On 07-09-18 16:10, Alexander Bokovoy wrote:
> On Fri, 07 Sep 2018, Kees Bakker wrote:
>>>>>> The problem with this seems to be related to the fact that directory
>>>>>> /var/lib/krb5kdc is only readable for root.
>>>>>>
>>>>>> $ ls -ld /var/lib/krb5kdc
>>>>>> drwx------ 2 root root 4096 Feb 5 2018 /var/lib/krb5kdc
>>>>>>
>>>>>> If I chmod the directory to 711 it is possible to log in via the browser.
>>>>> I wonder what was used to change it because the krb5-server package
>>>>> installs it as 755:
>>>>>
>>>>> # rpm -qlv krb5-server| grep /var/kerberos/krb5kdc
>>>>> drwxr-xr-x 2 root root 0 Aug 1 19:19 /var/kerberos/krb5kdc
>>>>> -rw------- 1 root root 22 Aug 1 19:13 /var/kerberos/krb5kdc/kadm5.acl
>>>>> -rw------- 1 root root 458 Aug 1 19:13 /var/kerberos/krb5kdc/kdc.conf
>>>>>
>>>> I'm using Ubuntu 18.04, where it is /var/lib/krb5kdc and this directory
>>>> has chmod 700. That is true on Ubuntu 16.04 as well. Ubuntu 16.04 has
>>>> freeipa-server 4.3.1-0ubuntu1.
>>>>
>>>> The Ubuntu 18.04 FreeIPA server installation
>>>> (4.7.0~pre1+git20180411-2ubuntu2) places a few files in /var/lib/krb5kdc
>>>> (that's new).
>>>>
>>>> So the question is: what was changed (in freeipa?) that it now wants read
>>>> access to /var/lib/krb5kdc?
>>> We need access to the KDC's public certificate in case we are dealing
>>> with a KDC certificate issued by a local certmonger (self-signed) which
>>> is not trusted by the machine.
>>>
>>> You can read https://www.freeipa.org/page/V4/Kerberos_PKINIT for
>>> details. A short version is:
>>> --------
>>> When you install 4.5 with --no-pkinit, the installer will generate a
>>> self-signed certificate for PKINIT. This certificate is only used and
>>> trusted by the IPA Web UI running on the same server to obtain an
>>> anonymous ticket.
>>> --------
>>>
>>> That anonymous PKINIT is required right now to enable two-factor
>>> authentication login to the web UI because since FreeIPA 4.5 we cannot
>>> use the HTTP service keytab anymore: the FreeIPA framework lost access to
>>> the keytab due to the privilege separation work we did (read
>>> https://vda.li/en/docs/freeipa-debug-privsep/ for details).
>>>
>>> Since your KDC PKINIT certificate might be issued by a local self-signed
>>> certmonger 'CA' in case you are not using the integrated FreeIPA CA, we
>>> have to be able to trust *that* public KDC certificate when running
>>> 'kinit -n', thus we need access to it.
>>>
>> ( insert emoji with confused face )
>> Thanks for explaining this, not that I understand all of it. So, does this
>> mean we have to ask the Ubuntu/Debian maintainers to allow read access to
>> /var/lib/krb5kdc?
> Yes.
>
See https://bugs.launchpad.net/bugs/1791325
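An added check, not from the thread or the FreeIPA project, that makes the permission point above concrete: an unprivileged process (like the privilege-separated IPA framework running `kinit -n`) needs the execute bit for "others" on every directory down to the KDC certificate plus the read bit on the file, so 700 on /var/lib/krb5kdc blocks it while 711 or 755 do not. The certificate file name kdc.crt and the throwaway directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): which "others" permission bits let a
# non-root, non-group process (such as the privilege-separated IPA framework)
# reach the KDC PKINIT certificate. The file name kdc.crt is an assumption.

# Does octal mode string $1 grant bit $2 (4 = read, 1 = execute) to "others"?
others_have() {
    mode=$1
    others=${mode#${mode%?}}   # last octal digit is the "others" triplet
    [ $(( others & $2 )) -ne 0 ]
}

# Classify the three directory modes discussed in the thread.
dir_access() {
    if ! others_have "$1" 1; then echo blocked          # 700: cannot enter
    elif others_have "$1" 4; then echo traverse+list    # 755: enter and list
    else echo traverse-only; fi   # 711: enter but not list; a file is still
}                                 #      readable when opened by exact name

# "others" triplet (e.g. "r-x") of a real path, from the ls -ld mode string.
others_bits() { ls -ld "$1" | cut -c8-10; }

# 0 if every directory below $2 (default /) is traversable by others and the
# file $1 itself is readable by others; that is what an unprivileged reader
# of the PKINIT certificate needs.
cert_reachable_by_others() {
    file=$1 top=${2:-/}
    case $(others_bits "$file") in r??) ;; *) return 1 ;; esac
    d=$(dirname "$file")
    while [ "$d" != "$top" ] && [ "$d" != "/" ]; do
        case $(others_bits "$d") in ??[xt]) ;; *) return 1 ;; esac
        d=$(dirname "$d")
    done
    return 0
}

# Stand-alone demo on a constructed throwaway layout (not the real KDC dir).
demo() {
    t=$(mktemp -d) && mkdir "$t/krb5kdc" && echo cert > "$t/krb5kdc/kdc.crt"
    chmod 644 "$t/krb5kdc/kdc.crt"
    for m in 700 711 755; do
        chmod "$m" "$t/krb5kdc"
        if cert_reachable_by_others "$t/krb5kdc/kdc.crt" "$t"
        then r=reachable; else r=unreachable; fi
        echo "$m: $(dir_access "$m"), kdc.crt $r"
    done
    rm -rf "$t"
}
case ${1:-} in demo) demo ;; esac
```

Run it as `sh check.sh demo` to print the reachability of the constructed kdc.crt under each of the three directory modes.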
