
freeipa team mailing list archive

[Bug 1791325] Re: freeipa server needs read access /var/lib/krb5kdc


There was a discussion on the freeipa users list and Alexander Bokovoy was
kind enough to explain what was happening.

"We need access to the KDC's public certificate in case we are dealing
with a KDC certificate issued by a local certmonger (self-signed) which
is not trusted by the machine.

You can read https://www.freeipa.org/page/V4/Kerberos_PKINIT for
details. A short version is:
--------
When you install 4.5 with --no-pkinit, the installer will generate
self-signed certificate for PKINIT. This certificate is only used and
trusted by IPA Web UI running on the same server to obtain an anonymous
ticket.
--------

That anonymous PKINIT is required right now to enable two-factor
authentication login to web UI because since FreeIPA 4.5 we cannot use
HTTP service keytab anymore: FreeIPA framework lost access to the keytab
due to privilege separation work we did (read
https://vda.li/en/docs/freeipa-debug-privsep/ for details)

Since your KDC PKINIT certificate might be issued by a local self-signed
certmonger 'CA' in case you are not using integrated FreeIPA CA, we have
to be able to trust *that* public KDC certificate when running 'kinit
-n', thus we need access to it."

He also suggested that this should be changed in Ubuntu. If the directory
/var/lib/krb5kdc becomes readable (perhaps chmod 711) then it would solve
this issue.

The directory /var/lib/krb5kdc is part of the package krb5-kdc.

** Also affects: krb5 (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1791325

Title:
  freeipa server needs read access /var/lib/krb5kdc

Status in freeipa package in Ubuntu:
  New
Status in krb5 package in Ubuntu:
  New

Bug description:
  After installing freeipa-server you cannot log in via the browser. You'll get
  a message: "Login failed due to an unknown reason."

  In /var/log/apache2/error.log there is this:
  ---------------------8X-----------------8X------------------
  [Thu Sep 06 12:00:28.720410 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38596] ipa: INFO: [jsonserver_kerb] host/usrv1.ijtest.nl@xxxxxxxxx: schema(version=u'2.170'): SUCCESS
  [Thu Sep 06 12:01:00.010427 2018] [:warn] [pid 6140:tid 140076243191552] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest.nl@xxxxxxxxx)!, referer: https://usrv1.ijtest.nl/ipa/xml
  [Thu Sep 06 12:01:00.099271 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest.nl@xxxxxxxxx: ping(): SUCCESS
  [Thu Sep 06 12:01:00.101695 2018] [:warn] [pid 6140:tid 140076130498304] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest.nl@xxxxxxxxx)!, referer: https://usrv1.ijtest.nl/ipa/xml
  [Thu Sep 06 12:01:00.273013 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest.nl@xxxxxxxxx: ca_is_enabled(version=u'2.107'): SUCCESS
  [Thu Sep 06 12:01:02.805635 2018] [:warn] [pid 6140:tid 140076234798848] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest.nl@xxxxxxxxx)!, referer: https://usrv1.ijtest.nl/ipa/xml
  [Thu Sep 06 12:01:02.999541 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest.nl@xxxxxxxxx: host_mod(u'usrv1.ijtest.nl', ipasshpubkey=(), updatedns=False, version=u'2.26'): EmptyModlist
  [Thu Sep 06 13:02:22.125841 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] mod_wsgi (pid=6138): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
  [Thu Sep 06 13:02:22.125877 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] Traceback (most recent call last):
  [Thu Sep 06 13:02:22.125898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/share/ipa/wsgi.py", line 57, in application
  [Thu Sep 06 13:02:22.125961 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     return api.Backend.wsgi_dispatch(environ, start_response)
  [Thu Sep 06 13:02:22.125972 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 265, in __call__
  [Thu Sep 06 13:02:22.128833 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     return self.route(environ, start_response)
  [Thu Sep 06 13:02:22.128846 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 277, in route
  [Thu Sep 06 13:02:22.128860 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     return app(environ, start_response)
  [Thu Sep 06 13:02:22.128872 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 935, in __call__
  [Thu Sep 06 13:02:22.128881 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     self.kinit(user_principal, password, ipa_ccache_name)
  [Thu Sep 06 13:02:22.128886 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 971, in kinit
  [Thu Sep 06 13:02:22.128892 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
  [Thu Sep 06 13:02:22.128898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipalib/install/kinit.py", line 125, in kinit_armor
  [Thu Sep 06 13:02:22.133878 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     run(args, env=env, raiseonerr=True, capture_error=True)
  [Thu Sep 06 13:02:22.133892 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 572, in run
  [Thu Sep 06 13:02:22.138435 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     p.returncode, arg_string, output_log, error_log
  [Thu Sep 06 13:02:22.138488 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/var/run/ipa/ccaches/armor_6138', '-X', 'X509_anchors=FILE:/var/lib/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: "kinit: Pre-authentication failed: Cannot open file '/var/lib/krb5kdc/kdc.crt': Permission denied while getting initial credentials\\n")
  ---------------------8X-----------------8X------------------

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1791325/+subscriptions
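The traceback above fails on the read of /var/lib/krb5kdc/kdc.crt, and the proposed fix is to open up the directory (chmod 711) rather than the files inside it. The following added script (it is not FreeIPA, krb5 or Ubuntu packaging code) models the POSIX DAC rule that makes that work: every ancestor directory needs search (x) permission for the calling uid, and only the final file needs read (r). It runs against a constructed in-memory model of the paths from the kinit command, with www-data assumed to be uid 33 (the Debian/Ubuntu default) and a made-up kdc.key standing in for any private material that may sit beside kdc.crt, to show that 711 on the directory lets the web server reach the world-readable certificate while a 0600 file next to it stays unreadable.

```python
"""POSIX permission walk for the anchor files kinit -n opens.

Added illustration, not project code. The file system below is a constructed
in-memory model, so the script runs offline without touching a real KDC.
"""
import posixpath
import stat
from typing import Dict, Iterable, NamedTuple, Optional


class Inode(NamedTuple):
    uid: int       # owner
    gid: int       # group
    mode: int      # permission bits only, e.g. 0o711
    is_dir: bool


# Constructed model of the paths named in the failing kinit command.
# www-data is assumed to be uid 33; kdc.key is a hypothetical file name used
# only to show what chmod 711 on the directory does *not* expose.
WWW_DATA_UID = 33
FS_BEFORE: Dict[str, Inode] = {
    "/": Inode(0, 0, 0o755, True),
    "/var": Inode(0, 0, 0o755, True),
    "/var/lib": Inode(0, 0, 0o755, True),
    "/var/lib/krb5kdc": Inode(0, 0, 0o700, True),            # directory as reported
    "/var/lib/krb5kdc/kdc.crt": Inode(0, 0, 0o644, False),   # public certificate
    "/var/lib/krb5kdc/kdc.key": Inode(0, 0, 0o600, False),   # hypothetical private file
    "/var/lib/ipa-client": Inode(0, 0, 0o755, True),
    "/var/lib/ipa-client/pki": Inode(0, 0, 0o755, True),
    "/var/lib/ipa-client/pki/kdc-ca-bundle.pem": Inode(0, 0, 0o644, False),
}

# The two anchors passed with -X X509_anchors=FILE:... in the traceback.
ANCHORS = [
    "/var/lib/krb5kdc/kdc.crt",
    "/var/lib/ipa-client/pki/kdc-ca-bundle.pem",
]


def _permits(node: Inode, uid: int, gids: Iterable[int], which: str) -> bool:
    """True if uid (member of gids) may perform 'r', 'w' or 'x' on node."""
    if uid == 0:
        # root bypasses read/write DAC checks and directory search checks
        return True
    if uid == node.uid:
        bits = {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR}
    elif node.gid in set(gids):
        bits = {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP}
    else:
        bits = {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH}
    return bool(node.mode & bits[which])


def explain_denial(path: str, uid: int, gids: Iterable[int],
                   fs: Dict[str, Inode]) -> Optional[str]:
    """Return None if uid can open `path` for reading, else the first reason it cannot."""
    path = posixpath.normpath(path)
    parts = [p for p in path.split("/") if p]
    # Each ancestor directory, starting at "/", must grant search (x) permission.
    for i in range(len(parts)):
        ancestor = "/" + "/".join(parts[:i])
        node = fs.get(ancestor)
        if node is None or not node.is_dir:
            return f"{ancestor}: not a directory"
        if not _permits(node, uid, gids, "x"):
            return f"{ancestor}: search (x) permission denied"
    node = fs.get(path)
    if node is None:
        return f"{path}: no such file"
    if not _permits(node, uid, gids, "r"):
        return f"{path}: read permission denied"
    return None


def chmod(fs: Dict[str, Inode], path: str, mode: int) -> Dict[str, Inode]:
    """Return a copy of the model with `path` given new permission bits."""
    new = dict(fs)
    new[path] = fs[path]._replace(mode=mode)
    return new


def kinit_anchor_check(fs: Dict[str, Inode], uid: int,
                       gids: Iterable[int]) -> Dict[str, Optional[str]]:
    """Check every anchor file the way kinit -n must be able to read it."""
    return {a: explain_denial(a, uid, gids, fs) for a in ANCHORS}


if __name__ == "__main__":
    fs_after = chmod(FS_BEFORE, "/var/lib/krb5kdc", 0o711)   # the proposed fix
    me = [WWW_DATA_UID]
    for label, fs in (("before", FS_BEFORE), ("after chmod 711", fs_after)):
        for anchor, why in kinit_anchor_check(fs, WWW_DATA_UID, me).items():
            print(f"{label}: {anchor}: {why or 'readable'}")
    print("kdc.key after chmod 711:",
          explain_denial("/var/lib/krb5kdc/kdc.key", WWW_DATA_UID, me, fs_after))
```

The model reproduces the reported failure (search permission denied on /var/lib/krb5kdc) and shows why 0711 is the minimal change: it grants traversal without listing, and anything in the directory that is not world-readable remains unreadable to the web server, so the directory change does not widen access to private key material kept at 0600.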

