*** This bug is a duplicate of bug 1772447 ***
    https://bugs.launchpad.net/bugs/1772447

keestux <kees.bak...@xs4all.nl> writes:

> That anonymous PKINIT is required right now to enable two-factor
> authentication login to web UI because since FreeIPA 4.5 we cannot use
> HTTP service keytab anymore: FreeIPA framework lost access to the keytab
> due to privilege separation work we did (read
> https://vda.li/en/docs/freeipa-debug-privsep/ for details)

> Since your KDC PKINIT certificate might be issued by a local self-signed
> certmonger 'CA' in case you are not using integrated FreeIPA CA, we have
> to be able to trust *that* public KDC certificate when running 'kinit
> -n', thus we need access to it. "

> He also suggested that this should be changed in Ubuntu. If the directory
> /var/lib/krb5kdc becomes readable (perhaps chmod 711) then it would solve
> this issue.

It seems rather ironic that privilege separation leads to a request to
grant FreeIPA access to (admittedly only the directory of) the single most
sensitive and security-critical component of the entire Kerberos
infrastructure.

I think there should be some other way of solving this.  The public KDC
certificate is, well, public, so maybe don't put it in /var/lib/krb5kdc,
which is not?  (I always put mine in /etc/krb5kdc.)

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>
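
The two remedies in this thread (chmod 711 on /var/lib/krb5kdc, or keeping the public certificate somewhere that is already readable, as suggested above) differ in how much they expose. The script below is an added example, not FreeIPA or MIT krb5 code: it emulates the kernel's permission walk for an arbitrary unprivileged uid/gid (which `os.access` cannot do, since it tests the calling process), rebuilds the directory layout from the traceback in a scratch directory, and shows that a 0711 directory relies on every other file in it (kdc.key included) carrying its own restrictive mode, whereas publishing only the certificate leaves the KDC directory untouched. The service uid/gid, the PEM strings and the scratch paths are constructed placeholders.

```python
"""Permission check for PKINIT anchor files and a safe way to publish the
public KDC certificate.  Added example for this thread, not FreeIPA or MIT
krb5 code.  The uid/gid and PEM strings are constructed placeholders; the
scratch tree stands in for /var/lib/krb5kdc."""
import os
import shutil
import stat
import tempfile

# Constructed placeholders: not a real certificate or key.  Only the PEM
# headers matter to the checks below.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n"
               "-----END CERTIFICATE-----\n")
SAMPLE_KEY = ("-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n"
              "-----END PRIVATE KEY-----\n")


def _rwx_for(st, uid, gid):
    """(r, w, x) that the mode bits of `st` grant to uid/gid.  Supplementary
    groups and ACLs are ignored; uid 0 bypasses DAC entirely."""
    if uid == 0:
        return (True, True, True)
    shift = 6 if st.st_uid == uid else 3 if st.st_gid == gid else 0  # owner/group/other
    return tuple(bool(st.st_mode & (bit << shift))
                 for bit in (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH))


def readable_by(path, uid, gid, start=os.sep):
    """Emulate the kernel's path walk for an account that is not the caller:
    every directory below `start` (assumed reachable, not checked) needs the
    search (x) bit and the file itself needs the read bit.  Looks only at mode
    bits, so the answer does not depend on who runs it.  Returns (ok, reason)."""
    path, start = os.path.abspath(path), os.path.abspath(start)
    rel = os.path.relpath(path, start)
    if rel.startswith(os.pardir):
        raise ValueError("%s is not below %s" % (path, start))
    parts = [p for p in rel.split(os.sep) if p and p != os.curdir]
    prefix = start
    for comp in parts[:-1]:
        prefix = os.path.join(prefix, comp)
        st = os.stat(prefix)
        if not _rwx_for(st, uid, gid)[2]:
            return False, "no search permission on %s (mode %04o)" % (prefix, stat.S_IMODE(st.st_mode))
    st = os.stat(path)
    if not _rwx_for(st, uid, gid)[0]:
        return False, "no read permission on %s (mode %04o)" % (path, stat.S_IMODE(st.st_mode))
    return True, "readable"


def stage_public_anchor(src, dest_dir, name="kdc.crt"):
    """Copy the public KDC certificate into a world-readable directory so the
    PKINIT anchor can point there instead of into the KDC's private directory.
    Refuses anything that is not a bare certificate, so the key file that lives
    next to kdc.crt can never be published by mistake."""
    with open(src, "rb") as f:
        data = f.read()
    if b"PRIVATE KEY" in data or b"-----BEGIN CERTIFICATE-----" not in data:
        raise ValueError("%s is not a bare public certificate" % src)
    created = not os.path.isdir(dest_dir)
    os.makedirs(dest_dir, exist_ok=True)
    if created:
        os.chmod(dest_dir, 0o755)   # makedirs' mode argument is subject to umask
    dest = os.path.join(dest_dir, name)
    with open(dest, "wb") as f:
        f.write(data)
    os.chmod(dest, 0o644)           # public material: world-readable, owner-writable
    return dest


def anchor_args(paths):
    """kinit -X options for anchor files, in the form the traceback shows."""
    return [a for p in paths for a in ("-X", "X509_anchors=FILE:%s" % p)]


def demo(service_uid=150150, service_gid=150150):
    """Rebuild the thread's situation in a scratch tree (0700 directory holding
    kdc.crt 0644 and kdc.key 0600) and compare the two remedies discussed.
    The uid/gid is a constructed unprivileged account that owns nothing here."""
    base = tempfile.mkdtemp()
    try:
        kdcdir = os.path.join(base, "krb5kdc")        # stands in for /var/lib/krb5kdc
        os.mkdir(kdcdir)
        os.chmod(kdcdir, 0o700)
        cert, key = os.path.join(kdcdir, "kdc.crt"), os.path.join(kdcdir, "kdc.key")
        for p, text, mode in ((cert, SAMPLE_CERT, 0o644), (key, SAMPLE_KEY, 0o600)):
            with open(p, "w") as f:
                f.write(text)
            os.chmod(p, mode)
        r = {}
        # as shipped: the web framework account cannot even enter the directory
        r["locked_down"] = readable_by(cert, service_uid, service_gid, start=base)[0]
        # remedy 1: chmod 711 opens every 0644 file in the directory; the key
        # stays private only because of its own 0600 mode
        os.chmod(kdcdir, 0o711)
        r["chmod_711_cert"] = readable_by(cert, service_uid, service_gid, start=base)[0]
        r["chmod_711_key"] = readable_by(key, service_uid, service_gid, start=base)[0]
        os.chmod(kdcdir, 0o700)
        # remedy 2: publish only the certificate and point the anchor at the copy
        pub = stage_public_anchor(cert, os.path.join(base, "pki"))
        r["public_copy"] = readable_by(pub, service_uid, service_gid, start=base)[0]
        try:
            stage_public_anchor(key, os.path.join(base, "pki"), name="oops.pem")
            r["refused_key"] = False
        except ValueError:
            r["refused_key"] = True
        r["anchor_args"] = anchor_args([pub])
        return r
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-16s %s" % (k, v))
```

On a real host, run `readable_by("/var/lib/krb5kdc/kdc.crt", uid, gid)` with the uid/gid of the account the framework actually runs as; the reason string names the first component that blocks the walk, which is the directory itself in the traceback above.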

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1791325

Title:
  freeipa server needs read access /var/lib/krb5kdc

Status in freeipa package in Ubuntu:
  New
Status in krb5 package in Ubuntu:
  New

Bug description:
  After installing freeipa-server you cannot log in via the browser. You'll get
  a message: "Login failed due to an unknown reason."

  In /var/log/apache2/error.log there is this:
  ---------------------8X-----------------8X------------------
  [Thu Sep 06 12:00:28.720410 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38596] ipa: INFO: [jsonserver_kerb] host/usrv1.ijtest...@ijtest.nl: schema(version=u'2.170'): SUCCESS
  [Thu Sep 06 12:01:00.010427 2018] [:warn] [pid 6140:tid 140076243191552] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml
  [Thu Sep 06 12:01:00.099271 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: ping(): SUCCESS
  [Thu Sep 06 12:01:00.101695 2018] [:warn] [pid 6140:tid 140076130498304] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml
  [Thu Sep 06 12:01:00.273013 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: ca_is_enabled(version=u'2.107'): SUCCESS
  [Thu Sep 06 12:01:02.805635 2018] [:warn] [pid 6140:tid 140076234798848] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml
  [Thu Sep 06 12:01:02.999541 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: host_mod(u'usrv1.ijtest.nl', ipasshpubkey=(), updatedns=False, version=u'2.26'): EmptyModlist
  [Thu Sep 06 13:02:22.125841 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] mod_wsgi (pid=6138): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
  [Thu Sep 06 13:02:22.125877 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] Traceback (most recent call last):
  [Thu Sep 06 13:02:22.125898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/share/ipa/wsgi.py", line 57, in application
  [Thu Sep 06 13:02:22.125961 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     return api.Backend.wsgi_dispatch(environ, start_response)
  [Thu Sep 06 13:02:22.125972 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 265, in __call__
  [Thu Sep 06 13:02:22.128833 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     return self.route(environ, start_response)
  [Thu Sep 06 13:02:22.128846 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 277, in route
  [Thu Sep 06 13:02:22.128860 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     return app(environ, start_response)
  [Thu Sep 06 13:02:22.128872 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 935, in __call__
  [Thu Sep 06 13:02:22.128881 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     self.kinit(user_principal, password, ipa_ccache_name)
  [Thu Sep 06 13:02:22.128886 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 971, in kinit
  [Thu Sep 06 13:02:22.128892 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
  [Thu Sep 06 13:02:22.128898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipalib/install/kinit.py", line 125, in kinit_armor
  [Thu Sep 06 13:02:22.133878 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     run(args, env=env, raiseonerr=True, capture_error=True)
  [Thu Sep 06 13:02:22.133892 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 572, in run
  [Thu Sep 06 13:02:22.138435 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     p.returncode, arg_string, output_log, error_log
  [Thu Sep 06 13:02:22.138488 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/var/run/ipa/ccaches/armor_6138', '-X', 'X509_anchors=FILE:/var/lib/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: "kinit: Pre-authentication failed: Cannot open file '/var/lib/krb5kdc/kdc.crt': Permission denied while getting initial credentials\\n")
  ---------------------8X-----------------8X------------------

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1791325/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages