#7119 kdc_proxy: kinit admin fails with "Cannot contact any KDC for realm 'IPA.TEST' while getting initial credentials"
Closed: fixed 3 years ago Opened 3 years ago by mreznik.

When trying to use kdc_proxy kinit admin fails with "Cannot contact any KDC for realm 'IPA.TEST' while getting initial credentials".

Steps to reproduce:

  1. install ipa master
  2. install ipa client
  3. configure kdc proxy on the client
  4. block port 88 on the client
  5. kinit admin on the client

kinit fails with:

[root@client ~]# KRB5_TRACE=/dev/stdout kinit admin
[33798] 1503556862.97965: Getting initial credentials for admin@IPA.TEST
[33798] 1503556862.100364: Sending request (225 bytes) to IPA.TEST
[33798] 1503556862.100511: Resolving hostname master.ipa.test
[33798] 1503556862.122192: TLS certificate error at 1 (O=IPA.TEST, CN=Certificate Authority): 19 (self signed certificate in certificate chain)
[33798] 1503556862.122430: TLS error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[33798] 1503556862.122556: HTTPS error sending to https 2620:52:0:0:21a:4aff:fe23:129a:443
[33798] 1503556862.123560: Terminating TCP connection to https 2620:52:0:0:21a:4aff:fe23:129a:443
[33798] 1503556862.140403: TLS certificate error at 1 (O=IPA.TEST, CN=Certificate Authority): 19 (self signed certificate in certificate chain)
[33798] 1503556862.140619: TLS error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[33798] 1503556862.140744: HTTPS error sending to https 10.0.0.147:443
[33798] 1503556862.141667: Terminating TCP connection to https 10.0.0.147:443
kinit: Cannot contact any KDC for realm 'IPA.TEST' while getting initial credentials

It looks like the client has neither the IPA CA root installed in its global trust store nor http_anchors = FILE:/etc/ipa/ca.crt in /etc/krb5.conf. By default the ipa-client-install command adds its CA file to /etc/ca-trust/source/ipa.p11-kit and runs update-ca-trust or update-ca-certificates.

What's your platform and IPA version?

Was about to add, sorry for the delay. It is Fedora 25.

[root@master ~]# ipa ping
-----------------------------------------------------------------------
IPA server version 4.5.90.dev201708230722+git928374c. API version 2.229
-----------------------------------------------------------------------

You meant /etc/pki/ca-trust/source? Yes, it is there. I also tried to add the anchor to krb5.conf before and it helped the first time, but later it was not working.

It's a bug in FreeIPA. In your test case, the file /etc/pki/ca-trust/source/ipa.p11-kit contains

[p11-kit-object-v1]
class: x-certificate-extension
...
object-id: 2.5.29.37
value: "0%18%06%03U%1D%25%01%01%FF%04%0E0%0C%06%0A%2B%06%01%04%01%99w%06%0A%10"

The OID is Extended Key Usage and the value is an empty EKU (https://lapo.it/asn1js/#30180603551D250101FF040E300C060A2B060104019977060A10). Because the EKU field only contains 1.3.6.1.4.1.3319.6.10.16, p11-kit does not consider the IPA CA cert as a valid trust anchor for server auth. As a consequence, the CA cert is never added to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem and kinit cannot validate the trust chain.

A correct ipa.p11-kit contains

[p11-kit-object-v1]
class: x-certificate-extension
...
object-id: 2.5.29.37
value: "04%06%03U%1D%25%01%01%FF%04%2A0%28%06%08%2B%06%01%05%05%07%03%01%06%08%2B%06%01%05%05%07%03%02%06%08%2B%06%01%05%05%07%03%03%06%08%2B%06%01%05%05%07%03%04"

with EKU server auth, client auth, code signing and s/mime: https://lapo.it/asn1js/#30340603551D250101FF042A302806082B0601050507030106082B0601050507030206082B0601050507030306082B06010505070304
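To check an ipa.p11-kit object the same way p11-kit does, here is an added example (not code from the ticket or from FreeIPA): it percent-decodes the quoted value, walks the DER Extension structure, verifies the extnID is 2.5.29.37 and lists the purpose OIDs, so an admin can tell whether a given object carries id-kp-serverAuth. The two values are the ones quoted in the comment above; the helper names are my own.

```python
from urllib.parse import unquote_to_bytes

# Both values are copied from the ticket: p11-kit stores the DER-encoded
# extension as a percent-escaped string in the x-certificate-extension object.
BROKEN_EKU = "0%18%06%03U%1D%25%01%01%FF%04%0E0%0C%06%0A%2B%06%01%04%01%99w%06%0A%10"
FIXED_EKU = ("04%06%03U%1D%25%01%01%FF%04%2A0%28%06%08%2B%06%01%05%05%07%03%01"
             "%06%08%2B%06%01%05%05%07%03%02%06%08%2B%06%01%05%05%07%03%03"
             "%06%08%2B%06%01%05%05%07%03%04")
EKU_OID = "2.5.29.37"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, required for the TLS bundle

def der_tlv(data, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn DER OID content bytes into dotted notation (base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def eku_oids(p11kit_value):
    """Return the purpose OIDs listed by a p11-kit EKU extension object."""
    tag, ext, _ = der_tlv(unquote_to_bytes(p11kit_value))   # Extension SEQUENCE
    if tag != 0x30:
        raise ValueError("extension is not a SEQUENCE")
    tag, ext_id, pos = der_tlv(ext)                         # extnID
    if decode_oid(ext_id) != EKU_OID:
        raise ValueError("object is not an EKU extension")
    tag, body, pos = der_tlv(ext, pos)
    if tag == 0x01:                                         # optional 'critical'
        tag, body, pos = der_tlv(ext, pos)
    if tag != 0x04:
        raise ValueError("missing extnValue OCTET STRING")
    _, seq, _ = der_tlv(body)                               # SEQUENCE OF OID
    oids, pos = [], 0
    while pos < len(seq):
        _, oid, pos = der_tlv(seq, pos)
        oids.append(decode_oid(oid))
    return oids

def usable_as_tls_anchor(p11kit_value):
    """True only if the object grants id-kp-serverAuth (see the comment above)."""
    return SERVER_AUTH in eku_oids(p11kit_value)
```

Running eku_oids on the broken value yields only 1.3.6.1.4.1.3319.6.10.16, while the fixed value yields the four standard purposes, which is exactly the difference the comment describes.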

Metadata Update from @pvoborni:
- Issue assigned to stlaz
- Issue set to the milestone: FreeIPA 4.6.1

3 years ago

Just to add a link here, this is potentially a blocking issue for Fedora 27: https://bugzilla.redhat.com/show_bug.cgi?id=1491053

I guess this is related to b5732ef, which changed this code a whole lot...

Metadata Update from @stlaz:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1491053

3 years ago

master:

  • e537686 Don't write p11-kit EKU extension object if no EKU

ipa-4-6:

  • 7da5187 Don't write p11-kit EKU extension object if no EKU

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Unfortunately, there still seem to be problems here - while OpenSSL now seems happy, Firefox still is not. More details in https://bugzilla.redhat.com/show_bug.cgi?id=1491053#c30 and onwards.
