#9465 IPA stops working if HTTP/... service principal was created before FreeIPA 4.4.0 and never modified
Closed: fixed a year ago by frenaud. Opened a year ago by abbra.

Since commit 3e20a96 (FreeIPA 4.9.0, ~2020) (issue https://pagure.io/freeipa/issue/8319) we allow issuing tickets with MS-PAC to Kerberos services. This, in turn, requires presence of krbCanonicalName attribute to force canonicalization.

Services created before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no normalization to set krbCanonicalName; services created after the upgrade to that version do have krbCanonicalName.

This bug only affects 'old' services: if they lack krbCanonicalName, a TGT cannot be issued for them. If this service is HTTP/... on an IPA master, then users cannot connect to IPA services using the IPA API (including provisioning of new hosts).

This will be seen as:

# ipa ping
ipa: ERROR: No valid Negotiate header in server response

The Kerberos KDC log will show:

Oct 13 14:38:10 master.ipa.test krb5kdc[2743](info): AS_REQ : handle_authdata (2)
Oct 13 14:38:10 master.ipa.test krb5kdc[2743](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 192.168.7.1: HANDLE_AUTHDATA: HTTP/master.ipa.test@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST, No such file or directory

The "No such file or directory" comes from the else branch below, in the code of ipadb_fill_info3():

    /* excerpt from ipadb_fill_info3() before the fix: the error code from
     * ipadb_ldap_attr_to_str() for a missing attribute (ENOENT, whose
     * strerror text is "No such file or directory") is returned unchanged,
     * so the KDC fails the AS_REQ and logs that text */
    if (is_host) {
        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
        if (ret) {
            /* fqdn is mandatory for hosts */
            return ret;
        }
    } else if (is_service) {
        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
                                     "krbCanonicalName", &strres);
        if (ret) {
            /* krbCanonicalName is mandatory for services */
            return ret;
        }
    }

A workaround is to add krbCanonicalName to the service. A list of services and the presence of krbCanonicalName can be found with the following search:

# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket  '(&(objectClass=ipaservice)(krbprincipalname=*)(krbprincipalkey=*))' krbprincipalname krbcanonicalname

Once services without canonical name are identified, they can be updated with ipa-ldap-updater:

# cat canonical.update
dn: krbprincipalname=HTTP/master.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test
add: krbcanonicalname: HTTP/master.ipa.test@IPA.TEST

dn: krbprincipalname=ldap/master.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test
add: krbcanonicalname: ldap/master.ipa.test@IPA.TEST
# ipa-ldap-updater canonical.update

A permanent fix could be to modify ipadb_fill_info3() to accept krbPrincipalName if krbCanonicalName is missing but only if krbPrincipalName has a single value.
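Generating the update file from the search output by script, as an added example that is not part of this ticket or of FreeIPA's own code: the function below reads the LDIF produced by the ldapsearch above (run with -o ldif-wrap=no so long values are not folded across lines) and prints an ipa-ldap-updater stanza for every service that has no krbCanonicalName and exactly one krbPrincipalName, the same single-value condition the ticket proposes for the KDB fix. Entries with several krbPrincipalName values (aliases) are skipped because choosing the canonical name for them is a human decision, and base64-encoded ("::") values are ignored since they do not occur for ASCII principal names. The sample LDIF in the block is constructed; it reuses the two service names from the ticket and adds an invented nfs/ service with an alias to show the skip.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Builds an ipa-ldap-updater file that adds
# krbCanonicalName to services missing it, from "ldapsearch -o ldif-wrap=no"
# output such as:
#   ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket \
#     -o ldif-wrap=no \
#     '(&(objectClass=ipaservice)(krbprincipalname=*)(krbprincipalkey=*))' \
#     krbprincipalname krbcanonicalname | gen_canonical_update > canonical.update

# gen_canonical_update: LDIF on stdin, update stanzas on stdout.
# Emits an entry only if it has no krbCanonicalName and exactly one
# krbPrincipalName; attribute names are matched case-insensitively and
# "attr:: base64" lines are not treated as values.
gen_canonical_update() {
    awk '
    function flush() {
        if (dn != "" && !canon && nprinc == 1)
            printf "dn: %s\nadd: krbcanonicalname: %s\n\n", dn, princ
        dn = ""; canon = 0; nprinc = 0; princ = ""
    }
    {
        line = $0
        key = tolower(line); sub(/:.*/, "", key)   # attribute name, lowercased
        val = line; sub(/^[^:]*: /, "", val)        # text after "attr: "
    }
    /^dn: / { flush(); dn = val; next }
    key == "krbprincipalname" && line ~ /^[^:]*: / { nprinc++; princ = val; next }
    key == "krbcanonicalname" && line ~ /^[^:]*: / { canon = 1; next }
    /^$/    { flush() }
    END     { flush() }
    '
}

# sample_ldif: constructed ldapsearch output for three services:
#  - HTTP/master  : one principal, no canonical name  -> stanza emitted
#  - ldap/master  : already has krbCanonicalName       -> skipped
#  - nfs/client   : two principal names (an alias)     -> skipped
sample_ldif() {
    cat <<'EOF'
# extended LDIF
#
# filter: (&(objectClass=ipaservice)(krbprincipalname=*)(krbprincipalkey=*))
# requesting: krbprincipalname krbcanonicalname
#

# HTTP/master.ipa.test@IPA.TEST, services, accounts, ipa.test
dn: krbprincipalname=HTTP/master.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test
krbprincipalname: HTTP/master.ipa.test@IPA.TEST

# ldap/master.ipa.test@IPA.TEST, services, accounts, ipa.test
dn: krbprincipalname=ldap/master.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test
krbprincipalname: ldap/master.ipa.test@IPA.TEST
krbcanonicalname: ldap/master.ipa.test@IPA.TEST

# nfs/client.ipa.test@IPA.TEST, services, accounts, ipa.test
dn: krbprincipalname=nfs/client.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test
krbprincipalname: nfs/client.ipa.test@IPA.TEST
krbprincipalname: nfs/client-alias.ipa.test@IPA.TEST

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
EOF
}

# Demonstration on the constructed sample: prints one stanza, for HTTP/master.
sample_ldif | gen_canonical_update
```

Review the generated file before running ipa-ldap-updater on it; services that were skipped because they carry aliases still need krbCanonicalName set by hand, with the principal name that clients actually use as the canonical one.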

Metadata Update from @abbra:
- Issue assigned to abbra

a year ago

master:

  • ed977a6 kdb: PAC generator: do not fail if canonical principal is missing

ipa-4-9:

  • dcb9d6e kdb: PAC generator: do not fail if canonical principal is missing

ipa-4-10:

  • 196d631 kdb: PAC generator: do not fail if canonical principal is missing

ipa-4-11:

  • d09acb5 kdb: PAC generator: do not fail if canonical principal is missing

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
