On Sun, 14 May 2023, Sam Morris wrote:
On Fri, May 12, 2023 at 06:19:44PM +0100, Sam Morris via FreeIPA-users wrote:
I wonder about the root cause; is this because MIT Kerberos 1.20 always
wants to include a PAC in its issued TGTs, and it gives up if it can't
retrieve a user's SID from the directory? (If so I wonder if setting
disable_pac = true in the realm section of krb5.conf would have worked
around the problem?)

This seems to be the case. Specifically I:

1. Removed the ipantsecurityidentifier attribute from a user, and
   removed ipantuserattrs from the user's objectclass
2. Tried to log in as the user & got the same failures + 'No such file
   or directory' message in /var/log/krb5kdc.log
3. Edited /var/kerberos/krb5kdc/kdc.conf, adding 'disable_pac = true'
   within the realm-specific configuration in the realms section
4. Restarted krb5kdc
5. Tried to log in as the user and it worked!

The docs for disable_pac say:

   If true, the KDC will not issue PACs for this realm, and S4U2Self
   and S4U2Proxy operations will be disabled.  The default is false,
   which will permit the KDC to issue PACs.  New in release 1.20.

... which doesn't explain that if the KDC can't issue a PAC for some
reason then the KDC will fail to issue the TGT. But at least I've gotten
to the bottom of things now. :)

RHEL IdM documentation has a separate chapter related to it.

RHEL 9:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts

RHEL 8:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts

This documentation is in place since summer 2022.

"After upgrading, krb5kdc may fail to issue TGTs to users who have not
had a SID assigned to their accounts ('ipa user-show user --all' will
not include an ipantsecurityidentifier attribute). In this case
krb5kdc.log will log a message "HANDLE_AUTHDATA: [email protected] for
krbtgt/[email protected], No such file or directory". This can be
fixed by running 'ipa config-mod --enable-sid --add-sids' as an IPA
admin on another IPA server."

... "or on the same server after temporarily setting "disable_pac =
true" in kdc.conf, and restarting krb5kdc."

You should not be disabling PAC because you are really setting yourself
up for an attack with a known exploit out in the wild.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
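The two things an administrator wants to check after reading this thread are (a) which users are actually hitting the HANDLE_AUTHDATA failure in krb5kdc.log, so they can be given a SID with 'ipa config-mod --enable-sid --add-sids' rather than by disabling PACs, and (b) whether a "temporary" disable_pac = true is still lurking in some realm block of kdc.conf. The script below is an added example written for this thread, not code from FreeIPA, MIT Kerberos or either poster; the log lines and the kdc.conf fragment are constructed sample data with a placeholder realm EXAMPLE.TEST, and the surrounding syslog-style prefix on the log lines is an assumption (only the "HANDLE_AUTHDATA: ... No such file or directory" message text comes from the thread).

```python
import re

# Symptom quoted in the thread: the KDC cannot build a PAC for a user without a SID
# and logs ENOENT ("No such file or directory") from HANDLE_AUTHDATA.
_PAC_FAIL_RE = re.compile(
    r"HANDLE_AUTHDATA: (?P<client>[^\s,]+) for (?P<server>[^\s,]+), "
    r"No such file or directory"
)

# krb5 accepts these spellings for a true boolean in its profile files.
_TRUE_VALUES = {"true", "yes", "on", "y", "t", "1"}


def users_missing_sid(log_lines):
    """Return the sorted, de-duplicated client principals whose TGT request
    failed in HANDLE_AUTHDATA (i.e. the accounts that still need a SID)."""
    hits = set()
    for line in log_lines:
        m = _PAC_FAIL_RE.search(line)
        if m and m.group("server").startswith("krbtgt/"):
            hits.add(m.group("client"))
    return sorted(hits)


def realms_with_pac_disabled(kdc_conf_text):
    """Parse the [realms] section of an MIT kdc.conf and return the realms
    whose block sets disable_pac to a true value. kdc.conf nests one level:
    [realms] / REALM = { key = value ... }."""
    flagged = []
    section = None
    realm = None
    for raw in kdc_conf_text.splitlines():
        # Strip '#' and ';' comments, then surrounding whitespace.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            realm = None
            continue
        if section != "realms":
            continue
        if realm is None and line.endswith("{"):
            # "EXAMPLE.TEST = {" opens a realm block
            realm = line[:-1].split("=", 1)[0].strip()
            continue
        if line == "}":
            realm = None
            continue
        if realm and "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if key.lower() == "disable_pac" and value.lower() in _TRUE_VALUES:
                flagged.append(realm)
    return flagged


# Constructed sample krb5kdc.log excerpt (prefix layout is an assumption).
SAMPLE_KDC_LOG = [
    "May 12 18:19:44 ipa.example.test krb5kdc[2411](info): AS_REQ 192.0.2.10: "
    "HANDLE_AUTHDATA: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, "
    "No such file or directory",
    "May 12 18:19:50 ipa.example.test krb5kdc[2411](info): AS_REQ 192.0.2.11: "
    "ISSUE: authtime 1683911990, bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "May 12 18:20:03 ipa.example.test krb5kdc[2411](info): AS_REQ 192.0.2.12: "
    "HANDLE_AUTHDATA: carol@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, "
    "No such file or directory",
    "May 12 18:20:05 ipa.example.test krb5kdc[2411](info): AS_REQ 192.0.2.10: "
    "HANDLE_AUTHDATA: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, "
    "No such file or directory",
]

# Constructed kdc.conf with the workaround from the thread left in one realm.
SAMPLE_KDC_CONF = """
[kdcdefaults]
 kdc_ports = 88
[realms]
 EXAMPLE.TEST = {
  master_key_type = aes256-cts
  disable_pac = true   # "temporary" workaround nobody removed
 }
 OTHER.TEST = {
  master_key_type = aes256-cts
 }
"""

if __name__ == "__main__":
    for user in users_missing_sid(SAMPLE_KDC_LOG):
        print(f"needs SID: {user}  (fix: ipa config-mod --enable-sid --add-sids)")
    for realm in realms_with_pac_disabled(SAMPLE_KDC_CONF):
        print(f"PACs disabled in realm {realm}: remove disable_pac and restart krb5kdc")
```

Run it against the real /var/log/krb5kdc.log and /var/kerberos/krb5kdc/kdc.conf by feeding their contents to the two functions; a non-empty list from realms_with_pac_disabled is the condition Alexander warns about above, and a non-empty list from users_missing_sid is the population that 'ipa config-mod --enable-sid --add-sids' is meant to fix.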
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue