On Fri, 07 Sep 2018, Kees Bakker wrote:
>>>>> The problem with this seems to be related to the fact that directory
>>>>> /var/lib/krb5kdc is only readable for root.
>>>>>
>>>>> $ ls -ld /var/lib/krb5kdc
>>>>> drwx------ 2 root root 4096 Feb 5 2018 /var/lib/krb5kdc
>>>>>
>>>>> If I chmod the directory to 711 it is possible to log in via the
>>>>> browser.
>>>> I wonder what was used to change it because krb5-server package installs
>>>> it as 755:
>>>>
>>>> # rpm -qlv krb5-server | grep /var/kerberos/krb5kdc
>>>> drwxr-xr-x 2 root root 0 Aug 1 19:19 /var/kerberos/krb5kdc
>>>> -rw------- 1 root root 22 Aug 1 19:13 /var/kerberos/krb5kdc/kadm5.acl
>>>> -rw------- 1 root root 458 Aug 1 19:13 /var/kerberos/krb5kdc/kdc.conf
>>>>
>>>
>>> I'm using Ubuntu 18.04, where it is /var/lib/krb5kdc and this directory
>>> has chmod 700.
>>> That is true on Ubuntu 16.04 as well. Ubuntu 16.04 has freeipa-server
>>> 4.3.1-0ubuntu1
>>>
>>> The Ubuntu 18.04 FreeIPA server installation
>>> (4.7.0~pre1+git20180411-2ubuntu2) places a few files in /var/lib/krb5kdc
>>> (that's new).
>>>
>>> So the question is: what was changed (in freeipa?) that it now wants read
>>> access to /var/lib/krb5kdc?
>> We need access to the KDC's public certificate in case we are dealing
>> with a KDC certificate issued by a local certmonger (self-signed) which
>> is not trusted by the machine.
>>
>> You can read https://www.freeipa.org/page/V4/Kerberos_PKINIT for
>> details. A short version is:
>> --------
>> When you install 4.5 with --no-pkinit, the installer will generate
>> self-signed certificate for PKINIT. This certificate is only used and
>> trusted by IPA Web UI running on the same server to obtain an anonymous
>> ticket.
>> --------
>>
>> That anonymous PKINIT is required right now to enable two-factor
>> authentication login to web UI because since FreeIPA 4.5 we cannot use
>> HTTP service keytab anymore: FreeIPA framework lost access to the keytab
>> due to privilege separation work we did (read
>> https://vda.li/en/docs/freeipa-debug-privsep/ for details)
>>
>> Since your KDC PKINIT certificate might be issued by a local self-signed
>> certmonger 'CA' in case you are not using integrated FreeIPA CA, we have
>> to be able to trust *that* public KDC certificate when running 'kinit
>> -n', thus we need access to it.
>>
>
> ( insert emoji with confused face )
> Thanks for explaining this, not that I understand all of it. So, does this mean we
> have to ask the Ubuntu/Debian maintainers to allow read access to /var/lib/krb5kdc?
Yes.
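The thread above turns on mode bits: the KDC directory must let a non-root process (the web UI running `kinit -n`) traverse it to reach the public PKINIT certificate, while kdc.conf and kadm5.acl stay owner-only. The script below is an added example written for this thread, not code from FreeIPA, krb5 or the Debian packaging. It audits a KDC directory against exactly that expectation. The directory layout it builds under a temporary path (a 700 "bad" copy and a 711 "good" copy, with a kdc.crt file) is constructed for the demonstration, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread or any project): audit a KDC directory's
# mode bits. A non-root process must be able to traverse the directory (the
# "others" execute bit, as in 711 or 755) to read the public PKINIT cert,
# while the secrets inside it must stay readable by the owner only.
# Assumes GNU coreutils 'stat -c'.

# Return 0 if "others" have the execute (traverse) bit on the given directory.
dir_traversable_by_others() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # Last octal digit is the "others" triplet; execute is bit value 1.
    others=$(printf '%s' "$mode" | tail -c 1)
    [ $(( others & 1 )) -eq 1 ]
}

# Return 0 if the group or others can read the given file (a secret should not).
file_readable_beyond_owner() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    grp=$(printf '%s' "$mode" | tail -c 2 | head -c 1)
    oth=$(printf '%s' "$mode" | tail -c 1)
    # Read is bit value 4 in each triplet.
    [ $(( (grp & 4) | (oth & 4) )) -ne 0 ]
}

# Audit one KDC directory. Prints findings; returns 0 when the directory is
# traversable by non-root and every known secret file is owner-only.
audit_kdc_dir() {
    dir=$1
    rc=0
    if dir_traversable_by_others "$dir"; then
        echo "OK: $dir (mode $(stat -c '%a' "$dir")) is traversable by non-root"
    else
        echo "PROBLEM: $dir (mode $(stat -c '%a' "$dir")) blocks non-root; web UI cannot reach the PKINIT cert"
        rc=1
    fi
    for secret in "$dir/kdc.conf" "$dir/kadm5.acl"; do
        [ -e "$secret" ] || continue
        if file_readable_beyond_owner "$secret"; then
            echo "PROBLEM: $secret is readable by group/others"
            rc=1
        else
            echo "OK: $secret is owner-only"
        fi
    done
    return $rc
}

# Build a constructed KDC-like layout for the demonstration.
# $1 = base directory, $2 = octal mode to apply to it.
make_layout() {
    mkdir -p "$1"
    : > "$1/kdc.conf";  chmod 600 "$1/kdc.conf"
    : > "$1/kadm5.acl"; chmod 600 "$1/kadm5.acl"
    printf 'constructed public cert\n' > "$1/kdc.crt"; chmod 644 "$1/kdc.crt"
    chmod "$2" "$1"
}

# Demonstration: the 700 layout from the thread fails, a 711 layout passes.
demo=$(mktemp -d)
make_layout "$demo/bad" 700
make_layout "$demo/good" 711
for d in "$demo/bad" "$demo/good"; do
    audit_kdc_dir "$d" || echo "=> $d needs attention"
done
rm -rf "$demo"
```

Run it against a real server as `audit_kdc_dir /var/lib/krb5kdc` (Debian/Ubuntu) or `audit_kdc_dir /var/kerberos/krb5kdc` (Fedora/RHEL); because it inspects mode bits rather than attempting the read, it gives the same answer whether it runs as root or as the web server user.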