[Freeipa-users] Re: ipa-getcert request results in CA_REJECTED, on an enrolled host

[Alexander Bokovoy via FreeIPA-users]

On Аўт, 12 сак 2024, Bo Lind via FreeIPA-users wrote:

root@naughtyhost:~# ipa host-show --all --raw naughtyhost|grep -i canon
 krbcanonicalname: host/naughtyhost.example.local@EXAMPLE.LOCAL

Looks like that part is in order...? Does the capitalization matter?

It does.

When you attempt to do that request, what do you see in the
/var/log/krb5kdc.log on the IPA server, related to requests from this
host?

Typically you'd see something like the sequence below. I am using
'master2.ipa2.test' which is an IPA server in itself as an example here,
but for your case host/master2.ipa2.test would be
host/naughtyhost.example.local and it would talk to your IPA server:

1. Get TGT using the host keytab:
Mar 13 09:36:00 master2.ipa2.test krb5kdc[548787](info): AS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.192.177: 
NEEDED_PREAUTH: host/master2.ipa2.t...@ipa2.test for 
krbtgt/ipa2.t...@ipa2.test, Additional pre-authentication required
Mar 13 09:36:00 master2.ipa2.test krb5kdc[548787](info): closing down fd 11
Mar 13 09:36:00 master2.ipa2.test krb5kdc[548787](info): AS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.192.177: ISSUE: 
authtime 1710322560, etypes {rep=aes256-cts-hmac-sha384-192(20), 
tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha384-192(20)}, 
host/master2.ipa2.t...@ipa2.test for krbtgt/ipa2.t...@ipa2.test
Mar 13 09:36:00 master2.ipa2.test krb5kdc[548787](info): closing down fd 11

2. Request a service ticket to IPA API:
Mar 13 09:36:00 master2.ipa2.test krb5kdc[548787](info): TGS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.192.177: ISSUE: 
authtime 1710322560, etypes {rep=aes256-cts-hmac-sha384-192(20), 
tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha384-192(20)}, 
host/master2.ipa2.t...@ipa2.test for HTTP/master2.ipa2.t...@ipa2.test
Mar 13 09:36:00 master2.ipa2.test krb5kdc[548787](info): closing down fd 11

3. IPA API needs to talk to LDAP server so it needs own TGT ticket
first:
Mar 13 09:36:00 master2.ipa2.test krb5kdc[548788](info): AS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.192.177: 
NEEDED_PREAUTH: HTTP/master2.ipa2.t...@ipa2.test for 
krbtgt/ipa2.t...@ipa2.test, Additional pre-authentication required
Mar 13 09:36:00 master2.ipa2.test krb5kdc[548788](info): closing down fd 11
Mar 13 09:36:00 master2.ipa2.test krb5kdc[548787](info): AS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.192.177: ISSUE: 
authtime 1710322560, etypes {rep=aes256-cts-hmac-sha384-192(20), 
tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha384-192(20)}, 
HTTP/master2.ipa2.t...@ipa2.test for krbtgt/ipa2.t...@ipa2.test
Mar 13 09:36:00 master2.ipa2.test krb5kdc[548787](info): closing down fd 11

4. And then asks for a service ticket to LDAP service on behalf of the
original Kerberos client (host requesting an operation):
Mar 13 09:36:00 master2.ipa2.test krb5kdc[548787](info): TGS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.192.177: ISSUE: 
authtime 1710322560, etypes {rep=aes256-cts-hmac-sha384-192(20), 
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha384-192(20)}, 
HTTP/master2.ipa2.t...@ipa2.test for ldap/master2.ipa2.t...@ipa2.test
Mar 13 09:36:00 master2.ipa2.test krb5kdc[548787](info): ... 
CONSTRAINED-DELEGATION s4u-client=host/master2.ipa2.t...@ipa2.test
Mar 13 09:36:00 master2.ipa2.test krb5kdc[548787](info): closing down fd 11

If you'd see any breakage in those steps, show the log.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue