Since commit 3e20a96 (FreeIPA 4.9.0, ~2020) (issue https://pagure.io/freeipa/issue/8319) we allow issuing tickets with MS-PAC to Kerberos services. This, in turn, requires presence of krbCanonicalName attribute to force canonicalization.
Services created before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no normalization that set krbCanonicalName; services created after the deployment was upgraded to that version do have krbCanonicalName.
This bug only affects 'old' services: if they lack krbCanonicalName, a TGT cannot be issued for them. If such a service is HTTP/... on an IPA master, then users cannot connect to IPA services through the IPA API (including provisioning of new hosts).
This will be seen as:

```
# ipa ping
ipa: ERROR: No valid Negotiate header in server response
```
The Kerberos KDC log will tell:

```
Oct 13 14:38:10 master.ipa.test krb5kdc[2743](info): AS_REQ : handle_authdata (2)
Oct 13 14:38:10 master.ipa.test krb5kdc[2743](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 192.168.7.1: HANDLE_AUTHDATA: HTTP/master.ipa.test@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST, No such file or directory
```
The `No such file or directory` comes from the `else` branch below, in the code of `ipadb_fill_info3()`:

```c
if (is_host) {
    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
    if (ret) {
        /* fqdn is mandatory for hosts */
        return ret;
    }
} else if (is_service) {
    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "krbCanonicalName", &strres);
    if (ret) {
        /* krbCanonicalName is mandatory for services */
        return ret;
    }
}
```
A workaround is to add krbCanonicalName to the service. A list of services and the presence of krbCanonicalName can be found with the following search:
```
# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket '(&(objectClass=ipaservice)(krbprincipalname=*)(krbprincipalkey=*))' krbprincipalname krbcanonicalname
```
Once services without canonical name are identified, they can be updated with ipa-ldap-updater:
```
# cat canonical.update
dn: krbprincipalname=HTTP/master.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test
add: krbcanonicalname: HTTP/master.ipa.test@IPA.TEST

dn: krbprincipalname=ldap/master.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test
add: krbcanonicalname: ldap/master.ipa.test@IPA.TEST
# ipa-ldap-updater canonical.update
```
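The two workaround steps above (search, then write an update file) can be chained, so the update file does not have to be typed by hand. The script below is an added example and is not part of this ticket or of FreeIPA's own tooling: it reads the LDIF that the `ldapsearch` command above prints, unfolds LDIF continuation lines (ldapsearch wraps long DNs at 76 columns), and emits an `ipa-ldap-updater` entry for every service entry that has no `krbcanonicalname`. An entry with more than one `krbprincipalname` value is skipped and reported on stderr, because there is no way to tell which alias should become canonical, which is the same restriction the "single value" condition at the end of this ticket describes. The LDIF embedded in `SAMPLE_LDIF` is constructed so the script runs offline; in a real run replace it with the `ldapsearch` output.

```shell
#!/bin/sh
# Added example (not FreeIPA's tooling): build a canonical.update file for
# ipa-ldap-updater from the LDIF produced by the ldapsearch in this ticket.
#
# Real usage:
#   ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket \
#     '(&(objectClass=ipaservice)(krbprincipalname=*)(krbprincipalkey=*))' \
#     krbprincipalname krbcanonicalname | gen_canonical_update > canonical.update

# Constructed sample LDIF (hypothetical entries): an old HTTP service without
# krbcanonicalname whose DN is folded across two lines the way ldapsearch does
# it, an ldap service that already has krbcanonicalname, and an nfs service
# with two krbprincipalname values and no canonical name.
SAMPLE_LDIF='dn: krbprincipalname=HTTP/master.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=i
 pa,dc=test
krbprincipalname: HTTP/master.ipa.test@IPA.TEST

dn: krbprincipalname=ldap/master.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test
krbprincipalname: ldap/master.ipa.test@IPA.TEST
krbcanonicalname: ldap/master.ipa.test@IPA.TEST

dn: krbprincipalname=nfs/master.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test
krbprincipalname: nfs/master.ipa.test@IPA.TEST
krbprincipalname: nfs/alias.ipa.test@IPA.TEST
'

# gen_canonical_update: LDIF on stdin, ipa-ldap-updater entries on stdout.
# Entries are separated by blank lines; a line starting with a single space
# continues the previous line; attribute names are matched case-insensitively.
gen_canonical_update() {
    awk '
    # Emit an update entry for the buffered LDAP entry, if it needs one.
    function flush() {
        if (dn != "" && canon == "") {
            if (nprinc == 1) {
                print "dn: " dn
                print "add: krbcanonicalname: " princ
                print ""
            } else {
                print "skipped " dn ": " nprinc " krbPrincipalName values" > "/dev/stderr"
            }
        }
        dn = ""; canon = ""; princ = ""; nprinc = 0
    }
    # Handle one logical (unfolded) LDIF line.
    function process(line) {
        if (line == "") { flush(); return }
        if (line ~ /^dn: /) { dn = substr(line, 5) }
        else if (tolower(line) ~ /^krbprincipalname: /) { princ = substr(line, 19); nprinc++ }
        else if (tolower(line) ~ /^krbcanonicalname: /) { canon = substr(line, 19) }
    }
    /^ / { buf = buf substr($0, 2); next }        # LDIF continuation line
    { if (have) process(buf); buf = $0; have = 1 } # previous logical line done
    END { if (have) process(buf); flush() }
    '
}

# Demonstration on the constructed sample: prints one entry for the HTTP
# service, nothing for ldap (already canonical), and a stderr note for nfs.
printf '%s' "$SAMPLE_LDIF" | gen_canonical_update
```

Review the generated file before running `ipa-ldap-updater` on it, and handle any skipped multi-principal services by hand, choosing the principal that clients actually use as the canonical one.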
A permanent fix could be to modify ipadb_fill_info3() to accept krbPrincipalName if krbCanonicalName is missing but only if krbPrincipalName has a single value.
Metadata Update from @abbra:
- Issue assigned to abbra
Addressed as part of https://github.com/freeipa/freeipa/pull/7177
master:
ipa-4-9:
ipa-4-10:
ipa-4-11:
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-23627, https://issues.redhat.com/browse/RHEL-23630