#9485 handle better default user authentication types for services
Closed: fixed a year ago by frenaud. Opened a year ago by abbra.

From https://issues.redhat.com/browse/RHEL-4874

How reproducible:

[root@example ~]# ipa config-mod --user-auth-type=pkinit

ipa cannot be started

[root@example ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Failed to restart krb5kdc Service
Shutting down

Steps to Reproduce:

[root@example ~]# ipa config-mod --user-auth-type={otp,pkinit}
  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: test.realm
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TEST.REALM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-sx0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:sx0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  Default user authentication types: otp, pkinit
  IPA masters: example.test.realm
  IPA master capable of PKINIT: example.test.realm
  IPA CA servers: example.test.realm
  IPA CA renewal master: example.test.realm
  IPA DNS servers: example.test.realm

[root@example ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Failed to restart krb5kdc Service
Shutting down

[root@example ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: STOPPED
named Service: STOPPED
httpd Service: STOPPED
ipa-custodia Service: STOPPED
^CCancelled.
------

And the following logs can be seen in krb5kdc.log during this time.

------
May 02 22:40:41 example.test.realm krb5kdc[103666](Error): Cannot find master key record in database - while fetching master keys list for realm TEST.REALM
May 02 22:43:53 example.test.realm krb5kdc[103761](Error): Cannot find master key record in database - while fetching master keys list for realm TEST.REALM
May 02 22:44:14 example.test.realm krb5kdc[103837](Error): Cannot find master key record in database - while fetching master keys list for realm TEST.REALM

Additionally: the global configuration ipa config-mod --user-auth-type={password,otp} prevents host principals from authenticating with PKINIT. For auto-enrollment we rely on PKINIT with X.509 certs to install IPA clients. One of the test setups had PKINIT globally disabled and then installation of new clients failed with the error message "KDC policy rejects request".
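To make the second failure mode concrete, here is an added, simplified model of a KDC applying the "user authentication types" table to an AS-REQ, with the behaviour reported in the ticket beside the behaviour the fix titles describe (host principals are not governed by the user auth type table). This is example code written for this page, not ipa-kdb's code: the Principal/AuthType data model, the per-user-overrides-global resolution, and the fallback to password when nothing is configured are assumptions made for illustration, and only the principal-kind distinction is modelled (the other changes in the fix are not).

```python
"""Illustrative model of a KDC checking an AS-REQ against the configured
user authentication types.  Added example for this page; NOT ipa-kdb code.
The data model and resolution rules below are assumptions for illustration.
"""

from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Optional


class AuthType(str, Enum):
    PASSWORD = "password"
    OTP = "otp"
    PKINIT = "pkinit"
    RADIUS = "radius"


class Kind(str, Enum):
    USER = "user"
    HOST = "host"
    SERVICE = "service"


@dataclass(frozen=True)
class Principal:
    name: str
    kind: Kind
    # Per-principal auth types (ipaUserAuthType); None when unset.
    # Assumption: only user entries carry this attribute.
    auth_types: Optional[FrozenSet[AuthType]] = None


class KdcPolicyRejects(Exception):
    """Models the client-visible error 'KDC policy rejects request'."""


def effective_types(global_types: FrozenSet[AuthType],
                    principal: Principal) -> FrozenSet[AuthType]:
    """Resolve which auth types apply: per-principal setting wins over the
    global default; with nothing configured anywhere, fall back to password
    (assumption, mirroring the _AUTH_PASSWORD default named in the fix)."""
    if principal.auth_types:
        return principal.auth_types
    if global_types:
        return global_types
    return frozenset({AuthType.PASSWORD})


def check_as_req_before(global_types: FrozenSet[AuthType],
                        principal: Principal, preauth: AuthType) -> bool:
    """Behaviour as the ticket reports it: the user auth type policy is
    applied to every principal, so a host enrolling via PKINIT is refused
    as soon as the global list lacks 'pkinit'."""
    if preauth not in effective_types(global_types, principal):
        raise KdcPolicyRejects("KDC policy rejects request")
    return True


def check_as_req_after(global_types: FrozenSet[AuthType],
                       principal: Principal, preauth: AuthType) -> bool:
    """Fixed behaviour, modelled on the ticket: the user auth type table
    only governs user principals; host and service principals are exempt."""
    if principal.kind is not Kind.USER:
        return True
    if preauth not in effective_types(global_types, principal):
        raise KdcPolicyRejects("KDC policy rejects request")
    return True


def is_rejected(check: Callable[..., bool], global_types: FrozenSet[AuthType],
                principal: Principal, preauth: AuthType) -> bool:
    """True when the given check raises the policy rejection."""
    try:
        check(global_types, principal, preauth)
    except KdcPolicyRejects:
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario: the strict global policy from the ticket.
    strict = frozenset({AuthType.PASSWORD, AuthType.OTP})
    host = Principal("host/client.test.realm@TEST.REALM", Kind.HOST)
    user = Principal("alice@TEST.REALM", Kind.USER)
    for label, check in (("before", check_as_req_before),
                         ("after", check_as_req_after)):
        print(label, "host PKINIT rejected:",
              is_rejected(check, strict, host, AuthType.PKINIT))
        print(label, "user PKINIT rejected:",
              is_rejected(check, strict, user, AuthType.PKINIT))
```

In the model, the host enrollment that failed with "KDC policy rejects request" under the pre-fix check passes the post-fix check, while a user whose effective auth types do not include pkinit is still refused under both, which is what the strict-policy test in the fix is meant to pin down.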


Metadata Update from @abbra:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7084
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-4874

a year ago

master:

  • 00f8ddb ipa-kdb: add better detection of allowed user auth type
  • 69ae9fe ipa-kdb: when applying ticket policy, do not deny PKINIT
  • 62c44c9 ipa-kdb: clarify user auth table mapping use of _AUTH_PASSWORD
  • c3bc938 ipatests: make sure PKINIT enrollment works with a strict policy

ipa-4-11:

  • c90ba94 ipa-kdb: add better detection of allowed user auth type
  • 1fb0261 ipa-kdb: when applying ticket policy, do not deny PKINIT
  • fab0833 ipa-kdb: clarify user auth table mapping use of _AUTH_PASSWORD
  • 02b17c8 ipatests: make sure PKINIT enrollment works with a strict policy

ipa-4-10:

  • 94cd9a2 ipa-kdb: add better detection of allowed user auth type
  • 4f998f7 ipa-kdb: when applying ticket policy, do not deny PKINIT
  • bb83a4f ipa-kdb: clarify user auth table mapping use of _AUTH_PASSWORD
  • 6e5bc8a ipatests: make sure PKINIT enrollment works with a strict policy

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

ipa-4-9:

  • 1946a8b ipa-kdb: add better detection of allowed user auth type
  • d542a23 ipa-kdb: when applying ticket policy, do not deny PKINIT
  • 16fd9fe ipa-kdb: clarify user auth table mapping use of _AUTH_PASSWORD
  • e53b394 ipatests: make sure PKINIT enrollment works with a strict policy
