When trying to use kdc_proxy kinit admin fails with "Cannot contact any KDC for realm 'IPA.TEST' while getting initial credentials".
Steps to reproduce:
kinit fails with:
[root@client ~]# KRB5_TRACE=/dev/stdout kinit admin
[33798] 1503556862.97965: Getting initial credentials for admin@IPA.TEST
[33798] 1503556862.100364: Sending request (225 bytes) to IPA.TEST
[33798] 1503556862.100511: Resolving hostname master.ipa.test
[33798] 1503556862.122192: TLS certificate error at 1 (O=IPA.TEST, CN=Certificate Authority): 19 (self signed certificate in certificate chain)
[33798] 1503556862.122430: TLS error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[33798] 1503556862.122556: HTTPS error sending to https 2620:52:0:0:21a:4aff:fe23:129a:443
[33798] 1503556862.123560: Terminating TCP connection to https 2620:52:0:0:21a:4aff:fe23:129a:443
[33798] 1503556862.140403: TLS certificate error at 1 (O=IPA.TEST, CN=Certificate Authority): 19 (self signed certificate in certificate chain)
[33798] 1503556862.140619: TLS error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[33798] 1503556862.140744: HTTPS error sending to https 10.0.0.147:443
[33798] 1503556862.141667: Terminating TCP connection to https 10.0.0.147:443
kinit: Cannot contact any KDC for realm 'IPA.TEST' while getting initial credentials
It looks like the client has neither the IPA CA root installed in its global trust store nor does it have http_anchors = FILE:/etc/ipa/ca.crt in /etc/krb5.conf. By default the ipa-client-install command adds its CA file to /etc/ca-trust/source/ipa.p11-kit and runs update-ca-trust or update-ca-certificates.
What's your platform and IPA version?
Was about to add, sorry for the delay. It is Fedora 25.
[root@master ~]# ipa ping
-----------------------------------------------------------------------
IPA server version 4.5.90.dev201708230722+git928374c. API version 2.229
-----------------------------------------------------------------------
You meant /etc/pki/ca-trust/source? Yes it is there. I also tried to add the anchor to krb5.conf before and it helped for the first time but later it was not working.
It's a bug in FreeIPA. In your test case, the file /etc/pki/ca-trust/source/ipa.p11-kit contains
[p11-kit-object-v1]
class: x-certificate-extension
...
object-id: 2.5.29.37
value: "0%18%06%03U%1D%25%01%01%FF%04%0E0%0C%06%0A%2B%06%01%04%01%99w%06%0A%10"
The OID is Extended Key Usage and the value is an empty EKU, https://lapo.it/asn1js/#30180603551D250101FF040E300C060A2B060104019977060A10 . Because the EKU field only contains 1.3.6.1.4.1.3319.6.10.16, p11-kit does not consider the IPA CA cert as a valid trust anchor for server auth. As a consequence, the CA cert is never added to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem and kinit cannot validate the trust chain.
A correct ipa.p11-kit contains
[p11-kit-object-v1]
class: x-certificate-extension
...
object-id: 2.5.29.37
value: "04%06%03U%1D%25%01%01%FF%04%2A0%28%06%08%2B%06%01%05%05%07%03%01%06%08%2B%06%01%05%05%07%03%02%06%08%2B%06%01%05%05%07%03%03%06%08%2B%06%01%05%05%07%03%04"
with EKU server auth, client auth, code signing and s/mime: https://lapo.it/asn1js/#30340603551D250101FF042A302806082B0601050507030106082B0601050507030206082B0601050507030306082B06010505070304
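To check an ipa.p11-kit object for exactly this condition, here is an added Python example (not FreeIPA or p11-kit code) that percent-decodes the object's value, walks the DER Extension and lists the EKU OIDs it carries; the two sample values are the ones quoted in this ticket, and the constant names and the serverAuth check are my own.

```python
from urllib.parse import unquote_to_bytes

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, needed for the TLS bundle
EKU_EXTENSION = "2.5.29.37"         # id-ce-extKeyUsage

# Values copied from the ticket: the broken object and the corrected one.
BROKEN = "0%18%06%03U%1D%25%01%01%FF%04%0E0%0C%06%0A%2B%06%01%04%01%99w%06%0A%10"
FIXED = ("04%06%03U%1D%25%01%01%FF%04%2A0%28%06%08%2B%06%01%05%05%07%03%01"
         "%06%08%2B%06%01%05%05%07%03%02%06%08%2B%06%01%05%05%07%03%03"
         "%06%08%2B%06%01%05%05%07%03%04")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Dotted-decimal form of DER OBJECT IDENTIFIER content bytes."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def eku_oids(p11kit_value):
    """Return the EKU OIDs listed in a percent-encoded Extension value."""
    _, ext, _ = read_tlv(unquote_to_bytes(p11kit_value))  # Extension SEQUENCE
    _, oid, pos = read_tlv(ext)                            # extnID
    if decode_oid(oid) != EKU_EXTENSION:
        raise ValueError("object-id is not Extended Key Usage")
    tag, value, pos = read_tlv(ext, pos)
    if tag == 0x01:                                        # skip optional critical BOOLEAN
        tag, value, pos = read_tlv(ext, pos)
    _, seq, _ = read_tlv(value)                            # OCTET STRING -> ExtKeyUsageSyntax
    oids, pos = [], 0
    while pos < len(seq):
        _, oid, pos = read_tlv(seq, pos)
        oids.append(decode_oid(oid))
    return oids

def trusted_for_server_auth(p11kit_value):
    """True when the EKU permits TLS server authentication (id-kp-serverAuth)."""
    return SERVER_AUTH in eku_oids(p11kit_value)
```

Running it on a value pasted from /etc/pki/ca-trust/source/ipa.p11-kit shows whether the CA can ever reach tls-ca-bundle.pem before touching krb5.conf.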
Metadata Update from @pvoborni:
- Issue assigned to stlaz
- Issue set to the milestone: FreeIPA 4.6.1
Just to add a link here, this is potentially a blocking issue for Fedora 27: https://bugzilla.redhat.com/show_bug.cgi?id=1491053
I guess this is related to b5732ef, which changed this code a whole lot...
Metadata Update from @stlaz:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1491053
https://github.com/freeipa/freeipa/pull/1090
master:
ipa-4-6:
Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Unfortunately, there still seem to be problems here - while OpenSSL now seems happy, Firefox still is not. More details in https://bugzilla.redhat.com/show_bug.cgi?id=1491053#c30 and onwards.