#6906 ipa-client-install fails when HTTPS KDC proxy is used (defined in URI record)
Opened 2 years ago by mbasti. Modified 2 years ago

When a URI record is specified for KDC proxy

_kerberos.example.com. IN URI 0 100 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"

and FreeIPA server autodiscovery is used then FreeIPA client fails to install

ipa-client-install (with autodiscovery) failed on kinit, see the KRB5_TRACE below; it refuses the IPA self-signed certificate

....
Realm: IPA.TEST
DNS Domain: ipa.test
IPA Server: master.ipa.test
BaseDN: dc=ipa,dc=test

Continue to configure the system with these values? [no]: y
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@IPA.TEST:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.TEST
    Issuer:      CN=Certificate Authority,O=IPA.TEST
    Valid From:  2017-04-27 11:02:28
    Valid Until: 2037-04-27 11:02:28

Enrolled in IPA realm IPA.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.TEST
trying https://master.ipa.test/ipa/json
Forwarding 'schema' to json server 'https://master.ipa.test/ipa/json'
Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'IPA.TEST'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

[root@client1 ~]# KRB5_TRACE=/dev/stderr kinit admin
[25690] 1493293387.746616: Getting initial credentials for admin@IPA.TEST
[25690] 1493293387.750307: Sending request (164 bytes) to IPA.TEST
[25690] 1493293387.751468: Resolving hostname master.ipa.test
[25690] 1493293387.765261: TLS certificate error at 1 (O=IPA.TEST, CN=Certificate Authority): 19 (self signed certificate in certificate chain)
[25690] 1493293387.765680: TLS error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[25690] 1493293387.765807: HTTPS error sending to https 192.168.138.101:443
[25690] 1493293387.766873: Terminating TCP connection to https 192.168.138.101:443
kinit: Cannot contact any KDC for realm 'IPA.TEST' while getting initial credentials 

Christian's investigation:

Actually it is not a self-signed EE certificate. The validation message
is bogus because FreeIPA TLS configuration is slightly buggy. We send
the trust anchor (root CA) although a server should not include its
trust anchor in its ServerHello message. OpenSSL detects an untrusted
root CA in the ServerHello peer chain and emits the message.

If I read the 600-line (!) function ipaclient.install.client._install
correctly, then ipa-client-install first attempts to negotiate a TGT and
then installs the trust anchor in the global trust store. It should be
enough to reverse the order and inject the trust anchor first. 

But it needs deeper inspection of ipa-client-install


URI discovery works for me when I specify all record types with the same priority (TCP, UDP, MSKKDCP)

Reference: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

stop sssd

SSSD overrides DNS discovery

$ systemctl stop sssd

Add URI KKDCP record

$ ipa dnsrecord-add dom-058-099.ipa.example. _kerberos --uri-priority=100 --uri-weight=1 --uri-target="krb5srv:M:kkdcp:https://vm-058-099.ipa.example/KdcProxy"
$ KRB5_TRACE=/dev/stderr kinit admin  
[61732] 1493366616.418944: Getting initial credentials for admin@DOM-058-099.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
[61732] 1493366616.422709: Sending request (233 bytes) to DOM-058-099.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
[61732] 1493366616.424726: Resolving hostname vm-058-099.abc.idm.lab.eng.brq.redhat.com
[61732] 1493366616.491667: TLS certificate name matched "vm-058-099.abc.idm.lab.eng.brq.redhat.com"
[61732] 1493366616.495565: Sending HTTPS request to https 2620:52:0:224e:21a:4aff:fe23:15c4:443
[61732] 1493366616.519568: Received answer (392 bytes) from https 2620:52:0:224e:21a:4aff:fe23:15c4:443
[61732] 1493366616.519593: Terminating TCP connection to https 2620:52:0:224e:21a:4aff:fe23:15c4:443
[61732] 1493366616.520879: Response was from master KDC

Add TCP and UDP URIs with the same priority

$ ipa dnsrecord-add dom-058-099.abc.idm.lab.eng.brq.redhat.com. _kerberos --uri-priority=100 --uri-weight=1 --uri-target="krb5srv:M:tcp:vm-058-099.abc.idm.lab.eng.brq.redhat.com:88"
$ ipa dnsrecord-add dom-058-099.abc.idm.lab.eng.brq.redhat.com. _kerberos --uri-priority=100 --uri-weight=1 --uri-target="krb5srv:M:udp:vm-058-099.abc.idm.lab.eng.brq.redhat.com:88"
$ KRB5_TRACE=/dev/stderr kinit admin
[61742] 1493366657.524839: Getting initial credentials for admin@DOM-058-099.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
[61742] 1493366657.528389: Sending request (233 bytes) to DOM-058-099.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
[61742] 1493366657.529668: Resolving hostname vm-058-099.abc.idm.lab.eng.brq.redhat.com
[61742] 1493366657.531195: Initiating TCP connection to stream 2620:52:0:224e:21a:4aff:fe23:15c4:88
[61742] 1493366657.531360: Sending TCP request to stream 2620:52:0:224e:21a:4aff:fe23:15c4:88
[61742] 1493366657.534447: Received answer (392 bytes) from stream 2620:52:0:224e:21a:4aff:fe23:15c4:88
[61742] 1493366657.534465: Terminating TCP connection to stream 2620:52:0:224e:21a:4aff:fe23:15c4:88
[61742] 1493366657.534524: Response was from master KDC

It works because it is connecting to port 88 directly, not via 443. So enrollment with only an HTTPS proxy will still not work; I'd expect that the main motivation for adding URI records is to allow clients to enroll only via 443.

It works because I added all variants and MIT KRB5 prefers UDP/TCP over KKDCP. That means we can safely add the URI records now and deal with client enrolment over KKDCP another time.

Here is what we should do in order to support KKDCP while keeping TCP/UDP the default. Clients that are able to connect to port 88 will just use standard Kerberos. Only clients behind a firewall will fall back to KKDCP.

for HOSTNAME in KDC:
    _kerberos URI 100 0 "krb5srv:M:udp:$HOSTNAME"
    _kerberos URI 100 0 "krb5srv:M:tcp:$HOSTNAME"
    _kerberos URI 200 0 "krb5srv:M:kkdcp:https://$HOSTNAME/KdcProxy"
    _kpasswd URI 100 0 "krb5srv:M:udp:$HOSTNAME"
    _kpasswd URI 100 0 "krb5srv:M:tcp:$HOSTNAME"
    _kpasswd URI 200 0 "krb5srv:M:kkdcp:https://$HOSTNAME/KdcProxy"
    _kerberos-adm URI 100 0 "krb5srv:M:udp:$HOSTNAME"
    _kerberos-adm URI 100 0 "krb5srv:M:tcp:$HOSTNAME"
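The record layout proposed in the comment above, expanded into something a practitioner can check. This is an added example, not FreeIPA or MIT krb5 code: it parses `krb5srv:` URI targets in the form used on this page, orders candidates by URI priority (lower preferred, as with SRV), simulates which endpoint a client picks when port 88 is or is not reachable, and renders the `ipa dnsrecord-add` invocations with the flags shown in the earlier comments. The within-priority ordering by weight is an assumption standing in for the client's weighted-random choice; the zone name and KDC hostname passed in are placeholders.

```python
"""Model URI-based KDC discovery for the _kerberos/_kpasswd/_kerberos-adm
layout proposed above (priority 100 for udp/tcp, 200 for kkdcp).

Added example, not FreeIPA or MIT krb5 code. Assumptions: targets follow
"krb5srv:<flags>:<transport>:<residual>" as used on this page (udp/tcp carry
host[:port], kkdcp carries an https URL); lower priority is preferred; within
one priority, heavier weight first (a deterministic stand-in for the client's
weighted-random selection).
"""
import re
from typing import List, NamedTuple, Optional, Tuple

KRB5SRV_RE = re.compile(
    r"^krb5srv:(?P<flags>[^:]*):(?P<transport>udp|tcp|kkdcp):(?P<residual>.+)$"
)


class KdcEndpoint(NamedTuple):
    priority: int
    weight: int
    transport: str       # "udp", "tcp" or "kkdcp"
    host: str
    port: Optional[int]  # None for kkdcp; the https URL carries the port
    target: str          # raw URI target as published in DNS


def parse_krb5srv(priority: int, weight: int, target: str) -> KdcEndpoint:
    """Parse one URI record target, rejecting anything that is not krb5srv."""
    m = KRB5SRV_RE.match(target)
    if m is None:
        raise ValueError(f"not a krb5srv URI target: {target!r}")
    transport, residual = m.group("transport"), m.group("residual")
    if transport == "kkdcp":
        if not residual.startswith("https://"):
            raise ValueError(f"kkdcp target must be an https URL: {target!r}")
        host = residual[len("https://"):].split("/", 1)[0]
        return KdcEndpoint(priority, weight, transport, host, None, target)
    # udp/tcp residual is "hostname" or "hostname:port"; port 88 if omitted
    host, sep, port = residual.partition(":")
    return KdcEndpoint(priority, weight, transport, host,
                       int(port) if sep else 88, target)


def discovery_order(endpoints: List[KdcEndpoint]) -> List[KdcEndpoint]:
    """Lowest priority first; within a priority, heavier weight first
    (assumption, see module docstring)."""
    return sorted(endpoints, key=lambda e: (e.priority, -e.weight))


def first_reachable(endpoints: List[KdcEndpoint], port_88_open: bool) -> KdcEndpoint:
    """Simulate a client walking the candidates: one that can reach port 88
    lands on udp/tcp at priority 100; one behind a firewall that blocks 88
    falls through to the kkdcp record at priority 200."""
    for e in discovery_order(endpoints):
        if e.transport == "kkdcp" or port_88_open:
            return e
    raise LookupError("Cannot contact any KDC")


def proposed_records(kdcs: List[str]) -> List[Tuple[str, int, int, str]]:
    """Expand the proposed layout: (owner name, priority, weight, target)."""
    recs = []
    for h in kdcs:
        for owner in ("_kerberos", "_kpasswd"):
            recs.append((owner, 100, 0, f"krb5srv:M:udp:{h}"))
            recs.append((owner, 100, 0, f"krb5srv:M:tcp:{h}"))
            recs.append((owner, 200, 0, f"krb5srv:M:kkdcp:https://{h}/KdcProxy"))
        recs.append(("_kerberos-adm", 100, 0, f"krb5srv:M:udp:{h}"))
        recs.append(("_kerberos-adm", 100, 0, f"krb5srv:M:tcp:{h}"))
    return recs


def ipa_dnsrecord_add_commands(zone: str, kdcs: List[str]) -> List[str]:
    """Render the records as `ipa dnsrecord-add` calls using the
    --uri-priority/--uri-weight/--uri-target flags shown on this page."""
    return [
        f'ipa dnsrecord-add {zone} {owner} --uri-priority={prio} '
        f'--uri-weight={weight} --uri-target="{target}"'
        for owner, prio, weight, target in proposed_records(kdcs)
    ]


if __name__ == "__main__":
    # placeholder zone/host, constructed for the demo
    for cmd in ipa_dnsrecord_add_commands("ipa.test.", ["master.ipa.test"]):
        print(cmd)
    eps = [parse_krb5srv(p, w, t) for o, p, w, t in proposed_records(["master.ipa.test"])
           if o == "_kerberos"]
    print("port 88 open  ->", first_reachable(eps, True).target)
    print("port 88 blocked ->", first_reachable(eps, False).target)
```

Note that the fallback to the kkdcp record only helps once the client trusts the proxy's HTTPS certificate; the trace at the top of this ticket shows what happens when kinit runs before the IPA CA has been installed as a trust anchor.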

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
