[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC"
Date: Wed, 21 Dec 2022 21:25:55 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #45 from Cy Schubert <cy@FreeBSD.org> ---

How did you add the FreeBSD servers to the FreeIPA Kerberos realm? After you added the host principals to the Kerberos realm, did you export (using xst in kadmin) the principals to keytab files and copy those files to each FreeBSD server?

FreeIPA includes an ipa-join command to join (like an Active Directory join) the servers to the Kerberos realm. If you have not done this you will never be able to use a TGT to log into those servers. This is true of all vanilla KRB5s (MIT and Heimdal). In MIT one needs to ank -randkey xst host/servername@EXAMPLE.COM, then -randkey host/servername@EXAMPLE.COM. In Active Directory one needs to (using winbind) net ads join. I see in FreeIPA one needs to run ipa-join.

ipa-join is a Linux ELF binary. Did you copy that binary to the FreeBSD servers and run it under Linux emulation (which I doubt will work properly) or did you manage to join the servers to the realm in a different way?

For example, you will need a host principal like the one for a server in my Kerberos realm.

kadmin: getprinc host/slippy
Principal: host/slippy@MYREALM.COM
Expiration date: [never]
Last password change: Mon Aug 14 20:21:24 PDT 2017
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Aug 14 20:21:24 PDT 2017 (root/admin@MYREALM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 3, DEPRECATED:des3-cbc-sha1
Key: vno 3, DEPRECATED:arcfour-hmac
Key: vno 3, aes128-cts-hmac-sha1-96
Key: vno 3, aes256-cts-hmac-sha1-96
MKey: vno 1
Attributes:
Policy: [none]

The above is a host principal for one of the machines in my realm. Below is its keytab:

ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 ftp/slippy.cwsent.com@EXAMPLE.COM
   2    3 ftp/slippy.cwsent.com@EXAMPLE.COM
   3    3 ftp/slippy.cwsent.com@EXAMPLE.COM
   4    3 ftp/slippy.cwsent.com@EXAMPLE.COM
   5    3 ftp/slippy2.cwsent.com@EXAMPLE.COM
   6    3 ftp/slippy2.cwsent.com@EXAMPLE.COM
   7    3 ftp/slippy2.cwsent.com@EXAMPLE.COM
   8    3 ftp/slippy2.cwsent.com@EXAMPLE.COM
   9    3 ftp/slippy2@EXAMPLE.COM
  10    3 ftp/slippy2@EXAMPLE.COM
  11    3 ftp/slippy2@EXAMPLE.COM
  12    3 ftp/slippy2@EXAMPLE.COM
  13    3 ftp/slippy6.cwsent.com@EXAMPLE.COM
  14    3 ftp/slippy6.cwsent.com@EXAMPLE.COM
  15    3 ftp/slippy6.cwsent.com@EXAMPLE.COM
  16    3 ftp/slippy6.cwsent.com@EXAMPLE.COM
  17    3 ftp/slippy6@EXAMPLE.COM
  18    3 ftp/slippy6@EXAMPLE.COM
  19    3 ftp/slippy6@EXAMPLE.COM
  20    3 ftp/slippy6@EXAMPLE.COM
  21    3 ftp/slippy8.cwsent.com@EXAMPLE.COM
  22    3 ftp/slippy8.cwsent.com@EXAMPLE.COM
  23    3 ftp/slippy8.cwsent.com@EXAMPLE.COM
  24    3 ftp/slippy8.cwsent.com@EXAMPLE.COM
  25    3 ftp/slippy8@EXAMPLE.COM
  26    3 ftp/slippy8@EXAMPLE.COM
  27    3 ftp/slippy8@EXAMPLE.COM
  28    3 ftp/slippy8@EXAMPLE.COM
  29    3 ftp/slippy@EXAMPLE.COM
  30    3 ftp/slippy@EXAMPLE.COM
  31    3 ftp/slippy@EXAMPLE.COM
  32    3 ftp/slippy@EXAMPLE.COM
  33    3 host/slippy.cwsent.com@EXAMPLE.COM
  34    3 host/slippy.cwsent.com@EXAMPLE.COM
  35    3 host/slippy.cwsent.com@EXAMPLE.COM
  36    3 host/slippy.cwsent.com@EXAMPLE.COM
  37    3 host/slippy2.cwsent.com@EXAMPLE.COM
  38    3 host/slippy2.cwsent.com@EXAMPLE.COM
  39    3 host/slippy2.cwsent.com@EXAMPLE.COM
  40    3 host/slippy2.cwsent.com@EXAMPLE.COM
  41    3 host/slippy2@EXAMPLE.COM
  42    3 host/slippy2@EXAMPLE.COM
  43    3 host/slippy2@EXAMPLE.COM
  44    3 host/slippy2@EXAMPLE.COM
  45    3 host/slippy6.cwsent.com@EXAMPLE.COM
  46    3 host/slippy6.cwsent.com@EXAMPLE.COM
  47    3 host/slippy6.cwsent.com@EXAMPLE.COM
  48    3 host/slippy6.cwsent.com@EXAMPLE.COM
  49    3 host/slippy6@EXAMPLE.COM
  50    3 host/slippy6@EXAMPLE.COM
  51    3 host/slippy6@EXAMPLE.COM
  52    3 host/slippy6@EXAMPLE.COM
  53    3 host/slippy8.cwsent.com@EXAMPLE.COM
  54    3 host/slippy8.cwsent.com@EXAMPLE.COM
  55    3 host/slippy8.cwsent.com@EXAMPLE.COM
  56    3 host/slippy8.cwsent.com@EXAMPLE.COM
  57    3 host/slippy8@EXAMPLE.COM
  58    3 host/slippy8@EXAMPLE.COM
  59    3 host/slippy8@EXAMPLE.COM
  60    3 host/slippy8@EXAMPLE.COM
  61    3 host/slippy@EXAMPLE.COM
  62    3 host/slippy@EXAMPLE.COM
  63    3 host/slippy@EXAMPLE.COM
  64    3 host/slippy@EXAMPLE.COM
  65    3 kadmin/slippy@EXAMPLE.COM
  66    3 kadmin/slippy@EXAMPLE.COM
  67    3 kadmin/slippy@EXAMPLE.COM
  68    3 kadmin/slippy@EXAMPLE.COM
  69    3 kiprop/slippy@EXAMPLE.COM
  70    3 kiprop/slippy@EXAMPLE.COM
  71    3 kiprop/slippy@EXAMPLE.COM
  72    3 kiprop/slippy@EXAMPLE.COM
ktutil:

Notice I have principals for each service offered on this machine, for each key, deprecated and valid keys. (My KDC database is cluttered with keys as it was originally created in 1995 and exported and imported multiple times as the database format was updated and re-encrypted using more secure ciphers over the years.)

You should see the same in your KDC and you should also be able to load and list the contents of your keytab (unless FreeIPA behaves the same as Active Directory, stashing this in the winbind, or whatever FreeIPA uses, cache.) Without adding host principals to your realm and saving a copy of those principals in that server's keytab you will never, even under MIT KRB5 or Heimdal KRB5, be able to log into those servers using a TGT.

Does FreeIPA also use its LDAP directory like Active Directory does? Because one cannot use MIT KRB5 natively with Active Directory, and if FreeIPA behaves the same then one would need to port the entire FreeIPA software stack to FreeBSD. Trying FreeIPA out on a Fedora box, its similarities with Active Directory are noticeable.
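The check the comment above asks the reporter to make by hand (does the server's keytab hold a host/ principal that the KDC also knows, at the same key version and with a usable enctype) can be scripted. The following Python is an added example written for this page; it is not code from the bug thread, from FreeBSD, or from FreeIPA. Every principal, KVNO and enctype in it is a constructed sample shaped like MIT `klist -ke` and `kadmin getprinc` output, not data from the reporter's or the commenter's systems, and the two regexes assume those output formats.

```python
import re
from typing import Dict, List, Set, Tuple

Key = Tuple[int, str]  # (kvno, enctype) as printed by klist / kadmin

# Enctypes that current MIT krb5 labels DEPRECATED in its own output.
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}

# Constructed sample of `klist -ke /etc/krb5.keytab` on the server being checked.
# host/slippy2 is one key version behind the KDC and host/slippy6 is missing entirely.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ftp/slippy.cwsent.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/slippy.cwsent.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
   3 host/slippy.cwsent.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 host/slippy.cwsent.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/slippy2.cwsent.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed sample of `kadmin getprinc` output for the same principals on the KDC.
SAMPLE_GETPRINC = {
    "host/slippy.cwsent.com@EXAMPLE.COM": """\
Principal: host/slippy.cwsent.com@EXAMPLE.COM
Number of keys: 3
Key: vno 3, DEPRECATED:arcfour-hmac
Key: vno 3, aes128-cts-hmac-sha1-96
Key: vno 3, aes256-cts-hmac-sha1-96
""",
    "host/slippy2.cwsent.com@EXAMPLE.COM": """\
Principal: host/slippy2.cwsent.com@EXAMPLE.COM
Number of keys: 1
Key: vno 4, aes256-cts-hmac-sha1-96
""",
    "host/slippy6.cwsent.com@EXAMPLE.COM": """\
Principal: host/slippy6.cwsent.com@EXAMPLE.COM
Number of keys: 1
Key: vno 3, aes256-cts-hmac-sha1-96
""",
}

# Assumed line shapes: "   3 host/x@REALM (enctype)" and "Key: vno 3, enctype".
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")
GETPRINC_KEY = re.compile(r"^Key: vno (\d+), (?:DEPRECATED:)?(\S+)\s*$")


def parse_keytab_listing(text: str) -> Dict[str, Set[Key]]:
    """Map each principal in a klist -ke listing to its (kvno, enctype) keys."""
    entries: Dict[str, Set[Key]] = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add((int(m.group(1)), m.group(3)))
    return entries


def parse_getprinc(text: str) -> Set[Key]:
    """Collect the (kvno, enctype) keys the KDC holds, from getprinc output."""
    return {
        (int(m.group(1)), m.group(2))
        for m in (GETPRINC_KEY.match(line) for line in text.splitlines())
        if m
    }


def check_host_principal(princ: str, keytab: Dict[str, Set[Key]], kdc_keys: Set[Key]) -> List[str]:
    """Return the problems that would stop TGT-based logins to this host."""
    local = keytab.get(princ, set())
    if not local:
        return [f"{princ}: not in keytab; add it on the KDC and export it (xst) to this host"]
    if not kdc_keys:
        return [f"{princ}: in keytab but unknown to the KDC"]
    problems: List[str] = []
    local_kvno, kdc_kvno = max(k for k, _ in local), max(k for k, _ in kdc_keys)
    if local_kvno < kdc_kvno:
        problems.append(f"{princ}: keytab kvno {local_kvno} is behind KDC kvno {kdc_kvno}; re-export the keytab")
    shared = local & kdc_keys  # keys the host can actually use to decrypt service tickets
    if not shared:
        problems.append(f"{princ}: no (kvno, enctype) in common with the KDC")
    elif all(enc in DEPRECATED_ENCTYPES for _, enc in shared):
        problems.append(f"{princ}: only deprecated enctypes in common with the KDC")
    return problems


def audit(keytab_text: str, getprinc_outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Check every host/ principal the KDC reports against the local keytab listing."""
    keytab = parse_keytab_listing(keytab_text)
    return {
        princ: check_host_principal(princ, keytab, parse_getprinc(out))
        for princ, out in getprinc_outputs.items()
        if princ.startswith("host/")
    }


if __name__ == "__main__":
    for princ, problems in audit(SAMPLE_KEYTAB_LISTING, SAMPLE_GETPRINC).items():
        print(princ, "OK" if not problems else "")
        for problem in problems:
            print("   ", problem)
```

On a real server the two inputs would come from `klist -ke` on the host and `getprinc` in kadmin on the KDC; the script only compares the two listings, it never touches key material. The KVNO comparison matters because a keytab exported before a later ank -randkey or a re-key on the KDC still lists the principal but can no longer decrypt the service tickets the KDC issues, which looks from the client side exactly like a missing principal.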