On pe, 07 syys 2018, Kees Bakker wrote:
The problem with this seems to be related to the fact that directory
/var/lib/krb5kdc
is only readable for root.
$ ls -ld /var/lib/krb5kdc
drwx------ 2 root root 4096 Feb 5 2018 /var/lib/krb5kdc
If I chmod the directory to 711 it is possible to login via the browser.
I wonder what was used to change it because krb5-server package installs
it as 755:
# rpm -qlv krb5-server| grep /var/kerberos/krb5kdc
drwxr-xr-x 2 root root 0 Aug 1 19:19
/var/kerberos/krb5kdc
-rw------- 1 root root 22 Aug 1 19:13
/var/kerberos/krb5kdc/kadm5.acl
-rw------- 1 root root 458 Aug 1 19:13
/var/kerberos/krb5kdc/kdc.conf
I'm using Ubuntu 18.04, where it is /var/lib/krb5kdc and this directory has
chmod 700.
That is true on Ubuntu 16.04 as well. Ubuntu 16.04 has freeipa-server
4.3.1-0ubuntu1
The Ubuntu 18.04 FreeIPA server installation (4.7.0~pre1+git20180411-2ubuntu2)
places a
few files in /var/lib/krb5kdc (that's new).
So the question is: what was changed (in freeipa?) that it now wants read
access of /var/lib/krb5kdc ?
We need access to the KDC's public certificate in case we are dealing
with a KDC certificate issued by a local certmonger (self-signed) which
is not trusted by the machine.
You can read https://www.freeipa.org/page/V4/Kerberos_PKINIT for
details. A short version is:
--------
When you install 4.5 with --no-pkinit, the installer will generate
self-signed certificate for PKINIT. This certificate is only used and
trusted by IPA Web UI running on the same server to obtain an anonymous
ticket.
--------
That anonymous PKINIT is required right now to enable two-factor
authentication login to web UI because since FreeIPA 4.5 we cannot use
HTTP service keytab anymore: FreeIPA framework lost access to the keytab
due to privilege separation work we did (read
https://vda.li/en/docs/freeipa-debug-privsep/ for details)
Since your KDC PKINIT certificate might be issued by a local self-signed
certmonger 'CA' in case you are not using integrated FreeIPA CA, we have
to be able to trust *that* public KDC certificate when running 'kinit
-n', thus we need access to it.
( insert emoji with confused face )
Thanks for explaining this, not that I understand all of it. So, does this mean
we
have to ask the Ubuntu/Debian maintainers to allow read access of
/var/lib/krb5kdc ?
Yes.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
