#8206 Add checks to prevent assigning authentication indicators to internal IPA services
Closed: fixed 2 months ago by rcritten. Opened 2 years ago by abbra.

Authentication indicators currently should not be enforced against internal IPA services because not all users of those services can produce Kerberos tickets with required authentication indicators. Enforcing the indicators will lead to a broken FreeIPA deployment for such services. Thus, we should add a logic that prevents such broken setup.

host/..., ldap/.., HTTP/.., and 'cifs/..` principals on IPA masters should not allow setting any authentication indicators as of the moment.

In Active Directory infrastructure all services running on the machine are aliases of the machine account (represented with host/... service principal). It means they all have the same Kerberos keys. In FreeIPA there is no strong aliasing between the services running on a host; host/... and cifs/... keys can be different. However, host/... service principal on any IPA system running Samba plays important role for DCE RPC calls authenticated with the help of Kerberos because DCE RPC clients will use host/... key to encrypt a request and DCE RPC server will have to use own host/.. keys to decrypt that request. It means DCE RPC clients will attempt to obtain a service ticket to host/.. on a target DCE RPC server automatically. Assigning an authentication indicator to it will prevent this operation, rendering SMB (and DCE RPC) services impossible to use.

This means that for IPA clients which have Samba services enabled (have cifs/... service principal), there should also be not possible to assign authentication indicator to host/... and cifs/.. principals on the hosts.

We need to figure out if using hardened authentication indicator could be permitted.


Metadata Update from @antorres:
- Issue assigned to antorres

6 months ago

master:

  • 0bdbf11 Add checks to prevent adding auth indicators to internal IPA services
  • da72a57 ipatests: ensure auth indicators can't be added to internal IPA services

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1979625

2 months ago

ipa-4-9:

  • a5d2857 Add checks to prevent adding auth indicators to internal IPA services
  • 28484c3 ipatests: ensure auth indicators can't be added to internal IPA services

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 months ago

An exception is raised if an authentication indicator is included when a host is added because the Kerberos principal can't be determined. See BZ for stack trace.

Metadata Update from @rcritten:
- Issue status updated to: Open (was: Closed)

2 months ago

master:

  • bd0d437 Fall back to krbprincipalname when validating host auth indicators

ipa-4-9:

  • 8ad535b Fall back to krbprincipalname when validating host auth indicators

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 months ago

Login to comment on this ticket.

Metadata