On Mon, 04 Sep 2023, Sam Morris via FreeIPA-users wrote:
I've made some slight progress. I noticed that at the same time, the KDC logs these messages:
==> /var/log/krb5kdc.log <==
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ : handle_authdata (-1765328371)
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.88.5: HANDLE_AUTHDATA: authtime 1693820777, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM, KDC can't fulfill requested option
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): ... CONSTRAINED-DELEGATION s4u-client=host/xoanon.ipa.example.com@IPA.EXAMPLE.COM
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): closing down fd 12
It is a HANDLE_AUTHDATA issue, which is typically a sign of a PAC that cannot be generated. An S4U (constrained delegation) operation requires the presence of a PAC.
Since the client here is host/xoanon.ipa.example.com, this means this client most likely has no SID associated with it and cannot be associated with either of the two supported classes of PAC-enabled services: IPA servers and IPA clients. Otherwise it would have had a PAC in the ticket.
I just tried to simulate that with an S4U2Self operation where the HTTP/master.ipa.test service would pretend that it authenticated host/client.ipa.test via a different protocol and then asked for a service ticket to itself. We have a tool (ipa-print-pac) that allows printing the content of the PAC:
[root@master ~]# kinit -k -t /var/lib/ipa/gssproxy/http.keytab HTTP/master.ipa.test
[root@master ~]# /usr/libexec/ipa/ipa-print-pac -E -k /var/lib/ipa/gssproxy/http.keytab impersonate host/client.ipa.test
Acquired credentials for host/client.ipa.test
PAC_DATA: struct PAC_DATA
    num_buffers : 0x00000008 (8)
    version : 0x00000000 (0)
    buffers: ARRAY(8)
        buffers: struct PAC_BUFFER
            type : PAC_TYPE_LOGON_INFO (1)
            _ndr_size : 0x000001e0 (480)
            info : *
                info : union PAC_INFO(case 1)
                    logon_info: struct PAC_LOGON_INFO_CTR
                        info : *
                            info: struct PAC_LOGON_INFO
                                info3: struct netr_SamInfo3
                                    base: struct netr_SamBaseInfo
                                        logon_time : Mon Sep 4 13:39:23 2023 UTC
                                        logoff_time : Thu Sep 14 02:48:05 30828 UTC
                                        kickoff_time : Thu Sep 14 02:48:05 30828 UTC
                                        last_password_change : Mon Sep 4 13:37:22 2023 UTC
                                        allow_password_change : Mon Sep 4 13:37:22 2023 UTC
                                        force_password_change : Thu Sep 14 02:48:05 30828 UTC
                                        account_name: struct lsa_String
                                            length : 0x001e (30)
                                            size : 0x001e (30)
                                            string : *
                                                string : 'client.ipa.test'
                                        full_name: struct lsa_String
                                            length : 0x001e (30)
                                            size : 0x001e (30)
                                            string : *
                                                string : 'client.ipa.test'
                                        logon_script: struct lsa_String
                                            length : 0x0000 (0)
                                            size : 0x0000 (0)
                                            string : *
                                                string : ''
                                        profile_path: struct lsa_String
                                            length : 0x0000 (0)
                                            size : 0x0000 (0)
                                            string : *
                                                string : ''
                                        home_directory: struct lsa_String
                                            length : 0x0000 (0)
                                            size : 0x0000 (0)
                                            string : *
                                                string : ''
                                        home_drive: struct lsa_String
                                            length : 0x0000 (0)
                                            size : 0x0000 (0)
                                            string : *
                                                string : ''
                                        logon_count : 0x0000 (0)
                                        bad_password_count : 0x0000 (0)
                                        rid : 0x00000203 (515)
                                        primary_gid : 0x00000203 (515)
                                        groups: struct samr_RidWithAttributeArray
                                            count : 0x00000000 (0)
                                            rids : *
                                                rids: ARRAY(0)
                                        user_flags : 0x00000020 (32)
                                            0: NETLOGON_GUEST
                                            0: NETLOGON_NOENCRYPTION
                                            0: NETLOGON_CACHED_ACCOUNT
                                            0: NETLOGON_USED_LM_PASSWORD
                                            1: NETLOGON_EXTRA_SIDS
                                            0: NETLOGON_SUBAUTH_SESSION_KEY
                                            0: NETLOGON_SERVER_TRUST_ACCOUNT
                                            0: NETLOGON_NTLMV2_ENABLED
                                            0: NETLOGON_RESOURCE_GROUPS
                                            0: NETLOGON_PROFILE_PATH_RETURNED
                                            0: NETLOGON_GRACE_LOGON
                                        key: struct netr_UserSessionKey
                                            key: ARRAY(16): <REDACTED SECRET VALUES>
                                        logon_server: struct lsa_StringLarge
                                            length : 0x000c (12)
                                            size : 0x000e (14)
                                            string : *
                                                string : 'MASTER'
                                        logon_domain: struct lsa_StringLarge
                                            length : 0x0006 (6)
                                            size : 0x0008 (8)
                                            string : *
                                                string : 'IPA'
                                        domain_sid : *
                                            domain_sid : S-1-5-21-2093978176-3761652416-3478956151
                                        LMSessKey: struct netr_LMSessionKey
                                            key: ARRAY(8): <REDACTED SECRET VALUES>
                                        acct_flags : 0x00000080 (128)
                                            0: ACB_DISABLED
                                            0: ACB_HOMDIRREQ
                                            0: ACB_PWNOTREQ
                                            0: ACB_TEMPDUP
                                            0: ACB_NORMAL
                                            0: ACB_MNS
                                            0: ACB_DOMTRUST
                                            1: ACB_WSTRUST
                                            0: ACB_SVRTRUST
                                            0: ACB_PWNOEXP
                                            0: ACB_AUTOLOCK
                                            0: ACB_ENC_TXT_PWD_ALLOWED
                                            0: ACB_SMARTCARD_REQUIRED
                                            0: ACB_TRUSTED_FOR_DELEGATION
                                            0: ACB_NOT_DELEGATED
                                            0: ACB_USE_DES_KEY_ONLY
                                            0: ACB_DONT_REQUIRE_PREAUTH
                                            0: ACB_PW_EXPIRED
                                            0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
                                            0: ACB_NO_AUTH_DATA_REQD
                                            0: ACB_PARTIAL_SECRETS_ACCOUNT
                                            0: ACB_USE_AES_KEYS
                                        sub_auth_status : 0x00000000 (0)
                                        last_successful_logon : NTTIME(0)
                                        last_failed_logon : NTTIME(0)
                                        failed_logon_count : 0x00000000 (0)
                                        reserved : 0x00000000 (0)
                                    sidcount : 0x00000001 (1)
                                    sids : *
                                        sids: ARRAY(1)
                                            sids: struct netr_SidAttr
                                                sid : *
                                                    sid : S-1-18-2
                                                attributes : 0x00000007 (7)
                                                    1: SE_GROUP_MANDATORY
                                                    1: SE_GROUP_ENABLED_BY_DEFAULT
                                                    1: SE_GROUP_ENABLED
                                                    0: SE_GROUP_OWNER
                                                    0: SE_GROUP_USE_FOR_DENY_ONLY
                                                    0: SE_GROUP_INTEGRITY
                                                    0: SE_GROUP_INTEGRITY_ENABLED
                                                    0: SE_GROUP_RESOURCE
                                                    0x00: SE_GROUP_LOGON_ID (0)
                                resource_groups: struct PAC_DOMAIN_GROUP_MEMBERSHIP
                                    domain_sid : NULL
                                    groups: struct samr_RidWithAttributeArray
                                        count : 0x00000000 (0)
                                        rids : NULL
            _pad : 0x00000000 (0)
        buffers: struct PAC_BUFFER
            type : PAC_TYPE_UPN_DNS_INFO (12)
            _ndr_size : 0x000000a2 (162)
            info : *
                info : union PAC_INFO(case 12)
                    upn_dns_info: struct PAC_UPN_DNS_INFO
                        upn_name_size : 0x003a (58)
                        upn_name : *
                            upn_name : 'host/client.ipa.test@IPA.TEST'
                        dns_domain_name_size : 0x0010 (16)
                        dns_domain_name : *
                            dns_domain_name : 'IPA.TEST'
                        flags : 0x00000002 (2)
                            0: PAC_UPN_DNS_FLAG_CONSTRUCTED
                            1: PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID
                        ex : union PAC_UPN_DNS_INFO_EX(case 2)
                            sam_name_and_sid: struct PAC_UPN_DNS_INFO_SAM_NAME_AND_SID
                                samaccountname_size : 0x001e (30)
                                samaccountname : *
                                    samaccountname : 'client.ipa.test'
                                objectsid_size : 0x001c (28)
                                objectsid : *
                                    objectsid : S-1-5-21-2093978176-3761652416-3478956151-515
            _pad : 0x00000000 (0)
        buffers: struct PAC_BUFFER
            type : PAC_TYPE_ATTRIBUTES_INFO (17)
            _ndr_size : 0x00000008 (8)
            info : *
                info : union PAC_INFO(case 17)
                    attributes_info: struct PAC_ATTRIBUTES_INFO
                        flags_length : 0x00000002 (2)
                        flags : 0x00000002 (2)
                            0: PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED
                            1: PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY
            _pad : 0x00000000 (0)
        buffers: struct PAC_BUFFER
            type : PAC_TYPE_TICKET_CHECKSUM (16)
            _ndr_size : 0x0000001c (28)
            info : *
                info : union PAC_INFO(case 16)
                    ticket_checksum: struct PAC_SIGNATURE_DATA
                        type : 0x00000014 (20)
                        signature : DATA_BLOB length=24
[0000] 58 2E 4D 1A 2D B3 3C 90 30 D5 72 82 BB 93 E4 87 X.M.-.<. 0.r.....
[0010] 74 F6 75 4F 9C 1E 22 D5 t.uO..".
            _pad : 0x00000000 (0)
        buffers: struct PAC_BUFFER
            type : PAC_TYPE_LOGON_NAME (10)
            _ndr_size : 0x00000034 (52)
            info : *
                info : union PAC_INFO(case 10)
                    logon_name: struct PAC_LOGON_NAME
                        logon_time : Mon Sep 4 13:39:23 2023 UTC
                        size : 0x002a (42)
                        account_name : 'host/client.ipa.test'
            _pad : 0x00000000 (0)
        buffers: struct PAC_BUFFER
            type : PAC_TYPE_SRV_CHECKSUM (6)
            _ndr_size : 0x0000001c (28)
            info : *
                info : union PAC_INFO(case 6)
                    srv_cksum: struct PAC_SIGNATURE_DATA
                        type : 0x00000014 (20)
                        signature : DATA_BLOB length=24
[0000] A5 D3 8A 27 C0 91 F1 A0 C3 A0 6A 1A 4D E6 62 F5 ...'.... ..j.M.b.
[0010] EF 94 64 02 81 AC 2C A7 ..d...,.
            _pad : 0x00000000 (0)
        buffers: struct PAC_BUFFER
            type : PAC_TYPE_KDC_CHECKSUM (7)
            _ndr_size : 0x0000001c (28)
            info : *
                info : union PAC_INFO(case 7)
                    kdc_cksum: struct PAC_SIGNATURE_DATA
                        type : 0x00000014 (20)
                        signature : DATA_BLOB length=24
[0000] 28 C3 C4 97 20 1A CE F2 33 49 85 B6 C8 2F 97 3E (... ... 3I.../.>
[0010] 8B 65 E5 02 4A 03 6F B2 .e..J.o.
            _pad : 0x00000000 (0)
        buffers: struct PAC_BUFFER
            type : PAC_TYPE_FULL_CHECKSUM (19)
            _ndr_size : 0x0000001c (28)
            info : *
                info : union PAC_INFO(case 19)
                    full_checksum: struct PAC_SIGNATURE_DATA
                        type : 0x00000014 (20)
                        signature : DATA_BLOB length=24
[0000] 54 F2 48 08 35 EB E4 F2 46 84 93 9F F9 5C 6B 62 T.H.5... F....\kb
[0010] 0B 5E 51 50 FA 76 8E 60 .^QP.v.`
            _pad : 0x00000000 (0)
In case of a failure I would not be able to get PAC output like this.
I guess this is showing that HTTP/ipa5.ipa.example.com (the IPA API server) is trying to obtain a ticket to LDAP/ipa5.ipa.example.com on behalf of host/xoanon.ipa.example.com but the KDC is rejecting the request.
Correct.
If that's right then I guess I need to figure out why that might be. Unfortunately setting 'debug = true' in /etc/krb5.conf's [logging] section doesn't cause any more detailed messages to be logged.
The krb5 library does not support debugging this way.
If I run gssproxy with --debug-level=2 I can see it logging some stuff but I guess it's just showing the calls that result in the kdc logging the above...
gssproxy is not involved in ticket issuance. It is a client app, effectively.
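The diagnosis above rests on reading three KDC log lines together: the "handle_authdata (code)" line, the TGS_REQ summary whose status is HANDLE_AUTHDATA rather than ISSUE, and the "... CONSTRAINED-DELEGATION s4u-client=" continuation that names the principal being impersonated, which is the one that needs a SID and hence a PAC. The script below is an added example, not code from FreeIPA, krb5 or either poster. It parses krb5kdc.log in that shape and reports rejected S4U2Proxy requests with the impersonated principal. The sample log embeds the four lines quoted in the thread plus a successful exchange that I constructed for contrast; the error-name table covers only the three KDC error codes listed in it (the code in the thread, -1765328371, is KRB5KDC_ERR_BADOPTION, which matches the "KDC can't fulfill requested option" text). The exact wording of a successful ISSUE line is my assumption about the krb5 log format, not something the thread shows.

```python
"""Report S4U2Proxy (constrained delegation) requests rejected by the KDC,
from krb5kdc.log lines. Added example for this thread; not FreeIPA code."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# krb5 KDC error values are this base plus the RFC 4120 error number.
# Only the codes named here are translated; -1765328371 is the thread's code.
_KRB5KDC_ERR_BASE = -1765328384
KDC_ERROR_NAMES = {
    _KRB5KDC_ERR_BASE + 7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    _KRB5KDC_ERR_BASE + 12: "KRB5KDC_ERR_POLICY",
    _KRB5KDC_ERR_BASE + 13: "KRB5KDC_ERR_BADOPTION",
}

_HANDLE_AUTHDATA_RE = re.compile(r"TGS_REQ : handle_authdata \((-?\d+)\)")
_TGS_REQ_RE = re.compile(
    r"TGS_REQ \(.*?\) (?P<peer>\S+): (?P<status>[A-Z_]+): authtime (?P<authtime>\d+), "
    r"etypes \{(?P<etypes>[^}]*)\},? (?P<client>\S+) for (?P<server>\S+)"
    r"(?:, (?P<reason>.*))?$"
)
_S4U_CLIENT_RE = re.compile(r"CONSTRAINED-DELEGATION s4u-client=(?P<s4u_client>\S+)")


@dataclass
class TgsRequest:
    peer: str                         # address the TGS_REQ came from
    status: str                       # "ISSUE" on success, e.g. "HANDLE_AUTHDATA" on failure
    authtime: int
    client: str                       # principal whose TGT was presented (the impersonator)
    server: str                       # service the ticket was requested for
    reason: Optional[str] = None      # KDC's explanation text, failures only
    errcode: Optional[int] = None     # from the preceding handle_authdata line
    s4u_client: Optional[str] = None  # impersonated principal; set for S4U2Proxy only

    @property
    def is_s4u2proxy(self) -> bool:
        return self.s4u_client is not None

    @property
    def failed(self) -> bool:
        return self.status != "ISSUE"

    @property
    def error_name(self) -> Optional[str]:
        if self.errcode is None:
            return None
        return KDC_ERROR_NAMES.get(self.errcode, f"unknown({self.errcode})")


def parse_kdc_log(lines: Iterable[str]) -> List[TgsRequest]:
    """Group the per-request krb5kdc.log lines into TgsRequest records."""
    requests: List[TgsRequest] = []
    pending_errcode: Optional[int] = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = _HANDLE_AUTHDATA_RE.search(line)
        if m:                      # logged just before the TGS_REQ summary it belongs to
            pending_errcode = int(m.group(1))
            continue
        m = _TGS_REQ_RE.search(line)
        if m:
            requests.append(TgsRequest(
                peer=m["peer"], status=m["status"], authtime=int(m["authtime"]),
                client=m["client"], server=m["server"], reason=m["reason"],
                errcode=pending_errcode))
            pending_errcode = None
            continue
        m = _S4U_CLIENT_RE.search(line)
        if m and requests:         # the "..." continuation follows its TGS_REQ line
            requests[-1].s4u_client = m["s4u_client"]
    return requests


def rejected_delegations(lines: Iterable[str]) -> List[TgsRequest]:
    """S4U2Proxy requests the KDC refused. For HANDLE_AUTHDATA the principal to
    inspect is s4u_client: it is the one that must carry a SID to get a PAC."""
    return [r for r in parse_kdc_log(lines) if r.is_s4u2proxy and r.failed]


def describe(req: TgsRequest) -> str:
    return (f"{req.client} -> {req.server} on behalf of {req.s4u_client}: "
            f"{req.status} {req.error_name or ''} ({req.reason or 'no reason given'})")


# Constructed sample: the four lines quoted in the thread, then a successful
# S4U2Proxy exchange I made up for contrast (status ISSUE, etypes filled in).
SAMPLE_LOG = """\
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ : handle_authdata (-1765328371)
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.88.5: HANDLE_AUTHDATA: authtime 1693820777, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM, KDC can't fulfill requested option
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): ... CONSTRAINED-DELEGATION s4u-client=host/xoanon.ipa.example.com@IPA.EXAMPLE.COM
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): closing down fd 12
Sep 04 09:50:02 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.88.5: ISSUE: authtime 1693820777, etypes {rep=aes256-cts-hmac-sha1-96(18) tkt=aes256-cts-hmac-sha1-96(18) ses=aes256-cts-hmac-sha1-96(18)}, HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM
Sep 04 09:50:02 ipa5.ipa.example.com krb5kdc[183962](info): ... CONSTRAINED-DELEGATION s4u-client=host/ipa5.ipa.example.com@IPA.EXAMPLE.COM
"""

if __name__ == "__main__":
    import sys
    from pathlib import Path
    lines = Path(sys.argv[1]).read_text().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for req in rejected_delegations(lines):
        print(describe(req))
```

Run it with no arguments to see the thread's own case reported, or pass a path to a real krb5kdc.log. Each principal it prints as "on behalf of" is a candidate for the check Alexander describes: impersonate it with ipa-print-pac from the server's HTTP keytab and see whether a PAC comes back at all. The thread does not say where to look in the directory; on a FreeIPA server the SID, when one has been assigned, lives in the ipaNTSecurityIdentifier attribute of the host's LDAP entry (a fact from FreeIPA's schema, not from this thread).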