#9448 FreeIPA 4.9 KDB rejects FreeIPA 4.10 KDB-issued evidence ticket in S4U processing
Closed: fixed 2 years ago by jrische. Opened 2 years ago by abbra.

Upstream mailing list discussion thread: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/FLZYF6YKRRU5DIJ6RCYLJKI6Y2MGRE4B/

If an evidence ticket is issued by an IPA KDC running krb5 1.20+, an IPA KDC running krb5 1.18.2 or earlier will fail the request with a KRB5KDC_ERR_BADOPTION error ("KDC can't fulfill requested option"):

    Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ : handle_authdata (-1765328371)
    Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.88.5: HANDLE_AUTHDATA: authtime 1694078668, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM, KDC can't fulfill requested option
    Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): ... CONSTRAINED-DELEGATION s4u-client=host/xoanon.ipa.example.com@IPA.EXAMPLE.COM
    Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): closing down fd 12
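An added example, not part of the ticket, showing how an administrator can triage a krb5kdc journal for this failure signature: it correlates the `handle_authdata` error code line, the `HANDLE_AUTHDATA ... KDC can't fulfill requested option` line and the following `CONSTRAINED-DELEGATION s4u-client=` line of one request on the same KDC process. The sample log is constructed from the lines above (re-joined onto one line each, with a made-up successful request added for contrast); the function name and the field names of the result are this example's own.

```python
import re

# Constructed sample log: the krb5kdc journal lines from this ticket, re-joined
# onto one line each, plus a made-up successful S4U2Proxy request (09:25:01)
# to show that ordinary ISSUE lines are not reported.
SAMPLE_LOG = """\
Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ : handle_authdata (-1765328371)
Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.88.5: HANDLE_AUTHDATA: authtime 1694078668, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM, KDC can't fulfill requested option
Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): ... CONSTRAINED-DELEGATION s4u-client=host/xoanon.ipa.example.com@IPA.EXAMPLE.COM
Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): closing down fd 12
Sep 07 09:25:01 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18)}) 192.168.88.7: ISSUE: authtime 1694078701, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM
Sep 07 09:25:01 ipa5.ipa.example.com krb5kdc[239017](info): ... CONSTRAINED-DELEGATION s4u-client=host/other.ipa.example.com@IPA.EXAMPLE.COM
Sep 07 09:25:01 ipa5.ipa.example.com krb5kdc[239017](info): closing down fd 13
"""

# Numeric value of KRB5KDC_ERR_BADOPTION as it appears in the log above.
KRB5KDC_ERR_BADOPTION = -1765328371

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$")
ERRCODE_RE = re.compile(r"TGS_REQ : handle_authdata \((?P<code>-?\d+)\)")
AUTHDATA_FAIL_RE = re.compile(
    r"TGS_REQ \(.*?\) (?P<client_ip>\S+): HANDLE_AUTHDATA: .*? "
    r"(?P<proxy>\S+) for (?P<target>\S+), KDC can't fulfill requested option")
S4U_RE = re.compile(r"\.\.\. CONSTRAINED-DELEGATION s4u-client=(?P<s4u_client>\S+)")


def find_s4u2proxy_authdata_failures(log_text):
    """Return one dict per S4U2Proxy request that the KDC rejected in
    handle_authdata, correlating the three log lines of a request by
    (host, pid) and line order."""
    findings = []
    pending = {}    # (host, pid) -> HANDLE_AUTHDATA failure awaiting its S4U line
    last_code = {}  # (host, pid) -> most recent handle_authdata error code
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        key, msg = (m["host"], m["pid"]), m["msg"]
        e = ERRCODE_RE.search(msg)
        if e:
            last_code[key] = int(e["code"])
            continue
        f = AUTHDATA_FAIL_RE.search(msg)
        if f:
            pending[key] = {
                "kdc": m["host"], "time": m["ts"], "client_ip": f["client_ip"],
                "proxy_service": f["proxy"], "target_service": f["target"],
                "error_code": last_code.pop(key, None),
            }
            continue
        s = S4U_RE.search(msg)
        if s and key in pending:
            finding = pending.pop(key)
            finding["s4u_client"] = s["s4u_client"]
            finding["is_badoption"] = finding["error_code"] == KRB5KDC_ERR_BADOPTION
            findings.append(finding)
            continue
        if "ISSUE:" in msg or msg.startswith("closing down fd"):
            pending.pop(key, None)  # request ended; nothing more to correlate
    return findings


if __name__ == "__main__":
    for f in find_s4u2proxy_authdata_failures(SAMPLE_LOG):
        print(f"{f['time']} {f['kdc']}: S4U2Proxy by {f['proxy_service']} "
              f"for {f['s4u_client']} -> {f['target_service']} rejected "
              f"(code {f['error_code']}, BADOPTION={f['is_badoption']})")
```

A hit whose `kdc` differs from the KDC that issued the evidence ticket, with `is_badoption` true, is the pattern this ticket describes; feeding `journalctl -u krb5kdc` output through the function on each KDC gives the per-KDC view.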

@yrro thank you a lot for digging this up.

If evidence ticket is issued by IPA KDC running krb5 1.21, IPA KDC running krb5 1.20 or earlier will fail the request

My setup has the ticket being issued by 1.20.1-9.el9_2, with the constrained delegation request happening on 1.18.2-25.el8_8.

Thanks, I have updated the description. You are right, we just worked too much on new PAC signing code in 1.21.

@jrische's investigation proved helpful. krb5 1.20 removed AD-SIGNTICKET support. This was an MIT- and Heimdal-specific implementation of S4U2Proxy handling for non-PAC environments. It was removed from Heimdal in 2021 too.

Compatibility with older MIT code was not considered during removal, and this is why there is no fix for MIT krb5 < 1.20 to adjust the checks.

In MIT krb5 < 1.20 we have this: https://github.com/krb5/krb5/blob/krb5-1.18.2-final/src/kdc/kdc_authdata.c#L506-L507

I think what we need to do is add a special check to older MIT krb5 code to check whether a PAC exists in the evidence ticket in case AD-SIGNTICKET is missing. If it exists, then the failure to fetch AD-SIGNTICKET should be ignored.

AD-SIGNTICKET was originally added to MIT krb5 in 1.8 beta 1: https://krbdev.mit.narkive.com/nOK9IGNN/krb5-1-8-beta1-is-available

A workaround until we fix it in MIT krb5: make sure your S4U2Self/S4U2Proxy app uses the same KDC all the time. This is what is enforced on the IPA KDC, which is why we didn't notice this problem earlier.
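To make the proposed compatibility check concrete, here is an added example (not code from MIT krb5, FreeIPA or this ticket) that models the evidence-ticket decision in Python, with the pre-fix behaviour of a 1.18 KDC beside the proposed tolerant one. The ad-type numbers come from MIT krb5's krb5.h and the error value from the log in the description; the representation of authorization data as nested `(type, contents)` tuples, the placement of both buffers inside AD-IF-RELEVANT, and the `signedpath_optional` switch are assumptions of this model.

```python
# Authorization-data type numbers from MIT krb5's krb5.h.
KRB5_AUTHDATA_IF_RELEVANT = 1
KRB5_AUTHDATA_WIN2K_PAC = 128
KRB5_AUTHDATA_SIGNTICKET = 142

# Error the 1.18 KDC logged in this ticket for the rejected evidence ticket.
KRB5KDC_ERR_BADOPTION = -1765328371


def find_authdata(authdata, ad_type):
    """Collect every element of the given ad_type, descending into
    AD-IF-RELEVANT containers. Elements are modelled here (an assumption of
    this example, not krb5's C structures) as (ad_type, contents) tuples,
    where the contents of an AD-IF-RELEVANT element is a nested list."""
    found = []
    for elem_type, contents in authdata:
        if elem_type == KRB5_AUTHDATA_IF_RELEVANT:
            found.extend(find_authdata(contents, ad_type))
        elif elem_type == ad_type:
            found.append(contents)
    return found


def check_s4u2proxy_evidence(evidence_authdata, signedpath_optional):
    """Decide whether an evidence ticket is acceptable for S4U2Proxy.

    signedpath_optional=False models the pre-fix 1.18 KDC, which insists on
    AD-SIGNTICKET. signedpath_optional=True models the proposed compatibility
    check: a missing AD-SIGNTICKET is tolerated when the ticket carries a PAC.
    Returns 0 on success or KRB5KDC_ERR_BADOPTION. Verifying the AD-SIGNTICKET
    or PAC signatures themselves is out of scope for this model."""
    has_signticket = bool(find_authdata(evidence_authdata, KRB5_AUTHDATA_SIGNTICKET))
    has_pac = bool(find_authdata(evidence_authdata, KRB5_AUTHDATA_WIN2K_PAC))
    if has_signticket:
        return 0
    if signedpath_optional and has_pac:
        return 0
    return KRB5KDC_ERR_BADOPTION


# Constructed evidence tickets (authorization data only; byte strings are placeholders).
TICKET_FROM_OLD_KDC = [  # krb5 1.18 issuer: PAC plus AD-SIGNTICKET
    (KRB5_AUTHDATA_IF_RELEVANT, [(KRB5_AUTHDATA_WIN2K_PAC, b"<pac>"),
                                 (KRB5_AUTHDATA_SIGNTICKET, b"<signedpath>")]),
]
TICKET_FROM_NEW_KDC = [  # krb5 1.20+ issuer: PAC only, AD-SIGNTICKET support removed
    (KRB5_AUTHDATA_IF_RELEVANT, [(KRB5_AUTHDATA_WIN2K_PAC, b"<pac>")]),
]
TICKET_WITHOUT_PAC = []  # neither buffer: unusable for S4U2Proxy either way


def compatibility_matrix():
    """Outcome per (issuer, verifier) pair: True means the evidence ticket is accepted."""
    tickets = {"1.18 issuer": TICKET_FROM_OLD_KDC, "1.20+ issuer": TICKET_FROM_NEW_KDC,
               "no PAC": TICKET_WITHOUT_PAC}
    verifiers = {"1.18 KDC (pre-fix)": False, "1.18 KDC (fixed)": True}
    return {(issuer, verifier): check_s4u2proxy_evidence(ad, optional) == 0
            for issuer, ad in tickets.items()
            for verifier, optional in verifiers.items()}


if __name__ == "__main__":
    for (issuer, verifier), ok in compatibility_matrix().items():
        print(f"{issuer:13s} -> {verifier:19s}: "
              f"{'accepted' if ok else 'KRB5KDC_ERR_BADOPTION'}")
```

The matrix shows the one failing cell this ticket is about (1.20+ issuer, pre-fix 1.18 verifier) and that the relaxed check still rejects a ticket carrying neither buffer, which is the property the real fix has to preserve.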

Metadata Update from @jrische:
- Issue assigned to jrische

2 years ago

Resolving this issue will require fixes for both krb5 and IPA.

IPA upstream fix (will require a backport to 4.9):
https://github.com/freeipa/freeipa/pull/7020

The upstream krb5-1.18 branch is no longer maintained. A fix will be provided in the CentOS/RHEL release:
https://gitlab.com/redhat/centos-stream/rpms/krb5/-/merge_requests/41

Metadata Update from @jrische:
- Custom field reviewer adjusted to abbra

2 years ago

ipa-4-9:

  • d394afc ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older

Metadata Update from @jrische:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @abbra:
- Custom field changelog adjusted to Downstream only: coordinate fixes to MIT Kerberos 1.18 and FreeIPA 4.9 to allow interoperability with MIT Kerberos 1.20 or later, which removed AD-SIGNTICKET support. MS-PAC information is required for the S4U Kerberos extension to operate, but older MIT Kerberos versions expect the AD-SIGNTICKET buffer as well. With this change, tickets issued by FreeIPA using AD-SIGNTICKET-free code are accepted by older FreeIPA KDCs for S4U extensions as long as they contain MS-PAC buffers.

a year ago
