On Mon, Sep 04, 2023 at 04:42:59PM +0300, Alexander Bokovoy via FreeIPA-users
wrote:
> On Mon, 04 Sep 2023, Sam Morris via FreeIPA-users wrote:
> > I've made some slight progress. I noticed that at the same time, the KDC
> > logs these messages:
> >
> > ==> /var/log/krb5kdc.log <==
> > Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ : handle_authdata (-1765328371)
> > Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.88.5: HANDLE_AUTHDATA: authtime 1693820777, etypes {rep=UNSUPPORTED:(0)} HTTP/[email protected] for ldap/[email protected], KDC can't fulfill requested option
> > Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): ... CONSTRAINED-DELEGATION s4u-client=host/xoanon.ipa.example.com@IPA.EXAMPLE.COM
> > Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): closing down fd 12
>
> It is a HANDLE_AUTHDATA issue, which is typically a sign of a PAC that
> cannot be generated. The S4U (constrained delegation) operation requires PAC
> presence.
>
> Since the client here is host/xoanon.ipa.example.com, this means this
> client most likely has no SID associated with it and cannot be
> associated with either of the two supported classes of PAC-enabled
> services: IPA servers and IPA clients. Otherwise it would have had a PAC
> in the ticket.
Are hosts supposed to have an ipaNTSecurityIdentifier attribute, or am I
misunderstanding? None of my hosts do (at least according to 'ipa
host-show --all --raw'), while my users do.
> I just tried to simulate that with an S4U2Self operation where the
> HTTP/master.ipa.test service would pretend that it authenticated
> host/client.ipa.test via a different protocol and then ask for a
> service ticket to itself. We have a tool (ipa-print-pac) that allows
> printing the content of the PAC:
>
> [root@master ~]# kinit -k -t /var/lib/ipa/gssproxy/http.keytab HTTP/master.ipa.test
> [root@master ~]# /usr/libexec/ipa/ipa-print-pac -E -k /var/lib/ipa/gssproxy/http.keytab impersonate host/client.ipa.test
Here's my output. There is one less buffer in my PAC: mine is missing
the PAC_TYPE_TICKET_CHECKSUM buffer.
# /usr/libexec/ipa/ipa-print-pac -E -k /var/lib/ipa/gssproxy/http.keytab impersonate host/xoanon.ipa.example.com
Acquired credentials for host/xoanon.ipa.example.com
PAC_DATA: struct PAC_DATA
  num_buffers : 0x00000007 (7)
  version : 0x00000000 (0)
  buffers: ARRAY(7)
    buffers: struct PAC_BUFFER
      type : PAC_TYPE_LOGON_INFO (1)
      _ndr_size : 0x00000200 (512)
      info : *
        info : union PAC_INFO(case 1)
          logon_info: struct PAC_LOGON_INFO_CTR
            info : *
              info: struct PAC_LOGON_INFO
                info3: struct netr_SamInfo3
                  base: struct netr_SamBaseInfo
                    logon_time : Mon Sep 4 17:17:03 2023 UTC
                    logoff_time : Thu Sep 14 02:48:05 30828 UTC
                    kickoff_time : Thu Sep 14 02:48:05 30828 UTC
                    last_password_change : Fri Jun 4 15:02:46 2021 UTC
                    allow_password_change : Fri Jun 4 15:02:46 2021 UTC
                    force_password_change : Thu Sep 14 02:48:05 30828 UTC
                    account_name: struct lsa_String
                      length : 0x0030 (48)
                      size : 0x0030 (48)
                      string : *
                        string : 'xoanon.ipa.example.com'
                    full_name: struct lsa_String
                      length : 0x0030 (48)
                      size : 0x0030 (48)
                      string : *
                        string : 'xoanon.ipa.example.com'
                    logon_script: struct lsa_String
                      length : 0x0000 (0)
                      size : 0x0000 (0)
                      string : *
                        string : ''
                    profile_path: struct lsa_String
                      length : 0x0000 (0)
                      size : 0x0000 (0)
                      string : *
                        string : ''
                    home_directory: struct lsa_String
                      length : 0x0000 (0)
                      size : 0x0000 (0)
                      string : *
                        string : ''
                    home_drive: struct lsa_String
                      length : 0x0000 (0)
                      size : 0x0000 (0)
                      string : *
                        string : ''
                    logon_count : 0x0000 (0)
                    bad_password_count : 0x0000 (0)
                    rid : 0x00000203 (515)
                    primary_gid : 0x00000203 (515)
                    groups: struct samr_RidWithAttributeArray
                      count : 0x00000000 (0)
                      rids : *
                        rids: ARRAY(0)
                    user_flags : 0x00000020 (32)
                      0: NETLOGON_GUEST
                      0: NETLOGON_NOENCRYPTION
                      0: NETLOGON_CACHED_ACCOUNT
                      0: NETLOGON_USED_LM_PASSWORD
                      1: NETLOGON_EXTRA_SIDS
                      0: NETLOGON_SUBAUTH_SESSION_KEY
                      0: NETLOGON_SERVER_TRUST_ACCOUNT
                      0: NETLOGON_NTLMV2_ENABLED
                      0: NETLOGON_RESOURCE_GROUPS
                      0: NETLOGON_PROFILE_PATH_RETURNED
                      0: NETLOGON_GRACE_LOGON
                    key: struct netr_UserSessionKey
                      key: ARRAY(16): <REDACTED SECRET VALUES>
                    logon_server: struct lsa_StringLarge
                      length : 0x0008 (8)
                      size : 0x000a (10)
                      string : *
                        string : 'IPA5'
                    logon_domain: struct lsa_StringLarge
                      length : 0x000c (12)
                      size : 0x000e (14)
                      string : *
                        string : 'EXAMPLE'
                    domain_sid : *
                      domain_sid : S-1-5-21-1341176315-1040986168-522724017
                    LMSessKey: struct netr_LMSessionKey
                      key: ARRAY(8): <REDACTED SECRET VALUES>
                    acct_flags : 0x00000080 (128)
                      0: ACB_DISABLED
                      0: ACB_HOMDIRREQ
                      0: ACB_PWNOTREQ
                      0: ACB_TEMPDUP
                      0: ACB_NORMAL
                      0: ACB_MNS
                      0: ACB_DOMTRUST
                      1: ACB_WSTRUST
                      0: ACB_SVRTRUST
                      0: ACB_PWNOEXP
                      0: ACB_AUTOLOCK
                      0: ACB_ENC_TXT_PWD_ALLOWED
                      0: ACB_SMARTCARD_REQUIRED
                      0: ACB_TRUSTED_FOR_DELEGATION
                      0: ACB_NOT_DELEGATED
                      0: ACB_USE_DES_KEY_ONLY
                      0: ACB_DONT_REQUIRE_PREAUTH
                      0: ACB_PW_EXPIRED
                      0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
                      0: ACB_NO_AUTH_DATA_REQD
                      0: ACB_PARTIAL_SECRETS_ACCOUNT
                      0: ACB_USE_AES_KEYS
                    sub_auth_status : 0x00000000 (0)
                    last_successful_logon : NTTIME(0)
                    last_failed_logon : NTTIME(0)
                    failed_logon_count : 0x00000000 (0)
                    reserved : 0x00000000 (0)
                  sidcount : 0x00000001 (1)
                  sids : *
                    sids: ARRAY(1)
                      sids: struct netr_SidAttr
                        sid : *
                          sid : S-1-18-2
                        attributes : 0x00000007 (7)
                          1: SE_GROUP_MANDATORY
                          1: SE_GROUP_ENABLED_BY_DEFAULT
                          1: SE_GROUP_ENABLED
                          0: SE_GROUP_OWNER
                          0: SE_GROUP_USE_FOR_DENY_ONLY
                          0: SE_GROUP_INTEGRITY
                          0: SE_GROUP_INTEGRITY_ENABLED
                          0: SE_GROUP_RESOURCE
                          0x00: SE_GROUP_LOGON_ID (0)
                resource_groups: struct PAC_DOMAIN_GROUP_MEMBERSHIP
                  domain_sid : NULL
                  groups: struct samr_RidWithAttributeArray
                    count : 0x00000000 (0)
                    rids : NULL
      _pad : 0x00000000 (0)
    buffers: struct PAC_BUFFER
      type : PAC_TYPE_UPN_DNS_INFO (12)
      _ndr_size : 0x000000ec (236)
      info : *
        info : union PAC_INFO(case 12)
          upn_dns_info: struct PAC_UPN_DNS_INFO
            upn_name_size : 0x005e (94)
            upn_name : *
              upn_name : 'host/xoanon.ipa.example.com@IPA.EXAMPLE.COM'
            dns_domain_name_size : 0x0022 (34)
            dns_domain_name : *
              dns_domain_name : 'IPA.EXAMPLE.COM'
            flags : 0x00000002 (2)
              0: PAC_UPN_DNS_FLAG_CONSTRUCTED
              1: PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID
            ex : union PAC_UPN_DNS_INFO_EX(case 2)
              sam_name_and_sid: struct PAC_UPN_DNS_INFO_SAM_NAME_AND_SID
                samaccountname_size : 0x0030 (48)
                samaccountname : *
                  samaccountname : 'xoanon.ipa.example.com'
                objectsid_size : 0x001c (28)
                objectsid : *
                  objectsid : S-1-5-21-1341176315-1040986168-522724017-515
      _pad : 0x00000000 (0)
    buffers: struct PAC_BUFFER
      type : PAC_TYPE_ATTRIBUTES_INFO (17)
      _ndr_size : 0x00000008 (8)
      info : *
        info : union PAC_INFO(case 17)
          attributes_info: struct PAC_ATTRIBUTES_INFO
            flags_length : 0x00000002 (2)
            flags : 0x00000002 (2)
              0: PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED
              1: PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY
      _pad : 0x00000000 (0)
    buffers: struct PAC_BUFFER
      type : PAC_TYPE_LOGON_NAME (10)
      _ndr_size : 0x00000046 (70)
      info : *
        info : union PAC_INFO(case 10)
          logon_name: struct PAC_LOGON_NAME
            logon_time : Mon Sep 4 17:17:03 2023 UTC
            size : 0x003c (60)
            account_name : 'host\/xoanon.ipa.example.com'
      _pad : 0x00000000 (0)
    buffers: struct PAC_BUFFER
      type : PAC_TYPE_SRV_CHECKSUM (6)
      _ndr_size : 0x00000010 (16)
      info : *
        info : union PAC_INFO(case 6)
          srv_cksum: struct PAC_SIGNATURE_DATA
            type : 0x00000010 (16)
            signature : DATA_BLOB length=12
              [0000] 3B 51 6F E5 9D 90 7A 5F 8D 39 83 7D   ;Qo...z_ .9.}
      _pad : 0x00000000 (0)
    buffers: struct PAC_BUFFER
      type : PAC_TYPE_KDC_CHECKSUM (7)
      _ndr_size : 0x00000010 (16)
      info : *
        info : union PAC_INFO(case 7)
          kdc_cksum: struct PAC_SIGNATURE_DATA
            type : 0x00000010 (16)
            signature : DATA_BLOB length=12
              [0000] F3 F2 5B CC CB FC 9F EC E2 99 7D E8   ..[..... ..}.
      _pad : 0x00000000 (0)
    buffers: struct PAC_BUFFER
      type : PAC_TYPE_FULL_CHECKSUM (19)
      _ndr_size : 0x00000010 (16)
      info : *
        info : union PAC_INFO(case 19)
          full_checksum: struct PAC_SIGNATURE_DATA
            type : 0x00000010 (16)
            signature : DATA_BLOB length=12
              [0000] B9 F3 A3 DB C6 1A 9D 17 B1 8E 26 E9   ........ ..&.
      _pad : 0x00000000 (0)
... other than that it looks similar.
I get the same when I run it on ipa3 (also running RHEL 8).
If I run it on ipa6 (RHEL 9) I get all 8 buffers, including
PAC_TYPE_TICKET_CHECKSUM.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
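The KDC log quoted at the top of this thread is the first place the failure shows up: a "TGS_REQ : handle_authdata (-1765328371)" line, then the TGS_REQ result line with HANDLE_AUTHDATA and "KDC can't fulfill requested option", then a "... CONSTRAINED-DELEGATION s4u-client=..." line naming the principal being impersonated. The following Python is an added example, not code from the thread, from FreeIPA or from MIT krb5: it parses krb5kdc.log lines of exactly that shape, pairs each TGS_REQ result with the preceding handle_authdata code and the following s4u-client line, and lists S4U requests that did not end in ISSUE. The sample log is constructed to match the format shown above; the HTTP/ and ldap/ principals on ipa5 and the two extra requests are assumptions.

```python
"""Triage S4U (constrained delegation / protocol transition) failures in krb5kdc.log.

Added example for the FreeIPA-users thread on HANDLE_AUTHDATA failures; not FreeIPA
or MIT krb5 code. The log lines below are constructed to match the format quoted in
the thread (principal names on ipa5 are assumptions).
"""
import re

# com_err base of the krb5 error table: KRB5KDC_ERR_NONE == -1765328384, so the Kerberos
# protocol error number is (logged code - base). 13 is KDC_ERR_BADOPTION, which the KDC
# prints as "KDC can't fulfill requested option".
KRB5KDC_ERR_NONE = -1765328384
KDC_ERR_NAMES = {13: "KDC_ERR_BADOPTION"}

_PREFIX = (r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
           r"krb5kdc\[(?P<pid>\d+)\]\(\w+\): ")
TGS_RESULT_RE = re.compile(
    _PREFIX + r"TGS_REQ \((?P<n_etypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client_ip>\S+): (?P<status>[A-Z_]+): authtime (?P<authtime>\d+), "
    r"etypes \{(?P<rep_etypes>[^}]*)\},? (?P<client>\S+) for (?P<server>[^,]+)"
    r"(?:, (?P<message>.*))?$")
AUTHDATA_RE = re.compile(_PREFIX + r"TGS_REQ : handle_authdata \((?P<code>-?\d+)\)$")
S4U_RE = re.compile(_PREFIX + r"\.\.\. (?P<kind>CONSTRAINED-DELEGATION|PROTOCOL-TRANSITION) "
                    r"s4u-client=(?P<s4u_client>\S+)$")


def parse_kdc_log(text):
    """Return one dict per TGS_REQ result line. A preceding handle_authdata line is
    attached as authdata_error / authdata_error_name, and a following
    '... CONSTRAINED-DELEGATION|PROTOCOL-TRANSITION s4u-client=' line as kind / s4u_client."""
    events, pending_code = [], None
    for line in text.splitlines():
        m = AUTHDATA_RE.match(line)
        if m:
            pending_code = int(m["code"])   # remembered until the next TGS_REQ result line
            continue
        m = TGS_RESULT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["authtime"] = int(ev["authtime"])
            if pending_code is not None:
                ev["authdata_error"] = pending_code
                ev["authdata_error_name"] = KDC_ERR_NAMES.get(
                    pending_code - KRB5KDC_ERR_NONE, str(pending_code))
                pending_code = None
            events.append(ev)
            continue
        m = S4U_RE.match(line)
        if m and events and "s4u_client" not in events[-1]:
            events[-1]["kind"] = m["kind"]
            events[-1]["s4u_client"] = m["s4u_client"]
    return events


def find_failed_s4u(events):
    """S4U requests (ones with an s4u-client line) whose result was not ISSUE."""
    return [e for e in events if e.get("s4u_client") and e["status"] != "ISSUE"]


# Constructed sample: the failing S4U2Proxy request from the thread, a successful
# S4U2Self request and a plain (non-S4U) TGS request, all assumptions.
SAMPLE_KDC_LOG = """\
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ : handle_authdata (-1765328371)
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.88.5: HANDLE_AUTHDATA: authtime 1693820777, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM, KDC can't fulfill requested option
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): ... CONSTRAINED-DELEGATION s4u-client=host/xoanon.ipa.example.com@IPA.EXAMPLE.COM
Sep 04 09:46:17 ipa5.ipa.example.com krb5kdc[183962](info): closing down fd 12
Sep 04 09:46:18 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.88.5: ISSUE: authtime 1693820777, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM
Sep 04 09:46:18 ipa5.ipa.example.com krb5kdc[183962](info): ... PROTOCOL-TRANSITION s4u-client=admin@IPA.EXAMPLE.COM
Sep 04 09:46:20 ipa5.ipa.example.com krb5kdc[183962](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.88.40: ISSUE: authtime 1693820800, etypes {rep=18 tkt=18 ses=18}, admin@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM
"""

if __name__ == "__main__":
    for ev in find_failed_s4u(parse_kdc_log(SAMPLE_KDC_LOG)):
        print(f"{ev['ts']} {ev['kind']} by {ev['client']} for {ev['server']}: "
              f"{ev['status']} ({ev.get('authdata_error_name', '?')}), "
              f"s4u-client={ev['s4u_client']}, from {ev['client_ip']}")
```

The s4u-client value is the field to pivot on: it names the principal whose PAC the KDC could not produce, which is the account to check for a SID, not the HTTP/ service that sent the request.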
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
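The ipa-print-pac dumps above differ only in the buffer table: the RHEL 8 PAC has seven buffers and lacks PAC_TYPE_TICKET_CHECKSUM (type 16), the RHEL 9 one has eight. The Python below is an added example, not code from the thread, from FreeIPA or from Samba: it serialises and parses the outer MS-PAC container (the PACTYPE header followed by PAC_INFO_BUFFER entries of ulType, cbBufferSize and a 64-bit Offset), reads the SignatureType out of each checksum buffer, and reports which of the four checksum buffers are absent. The two sample PACs are constructed to mirror the buffer lists in the dumps; their payload bytes (apart from the signature headers) are placeholders and are not real NDR-encoded logon data.

```python
"""Inspect the buffer table of an MS-PAC blob and report missing checksum buffers.

Added example for the FreeIPA-users thread; not FreeIPA or Samba code. The sample
PACs at the bottom are constructed: buffer types and sizes follow the ipa-print-pac
dumps in the thread, the payload bytes are placeholders.
"""
import struct

# ulType values from MS-PAC 2.4, named as Samba's ipa-print-pac output names them.
PAC_TYPES = {
    1: "PAC_TYPE_LOGON_INFO",
    6: "PAC_TYPE_SRV_CHECKSUM",
    7: "PAC_TYPE_KDC_CHECKSUM",
    10: "PAC_TYPE_LOGON_NAME",
    11: "PAC_TYPE_CONSTRAINED_DELEGATION",
    12: "PAC_TYPE_UPN_DNS_INFO",
    16: "PAC_TYPE_TICKET_CHECKSUM",
    17: "PAC_TYPE_ATTRIBUTES_INFO",
    18: "PAC_TYPE_REQUESTER_SID",
    19: "PAC_TYPE_FULL_CHECKSUM",
}
CHECKSUM_BUFFERS = (6, 7, 16, 19)      # all carry a PAC_SIGNATURE_DATA body
# SignatureType values (MS-PAC 2.8); 16 is the hmac-sha1-96-aes256 the dumps show.
CKSUMTYPE_NAMES = {16: "hmac-sha1-96-aes256", 15: "hmac-sha1-96-aes128", 0xFFFFFF76: "hmac-md5"}


def build_pac(buffers, version=0):
    """Serialise (ulType, payload) pairs into a PACTYPE blob.
    Header = cBuffers, Version, then one 16-byte PAC_INFO_BUFFER per buffer; the
    header length 8 + 16*n is already 8-aligned and each payload is padded to 8."""
    header_len = 8 + 16 * len(buffers)
    entries, body = [], bytearray()
    for ultype, payload in buffers:
        entries.append(struct.pack("<IIQ", ultype, len(payload), header_len + len(body)))
        body += payload + b"\x00" * (-len(payload) % 8)
    return struct.pack("<II", len(buffers), version) + b"".join(entries) + bytes(body)


def parse_pac(blob):
    """Return [(ulType, payload)] in table order; reject headers or offsets that
    point outside the blob instead of slicing silently."""
    if len(blob) < 8:
        raise ValueError("PAC shorter than PACTYPE header")
    count, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError(f"unknown PAC version {version}")
    table_end = 8 + 16 * count
    if table_end > len(blob):
        raise ValueError("PAC_INFO_BUFFER table runs past end of PAC")
    buffers = []
    for i in range(count):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset < table_end or offset + size > len(blob):
            raise ValueError(f"buffer {i} (type {ultype}) points outside the PAC")
        buffers.append((ultype, blob[offset:offset + size]))
    return buffers


def parse_signature(payload):
    """PAC_SIGNATURE_DATA: ULONG SignatureType followed by the raw signature bytes."""
    if len(payload) < 4:
        raise ValueError("signature buffer too short")
    (cksumtype,) = struct.unpack_from("<I", payload, 0)
    return cksumtype, payload[4:]


def audit_pac(blob):
    """Summarise a PAC the way one reads the ipa-print-pac dump: buffer types present,
    checksum buffers missing, and the checksum type / length of each signature."""
    buffers = parse_pac(blob)
    present = [ultype for ultype, _ in buffers]
    signatures = {}
    for ultype, payload in buffers:
        if ultype in CHECKSUM_BUFFERS:
            cksumtype, sig = parse_signature(payload)
            signatures[PAC_TYPES[ultype]] = (CKSUMTYPE_NAMES.get(cksumtype, hex(cksumtype)), len(sig))
    return {
        "num_buffers": len(buffers),
        "present": [PAC_TYPES.get(t, f"unknown({t})") for t in present],
        "missing_checksums": [PAC_TYPES[t] for t in CHECKSUM_BUFFERS if t not in present],
        "signatures": signatures,
    }


def _sig(fill):
    # A 12-byte hmac-sha1-96-aes256 signature placeholder, as in the dumps (constructed).
    return struct.pack("<I", 16) + bytes([fill]) * 12


# Constructed: the seven buffers of the RHEL 8 dump (sizes from the _ndr_size fields).
RHEL8_LIKE_BUFFERS = [
    (1, b"\x00" * 512),                 # PAC_TYPE_LOGON_INFO placeholder, not real NDR
    (12, b"\x00" * 236),                # PAC_TYPE_UPN_DNS_INFO placeholder
    (17, struct.pack("<II", 2, 2)),     # flags_length=2, flags=PAC_WAS_GIVEN_IMPLICITLY
    (10, b"\x00" * 70),                 # PAC_TYPE_LOGON_NAME placeholder
    (6, _sig(0x3B)), (7, _sig(0xF3)), (19, _sig(0xB9)),
]
RHEL8_LIKE_PAC = build_pac(RHEL8_LIKE_BUFFERS)
# Constructed: the same set plus the ticket checksum the RHEL 9 dump has.
WITH_TICKET_CHECKSUM = build_pac(RHEL8_LIKE_BUFFERS + [(16, _sig(0xAA))])

if __name__ == "__main__":
    for name, blob in (("RHEL 8-like", RHEL8_LIKE_PAC), ("with ticket checksum", WITH_TICKET_CHECKSUM)):
        print(name, audit_pac(blob))
```

The checksum buffers are what a relying KDC or service verifies; the ticket checksum (type 16) is the one that binds the PAC to the enclosing ticket, so an audit like this makes the "7 buffers on RHEL 8, 8 on RHEL 9" difference visible without reading the whole NDR dump.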
