On Thu, 11 Jan 2024, Rasto Rickardt wrote:
Hello Alexander,
all packages should be current with default RHEL configuration:
Thanks, the configs look OK. So check whether users miss SIDs and
regenerate them with
ipa config-mod --enable-sid --add-sids
as admin.
krb5-workstation-1.18.2-26.el8_9.x86_64
krb5-pkinit-1.18.2-26.el8_9.x86_64
sssd-krb5-2.9.1-4.el8_9.x86_64
krb5-libs-1.18.2-26.el8_9.x86_64
krb5-server-1.18.2-26.el8_9.x86_64
sssd-krb5-common-2.9.1-4.el8_9.x86_64
cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
restrict_anonymous_to_tgt = true
spake_preauth_kdc_challenge = edwards25519
[realms]
ID.EXAMPLE.COM = {
master_key_type = aes256-cts
max_life = 7d
max_renewable_life = 14d
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
default_principal_flags = +preauth
; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
pkinit_anchors = FILE:/var/kerberos/krb5kdc/kdc.crt
pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
pkinit_indicator = pkinit
spake_preauth_indicator = hardened
encrypted_challenge_indicator = hardened
}
[libdefaults]
spake_preauth_kdc_challenge = edwards25519
/etc/krb5.conf and conf.d are in attached file.
I do not see disable_pac anywhere.
Thank you,
Rasto
The error below tells us that a user ticket did not have a PAC associated with it:
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/[email protected] for ldap/[email protected], KDC policy rejects request
Can you also share your client and server's Kerberos configurations?
configs and which rpms are used.
It looks like either the SID is missing in the user account and the KDC is
forced to ignore that (disable_pac = true in the realm configuration in
kdc.conf), or some flags are set on IPA services to force ignoring PAC
checks. PAC presence is required for constrained delegation
operations and we now enforce it for krb5 1.18 as well.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
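A quick way to find the users Alexander asks about (accounts with no SID, which the KDC then cannot put a PAC into), as an added example that is not part of the thread: it parses `ipa user-find --all --raw` output, where records are blank-line separated and the SID appears as the lowercase `ipantsecurityidentifier` attribute. The sample output below is constructed; run it for real after `kinit admin`.

```shell
#!/bin/sh
# Added example, not from the thread. Prints IPA users that lack a SID
# (ipantsecurityidentifier). Such accounts get tickets without a PAC, and
# S4U2Proxy requests using those tickets are rejected by the KDC.
# Assumes `ipa user-find --all --raw` output on stdin; in --raw output
# attribute names are lowercase LDAP names and entries are blank-line
# separated, so awk can treat each entry as one record.
users_without_sid() {
    awk '
        BEGIN { RS = ""; FS = "\n" }        # one record per user entry
        {
            uid = ""; has_sid = 0
            for (i = 1; i <= NF; i++) {
                line = $i
                sub(/^[ \t]+/, "", line)      # strip the CLI indentation
                if (line ~ /^uid: /) { uid = substr(line, 6) }
                if (line ~ /^ipantsecurityidentifier: S-1-5-21-/) { has_sid = 1 }
            }
            # Header/footer blocks have no uid line and are skipped.
            if (uid != "" && !has_sid) print uid
        }'
}

# Constructed sample of --raw output: alice has a SID, bob does not.
SAMPLE='----------------
2 users matched
----------------
  uid: alice
  ipantsecurityidentifier: S-1-5-21-1111111111-2222222222-3333333333-1001
  krbprincipalname: [email protected]

  uid: bob
  krbprincipalname: [email protected]
----------------------------
Number of entries returned 2
----------------------------'

# Real usage: ipa user-find --all --raw | users_without_sid
# Any user printed here is a candidate for
#   ipa config-mod --enable-sid --add-sids
printf '%s\n' "$SAMPLE" | users_without_sid
```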