#9471 Pre-authentication with trusted domain object over IPA to IPA trust fails due to wrong canonical name choice
Closed: fixed a year ago by frenaud. Opened a year ago by abbra.

Figure out why SPAKE use fails for the IPA-IPA trust case:

[root@master2 ~]# klist -eCKkt /var/lib/sss/keytabs/ipa1.test.keytab 
Keytab name: FILE:/var/lib/sss/keytabs/ipa1.test.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 10/23/2023 09:34:13 IPA2$@IPA1.TEST (aes256-cts-hmac-sha1-96)  (0x4bb33a82106851897e7c3d3992a778522842c0bde8fa19de12317730c5703343)
   1 10/23/2023 09:34:13 IPA2$@IPA1.TEST (aes128-cts-hmac-sha1-96)  (0x2e633c126ed5b99dab96383ef11f505d)
   1 10/23/2023 09:34:13 IPA2$@IPA1.TEST (DEPRECATED:arcfour-hmac)  (0x5a12f8ad5f04da894bc88a12ac300367)
[root@master2 ~]# KRB5_TRACE=/dev/stderr kinit -c temp.cc -kt /var/lib/sss/keytabs/ipa1.test.keytab 'IPA2$@IPA1.TEST'
[17312] 1698055268.988796: Getting initial credentials for IPA2$@IPA1.TEST
[17312] 1698055268.988797: Found entries for IPA2$@IPA1.TEST in keytab: aes256-cts, aes128-cts, rc4-hmac
[17312] 1698055268.988799: Sending unauthenticated request
[17312] 1698055268.988800: Sending request (171 bytes) to IPA1.TEST
[17312] 1698055268.988801: Initiating TCP connection to stream 10.0.197.119:88
[17312] 1698055268.988802: Sending TCP request to stream 10.0.197.119:88
[17312] 1698055268.988803: Received answer (518 bytes) from stream 10.0.197.119:88
[17312] 1698055268.988804: Terminating TCP connection to stream 10.0.197.119:88
[17312] 1698055268.988805: Response was from primary KDC
[17312] 1698055268.988806: Received error from KDC: -1765328359/Additional pre-authentication required
[17312] 1698055268.988809: Preauthenticating using KDC method data
[17312] 1698055268.988810: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[17312] 1698055268.988811: Selected etype info: etype aes256-cts, salt "IPA1.TESTIPA2$", params ""
[17312] 1698055268.988812: Received cookie: MIT1\x00\x00\x00\x01\xb4\xe5\xae\xbbH\xe8\xd6\xf9\xc3\x9aK\x01\x03a\xb6F;|i\xa0\xe6\xbc\xf0B\xd7\x05I\x1d\x13\x07\xd7\x0f\x11\xf1\x995e\xdd\xd3c\xbf{G\x19`\xca\x8axP\x96\xed\xdf\x0f\x8c,_\xeeYV\x89\xb9\x06r\xc3Z\xe5\xb8J\xb7Hh\x18L\xd1F\xbc\xae\xb6\x08\x7f\xc2\xb9\xa8SE\xa7n\xb2T\xfbcz\x01\xcd,\x17)\x0f\xbcrH\xda\xa1\xcf\xb3h{f\x95!\x1cw\xe9\xac\xfc%S\xae\x8an*\xf9;\xfe\xab\x99\xdd\xc9z\xa9\x9ed\xe5\xfa\xaf8\xb7\x9eL\xa8Q0
[17312] 1698055268.988813: PKINIT client has no configured identity; giving up
[17312] 1698055268.988814: Preauth module pkinit (147) (info) returned: 0/Success
[17312] 1698055268.988815: PKINIT client received freshness token from KDC
[17312] 1698055268.988816: Preauth module pkinit (150) (info) returned: 0/Success
[17312] 1698055268.988817: Preauth module pkinit (16) (real) returned: -1765328174/No pkinit_anchors supplied
[17312] 1698055268.988818: SPAKE challenge received with group 1, pubkey 4D7EA366DF82C6F86CB164E6613F97A7C8ABEC99743E355E6AC93D9DD28C3CB5
[17312] 1698055268.988819: Retrieving IPA2$@IPA1.TEST from FILE:/var/lib/sss/keytabs/ipa1.test.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[17312] 1698055268.988820: SPAKE key generated with pubkey A69519BA4192B0DCB92E643B8424BE3AF144BDDCBB4DF1577416A1FA22AEAA8E
[17312] 1698055268.988821: SPAKE algorithm result: 9532C41AB57975F897DC50D5CB37CC348E20FB057201EE010C0D6C55CAE81DBF
[17312] 1698055268.988822: SPAKE final transcript hash: F57082240C38DB3ED18AA9CE2FAB733567FEDFA5CFDEAAE1985FFCBF66590211
[17312] 1698055268.988823: Sending SPAKE response
[17312] 1698055268.988824: Preauth module spake (151) (real) returned: 0/Success
[17312] 1698055268.988825: Produced preauth for next request: PA-FX-COOKIE (133), PA-SPAKE (151)
[17312] 1698055268.988826: Sending request (442 bytes) to IPA1.TEST
[17312] 1698055268.988827: Initiating TCP connection to stream 10.0.197.119:88
[17312] 1698055269.000138: Sending TCP request to stream 10.0.197.119:88
[17312] 1698055269.000139: Received answer (518 bytes) from stream 10.0.197.119:88
[17312] 1698055269.000140: Terminating TCP connection to stream 10.0.197.119:88
[17312] 1698055269.000141: Response was from primary KDC
[17312] 1698055269.000142: Received error from KDC: -1765328360/Preauthentication failed
kinit: Preauthentication failed while getting initial credentials

This is preventing SSSD in one IPA realm from looking up users from another IPA realm, as it cannot successfully authenticate using the TDO object.

On the IPA1.TEST KDC side:

Oct 23 10:01:08 master1.ipa1.test krb5kdc[17498](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.197.151: NEEDED_PREAUTH: IPA2$@IPA1.TEST for krbtgt/IPA1.TEST@IPA1.TEST, Additional pre-authentication required
Oct 23 10:01:08 master1.ipa1.test krb5kdc[17498](info): closing down fd 11
Oct 23 10:01:08 master1.ipa1.test krb5kdc[17497](info): preauth (spake) verify failure: Preauthentication failed
Oct 23 10:01:08 master1.ipa1.test krb5kdc[17497](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.197.151: PREAUTH_FAILED: IPA2$@IPA1.TEST for krbtgt/IPA1.TEST@IPA1.TEST, Preauthentication failed
Oct 23 10:01:08 master1.ipa1.test krb5kdc[17497](info): closing down fd 11

My current understanding is that the resulting AES keys are different on both sides, thus leading to the failure. At least, this is what can be seen from inspecting the keytabs.

The TDO LDAP entry is created by the ipa-sam module and then updated via the ipa_pwd_extop extended operation to get a new keytab:

# IPA2$@IPA1.TEST, ipa2.test, ad, trusts, ipa1.test
dn: krbPrincipalName=IPA2$@IPA1.TEST,cn=ipa2.test,cn=ad,cn=trusts,dc=ipa1,dc=test
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: top
krbCanonicalName: IPA2$@IPA1.TEST
krbPrincipalName: IPA2$@IPA1.TEST
krbPrincipalName: krbtgt/IPA2@IPA1.TEST
creatorsName: krbprincipalname=cifs/master1.ipa1.test@ipa1.test,cn=services,cn=accounts,dc=ipa1,dc=test
modifiersName: cn=ipa_pwd_extop,cn=plugins,cn=config
createTimestamp: 20231024071200Z
modifyTimestamp: 20231024071200Z
nsUniqueId: 9779a505-723c11ee-ab09f2dc-150c4c97
parentid: 578
entryid: 582
entryUUID: e8bc316a-5665-4957-a183-e19ae86b38ff
entryusn: 2163
krbPrincipalKey:: MIIBWKADAgEBoQMCAQGiAwIBAaMDAgEBpIIBQDCCATwwcqAZMBegAwIBAKEQ
 BA5JUEExLlRFU1RJUEEyJKFVMFOgAwIBEqFMBEogAMtHbtw3MMo4tYG/6NNj72zhO3GMp7NKscVbr
 +vGHFSihLau8nf9RLI1y/uxjO+OfWxiDfLOUIV9bsn1U8r9zLG0IBCS0Se45TBioBkwF6ADAgEAoR
 AEDklQQTEuVEVTVElQQTIkoUUwQ6ADAgERoTwEOhAAz8rhFcAqQCJyzHV34YmizwPmxCrKieLliA6
 8T3Cnb2XLidd7R4QWHKazrHyiwv+khjNIw7S9guswYqAZMBegAwIBAKEQBA5JUEExLlRFU1RJUEEy
 JKFFMEOgAwIBF6E8BDoQADmY+lrIaMB4QeueP7UjqKKahMapham6u683g+dwi1V4qhLMzXx5fVomOI9ouplfN2ed5D4oTZF
krbLastPwdChange: 20231024071200Z
krbExtraData:: AAJAbjdlSVBBMiRASVBBMS5URVNUAA==
dsEntryDN: krbPrincipalName=IPA2$@IPA1.TEST,cn=ipa2.test,cn=ad,cn=trusts,dc=ipa1,dc=test
entrydn: krbprincipalname=ipa2$@ipa1.test,cn=ipa2.test,cn=ad,cn=trusts,dc=ipa1,dc=test

This boils down to the use of set_cross_realm_pw() in ipa_sam.c via set_krb_princ() from handle_cross_realm_princs(). The first one is for the incoming trust, the second for the outgoing:

                                /* Second: krbtgt/<OUR FLATNAME>@<REMOTE REALM>
                                 * is only used for SSSD to be able to talk to
                                 * AD DCs but it has to have canonical name set
                                 * to krbtgt/<OUR FLATNAME> and alias it to
                                 * <OUR FLATNAME$> because it is the salt used
                                 * by AD DCs when using this principal,
                                 * otherwise authentication will fail.
                                 *
                                 * *disable* use of this principal on our side as it is
                                 * only used to retrieve trusted domain credentials by
                                 * AD Trust Agents across the IPA topology */
                                failed += !set_krb_princ(ipasam_state, tmp_ctx,
                                                         r_tdo_alias, princ_r_tdo,
                                                         pwd_incoming, trusted_dn,
                                                         (KRB_PRINC_CREATE_DISABLED |
                                                          KRB_PRINC_CREATE_AGENT_PERMISSION));

....
                                /* Second: <REMOTE FLAT NAME>$@<OUR REALM>, enabled by default
                                 * as it is used for a remote DC to authenticate against IPA Samba
                                 *
                                 * A local account for the outbound trust must have
                                 * POSIX and SMB identities associated with our domain but we associate
                                 * them with the trust domain object itself */
                                failed += !set_krb_princ(ipasam_state, tmp_ctx,
                                                         princ_l_tdo, l_tdo_alias,
                                                         pwd_incoming, trusted_dn,
                                                         KRB_PRINC_CREATE_DEFAULT);

In both cases we pass a list of enctypes to apply as part of the KEYTAB_GET_OID request. This, in turn, goes through decode_getkeytab_request() in ipa_pwd_extop.c, and the enctypes passed by ipa-sam (as a client) get fixed up to use the KRB5_KDB_SALTTYPE_NORMAL salt. This should be enough -- the same happens with AD and it works there. The salt is correct, as can be seen in the krb5 trace:

[17312] 1698055268.988811: Selected etype info: etype aes256-cts, salt "IPA1.TESTIPA2$", params ""

From the ipa-sam side we do pass passwords properly to all principals. I instrumented ipa-pwd-extop prior to encoding the keys and everything is consistent there. Next is to investigate the retrieval part.

So the issue is only with the key for the remote TDO when retrieved from the local LDAP. If I use the same password manually, it works. If I use the keytab retrieved remotely, it works too.

This means that we have an incorrect salt defined for the principal.

Cross-verified with a trust to Windows Server 2022: we should be using a different salt:

(2023-10-25  7:49:09): [ldap_child[32628]] [sss_child_krb5_trace_cb] (0x4000): [32628] 1698220149.366317: Selected etype info: etype aes256-cts, salt "WIN2022-HK9Q.TESTkrbtgtIPA1", params ""

This means the code that chooses the principal name for the salt generation is wrong for that principal. The canonical name should be `krbtgt/<OUR FLAT NAME>@<REMOTE REALM>`.

Flipping the alias and the TDO name has helped. Now SSSD is able to pull the keytab and use it properly. It has an issue resolving users because it does the search with AD schema assumptions. This, however, is a separate ticket.

[25/Oct/2023:10:18:18.749025420 +0000] conn=66 fd=254 slot=254 connection from 10.0.197.151 to 10.0.197.119
[25/Oct/2023:10:18:18.749240133 +0000] conn=66 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci"
[25/Oct/2023:10:18:18.750425145 +0000] conn=66 op=0 RESULT err=0 tag=101 nentries=1 wtime=0.000128310 optime=0.001185193 etime=0.001312852
[25/Oct/2023:10:18:18.772106296 +0000] conn=66 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[25/Oct/2023:10:18:18.774888884 +0000] conn=66 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000053060 optime=0.002785684 etime=0.002838003, SASL bind in progress
[25/Oct/2023:10:18:18.775252707 +0000] conn=66 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[25/Oct/2023:10:18:18.777274067 +0000] conn=66 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000032701 optime=0.002023535 etime=0.002055665, SASL bind in progress
[25/Oct/2023:10:18:18.777546639 +0000] conn=66 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[25/Oct/2023:10:18:18.778170589 +0000] conn=66 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000033773 optime=0.000625624 etime=0.000658535 dn="krbprincipalname=krbtgt/ipa2@ipa1.test,cn=ipa2.test,cn=ad,cn=trusts,dc=ipa1,dc=test"
[25/Oct/2023:10:18:18.778786724 +0000] conn=66 op=4 SRCH base="dc=ipa1,dc=test" scope=2 filter="(&(samaccountname=admin)(objectClass=user)(samaccountname=*)(objectsid=*))" attrs="objectClass samaccountname unixuserpassword uidNumber gidNumber gecos unixhomedirectory loginShell userprincipalname name memberOf objectguid objectsid primarygroupid whenchanged usnchanged accountexpires useraccountcontrol usercertificate;binary mail altSecurityIdentities"
[25/Oct/2023:10:18:18.778882404 +0000] conn=66 op=4 RESULT err=0 tag=101 nentries=0 wtime=0.000118633 optime=0.000095008 etime=0.000212459 notes=F details="Filter Element Missing From Schema" - Invalid attribute in filter - results may not be complete.
[25/Oct/2023:10:18:18.785054328 +0000] conn=66 op=5 SRCH base="dc=ipa1,dc=test" scope=2 filter="(&(|(userprincipalname=admin@ipa1.test)(mail=admin@ipa1.test)(userprincipalname=admin\5C@ipa1.test@IPA1.TEST))(objectClass=user)(samaccountname=*)(objectsid=*))" attrs="objectClass samaccountname unixuserpassword uidNumber gidNumber gecos unixhomedirectory loginShell userprincipalname name memberOf objectguid objectsid primarygroupid whenchanged usnchanged accountexpires useraccountcontrol usercertificate;binary mail altSecurityIdentities"
[25/Oct/2023:10:18:18.785160367 +0000] conn=66 op=5 RESULT err=0 tag=101 nentries=0 wtime=0.000118311 optime=0.000106430 etime=0.000223729 notes=F details="Filter Element Missing From Schema" - Invalid attribute in filter - results may not be complete.
[25/Oct/2023:10:20:32.065919539 +0000] conn=66 op=6 SRCH base="dc=ipa1,dc=test" scope=2 filter="(&(samaccountname=admin)(objectClass=user)(samaccountname=*)(objectsid=*))" attrs="objectClass samaccountname unixuserpassword uidNumber gidNumber gecos unixhomedirectory loginShell userprincipalname name memberOf objectguid objectsid primarygroupid whenchanged usnchanged accountexpires useraccountcontrol usercertificate;binary mail altSecurityIdentities"
[25/Oct/2023:10:20:32.066111950 +0000] conn=66 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000212468 optime=0.000195998 etime=0.000406943 notes=F details="Filter Element Missing From Schema" - Invalid attribute in filter - results may not be complete.
[25/Oct/2023:10:20:32.070694885 +0000] conn=66 op=7 SRCH base="dc=ipa1,dc=test" scope=2 filter="(&(|(userprincipalname=admin@ipa1.test)(mail=admin@ipa1.test)(userprincipalname=admin\5C@ipa1.test@IPA1.TEST))(objectClass=user)(samaccountname=*)(objectsid=*))" attrs="objectClass samaccountname unixuserpassword uidNumber gidNumber gecos unixhomedirectory loginShell userprincipalname name memberOf objectguid objectsid primarygroupid whenchanged usnchanged accountexpires useraccountcontrol usercertificate;binary mail altSecurityIdentities"
[25/Oct/2023:10:20:32.070825259 +0000] conn=66 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.004566864 optime=0.000129774 etime=0.004695395 notes=F details="Filter Element Missing From Schema" - Invalid attribute in filter - results may not be complete.
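The salt mismatch traced above can be reproduced in isolation. The following is an added illustration, not ticket or FreeIPA code: it computes the Kerberos default salt (KRB5_KDB_SALTTYPE_NORMAL, i.e. the realm followed by the principal's name components with no separators) for the principal names that appear in the trace, the LDIF and the Windows Server 2022 cross-check, and then runs the PBKDF2 stage of the RFC 3962 string-to-key function for aes256-cts-hmac-sha1-96 on one password under each salt. The password is a constructed sample, and the final random-to-key/DK step (which needs AES) is left out, so the outputs are not complete Kerberos keys; what it shows is that the canonical name and the alias of the same TDO entry produce different salts and therefore different keys, which is exactly the situation where the KDC and the keytab disagree.

```python
"""Kerberos default salt and the PBKDF2 stage of AES string-to-key for the
trust-domain-object principals discussed in the ticket.

Added example, not FreeIPA or ticket code. The password below is a
constructed sample; the principal names come from the ticket's trace, LDIF
and KDC logs.
"""
import hashlib
from typing import Dict, List, Tuple

# RFC 3962 default iteration count for aes*-cts-hmac-sha1-96.
AES_SHA1_ITERATIONS = 4096

# Canonical name and alias of the same TDO entry (ticket LDIF), plus the
# Windows Server 2022 trust principal from the cross-check trace.
TDO_NAMES = [
    "IPA2$@IPA1.TEST",
    "krbtgt/IPA2@IPA1.TEST",
    "krbtgt/IPA1@WIN2022-HK9Q.TEST",
]


def parse_principal(name: str) -> Tuple[List[str], str]:
    """Split 'c1/c2@REALM' into name components and realm.

    A backslash escapes the next character, so 'admin\\@ipa1.test@IPA1.TEST'
    is the single component 'admin@ipa1.test' in realm IPA1.TEST.
    """
    components: List[str] = []
    current: List[str] = []
    realm = ""
    in_realm = False
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            current.append(name[i + 1])  # escaped character is literal
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(current))
            current = []
        elif not in_realm and ch == "@":
            components.append("".join(current))
            current = []
            in_realm = True
        else:
            current.append(ch)
        i += 1
    if in_realm:
        realm = "".join(current)
    else:
        components.append("".join(current))
    return components, realm


def default_salt(principal: str) -> str:
    """KRB5_KDB_SALTTYPE_NORMAL: realm followed by every component, no separators."""
    components, realm = parse_principal(principal)
    return realm + "".join(components)


def aes_pbkdf2(password: str, salt: str, key_bytes: int = 32,
               iterations: int = AES_SHA1_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key function.

    The real key is DK(random-to-key(this output), "kerberos"), which needs
    AES and is omitted here; a different PBKDF2 output already implies a
    different final key.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_bytes)


def keys_by_name(password: str, principals: List[str]) -> Dict[str, str]:
    """PBKDF2 output (hex) for one password under each principal's default salt."""
    return {p: aes_pbkdf2(password, default_salt(p)).hex() for p in principals}


if __name__ == "__main__":
    # Constructed sample password; the first two names refer to the same entry.
    sample_password = "not-the-real-trust-password"
    for principal, key in keys_by_name(sample_password, TDO_NAMES).items():
        print(f"{principal:32} salt={default_salt(principal)!r:34} pbkdf2={key[:16]}...")
```

Running it prints one line per name; the two spellings of the IPA2 trust account share a password but not a salt, so their derived material differs, and only the salt for the name the KDC advertises in PA-ETYPE-INFO2 will match what the keytab holder used.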

master:

  • e399232 ipasam: make krbtgt TDO principal canonical
  • 5adc07a doc/Makefile: run sphinx in serial mode

ipa-4-11:

  • 6aea8f4 ipasam: make krbtgt TDO principal canonical
  • d2dfdec doc/Makefile: run sphinx in serial mode

ipa-4-10:

  • 58eaf8c ipasam: make krbtgt TDO principal canonical
  • 486b6f7 doc/Makefile: run sphinx in serial mode

ipa-4-9:

  • 90eeb04 ipasam: make krbtgt TDO principal canonical
  • 59e67e6 doc/Makefile: run sphinx in serial mode

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-17197

8 months ago

master:

  • e184864 adtrust: add missing ipaAllowedOperations objectclass

ipa-4-12:

  • 477dbba adtrust: add missing ipaAllowedOperations objectclass

ipa-4-11:

  • cfbe9b7 adtrust: add missing ipaAllowedOperations objectclass

ipa-4-10:

  • 008ccb4 adtrust: add missing ipaAllowedOperations objectclass

ipa-4-9:

  • 55ced5a adtrust: add missing ipaAllowedOperations objectclass
