When a URI record is specified for KDC proxy
_kerberos.example.com. IN URI 0 100 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
and FreeIPA server autodiscovery is used then FreeIPA client fails to install
ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE below, it refuses the IPA self-signed certificate ....

Realm: IPA.TEST
DNS Domain: ipa.test
IPA Server: master.ipa.test
BaseDN: dc=ipa,dc=test
Continue to configure the system with these values? [no]: y
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@IPA.TEST:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.TEST
    Issuer:      CN=Certificate Authority,O=IPA.TEST
    Valid From:  2017-04-27 11:02:28
    Valid Until: 2037-04-27 11:02:28
Enrolled in IPA realm IPA.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.TEST
trying https://master.ipa.test/ipa/json
Forwarding 'schema' to json server 'https://master.ipa.test/ipa/json'
Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'IPA.TEST'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

[root@client1 ~]# KRB5_TRACE=/dev/stderr kinit admin
[25690] 1493293387.746616: Getting initial credentials for admin@IPA.TEST
[25690] 1493293387.750307: Sending request (164 bytes) to IPA.TEST
[25690] 1493293387.751468: Resolving hostname master.ipa.test
[25690] 1493293387.765261: TLS certificate error at 1 (O=IPA.TEST, CN=Certificate Authority): 19 (self signed certificate in certificate chain)
[25690] 1493293387.765680: TLS error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[25690] 1493293387.765807: HTTPS error sending to https 192.168.138.101:443
[25690] 1493293387.766873: Terminating TCP connection to https 192.168.138.101:443
kinit: Cannot contact any KDC for realm 'IPA.TEST' while getting initial credentials
Christian's investigation:
Actually it is not a self-signed EE certificate. The validation message is bogus because FreeIPA TLS configuration is slightly buggy. We send the trust anchor (root CA) although a server should not include its trust anchor in its ServerHello message. OpenSSL detects an untrusted root CA in the ServerHello peer chain and emits the message. If I read the 600 lines (!) function ipaclient.install.client._install correctly, then ipa-client-install first attempts to negotiate a TGT and then installs the trust anchor in the global trust store. It should be enough to reverse the order and inject the trust anchor first.
But it needs deeper inspection of ipa-client-install
URI discovery works for me when I specify all record types with same priority (TCP, UDP, MSKKDCP)
Reference: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery
SSSD overrides DNS discovery
$ systemctl stop sssd
$ ipa dnsrecord-add dom-058-099.ipa.example. _kerberos --uri-priority=100 --uri-weight=1 --uri-target="krb5srv:M:kkdcp:https://vm-058-099.ipa.example/KdcProxy"
$ KRB5_TRACE=/dev/stderr kinit admin
[61732] 1493366616.418944: Getting initial credentials for admin@DOM-058-099.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
[61732] 1493366616.422709: Sending request (233 bytes) to DOM-058-099.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
[61732] 1493366616.424726: Resolving hostname vm-058-099.abc.idm.lab.eng.brq.redhat.com
[61732] 1493366616.491667: TLS certificate name matched "vm-058-099.abc.idm.lab.eng.brq.redhat.com"
[61732] 1493366616.495565: Sending HTTPS request to https 2620:52:0:224e:21a:4aff:fe23:15c4:443
[61732] 1493366616.519568: Received answer (392 bytes) from https 2620:52:0:224e:21a:4aff:fe23:15c4:443
[61732] 1493366616.519593: Terminating TCP connection to https 2620:52:0:224e:21a:4aff:fe23:15c4:443
[61732] 1493366616.520879: Response was from master KDC

$ ipa dnsrecord-add dom-058-099.abc.idm.lab.eng.brq.redhat.com. _kerberos --uri-priority=100 --uri-weight=1 --uri-target="krb5srv:M:tcp:vm-058-099.abc.idm.lab.eng.brq.redhat.com:88"
$ ipa dnsrecord-add dom-058-099.abc.idm.lab.eng.brq.redhat.com. _kerberos --uri-priority=100 --uri-weight=1 --uri-target="krb5srv:M:udp:vm-058-099.abc.idm.lab.eng.brq.redhat.com:88"
$ KRB5_TRACE=/dev/stderr kinit admin
[61742] 1493366657.524839: Getting initial credentials for admin@DOM-058-099.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
[61742] 1493366657.528389: Sending request (233 bytes) to DOM-058-099.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
[61742] 1493366657.529668: Resolving hostname vm-058-099.abc.idm.lab.eng.brq.redhat.com
[61742] 1493366657.531195: Initiating TCP connection to stream 2620:52:0:224e:21a:4aff:fe23:15c4:88
[61742] 1493366657.531360: Sending TCP request to stream 2620:52:0:224e:21a:4aff:fe23:15c4:88
[61742] 1493366657.534447: Received answer (392 bytes) from stream 2620:52:0:224e:21a:4aff:fe23:15c4:88
[61742] 1493366657.534465: Terminating TCP connection to stream 2620:52:0:224e:21a:4aff:fe23:15c4:88
[61742] 1493366657.534524: Response was from master KDC
It works because it is connecting to port 88 directly, not via 443. So enrollment with only HTTPS proxy will still not work, I'd expect that main motivation for adding URI records is to allow clients to enroll only via 443.
It works because I added all variants and MIT KRB5 prefers UDP/TCP over KKDCP. That means we can safely add the URI records now and deal with client enrolment over KKDCP another time.
Here is what we should do in order to support KKDCP while keeping TCP/UDP the default. Clients that are able to connect to port 88 will just use standard Kerberos. Only clients behind a firewall will fall back to KKDCP.
for HOSTNAME in KDC:
    _kerberos URI 100 0 "krb5srv:M:udp:$HOSTNAME"
    _kerberos URI 100 0 "krb5srv:M:tcp:$HOSTNAME"
    _kerberos URI 200 0 "krb5srv:M:kkdcp:https://$HOSTNAME/KdcProxy"
    _kpasswd URI 100 0 "krb5srv:M:udp:$HOSTNAME"
    _kpasswd URI 100 0 "krb5srv:M:tcp:$HOSTNAME"
    _kpasswd URI 200 0 "krb5srv:M:kkdcp:https://$HOSTNAME/KdcProxy"
    _kerberos-adm URI 100 0 "krb5srv:M:udp:$HOSTNAME"
    _kerberos-adm URI 100 0 "krb5srv:M:tcp:$HOSTNAME"
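The record scheme above, turned into the `ipa dnsrecord-add` invocations used earlier in this ticket, as an added example that is not FreeIPA's own code; the zone name and KDC hostnames are constructed placeholders, and the kkdcp records get priority 200 so MIT krb5 only falls back to the proxy when the priority-100 UDP/TCP records are unreachable.

```shell
#!/bin/sh
# Added example, not part of FreeIPA: print the ipa dnsrecord-add commands
# that publish UDP/TCP URI records at priority 100 and the KKDCP record at
# priority 200 for each KDC. Zone and hostnames below are constructed.

ZONE="ipa.example."

# Print one "ipa dnsrecord-add" command for a URI record.
# $1 zone, $2 record name, $3 priority, $4 weight, $5 target
uri_record() {
    printf 'ipa dnsrecord-add %s %s --uri-priority=%s --uri-weight=%s --uri-target="%s"\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Records for one KDC host: _kerberos and _kpasswd get UDP, TCP and a
# lower-preference KKDCP entry; _kerberos-adm gets UDP and TCP only,
# matching the proposal above. Eight commands per host.
kdc_records() {
    zone="$1"
    host="$2"
    for name in _kerberos _kpasswd; do
        uri_record "$zone" "$name" 100 0 "krb5srv:M:udp:$host"
        uri_record "$zone" "$name" 100 0 "krb5srv:M:tcp:$host"
        uri_record "$zone" "$name" 200 0 "krb5srv:M:kkdcp:https://$host/KdcProxy"
    done
    uri_record "$zone" _kerberos-adm 100 0 "krb5srv:M:udp:$host"
    uri_record "$zone" _kerberos-adm 100 0 "krb5srv:M:tcp:$host"
}

# Emit the commands for every KDC hostname given as an argument; review the
# output, then pipe it into sh on a host with an admin ticket to apply it.
all_records() {
    for host in "$@"; do
        kdc_records "$ZONE" "$host"
    done
}

all_records master.ipa.example replica1.ipa.example
```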
LGTM
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.7
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone