Hello Alexander,
indeed, some users have the SID (ipantsecurityidentifier) attribute missing.
ipa config-mod --enable-sid --add-sids fixed it. Thank you.
I found
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
Looks like we have an installation from early RHEL8, before 8.5; SIDs became
mandatory in the meantime and the current update definitely broke it.
Thank you for your help!
Kind Regards,
Rasto
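As an added example (not part of the thread), a small Python helper that checks the two things Alexander asked Rasto to look at: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC rejections in the KDC log, and user entries that have no ipantsecurityidentifier. The log lines, user entries and the SID value are constructed, and the user-find excerpt assumes the one-attribute-per-line layout of `ipa user-find --all --raw`.

```python
import re
from typing import Dict, List

# Constructed sample log lines in the format krb5kdc writes to
# /var/log/krb5kdc.log. The first mirrors the rejection from the thread
# (with "@" where the mail archive printed "(a)"), the second is a normal,
# successful TGS_REQ for comparison.
SAMPLE_KDC_LOG = """\
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com@ID.EXAMPLE.COM for ldap/ipa7.id.example.com@ID.EXAMPLE.COM, KDC policy rejects request
Jan 11 17:42:02 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha384-192(20)}, HTTP/ipa7.id.example.com@ID.EXAMPLE.COM for ldap/ipa7.id.example.com@ID.EXAMPLE.COM
"""

# Matches only the "evidence ticket without PAC" rejection and pulls out the
# delegating service (proxy), the target service and the requesting client.
NO_PAC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): TGS_REQ .*? "
    r"(?P<src>\S+): S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime (?P<authtime>\d+), "
    r"etypes \{[^}]*\} (?P<proxy>\S+) for (?P<target>\S+), KDC policy rejects request$"
)


def find_no_pac_rejections(log_text: str) -> List[Dict[str, str]]:
    """Return one record per S4U2PROXY rejection caused by a PAC-less evidence ticket.

    The proxy/target pair identifies the constrained-delegation path that is failing
    (here IPA's web UI forwarding to LDAP); the user whose ticket lacked the PAC is
    not in the line, so the SID check below is the next step."""
    return [m.groupdict() for m in map(NO_PAC_RE.match, log_text.splitlines()) if m]


# Constructed excerpt shaped like `ipa user-find --all --raw` output: one entry
# per block, ipantsecurityidentifier present only where a SID was assigned.
# The SID value is made up.
SAMPLE_USER_FIND = """\
  dn: uid=admin,cn=users,cn=accounts,dc=id,dc=example,dc=com
  uid: admin
  ipantsecurityidentifier: S-1-5-21-1111111111-2222222222-3333333333-500

  dn: uid=rasto,cn=users,cn=accounts,dc=id,dc=example,dc=com
  uid: rasto
  krbprincipalname: rasto@ID.EXAMPLE.COM
"""


def users_missing_sid(raw_output: str) -> List[str]:
    """Return the uids of entries without an ipantsecurityidentifier attribute.

    The KDC cannot build a PAC for these accounts, so they are the ones that
    `ipa config-mod --enable-sid --add-sids` has to repair."""
    missing = []
    for block in re.split(r"\n\s*\n", raw_output.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.strip().partition(":")
            attrs.setdefault(key.lower(), value.strip())
        if "uid" in attrs and "ipantsecurityidentifier" not in attrs:
            missing.append(attrs["uid"])
    return missing
```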
On 11/01/2024 20:56, Alexander Bokovoy wrote:
> On Thu, 11 Jan 2024, Rasto Rickardt wrote:
>> Hello Alexander,
>>
>> all packages should be current with default RHEL configuration:
>
> Thanks, the configs look OK. So check whether users miss SIDs and
> regenerate them with
> ipa config-mod --enable-sid --add-sids
>
> as admin.
>
>>
>> krb5-workstation-1.18.2-26.el8_9.x86_64
>> krb5-pkinit-1.18.2-26.el8_9.x86_64
>> sssd-krb5-2.9.1-4.el8_9.x86_64
>> krb5-libs-1.18.2-26.el8_9.x86_64
>> krb5-server-1.18.2-26.el8_9.x86_64
>> sssd-krb5-common-2.9.1-4.el8_9.x86_64
>>
>> cat /var/kerberos/krb5kdc/kdc.conf
>> [kdcdefaults]
>> kdc_ports = 88
>> kdc_tcp_ports = 88
>> restrict_anonymous_to_tgt = true
>> spake_preauth_kdc_challenge = edwards25519
>>
>> [realms]
>>
>> ID.EXAMPLE.COM = {
>> master_key_type = aes256-cts
>> max_life = 7d
>> max_renewable_life = 14d
>> acl_file = /var/kerberos/krb5kdc/kadm5.acl
>> dict_file = /usr/share/dict/words
>> default_principal_flags = +preauth
>> ; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>> pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
>> pkinit_anchors = FILE:/var/kerberos/krb5kdc/kdc.crt
>> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>> pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
>> pkinit_indicator = pkinit
>> spake_preauth_indicator = hardened
>> encrypted_challenge_indicator = hardened
>> }
>> [libdefaults]
>> spake_preauth_kdc_challenge = edwards25519
>>
>> /etc/krb5.conf and conf.d are in attached file.
>>
>> I do not see disable_pac anywhere.
>>
>> Thank you,
>>
>> Rasto
>>
>>> The error below tells that a user ticket did not have a PAC associated:
>>>
>>>> Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6
>>>> etypes {aes256-cts-hmac-sha384-192(20),
>>>> aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18),
>>>> aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26),
>>>> camellia128-cts-cmac(25)}) 10.112.65.75:
>>>> S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes
>>>> {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com(a)id.example.com for
>>>> ldap/ipa7.id.example.com(a)id.example.com, KDC policy rejects request
>>>
>>> Can you also share your client's and server's Kerberos configs and which
>>> rpms are used?
>>>
>>> It looks like either the SID is missing in the user account and the KDC is
>>> forced to ignore that (disable_pac = true in the realm configuration in
>>> kdc.conf), or some flags are set on IPA services to force ignoring PAC
>>> checks. PAC presence is required for constrained delegation
>>> operations and we now enforce it for krb5 1.18 as well.
>>