Authentication indicators currently should not be enforced against internal IPA services because not all users of those services can produce Kerberos tickets with the required authentication indicators. Enforcing the indicators will lead to a broken FreeIPA deployment for such services. Thus, we should add logic that prevents such a broken setup.
`host/...`, `ldap/...`, `HTTP/...`, and `cifs/...` principals on IPA masters should not allow setting any authentication indicators at the moment.
In an Active Directory infrastructure, all services running on a machine are aliases of the machine account (represented by the `host/...` service principal). This means they all share the same Kerberos keys. In FreeIPA there is no strong aliasing between the services running on a host; `host/...` and `cifs/...` keys can be different. However, the `host/...` service principal on any IPA system running Samba plays an important role for DCE RPC calls authenticated with Kerberos, because DCE RPC clients will use the `host/...` key to encrypt a request and the DCE RPC server will have to use its own `host/...` keys to decrypt that request. This means DCE RPC clients will automatically attempt to obtain a service ticket for `host/...` on the target DCE RPC server. Assigning an authentication indicator to it will prevent this operation, rendering SMB (and DCE RPC) services impossible to use.
This means that for IPA clients which have Samba services enabled (have a `cifs/...` service principal), it should also not be possible to assign an authentication indicator to the `host/...` and `cifs/...` principals on those hosts.
We need to figure out whether using the `hardened` authentication indicator could be permitted.
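The policy described in this ticket, written out as a standalone validation check. This is an added illustration, not FreeIPA's own code (FreeIPA implements the check in its own LDAP plugins under different names). It assumes the caller supplies the set of IPA masters and the set of hosts that have a `cifs/` service, that principals are named `service/fqdn@REALM`, and, since the ticket leaves the `hardened` question open, it rejects every indicator on the protected principals, `hardened` included. It also returns an error instead of raising when the service principal cannot be determined, so a caller never sees a bare stack trace for that case.

```python
"""Added example: refuse authentication indicators on principals that internal
IPA services and Samba/DCE RPC clients must be able to obtain tickets for.

Not FreeIPA's own code. Names (Principal, indicators_allowed, the two
*_PROTECTED_SERVICES sets) are hypothetical, chosen for this illustration.
"""
from dataclasses import dataclass

# Services whose principals on an IPA master must never carry an indicator
# (ticket: host/, ldap/, HTTP/, cifs/ on masters).
MASTER_PROTECTED_SERVICES = frozenset({"host", "ldap", "HTTP", "cifs"})
# Services that must stay indicator-free on any host that runs Samba,
# because DCE RPC clients fetch a host/ ticket on the target automatically.
SAMBA_PROTECTED_SERVICES = frozenset({"host", "cifs"})


class PrincipalError(ValueError):
    """Raised when a string is not a well-formed Kerberos service principal."""


@dataclass(frozen=True)
class Principal:
    service: str   # e.g. "host", "cifs", "HTTP"
    hostname: str  # fully qualified, normalised to lower case
    realm: str


def parse_principal(name: str) -> Principal:
    """Parse 'service/fqdn@REALM'; the realm part is mandatory here."""
    if "@" not in name:
        raise PrincipalError(f"missing realm in {name!r}")
    primary, realm = name.rsplit("@", 1)
    if "/" not in primary:
        raise PrincipalError(f"{name!r} is not a service principal")
    service, hostname = primary.split("/", 1)
    if not service or not hostname or not realm:
        raise PrincipalError(f"malformed service principal {name!r}")
    return Principal(service, hostname.lower(), realm)


def indicators_allowed(principal_name, indicators, masters, samba_hosts):
    """Return (allowed, reason) for setting `indicators` on `principal_name`.

    masters / samba_hosts: sets of lower-case FQDNs (caller-supplied
    assumption for this example).
    """
    if not indicators:
        return True, "no indicator requested"
    try:
        p = parse_principal(principal_name)
    except PrincipalError as e:
        # Fail closed with a reason instead of leaking an exception.
        return False, f"cannot determine service principal: {e}"
    if p.hostname in masters and p.service in MASTER_PROTECTED_SERVICES:
        return False, (f"{p.service}/ on IPA master {p.hostname} must not "
                       f"carry authentication indicators")
    if p.hostname in samba_hosts and p.service in SAMBA_PROTECTED_SERVICES:
        return False, (f"{p.service}/ on Samba host {p.hostname} must not "
                       f"carry authentication indicators (breaks DCE RPC)")
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample topology for the demonstration.
    masters = {"master.ipa.test"}
    samba = {"fileserver.ipa.test"}
    for name in ("host/master.ipa.test@IPA.TEST",
                 "cifs/fileserver.ipa.test@IPA.TEST",
                 "nfs/fileserver.ipa.test@IPA.TEST",
                 "host/client.ipa.test@IPA.TEST",
                 "admin@IPA.TEST"):
        print(name, indicators_allowed(name, ["otp"], masters, samba))
```

Only the service/host pair is consulted; the realm is parsed so that a bare user principal or a string without a realm is rejected up front rather than matched by accident.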
https://github.com/freeipa/freeipa/pull/5617
Metadata Update from @antorres: - Issue assigned to antorres
master:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1979625
Issue linked to Bugzilla: Bug 1979625
Issue linked to Bugzilla: Bug 1979629
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1979625, https://bugzilla.redhat.com/show_bug.cgi?id=1979629 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1979625)
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
An exception is raised if an authentication indicator is included when a host is added because the Kerberos principal can't be determined. See BZ for stack trace.
Metadata Update from @rcritten: - Issue status updated to: Open (was: Closed)
https://github.com/freeipa/freeipa/pull/5889
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)