freeipa server needs read access /var/lib/krb5kdc

Bug #1791325 reported by Kees Bakker
Affects           Status   Importance   Assigned to   Milestone
freeipa (Ubuntu)  New      Undecided    Unassigned
krb5 (Ubuntu)     New      Undecided    Unassigned

Bug Description

After installing freeipa-server you cannot login via the browser. You'll get
a message: "Login failed due to an unknown reason."

In /var/log/apache2/error.log there is this:
---------------------8X-----------------8X------------------
[Thu Sep 06 12:00:28.720410 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38596] ipa: INFO: [jsonserver_kerb] <email address hidden>: schema(version=u'2.170'): SUCCESS
[Thu Sep 06 12:01:00.010427 2018] [:warn] [pid 6140:tid 140076243191552] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~<email address hidden>)!, referer: https://usrv1.ijtest.nl/ipa/xml
[Thu Sep 06 12:01:00.099271 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] <email address hidden>: ping(): SUCCESS
[Thu Sep 06 12:01:00.101695 2018] [:warn] [pid 6140:tid 140076130498304] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~<email address hidden>)!, referer: https://usrv1.ijtest.nl/ipa/xml
[Thu Sep 06 12:01:00.273013 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] <email address hidden>: ca_is_enabled(version=u'2.107'): SUCCESS
[Thu Sep 06 12:01:02.805635 2018] [:warn] [pid 6140:tid 140076234798848] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~<email address hidden>)!, referer: https://usrv1.ijtest.nl/ipa/xml
[Thu Sep 06 12:01:02.999541 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] <email address hidden>: host_mod(u'usrv1.ijtest.nl', ipasshpubkey=(), updatedns=False, version=u'2.26'): EmptyModlist
[Thu Sep 06 13:02:22.125841 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] mod_wsgi (pid=6138): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Thu Sep 06 13:02:22.125877 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] Traceback (most recent call last):
[Thu Sep 06 13:02:22.125898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/share/ipa/wsgi.py", line 57, in application
[Thu Sep 06 13:02:22.125961 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return api.Backend.wsgi_dispatch(environ, start_response)
[Thu Sep 06 13:02:22.125972 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 265, in __call__
[Thu Sep 06 13:02:22.128833 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return self.route(environ, start_response)
[Thu Sep 06 13:02:22.128846 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 277, in route
[Thu Sep 06 13:02:22.128860 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return app(environ, start_response)
[Thu Sep 06 13:02:22.128872 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 935, in __call__
[Thu Sep 06 13:02:22.128881 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] self.kinit(user_principal, password, ipa_ccache_name)
[Thu Sep 06 13:02:22.128886 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 971, in kinit
[Thu Sep 06 13:02:22.128892 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Thu Sep 06 13:02:22.128898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipalib/install/kinit.py", line 125, in kinit_armor
[Thu Sep 06 13:02:22.133878 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] run(args, env=env, raiseonerr=True, capture_error=True)
[Thu Sep 06 13:02:22.133892 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 572, in run
[Thu Sep 06 13:02:22.138435 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] p.returncode, arg_string, output_log, error_log
[Thu Sep 06 13:02:22.138488 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/var/run/ipa/ccaches/armor_6138', '-X', 'X509_anchors=FILE:/var/lib/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: "kinit: Pre-authentication failed: Cannot open file '/var/lib/krb5kdc/kdc.crt': Permission denied while getting initial credentials\\n")
---------------------8X-----------------8X------------------

Revision history for this message
Kees Bakker (keestux) wrote :

There was a discussion on the freeipa users list and Alexander Bokovoy was
kind enough to explain what was happening.

"We need access to the KDC's public certificate in case we are dealing
with a KDC certificate issued by a local certmonger (self-signed) which
is not trusted by the machine.

You can read https://www.freeipa.org/page/V4/Kerberos_PKINIT for
details. A short version is:
--------
When you install 4.5 with --no-pkinit, the installer will generate
self-signed certificate for PKINIT. This certificate is only used and
trusted by IPA Web UI running on the same server to obtain an anonymous
ticket.
--------

That anonymous PKINIT is required right now to enable two-factor
authentication login to web UI because since FreeIPA 4.5 we cannot use
HTTP service keytab anymore: FreeIPA framework lost access to the keytab
due to privilege separation work we did (read
https://vda.li/en/docs/freeipa-debug-privsep/ for details)

Since your KDC PKINIT certificate might be issued by a local self-signed
certmonger 'CA' in case you are not using integrated FreeIPA CA, we have
to be able to trust *that* public KDC certificate when running 'kinit
-n', thus we need access to it. "

He also suggested that this should be changed in Ubuntu. If the directory
/var/lib/krb5kdc becomes readable (perhaps chmod 711) then it would solve
this issue.

The directory /var/lib/krb5kdc is part of the package krb5-kdc.

Revision history for this message
Russ Allbery (rra-debian) wrote : Re: [Bug 1791325] Re: freeipa server needs read access /var/lib/krb5kdc

keestux <email address hidden> writes:

> That anonymous PKINIT is required right now to enable two-factor
> authentication login to web UI because since FreeIPA 4.5 we cannot use
> HTTP service keytab anymore: FreeIPA framework lost access to the keytab
> due to privilege separation work we did (read
> https://vda.li/en/docs/freeipa-debug-privsep/ for details)

> Since your KDC PKINIT certificate might be issued by a local self-signed
> certmonger 'CA' in case you are not using integrated FreeIPA CA, we have
> to be able to trust *that* public KDC certificate when running 'kinit
> -n', thus we need access to it. "

> He also suggested that this should be changed in Ubuntu. If the directory
> /var/lib/krb5kdc becomes readable (perhaps chmod 711) then it would solve
> this issue.

It seems rather ironic that privilege separation leads to a request to
grant FreeIPA access to (admittedly only the directory of) the single most
sensitive and security-critical component of the entire Kerberos
infrastructure.

I think there should be some other way of solving this. The public KDC
certificate is, well, public, so maybe don't put it in /var/lib/krb5kdc,
which is not? (I always put mine in /etc/krb5kdc.)

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>

Revision history for this message
Sam Hartman (hartmans) wrote :

I agree with Russ.
On the Debian side, I would not support a change to krb5-kdc to make
/var/lib/krb5kdc world readable.
I think putting the public cert in /etc/krb5kdc is fine: I can make a
case it's configuration not state.
If you don't like that, place it somewhere else under /var/lib.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

This has already been fixed on freeipa git to use another path for these (/var/lib/ipa/certs/)
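Added example, not code from FreeIPA, krb5 or anyone in this thread: a small Python model of the POSIX permission walk behind the "Permission denied" in the kinit traceback above, used to compare the two fixes discussed, Kees's chmod 711 on /var/lib/krb5kdc and the relocation of the public cert that Sam and Timo describe. The sample filesystem table, uid 33 for the Apache worker, the database file name "principal" and the exact file name under /var/lib/ipa/certs/ are assumptions for the model, not measurements from a real Ubuntu host; only /var/lib/krb5kdc/kdc.crt is taken from the kinit command in the log.

```python
"""Model of the POSIX access check that makes kinit -n fail on kdc.crt.

Added example, not FreeIPA or krb5 code. Every path, owner and mode in the
table below is a constructed assumption chosen to mirror the bug report.
"""
import os
from typing import Dict, FrozenSet, Tuple

Entry = Tuple[int, int, int]   # (uid, gid, mode)
FS = Dict[str, Entry]

ROOT, APACHE = 0, 33           # assumed ids for the model only
KDC_DIR = "/var/lib/krb5kdc"
KDC_CERT = KDC_DIR + "/kdc.crt"            # X509_anchors path from the traceback
KDC_DB = KDC_DIR + "/principal"            # assumed name of the KDC database file
NEW_CERT = "/var/lib/ipa/certs/kdc.crt"    # assumed file name under the path Timo mentions

# Constructed sample filesystem reproducing the bug: the state dir is 0700 root:root.
FS_BUG: FS = {
    "/": (ROOT, ROOT, 0o755),
    "/var": (ROOT, ROOT, 0o755),
    "/var/lib": (ROOT, ROOT, 0o755),
    KDC_DIR: (ROOT, ROOT, 0o700),
    KDC_CERT: (ROOT, ROOT, 0o644),
    KDC_DB: (ROOT, ROOT, 0o600),
}

R, X = 4, 1  # bits within one rwx triple


def _has(entry: Entry, uid: int, gids: FrozenSet[int], bit: int) -> bool:
    """POSIX class selection: owner triple if uid matches, else group, else other.
    Root overrides DAC for r and x on directories, which is all this model checks."""
    owner, group, mode = entry
    if uid == 0:
        return True
    shift = 6 if uid == owner else 3 if group in gids else 0
    return bool((mode >> shift) & bit)


def _search_parents(fs: FS, path: str, uid: int, gids: FrozenSet[int]) -> bool:
    """Every directory above `path` must grant x (search) before the leaf is reachable."""
    cur = "/"
    for part in [p for p in path.split("/") if p]:
        if cur not in fs or not _has(fs[cur], uid, gids, X):
            return False
        cur = os.path.join(cur, part)
    return cur in fs


def can_read(fs: FS, path: str, uid: int, gids: FrozenSet[int] = frozenset()) -> bool:
    """Can uid open `path` for reading: x on all parents, then r on the leaf."""
    return _search_parents(fs, path, uid, gids) and _has(fs[path], uid, gids, R)


def can_list(fs: FS, directory: str, uid: int, gids: FrozenSet[int] = frozenset()) -> bool:
    """Listing needs r on the directory; x alone allows traversal by exact name only."""
    return can_read(fs, directory, uid, gids)


def chmod(fs: FS, path: str, mode: int) -> FS:
    """Copy of fs with `path` re-moded (models the 'chmod 711' suggestion)."""
    new = dict(fs)
    owner, group, _ = new[path]
    new[path] = (owner, group, mode)
    return new


def move_cert_out(fs: FS) -> FS:
    """Copy of fs with the public cert relocated to a world-readable tree,
    leaving /var/lib/krb5kdc untouched at 0700."""
    new = {p: e for p, e in fs.items() if p != KDC_CERT}
    new["/var/lib/ipa"] = (ROOT, ROOT, 0o755)
    new["/var/lib/ipa/certs"] = (ROOT, ROOT, 0o755)
    new[NEW_CERT] = (ROOT, ROOT, 0o644)
    return new


def scenarios() -> Dict[str, Dict[str, bool]]:
    """What the Apache worker (uid 33, no extra groups) can do in each layout."""
    out: Dict[str, Dict[str, bool]] = {}
    for label, fs, cert in (
        ("bug: dir 0700", FS_BUG, KDC_CERT),
        ("chmod 711 dir", chmod(FS_BUG, KDC_DIR, 0o711), KDC_CERT),
        ("cert moved", move_cert_out(FS_BUG), NEW_CERT),
    ):
        out[label] = {
            "read_cert": can_read(fs, cert, APACHE),
            "read_kdc_db": can_read(fs, KDC_DB, APACHE),
            "list_kdc_dir": can_list(fs, KDC_DIR, APACHE),
            "traverse_kdc_dir": _search_parents(fs, KDC_DB, APACHE, frozenset()),
        }
    return out


if __name__ == "__main__":
    for label, res in scenarios().items():
        print(f"{label:14} {res}")
```

The point the model makes is the one Russ raises: with the directory at 711 the web worker cannot list /var/lib/krb5kdc and still cannot open a 0600 database, but it can now traverse into the KDC's state directory, so any file that later lands there with a looser mode is exposed to the unprivileged service. Relocating the cert gives kinit -n its anchor while the directory stays 0700 and unreachable.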
