[SSSD-users] Re: does sssd support using a Microsoft read-only Domain Controller (RODC)?

Wed, 18 Apr 2018 10:52:15 -0700 

On Tue, Apr 17, 2018 at 2:27 AM, Sumit Bose <sb...@redhat.com> wrote:

> On Mon, Apr 16, 2018 at 04:28:59PM -0400, James Ralston wrote:
>
> > Has anyone figured out how to make sssd utilize a Microsoft
> > read-only Domain Controller (RODC)?
> >
> > But no matter how we create the computer account object, or how we
> > export the Kerberos keytab, sssd cannot use the resulting keytab
> > file to authenticate to the RODC: when sssd sends the AS-REQ, the
> > RODC always replies with KRB5KDC_ERR_PREAUTH_FAILED.
>
> If 'kinit -k' works, SSSD should work as well.

Thanks; that's good to know.

> Can you send the SSSD logs with debug_level=9, most important would
> be the domain log and the ldap_child.log files.
>
> For comparison it would be good to see the output of
>
>     KRB5_TRACE=/dev/stdout kinit -k ....
>
> as well.

OK, I will look into that.  (KRB5_TRACE especially seems like it will
be useful; I wasn't aware of that.)

I think part of why we're struggling here is because the behavior of
sssd doesn't seem to match its documentation.

Specifically…

For RWDCs, when I use Samba "net ads join" to create the computer
account in AD and write the /etc/krb5.keytab file, it always creates
multiple entries:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myhost.example....@example.org (des-cbc-crc)
   2 host/myhost.example....@example.org (des-cbc-md5)
   2 host/myhost.example....@example.org (aes128-cts-hmac-sha1-96)
   2 host/myhost.example....@example.org (aes256-cts-hmac-sha1-96)
   2 host/myhost.example....@example.org (arcfour-hmac)
   2 host/myh...@example.org (des-cbc-crc)
   2 host/myh...@example.org (des-cbc-md5)
   2 host/myh...@example.org (aes128-cts-hmac-sha1-96)
   2 host/myh...@example.org (aes256-cts-hmac-sha1-96)
   2 host/myh...@example.org (arcfour-hmac)
   2 MYHOST$@EXAMPLE.ORG (des-cbc-crc)
   2 MYHOST$@EXAMPLE.ORG (des-cbc-md5)
   2 MYHOST$@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
   2 MYHOST$@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   2 MYHOST$@EXAMPLE.ORG (arcfour-hmac)

Using "adcli" does much the same thing, but additionally creates
RestrictedKrbHost SPNs:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 MYCLIENT$@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   2 MYCLIENT$@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
   2 MYCLIENT$@EXAMPLE.ORG (des3-cbc-sha1)
   2 MYCLIENT$@EXAMPLE.ORG (arcfour-hmac)
   2 MYCLIENT$@EXAMPLE.ORG (des-cbc-md5)
   2 MYCLIENT$@EXAMPLE.ORG (des-cbc-crc)
   2 host/myclient.example....@example.org (aes256-cts-hmac-sha1-96)
   2 host/myclient.example....@example.org (aes128-cts-hmac-sha1-96)
   2 host/myclient.example....@example.org (des3-cbc-sha1)
   2 host/myclient.example....@example.org (arcfour-hmac)
   2 host/myclient.example....@example.org (des-cbc-md5)
   2 host/myclient.example....@example.org (des-cbc-crc)
   2 host/mycli...@example.org (aes256-cts-hmac-sha1-96)
   2 host/mycli...@example.org (aes128-cts-hmac-sha1-96)
   2 host/mycli...@example.org (des3-cbc-sha1)
   2 host/mycli...@example.org (arcfour-hmac)
   2 host/mycli...@example.org (des-cbc-md5)
   2 host/mycli...@example.org (des-cbc-crc)
   2 RestrictedKrbHost/mycli...@example.org (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/mycli...@example.org (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/mycli...@example.org (des3-cbc-sha1)
   2 RestrictedKrbHost/mycli...@example.org (arcfour-hmac)
   2 RestrictedKrbHost/mycli...@example.org (des-cbc-md5)
   2 RestrictedKrbHost/mycli...@example.org (des-cbc-crc)
   2 RestrictedKrbHost/myclient.example....@example.org
(aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/myclient.example....@example.org
(aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/myclient.example....@example.org (des3-cbc-sha1)
   2 RestrictedKrbHost/myclient.example....@example.org (arcfour-hmac)
   2 RestrictedKrbHost/myclient.example....@example.org (des-cbc-md5)
   2 RestrictedKrbHost/myclient.example....@example.org (des-cbc-crc)

