On Mon, 04 Sep 2023, Sam Morris via FreeIPA-users wrote:
I've made some slight progress. I noticed that at the same time, the KDC
logs these messages:

   ==> /var/log/krb5kdc.log <==
   Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ : handle_authdata (-1765328371)
   Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.88.5: HANDLE_AUTHDATA: authtime 1693820777, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example....@ipa.example.com for ldap/ipa5.ipa.example....@ipa.example.com, KDC can't fulfill requested option
   Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): ... CONSTRAINED-DELEGATION s4u-client=host/xoanon.ipa.example....@ipa.example.com
   Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): closing down fd 12

It is a HANDLE_AUTHDATA issue, which is typically a sign of a PAC that
cannot be generated. An S4U (constrained delegation) operation requires PAC
presence.

Since the client here is host/xoanon.ipa.example.com, this means this
client most likely has no SID associated with it and cannot be
associated with either of the two supported classes of PAC-enabled
services: IPA servers and IPA clients. Otherwise it would have had a PAC
in the ticket.

I just tried to simulate that with an S4U2Self operation where the
HTTP/master.ipa.test service would pretend that it authenticated
host/client.ipa.test via a different protocol and then asked for a
service ticket to itself. We have a tool (ipa-print-pac) that allows
printing the content of the PAC:

[root@master ~]# kinit -k -t /var/lib/ipa/gssproxy/http.keytab HTTP/master.ipa.test
[root@master ~]# /usr/libexec/ipa/ipa-print-pac -E -k /var/lib/ipa/gssproxy/http.keytab impersonate host/client.ipa.test
Acquired credentials for host/client.ipa.test
PAC_DATA: struct PAC_DATA
    num_buffers              : 0x00000008 (8)
    version                  : 0x00000000 (0)
    buffers: ARRAY(8)
        buffers: struct PAC_BUFFER
            type                     : PAC_TYPE_LOGON_INFO (1)
            _ndr_size                : 0x000001e0 (480)
            info                     : *
                info                     : union PAC_INFO(case 1)
                logon_info: struct PAC_LOGON_INFO_CTR
                    info                     : *
                        info: struct PAC_LOGON_INFO
                            info3: struct netr_SamInfo3
                                base: struct netr_SamBaseInfo
                                    logon_time               : Mon Sep  4 13:39:23 2023 UTC
                                    logoff_time              : Thu Sep 14 02:48:05 30828 UTC
                                    kickoff_time             : Thu Sep 14 02:48:05 30828 UTC
                                    last_password_change     : Mon Sep  4 13:37:22 2023 UTC
                                    allow_password_change    : Mon Sep  4 13:37:22 2023 UTC
                                    force_password_change    : Thu Sep 14 02:48:05 30828 UTC
                                    account_name: struct lsa_String
                                        length                   : 0x001e (30)
                                        size                     : 0x001e (30)
                                        string                   : *
                                            string                   : 'client.ipa.test'
                                    full_name: struct lsa_String
                                        length                   : 0x001e (30)
                                        size                     : 0x001e (30)
                                        string                   : *
                                            string                   : 'client.ipa.test'
                                    logon_script: struct lsa_String
                                        length                   : 0x0000 (0)
                                        size                     : 0x0000 (0)
                                        string                   : *
                                            string                   : ''
                                    profile_path: struct lsa_String
                                        length                   : 0x0000 (0)
                                        size                     : 0x0000 (0)
                                        string                   : *
                                            string                   : ''
                                    home_directory: struct lsa_String
                                        length                   : 0x0000 (0)
                                        size                     : 0x0000 (0)
                                        string                   : *
                                            string                   : ''
                                    home_drive: struct lsa_String
                                        length                   : 0x0000 (0)
                                        size                     : 0x0000 (0)
                                        string                   : *
                                            string                   : ''
                                    logon_count              : 0x0000 (0)
                                    bad_password_count       : 0x0000 (0)
                                    rid                      : 0x00000203 (515)
                                    primary_gid              : 0x00000203 (515)
                                    groups: struct samr_RidWithAttributeArray
                                        count                    : 0x00000000 (0)
                                        rids                     : *
                                            rids: ARRAY(0)
                                    user_flags               : 0x00000020 (32)
                                           0: NETLOGON_GUEST
                                           0: NETLOGON_NOENCRYPTION
                                           0: NETLOGON_CACHED_ACCOUNT
                                           0: NETLOGON_USED_LM_PASSWORD
                                           1: NETLOGON_EXTRA_SIDS
                                           0: NETLOGON_SUBAUTH_SESSION_KEY
                                           0: NETLOGON_SERVER_TRUST_ACCOUNT
                                           0: NETLOGON_NTLMV2_ENABLED
                                           0: NETLOGON_RESOURCE_GROUPS
                                           0: NETLOGON_PROFILE_PATH_RETURNED
                                           0: NETLOGON_GRACE_LOGON
                                    key: struct netr_UserSessionKey
                                        key: ARRAY(16): <REDACTED SECRET VALUES>
                                    logon_server: struct lsa_StringLarge
                                        length                   : 0x000c (12)
                                        size                     : 0x000e (14)
                                        string                   : *
                                            string                   : 'MASTER'
                                    logon_domain: struct lsa_StringLarge
                                        length                   : 0x0006 (6)
                                        size                     : 0x0008 (8)
                                        string                   : *
                                            string                   : 'IPA'
                                    domain_sid               : *
                                        domain_sid               : S-1-5-21-2093978176-3761652416-3478956151
                                    LMSessKey: struct netr_LMSessionKey
                                        key: ARRAY(8): <REDACTED SECRET VALUES>
                                    acct_flags               : 0x00000080 (128)
                                           0: ACB_DISABLED
                                           0: ACB_HOMDIRREQ
                                           0: ACB_PWNOTREQ
                                           0: ACB_TEMPDUP
                                           0: ACB_NORMAL
                                           0: ACB_MNS
                                           0: ACB_DOMTRUST
                                           1: ACB_WSTRUST
                                           0: ACB_SVRTRUST
                                           0: ACB_PWNOEXP
                                           0: ACB_AUTOLOCK
                                           0: ACB_ENC_TXT_PWD_ALLOWED
                                           0: ACB_SMARTCARD_REQUIRED
                                           0: ACB_TRUSTED_FOR_DELEGATION
                                           0: ACB_NOT_DELEGATED
                                           0: ACB_USE_DES_KEY_ONLY
                                           0: ACB_DONT_REQUIRE_PREAUTH
                                           0: ACB_PW_EXPIRED
                                           0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
                                           0: ACB_NO_AUTH_DATA_REQD
                                           0: ACB_PARTIAL_SECRETS_ACCOUNT
                                           0: ACB_USE_AES_KEYS
                                    sub_auth_status          : 0x00000000 (0)
                                    last_successful_logon    : NTTIME(0)
                                    last_failed_logon        : NTTIME(0)
                                    failed_logon_count       : 0x00000000 (0)
                                    reserved                 : 0x00000000 (0)
                                sidcount                 : 0x00000001 (1)
                                sids                     : *
                                    sids: ARRAY(1)
                                        sids: struct netr_SidAttr
                                            sid                      : *
                                                sid                      : S-1-18-2
                                            attributes               : 0x00000007 (7)
                                                   1: SE_GROUP_MANDATORY
                                                   1: SE_GROUP_ENABLED_BY_DEFAULT
                                                   1: SE_GROUP_ENABLED
                                                   0: SE_GROUP_OWNER
                                                   0: SE_GROUP_USE_FOR_DENY_ONLY
                                                   0: SE_GROUP_INTEGRITY
                                                   0: SE_GROUP_INTEGRITY_ENABLED
                                                   0: SE_GROUP_RESOURCE
                                                   0x00: SE_GROUP_LOGON_ID (0)
                            resource_groups: struct PAC_DOMAIN_GROUP_MEMBERSHIP
                                domain_sid               : NULL
                                groups: struct samr_RidWithAttributeArray
                                    count                    : 0x00000000 (0)
                                    rids                     : NULL
            _pad                     : 0x00000000 (0)
        buffers: struct PAC_BUFFER
            type                     : PAC_TYPE_UPN_DNS_INFO (12)
            _ndr_size                : 0x000000a2 (162)
            info                     : *
                info                     : union PAC_INFO(case 12)
                upn_dns_info: struct PAC_UPN_DNS_INFO
                    upn_name_size            : 0x003a (58)
                    upn_name                 : *
                        upn_name                 : 'host/client.ipa.t...@ipa.test'
                    dns_domain_name_size     : 0x0010 (16)
                    dns_domain_name          : *
                        dns_domain_name          : 'IPA.TEST'
                    flags                    : 0x00000002 (2)
                           0: PAC_UPN_DNS_FLAG_CONSTRUCTED
                           1: PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID
                    ex                       : union PAC_UPN_DNS_INFO_EX(case 2)
                    sam_name_and_sid: struct PAC_UPN_DNS_INFO_SAM_NAME_AND_SID
                        samaccountname_size      : 0x001e (30)
                        samaccountname           : *
                            samaccountname           : 'client.ipa.test'
                        objectsid_size           : 0x001c (28)
                        objectsid                : *
                            objectsid                : S-1-5-21-2093978176-3761652416-3478956151-515
            _pad                     : 0x00000000 (0)
        buffers: struct PAC_BUFFER
            type                     : PAC_TYPE_ATTRIBUTES_INFO (17)
            _ndr_size                : 0x00000008 (8)
            info                     : *
                info                     : union PAC_INFO(case 17)
                attributes_info: struct PAC_ATTRIBUTES_INFO
                    flags_length             : 0x00000002 (2)
                    flags                    : 0x00000002 (2)
                           0: PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED
                           1: PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY
            _pad                     : 0x00000000 (0)
        buffers: struct PAC_BUFFER
            type                     : PAC_TYPE_TICKET_CHECKSUM (16)
            _ndr_size                : 0x0000001c (28)
            info                     : *
                info                     : union PAC_INFO(case 16)
                ticket_checksum: struct PAC_SIGNATURE_DATA
                    type                     : 0x00000014 (20)
                    signature                : DATA_BLOB length=24
[0000] 58 2E 4D 1A 2D B3 3C 90   30 D5 72 82 BB 93 E4 87   X.M.-.<. 0.r.....
[0010] 74 F6 75 4F 9C 1E 22 D5                             t.uO..".
            _pad                     : 0x00000000 (0)
        buffers: struct PAC_BUFFER
            type                     : PAC_TYPE_LOGON_NAME (10)
            _ndr_size                : 0x00000034 (52)
            info                     : *
                info                     : union PAC_INFO(case 10)
                logon_name: struct PAC_LOGON_NAME
                    logon_time               : Mon Sep  4 13:39:23 2023 UTC
                    size                     : 0x002a (42)
                    account_name             : 'host\/client.ipa.test'
            _pad                     : 0x00000000 (0)
        buffers: struct PAC_BUFFER
            type                     : PAC_TYPE_SRV_CHECKSUM (6)
            _ndr_size                : 0x0000001c (28)
            info                     : *
                info                     : union PAC_INFO(case 6)
                srv_cksum: struct PAC_SIGNATURE_DATA
                    type                     : 0x00000014 (20)
                    signature                : DATA_BLOB length=24
[0000] A5 D3 8A 27 C0 91 F1 A0   C3 A0 6A 1A 4D E6 62 F5   ...'.... ..j.M.b.
[0010] EF 94 64 02 81 AC 2C A7                             ..d...,.
            _pad                     : 0x00000000 (0)
        buffers: struct PAC_BUFFER
            type                     : PAC_TYPE_KDC_CHECKSUM (7)
            _ndr_size                : 0x0000001c (28)
            info                     : *
                info                     : union PAC_INFO(case 7)
                kdc_cksum: struct PAC_SIGNATURE_DATA
                    type                     : 0x00000014 (20)
                    signature                : DATA_BLOB length=24
[0000] 28 C3 C4 97 20 1A CE F2   33 49 85 B6 C8 2F 97 3E   (... ... 3I.../.>
[0010] 8B 65 E5 02 4A 03 6F B2                             .e..J.o.
            _pad                     : 0x00000000 (0)
        buffers: struct PAC_BUFFER
            type                     : PAC_TYPE_FULL_CHECKSUM (19)
            _ndr_size                : 0x0000001c (28)
            info                     : *
                info                     : union PAC_INFO(case 19)
                full_checksum: struct PAC_SIGNATURE_DATA
                    type                     : 0x00000014 (20)
                    signature                : DATA_BLOB length=24
[0000] 54 F2 48 08 35 EB E4 F2   46 84 93 9F F9 5C 6B 62   T.H.5... F....\kb
[0010] 0B 5E 51 50 FA 76 8E 60                             .^QP.v.`
            _pad                     : 0x00000000 (0)


In case of a failure I would not be able to get PAC output like this.


I guess this is showing that HTTP/ipa5.ipa.example.com (the IPA API
server) is trying to obtain a ticket to LDAP/ipa5.ipa.example.com on
behalf of host/xoanon.ipa.example.com but the KDC is rejecting the
request.

Correct.


If that's right then I guess I need to figure out why that might be.
Unfortunately setting 'debug = true' in /etc/krb5.conf's [logging]
section doesn't cause any more detailed messages to be logged.

The krb5 library does not support debugging this way.


If I run gssproxy with --debug-level=2 I can see it logging some stuff
but I guess it's just showing the calls that result in the kdc logging
the above...

gssproxy is not involved in ticket issuance. It is a client app,
effectively.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
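As an added illustration of the diagnosis above (not code from the thread or from FreeIPA), the following Python pairs each HANDLE_AUTHDATA rejection in krb5kdc.log with the "... CONSTRAINED-DELEGATION s4u-client=" continuation line that follows it, so the impersonated principals that lack a PAC can be listed for a SID check. The sample log is constructed to match the format quoted in the thread; the realm and the second, successful request are assumed.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample in the krb5kdc.log format quoted in the thread; the principals
# and 192.168.88.5 are the thread's own example values, with an assumed realm spelled out.
SAMPLE_LOG = """\
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ : handle_authdata (-1765328371)
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18)}) 192.168.88.5: HANDLE_AUTHDATA: authtime 1693820777, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM, KDC can't fulfill requested option
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): ... CONSTRAINED-DELEGATION s4u-client=host/xoanon.ipa.example.com@IPA.EXAMPLE.COM
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): closing down fd 12
Sep 04 09:47:00 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18)}) 192.168.88.5: ISSUE: authtime 1693820777, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM
Sep 04 09:47:00 ipa5.ipa.example.com krb5kdc[183962](info): ... CONSTRAINED-DELEGATION s4u-client=host/fine.ipa.example.com@IPA.EXAMPLE.COM
"""

# -1765328371 is KRB5KDC_ERR_BADOPTION (krb5 error base -1765328384 + 13), the code
# behind the "KDC can't fulfill requested option" text on the HANDLE_AUTHDATA line.
CODE_RE = re.compile(r"handle_authdata \((?P<code>-?\d+)\)")
FAIL_RE = re.compile(r"HANDLE_AUTHDATA: .*?\}\s+(?P<proxy>\S+) for (?P<target>\S+), (?P<reason>.+)$")
S4U_RE = re.compile(r"CONSTRAINED-DELEGATION s4u-client=(?P<client>\S+)")

@dataclass
class S4UFailure:
    when: str                 # timestamp prefix of the rejected request
    code: Optional[int]       # krb5 error code from the preceding handle_authdata line
    proxy: str                # service making the S4U2Proxy request (HTTP/... here)
    target: str               # service it wanted a ticket for (ldap/... here)
    reason: str
    s4u_client: Optional[str] = None   # impersonated principal, from the "..." line after

def find_s4u_pac_failures(log_text: str) -> list:
    """Pair each HANDLE_AUTHDATA rejection with the s4u-client line that follows it."""
    failures, pending_code, open_failure = [], None, None
    for line in log_text.splitlines():
        if m := CODE_RE.search(line):
            pending_code = int(m.group("code"))
        elif m := FAIL_RE.search(line):
            open_failure = S4UFailure(line[:15], pending_code, m["proxy"], m["target"], m["reason"])
            failures.append(open_failure)
            pending_code = None
        elif (m := S4U_RE.search(line)) and open_failure is not None:
            open_failure.s4u_client = m["client"]  # continuation of the rejection just seen
            open_failure = None
        elif "TGS_REQ" in line or "closing down fd" in line:
            open_failure = None                    # a new or finished request: stop pairing
    return failures
def clients_missing_pac(log_text: str) -> set:
    """Impersonated principals whose S4U request was rejected: the entries to check for a SID."""
    return {f.s4u_client for f in find_s4u_pac_failures(log_text) if f.s4u_client}
```

The successful ISSUE request in the sample is deliberately not reported, since its s4u-client line follows a non-rejected TGS_REQ.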
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue