Host principals don't show up during kadmin enumeration.
kadmin.local getprincs
```
[root@ipa ~]# kadmin.local getprincs
ldap/ipa.example.test@EXAMPLE.TEST
dogtag/ipa.example.test@EXAMPLE.TEST
HTTP/ipa.example.test@EXAMPLE.TEST
[root@ipa ~]# kadmin.local getprinc host/$(hostname -f)
Principal: host/ipa.example.test@EXAMPLE.TEST
Expiration date: [never]
Last password change: Wed Dec 16 19:51:04 UTC 2020
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Dec 16 19:51:04 UTC 2020 (root/admin@EXAMPLE.TEST)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha256-128
Key: vno 2, aes256-cts-hmac-sha384-192
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
[root@ipa ~]#
```
All principals should be listed during `getprincs`, including those for `host/`.
```
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.9.0-0.5.rc3.fc34.x86_64
freeipa-client-4.9.0-0.5.rc3.fc34.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-2.0.1-1.fc34.x86_64
pki-ca-10.10.0-2.fc34.noarch
krb5-server-1.18.3-4.fc34.x86_64
```
In a two-second analysis it looks like the host entry (which holds the host principal) lacks the `ipakrbprincipal` objectclass.
This adds the current server to the list for me:
```
$ ipa host-mod --addattr objectclass=ipakrbprincipal ipa.example.test --setattr ipaKrbPrincipalAlias=host/ipa.example.test@EXAMPLE.TEST
```

```
# kadmin.local getprincs
ldap/ipa.example.test@EXAMPLE.TEST
host/ipa.example.test@EXAMPLE.TEST
dogtag/ipa.example.test@EXAMPLE.TEST
HTTP/ipa.example.test@EXAMPLE.TEST
DNS/ipa.example.test@EXAMPLE.TEST
ipa-dnskeysyncd/ipa.example.test@EXAMPLE.TEST
nfs/ipa.example.test@EXAMPLE.TEST
```
So I think we'd need an upgrade script to fix all hosts, which could be expensive and potentially take a long time which would increase the chance of a user hitting ^C during the rpm process.
Maybe a better way would be to fix the KDB driver's LDAP filter in the `getprincs` command so that it would pick up hosts? They are seen by the KDC, or otherwise they wouldn't be able to authenticate.
I did an investigation and I think it is due to a particular issue with the `krbprincipalname:caseignoreia5match:=%x2a` search term. It looks like if we enforce `caseignoreia5match` with `*`, 389-ds gets confused and does not handle the `*` search properly. Previously we had `*` unescaped and that was a broken LDAP filter.
If I remove the `:caseignoreia5match:` part from the filter and leave just `*`, I get all 14 principals that exist on the default installation. So an easy fix would be to detect that a requested principal name is `*` alone and handle that differently.
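The approach described in the comment above, written out as an added C example. This is not the ipa-kdb driver's own code: the function names `ldap_filter_escape` and `build_principal_filter` are hypothetical, and the only names taken from the thread are the `krbprincipalname` attribute and the `caseignoreia5match` matching rule. It shows why escaping the pattern is still required (an unescaped `*`, `(` or `)` from the caller would change the filter's structure) and why a lone `*` must be recognised before escaping: once escaped to `\2a` inside an extensible match it only matches a literal asterisk, which is the empty enumeration the reporter saw.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Escape one LDAP assertion value per RFC 4515: '*', '(', ')' and '\'
 * become \2a, \28, \29 and \5c. Returns false if the result does not fit. */
static bool ldap_filter_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const char *p = in; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (o + 3 >= outlen)
                return false;
            o += (size_t)snprintf(out + o, outlen - o, "\\%02x", c);
        } else {
            if (o + 1 >= outlen)
                return false;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return true;
}

/* Build the search filter for a principal pattern as a getprincs request
 * would supply it (hypothetical helper, not ipa-kdb code).
 * A lone "*" means "every principal", so it is turned into a presence
 * filter instead of being escaped. Any other pattern is matched
 * case-insensitively with its value escaped, so the caller cannot inject
 * additional filter components. */
static bool build_principal_filter(const char *pattern, char *out, size_t outlen)
{
    char escaped[512];
    int n;

    if (pattern == NULL || strcmp(pattern, "*") == 0) {
        n = snprintf(out, outlen, "(krbprincipalname=*)");
        return n > 0 && (size_t)n < outlen;
    }

    if (!ldap_filter_escape(pattern, escaped, sizeof(escaped)))
        return false;

    n = snprintf(out, outlen, "(krbprincipalname:caseignoreia5match:=%s)", escaped);
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    /* Constructed sample patterns: the wildcard, a real principal name,
     * and a hostile value carrying filter metacharacters. */
    const char *patterns[] = { "*", "host/ipa.example.test@EXAMPLE.TEST", "a*)(b" };
    char filter[256];

    for (size_t i = 0; i < sizeof(patterns) / sizeof(patterns[0]); i++) {
        if (build_principal_filter(patterns[i], filter, sizeof(filter)))
            printf("%-40s -> %s\n", patterns[i], filter);
        else
            printf("%-40s -> (pattern too long)\n", patterns[i]);
    }
    return 0;
}
```

The presence filter `(krbprincipalname=*)` is the form the comment above reports as returning all 14 principals on a default install; glob patterns such as `host/*` are outside what this example handles, since the thread only discusses the lone-wildcard case.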
I submitted https://github.com/freeipa/freeipa/pull/5351
Metadata Update from @abbra: - Issue assigned to abbra
master:
ipa-4-8:
ipa-4-9:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)