Bug 1727144 - adcli join fails with new krb5-libs; adcli needs to backport patches to only use permitted enctypes from upstream
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: adcli
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Sumit Bose
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F31BetaBlocker
 
Reported: 2019-07-04 16:05 UTC by Alessio
Modified: 2021-04-08 06:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-05 18:07:23 UTC
Type: Bug
Embargoed:



Description Alessio 2019-07-04 16:05:36 UTC
Preamble: I'm pretty new to sssd, realmd, AD, and so on.

While in F30 "sudo realm join TEST.LAN" works, in Rawhide I get:

$ sudo realm join TEST.LAN
Password for Administrator: 
See: journalctl REALMD_OPERATION=r92.1155
realm: Couldn't join realm: Failed to join the domain

In journalctl the error seems to be:

Jul 04 12:45:18 fetora realmd[1151]: adcli: 'code == 0' not true at _adcli_krb5_keytab_test_salt
Jul 04 12:45:18 fetora realmd[1151]:  ! Couldn't authenticate with keytab while discovering which salt to use: FEDORA$@TEST.LAN: Bad encryption type
Jul 04 12:45:18 fetora realmd[1151]:  ! Couldn't add keytab entries: FILE:/etc/krb5.keytab: Bad encryption type
Jul 04 12:45:18 fetora realmd[1151]: adcli: joining domain fgm.lan failed: Couldn't add keytab entries: FILE:/etc/krb5.keytab: Bad encryption type
Jul 04 12:45:18 fetora realmd[1151]:  ! Failed to join the domain

The content of file /etc/krb5.conf.d/crypto-policies is the same between F30 and Rawhide.

Comment 1 Adam Williamson 2019-07-04 16:57:27 UTC
This seems to be a violation of Basic criterion "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain." - https://fedoraproject.org/wiki/Basic_Release_Criteria#Remote_authentication

Comment 2 Jakub Hrozek 2019-07-05 08:32:01 UTC
Sumit, who maintains realmd, is on an extended vacation, so I'll try to keep this moving forward at least today; then I'm off for pretty much two weeks.

$ rpm -q adcli realmd krb5-libs
adcli-0.8.2-3.fc30.x86_64
realmd-0.16.3-19.fc30.x86_64
krb5-libs-1.17-14.fc30.x86_64

Everything works:
$ sudo realm leave win.trust.test
$ sudo realm join win.trust.test
Password for Administrator: 
$ id administrator.test
uid=1974600500(administrator.test) gid=1974600513(domain users.test) groups=1974600513(domain users.test),1974600572(denied rodc password replication group.test),1974600518(schema admins.test),1974600519(enterprise admins.test),1974600520(group policy creator owners.test),1974600512(domain admins.test)

And then upgrading only krb5-libs breaks things:
$ dnf --nogpgcheck --releasever=rawhide upgrade krb5-libs
$ sudo realm join win.trust.test                             
Password for Administrator: 
See: journalctl REALMD_OPERATION=r289.3373
realm: Couldn't join realm: Failed to join the domain

In the journald snippet I see:
Jul 05 10:22:20 adclient.win.trust.test realmd[3330]: adcli: 'code == 0' not true at _adcli_krb5_keytab_test_salt
Jul 05 10:22:20 adclient.win.trust.test realmd[3330]:  ! Couldn't authenticate with keytab while discovering which salt to use: ADCLIENT$@WIN.TRUST.TEST: Bad encryption type
Jul 05 10:22:20 adclient.win.trust.test realmd[3330]:  ! Couldn't add keytab entries: FILE:/etc/krb5.keytab: Bad encryption type

So I'm going to assume that this has to do with the 3DES removal that I see in the changelog of the recent krb5-libs versions. I'm really not familiar with the adcli code, but there is an array of permitted enctypes that also lists several DES variants, so I'm just going to try a hail mary patch and remove the DES pieces. I'm not sure if I can do more considering my vacation starts in 6.5 hours.

Comment 3 Jakub Hrozek 2019-07-05 09:24:40 UTC
Ah, it tur

Comment 4 Jakub Hrozek 2019-07-05 09:35:59 UTC
(Sorry, I started a comment earlier, then reassigned the bug to adcli which submitted the WIP comment..)

Ah, it turns out that Sumit was, as usual, ahead of everyone else :-) and the needed fixes were already upstream, so all it took was to backport them to the fedora packages.

Here is a PR:
https://src.fedoraproject.org/rpms/adcli/pull-request/1

Here is a test build:
https://copr.fedorainfracloud.org/coprs/jhrozek/adcli-krb5-enctypes/

If that works, I hope some provenpackager can build the package.

Comment 5 Alessio 2019-07-05 09:44:30 UTC
> Here is a test build:
> https://copr.fedorainfracloud.org/coprs/jhrozek/adcli-krb5-enctypes/

Installing this package, it works.

$ sudo realm join TEST.LAN
Password for Administrator:

$ sudo realm list
test.lan
  type: kerberos
  realm-name: TEST.LAN
  domain-name: test.lan
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins


Thanks!

Comment 6 Adam Williamson 2019-07-05 18:07:23 UTC
Did someone light the provenpackager lantern?!

https://koji.fedoraproject.org/koji/taskinfo?taskID=36061859

Comment 7 John 2021-04-08 06:05:47 UTC
Why am I now seeing this problem on EL8?

# rpm -q adcli realmd krb5-libs
adcli-0.8.2-7.el8.x86_64
realmd-0.16.3-19.el8.x86_64
krb5-libs-1.18.2-5.el8.x86_64

I got this when joining the realm:
   ! Couldn't authenticate with keytab while discovering which salt to use:
but then messages about adding keys to the keytab, so I was hoping the new keys would resolve that issue.
And the join to the domain seemed to work.

But after joining domain, sssd is not working:

2021-04-08 15:53:00): [be[blah.com]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Pre-authentication failed: Key table entry not found], expired on [0]

Apr 08 16:02:11 blah.com ldap_child[23330][23330]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Pre-authentication failed: Key table entry not found. Unable to create GSSAPI-encrypted LDAP connection.

Sick of this.

Comment 8 John 2021-04-08 06:07:00 UTC
And I'm seeing this on recently patched EL8.3, after having run:

update-crypto-policies --set LEGACY

Comment 9 John 2021-04-08 06:12:17 UTC
Hmm.

my krb5.conf had this, as this was required in the past:

 default_tgs_enctypes=arcfour-hmac
 default_tkt_enctypes=arcfour-hmac

But over the last 3 years, various old domain controllers have been removed, and it looks like this is no longer needed.

After removing those lines, sssd is happy again now.
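A check that covers both halves of this thread: the filtering Comments 2 and 4 describe (adcli handing krb5 a fixed enctype list that still carried DES names, which krb5-libs now rejects as "Bad encryption type"), and the default_tkt_enctypes / default_tgs_enctypes pin from Comment 9. This is an added example, not code from adcli, realmd or krb5. The candidate list, the permitted_enctypes contents and the `klist -ke` output are constructed stand-ins, and treating a pin that no keytab key can satisfy as the mechanism behind "Key table entry not found" is an interpretation of Comments 7 to 9, not something the thread states outright.

```python
"""Enctype audit for an AD join. Added example, not adcli/realmd/krb5 code."""
import re
from typing import Dict, List, Sequence, Set, Tuple

# Assumed stand-in for the adcli list Comment 2 describes: a fixed preference
# list that still carried DES entries. Order and contents are illustrative.
OLD_ADCLI_CANDIDATES = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                        "des3-cbc-sha1", "arcfour-hmac", "des-cbc-md5", "des-cbc-crc"]


def parse_libdefaults(conf: str) -> Dict[str, List[str]]:
    """key -> whitespace-separated tokens from [libdefaults]; '#' and ';' start comments."""
    out: Dict[str, List[str]] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            out[key] = value.split()
    return out


KLIST_KEY_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")  # "KVNO principal (enctype)"


def parse_klist_ke(text: str) -> Dict[str, Set[str]]:
    """principal -> set of enctypes present, from `klist -ke` output."""
    keys: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = KLIST_KEY_LINE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(m.group(3))
    return keys


def select_enctypes(candidates: Sequence[str], permitted: Set[str]) -> Tuple[List[str], List[str]]:
    """Shape of the fix from Comments 2 and 4: keep only candidates the library permits,
    in preference order, and report the rest. Passing a dropped name on to krb5 is
    what the join surfaced as 'Bad encryption type'."""
    kept = [e for e in candidates if e in permitted]
    dropped = [e for e in candidates if e not in permitted]
    return kept, dropped


def audit(conf: str, klist_out: str, candidates: Sequence[str] = OLD_ADCLI_CANDIDATES) -> List[str]:
    """Findings for one host: candidates the policy refuses, and tkt/tgs pins (Comment 9)
    that the policy refuses or that no key in the keytab can serve."""
    cfg = parse_libdefaults(conf)
    permitted = set(cfg.get("permitted_enctypes", []))
    keytab = parse_klist_ke(klist_out)
    findings: List[str] = []

    kept, dropped = select_enctypes(candidates, permitted)
    if dropped:
        findings.append("not in permitted_enctypes, filter before use: " + ", ".join(dropped))
    if not kept:
        findings.append("no candidate enctype is permitted; no keytab entry could be written")

    for pin in ("default_tkt_enctypes", "default_tgs_enctypes"):
        pinned = cfg.get(pin)
        if not pinned:
            continue
        usable = [e for e in pinned if e in permitted]
        if not usable:
            findings.append(f"{pin} = {' '.join(pinned)}: none permitted by crypto policy")
            continue
        for princ in sorted(keytab):
            if not set(usable) & keytab[princ]:
                findings.append(f"{pin} limits {princ} to {' '.join(usable)} but its keytab "
                                f"keys are {', '.join(sorted(keytab[princ]))}")
    return findings


# Constructed sample inputs (not taken from the report).
POLICY_DEFAULT = """
[libdefaults]
# illustrative stand-in for /etc/krb5.conf.d/crypto-policies on DEFAULT
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
"""
PIN_RC4 = "default_tgs_enctypes = arcfour-hmac\ndefault_tkt_enctypes = arcfour-hmac\n"
POLICY_DEFAULT_PINNED = POLICY_DEFAULT + PIN_RC4
# LEGACY-like variant: arcfour-hmac is permitted, so only the keytab can reject the pin
POLICY_LEGACY_PINNED = POLICY_DEFAULT.replace("camellia128-cts-cmac\n",
                                              "camellia128-cts-cmac arcfour-hmac\n") + PIN_RC4
KLIST_KE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 FEDORA$@TEST.LAN (aes256-cts-hmac-sha1-96)
   2 FEDORA$@TEST.LAN (aes128-cts-hmac-sha1-96)
   2 host/fedora.test.lan@TEST.LAN (aes256-cts-hmac-sha1-96)
   2 host/fedora.test.lan@TEST.LAN (aes128-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    for label, conf in (("DEFAULT", POLICY_DEFAULT), ("DEFAULT + RC4 pin", POLICY_DEFAULT_PINNED),
                        ("LEGACY + RC4 pin", POLICY_LEGACY_PINNED)):
        print(f"== {label}")
        for finding in audit(conf, KLIST_KE):
            print("  -", finding)
```

On a real host, feed audit() the concatenation of /etc/krb5.conf and the crypto-policies include it pulls in, plus the output of `klist -ke`; an empty result means every enctype the client may ask for is both permitted by the policy and backed by a key in the keytab.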

