.test
[31948] 1421403750.697157: Sending request (157 bytes) to f21.test
[31948] 1421403750.697363: Resolving hostname master.f21.test.
[31948] 1421403750.697544: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.697919: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.698080: Response was from master KDC
[31948] 1421403750.698178: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.698246: Following referral to realm f21.test
[31948] 1421403750.698287: Sending request (157 bytes) to f21.test
[31948] 1421403750.698484: Resolving hostname master.f21.test.
[31948] 1421403750.698673: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.699017: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.699194: Response was from master KDC
[31948] 1421403750.699255: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.699290: Following referral to realm f21.test
[31948] 1421403750.699336: Sending request (157 bytes) to f21.test
[31948] 1421403750.699562: Resolving hostname master.f21.test.
[31948] 1421403750.699781: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.700106: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.700270: Response was from master KDC
[31948] 1421403750.700304: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.700323: Following referral to realm f21.test
[31948] 1421403750.700353: Sending request (157 bytes) to f21.test
[31948] 1421403750.700554: Resolving hostname master.f21.test.
[31948] 1421403750.700747: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.701075: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.701234: Response was from master KDC
[31948] 1421403750.701268: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.701298: Following referral to realm f21.test
[31948] 1421403750.701328: Sending request (157 bytes) to f21.test
[31948] 1421403750.701523: Resolving hostname master.f21.test.
[31948] 1421403750.701767: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.702095: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.702266: Response was from master KDC
[31948] 1421403750.702300: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.702319: Following referral to realm f21.test
kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials
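The trace above shows kinit being referred back to the very realm it just asked, 16 times, before its loop breaker fires. As an added example (not code from the ticket, FreeIPA or krb5), the small audit below walks KRB5_TRACE output and flags that pattern, generalised to any referral back to a realm already asked in the exchange; the two sample traces are constructed, with made-up pids, timestamps and the EXAMPLE.TEST realm names.

```python
import re
from dataclasses import dataclass, field

# KRB5_TRACE lines are "[pid] seconds.usec: message"; kinit's final error line has no prefix.
_PREFIX = re.compile(r"^\[\d+\] \d+\.\d+: (?P<msg>.*)$")
_SENT = re.compile(r"^Sending request \(\d+ bytes\) to (?P<realm>\S+)$")
_REFERRAL = re.compile(r"^Following referral to realm (?P<realm>\S+)$")

@dataclass
class ReferralAudit:
    realms_queried: list = field(default_factory=list)
    self_referrals: int = 0       # referral back to the realm that was just asked
    revisits: int = 0             # referral to a realm asked earlier in the exchange
    client_gave_up: bool = False  # kinit's own loop breaker fired

def audit_trace(lines):
    """Count referrals in a KRB5_TRACE capture that cannot make progress."""
    audit = ReferralAudit()
    current = None
    for raw in lines:
        m = _PREFIX.match(raw.strip())
        msg = m.group("msg") if m else raw.strip()
        if sent := _SENT.match(msg):
            current = sent.group("realm")
            audit.realms_queried.append(current)
        elif ref := _REFERRAL.match(msg):
            target = ref.group("realm")
            if target == current:
                audit.self_referrals += 1
            elif target in audit.realms_queried:
                audit.revisits += 1
        elif "Looping detected inside krb5_get_in_tkt" in msg:
            audit.client_gave_up = True
    return audit

# Constructed sample: two rounds of the ticket's self-referral, then kinit's loop breaker.
SELF_REFERRAL_TRACE = """\
[100] 1421403750.683696: Sending request (157 bytes) to f21.test
[100] 1421403750.686386: Following referral to realm f21.test
[100] 1421403750.686435: Sending request (157 bytes) to f21.test
[100] 1421403750.687658: Following referral to realm f21.test
kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials
""".splitlines()

# Constructed sample of a referral that makes progress: a different realm is asked next.
HEALTHY_TRACE = """\
[101] 1421403800.000001: Sending request (160 bytes) to EXAMPLE.TEST
[101] 1421403800.000002: Following referral to realm SUB.EXAMPLE.TEST
[101] 1421403800.000003: Sending request (160 bytes) to SUB.EXAMPLE.TEST
""".splitlines()
```

A non-zero `self_referrals` or `revisits` count is the signal worth alerting on, even when the client has not yet given up.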

Simo volunteered for the initial research. Moving to 4.1.3 and marking as critical until we know more.

Talked with MIT and we concluded this is a bug in recent kinit:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8060

I sent a patch, pull request is here:
https://github.com/krb5/krb5/pull/243

We should probably open a bugzilla against krb5 and backport anywhere we landed 1.12.2/1.13.

Thanks. Do I understand it correctly that there is still a bug in our KDC driver, in that it does not support canonicalization? Or will the krb5 patch fix that?

We still have a problem with canonicalization in the KDB, but the patch at least fixes looping.

For 7.1 we should get only the krb5 fixes.
The IPA fixes need to be deferred to the next release, as they'll require some well-thought-out decisions on how to handle canonicalization at the LDAP level.

4.1.4 was released, moving to a new milestone.

According to sbose, the looping was fixed some time ago. The rest was implemented in the Kerberos aliases tickets: #3864 #3961 #5413 #4421

Metadata Update from @abbra:
- Issue assigned to sbose
- Issue set to the milestone: FreeIPA 4.4

7 years ago