For adcli, this is the corresponding computer object in AD:

    sAMAccountName: MYCLIENT$
    sAMAccountType: 805306369
    dNSHostName: myclient.example.org
    userPrincipalName: host/myclient.example....@example.org
    servicePrincipalName: RestrictedKrbHost/myclient.example.org
    servicePrincipalName: RestrictedKrbHost/MYCLIENT
    servicePrincipalName: host/myclient.example.org
    servicePrincipalName: host/MYCLIENT

If use Samba to join the host to AD, the account is the same, minus
the RestrictedKrbHost SPNs.

According to the sssd-ldap(5) man page, ldap_sasl_authid defaults to:

    host/hostname@REALM

However, this is ambiguous.  Does this mean:

    host/shorthostname@REALM

…or does it mean:

    host/fqdn@REALM

I'm not sure.

But at least for AD, this doesn't seem to be what sssd is doing.  We
don't set ldap_sasl_authid, but for hosts joined to a RWDC with a
keytab like the examples above, we can see in packet captures that
sssd defaults to using SHORTHOSTNAME$:

    Kerberos AS-REQ
        Pvno: 5
        MSG Type: AS-REQ (10)
        padata: PA-ENC-TIMESTAMP Unknown:149
            Type: PA-ENC-TIMESTAMP (2)
                …
            Type: Unknown (149)
                Value: <MISSING>
        KDC_REQ_BODY
            Padding: 0
            KDCOptions: 00000010 (Renewable OK)
            Client Name (Principal): MYCLIENT$
                Name-type: Principal (1)
                Name: MYCLIENT$
            Realm: EXAMPLE.ORG
            Server Name (Service and Instance): krbtgt/EXAMPLE.ORG
                Name-type: Service and Instance (2)
                Name: krbtgt
                Name: EXAMPLE.ORG
            till: 2018-04-13 20:11:22 (UTC)
            Nonce: 462670550
            Encryption Types: …
                Encryption type: aes256-cts-hmac-sha1-96 (18)
                Encryption type: aes128-cts-hmac-sha1-96 (17)
                Encryption type: rc4-hmac (23)
                Encryption type: des-cbc-crc (1)
                Encryption type: des-cbc-md5 (3)
                Encryption type: des-cbc-md5-nt (20)
                Encryption type: Unknown (19)
                Encryption type: des3-cbc-sha1 (16)
                Encryption type: Unknown (25)
                Encryption type: Unknown (26)
                Encryption type: des-cbc-md4 (2)

This behavior is why we've been trying to export a Kerberos keytab
file from AD that looks *exactly* like one that samba/adcli would
create.  As we've discovered, that's not trivial.

But if in fact we don't need those additional entries—that just the
host/myclient.example....@example.org entry in the keytab file is
sufficient for sssd—then that would help us immensely.

So: if the only thing in the /etc/krb5.keytab file is this:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myclient.example....@example.org (aes256-cts-hmac-sha1-96)
   2 host/myclient.example....@example.org (aes128-cts-hmac-sha1-96)
   2 host/myclient.example....@example.org (des3-cbc-sha1)
   2 host/myclient.example....@example.org (arcfour-hmac)
   2 host/myclient.example....@example.org (des-cbc-md5)
   2 host/myclient.example....@example.org (des-cbc-crc)

…and the corresponding machine account in AD is:

    sAMAccountName: MYCLIENT$
    sAMAccountType: 805306369
    dNSHostName: myclient.example.org
    userPrincipalName: host/myclient.example....@example.org
    servicePrincipalName: host/myclient.example.org

Should that be sufficient for sssd to work correctly?

Thanks,
James
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

Reply via email to