I've modified a user to require hardened information and they can't log in any more.
No password prompt, error message: kinit: Pre-authentication failed: Invalid argument while getting initial credentials
Password prompt followed by successful authentication
On RHEL 8:
ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
ipa-client-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
389-ds-base-1.4.3.23-10.module+el8.5.0+12398+47000435.x86_64
pki-ca-10.11.2-2.module+el8.5.0+12735+8eb38ccc.noarch
krb5-server-1.18.2-14.el8.x86_64
Also seen on CentOS Stream 9:
ipa-server-4.9.6-9.el9.x86_64
ipa-client-4.9.6-9.el9.x86_64
389-ds-base-2.0.11-3.el9.x86_64
pki-ca-11.0.1-3.el9.noarch
krb5-server-1.19.1-12.el9.x86_64
krb5 trace from kinit command:

```
[admin@ipa-test0 ~]$ KRB5_TRACE=/dev/stderr KRB5CCNAME=MEMORY: kinit htest
[3910683] 1639666477.833986: Getting initial credentials for htest@IPATEST.QQ
[3910683] 1639666477.833988: Sending unauthenticated request
[3910683] 1639666477.833989: Sending request (167 bytes) to IPATEST.QQ
[3910683] 1639666477.833990: Initiating TCP connection to stream 192.168.0.7:88
[3910683] 1639666477.833991: Sending TCP request to stream 192.168.0.7:88
[3910683] 1639666477.833992: Received answer (234 bytes) from stream 192.168.0.7:88
[3910683] 1639666477.833993: Terminating TCP connection to stream 192.168.0.7:88
[3910683] 1639666477.833994: Response was from primary KDC
[3910683] 1639666477.833995: Received error from KDC: -1765328359/Additional pre-authentication required
[3910683] 1639666477.833998: Preauthenticating using KDC method data
[3910683] 1639666477.833999: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[3910683] 1639666477.834000: Received cookie: MIT
[3910683] 1639666477.834001: PKINIT client has no configured identity; giving up
[3910683] 1639666477.834002: Preauth module pkinit (147) (info) returned: 0/Success
[3910683] 1639666477.834003: PKINIT client received freshness token from KDC
[3910683] 1639666477.834004: Preauth module pkinit (150) (info) returned: 0/Success
[3910683] 1639666477.834005: PKINIT client has no configured identity; giving up
[3910683] 1639666477.834006: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
```
When trying to SSH in as the user:
```
==> /var/log/sssd/sssd_kcm.log <==
(2021-12-16 15:08:00): [kcm] [server_setup] (0x1f7c0): Starting with debug level = 0x0070

==> /var/log/sssd/krb5_child.log <==
(2021-12-16 15:08:00): [krb5_child[3910870]] [get_and_save_tgt] (0x0020): 1724: [-1765328174][Pre-authentication failed: Invalid argument]
*** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2021-12-16 15:08:00): [krb5_child[3910870]] [main] (0x0400): krb5_child started.
* (2021-12-16 15:08:00): [krb5_child[3910870]] [unpack_buffer] (0x1000): total buffer size: [107]
* (2021-12-16 15:08:00): [krb5_child[3910870]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [1829800021] gid [1829800021] validate [true] enterprise principal [false] offline [false] UPN [htest@IPATEST.QQ]
* (2021-12-16 15:08:00): [krb5_child[3910870]] [unpack_buffer] (0x0100): ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
* (2021-12-16 15:08:00): [krb5_child[3910870]] [switch_creds] (0x0200): Switch user to [1829800021][1829800021].
* (2021-12-16 15:08:00): [krb5_child[3910870]] [switch_creds] (0x0200): Switch user to [0][0].
* (2021-12-16 15:08:00): [krb5_child[3910870]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KCM:] and is not active and TGT is valid.
* (2021-12-16 15:08:00): [krb5_child[3910870]] [k5c_precreate_ccache] (0x4000): Recreating ccache
* (2021-12-16 15:08:00): [krb5_child[3910870]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/ipa-test0.example.qq@IPATEST.QQ]
* (2021-12-16 15:08:00): [krb5_child[3910870]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipa-test0.example.qq@IPATEST.QQ in keytab.
* (2021-12-16 15:08:00): [krb5_child[3910870]] [match_principal] (0x1000): Principal matched to the sample (host/ipa-test0.example.qq@IPATEST.QQ).
* (2021-12-16 15:08:00): [krb5_child[3910870]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
* (2021-12-16 15:08:00): [krb5_child[3910870]] [become_user] (0x0200): Trying to become user [1829800021][1829800021].
* (2021-12-16 15:08:00): [krb5_child[3910870]] [main] (0x2000): Running as [1829800021][1829800021].
* (2021-12-16 15:08:00): [krb5_child[3910870]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
* (2021-12-16 15:08:00): [krb5_child[3910870]] [set_lifetime_options] (0x0100): No specific lifetime requested.
* (2021-12-16 15:08:00): [krb5_child[3910870]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
* (2021-12-16 15:08:00): [krb5_child[3910870]] [main] (0x0400): Will perform auth
* (2021-12-16 15:08:00): [krb5_child[3910870]] [main] (0x0400): Will perform online auth
* (2021-12-16 15:08:00): [krb5_child[3910870]] [tgt_req_child] (0x1000): Attempting to get a TGT
* (2021-12-16 15:08:00): [krb5_child[3910870]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [IPATEST.QQ]
* (2021-12-16 15:08:00): [krb5_child[3910870]] [get_and_save_tgt] (0x0020): 1724: [-1765328174][Pre-authentication failed: Invalid argument]
*** BACKTRACE DUMP ENDS HERE *****
(2021-12-16 15:08:00): [krb5_child[3910870]] [map_krb5_error] (0x0020): [1432158222][Failure setting user credentials].
```
RHEL bug: https://bugzilla.redhat.com/show_bug.cgi?id=2033342
Thoughts:
I think it is due to this handling of 'ua' (user auth) in case 0 below, where IPADB_USER_AUTH_HARDENED should also have been considered: https://pagure.io/freeipa/blob/master/f/daemons/ipa-kdb/ipa_kdb_principals.c#_786
```c
ret = ipadb_ldap_attr_to_key_data(lcontext, lentry, "krbPrincipalKey",
                                  &res_key_data, &result, &mkvno);
switch (ret) {
case 0:
    /* Only set a principal's key if password auth can be used. Otherwise
     * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
     * reply for AS-REQs which indicate the password authentication is
     * available. This might confuse applications like e.g. SSSD which try
     * to determine suitable authentication methods and corresponding
     * prompts with the help of MIT Kerberos' responder interface which
     * acts on the returned pre-authentication methods. A typical example
     * is enforced OTP authentication where of course keys are available
     * for the first factor but password authentication should not be
     * advertised by the KDC. */
    if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
        /* This is the same behavior as ENOENT below. */
        ipa_krb5_free_key_data(res_key_data, result);
        break;
    }
    entry->key_data = res_key_data;
    entry->n_key_data = result;
    if (mkvno) {
        krb5_int16 kvno16le = htole16((krb5_int16)mkvno);

        kerr = ipadb_set_tl_data(entry, KRB5_TL_MKVNO,
                                 sizeof(kvno16le),
                                 (krb5_octet *)&kvno16le);
        if (kerr) {
            goto done;
        }
    }
case ENOENT:
    break;
default:
    kerr = KRB5_KDB_INTERNAL_ERROR;
    goto done;
}
```
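To make the failing condition concrete, here is an added example (not FreeIPA's code and not part of the ticket) that puts the check quoted above beside the variant the thread proposes and runs both over a few user-auth-type combinations. The flag values are an assumption for this example, laid out like the bit flags of `enum ipadb_user_auth` in ipa_kdb.h; only the names are the project's.

```c
#include <stdbool.h>
#include <stdio.h>

/* Flag values are assumed here, laid out like the bit flags of
 * enum ipadb_user_auth in ipa_kdb.h (the names are the project's). */
enum {
    IPADB_USER_AUTH_NONE     = 0,
    IPADB_USER_AUTH_DISABLED = 1 << 0,
    IPADB_USER_AUTH_PASSWORD = 1 << 1,
    IPADB_USER_AUTH_RADIUS   = 1 << 2,
    IPADB_USER_AUTH_OTP      = 1 << 3,
    IPADB_USER_AUTH_PKINIT   = 1 << 4,
    IPADB_USER_AUTH_HARDENED = 1 << 5,
};

/* Equivalent to the condition in case 0 above: keys survive only when
 * password auth is enabled or no auth type is set. A hardened-only user
 * loses its keys, so the NEEDED_PREAUTH reply lists no password-based
 * method, matching the preauth types seen in the kinit trace. */
bool keys_kept_before(unsigned ua)
{
    return (ua & IPADB_USER_AUTH_PASSWORD) || ua == IPADB_USER_AUTH_NONE;
}

/* Variant proposed in the thread: hardened auth is still a password
 * login (FAST-armored), so it keeps the keys too; OTP-only, RADIUS-only
 * and PKINIT-only users still drop them, as the original comment intends. */
bool keys_kept_after(unsigned ua)
{
    unsigned pw_based = IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED;
    return (ua & pw_based) || ua == IPADB_USER_AUTH_NONE;
}

int main(void)
{
    struct { const char *label; unsigned ua; } cases[] = {
        { "none (default)",  IPADB_USER_AUTH_NONE },
        { "password",        IPADB_USER_AUTH_PASSWORD },
        { "hardened",        IPADB_USER_AUTH_HARDENED },
        { "otp",             IPADB_USER_AUTH_OTP },
        { "password+otp",    IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_OTP },
        { "hardened+pkinit", IPADB_USER_AUTH_HARDENED | IPADB_USER_AUTH_PKINIT },
    };
    printf("%-16s %-8s %-8s\n", "user auth type", "before", "after");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s %-8s %-8s\n", cases[i].label,
               keys_kept_before(cases[i].ua) ? "keys" : "no keys",
               keys_kept_after(cases[i].ua) ? "keys" : "no keys");
    return 0;
}
```

The only row that changes between the two columns is the hardened-only user, which is exactly the account the reporter could no longer log in with.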
Metadata Update from @abbra: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2033342
That change was introduced in commit f0d12b7. It is worth reading the commit's message. I think that with the addition of IPADB_USER_AUTH_HARDENED, we missed this place.
@sbose what do you think?
Hi,
yes, IPADB_USER_AUTH_HARDENED should be added here.
bye, Sumit
Metadata Update from @ftrivino:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2033342 https://bugzilla.redhat.com/show_bug.cgi?id=2049104 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2033342)
- Issue assigned to jrische
Metadata Update from @ftrivino: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6161
master:
ipa-4-9:
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)