[Freeipa-users] Re: kadmin principal for an IPA master, but not for slave.

Thursday, 22 August 2019

On 8/22/2019 2:46 AM, Alexander Bokovoy via FreeIPA-users wrote:
...
 On ke, 21 elo 2019, TomK via FreeIPA-users wrote:
> Hey All,
>
> The primary master I have has the kadmin principal for it:
>
> kadmin/ipa03.mws.mds.xyz(a)MWS.MDS.XYZ
>
> The slave (idmipa04) doesn't have a corresponding kadmin/... principal 
> entry.  Can't find these principals in the UI.

 It is only created on the first master because it is part of the process
 that is run within 'kdb5_util create'. This process is not run on
 replica deployment because we already have all the needed master keys
 and the database layout.

 We don't really use KADMIN protocol over network in FreeIPA, so this
 principal is rather unutilized.

> 1) Should the slave installer have created the slave kadmin/... 
> principal?
> 2) If I wanted to create one, should the pass be any random string or 
> something specific?
> 3) Are there specific IPA commands to create the kadmin/... principals 
> with?

 What do you need it for? What operations do you miss from FreeIPA
 CLI/API? 
I'm getting the following on the IPA KDC that I'm tying to a VIP. The 
VIP is handled by HAproxy and is meant to provide redundancy in case of 
failure in a single IPA node without having to reconfigure servers for a 
new IP:

[root@idmipa03 ~]# tail -f /var/log/krb5kdc.log
Aug 21 22:36:14 idmipa03.mws.mds.xyz krb5kdc[5618](info): closing down fd 11
Aug 21 22:36:14 idmipa03.mws.mds.xyz krb5kdc[5618](info): TGS_REQ (8 
etypes {18 17 20 19 16 23 25 26}) 192.168.0.154: ISSUE: authtime 
1566441372, etypes {rep=18 tkt=18 ses=18}, 
HTTP/idmipa03.mws.mds.xyz(a)MWS.MDS.XYZ for 
ldap/idmipa03.mws.mds.xyz(a)MWS.MDS.XYZ
Aug 21 22:36:14 idmipa03.mws.mds.xyz krb5kdc[5618](info): ... 
CONSTRAINED-DELEGATION s4u-client=cmadmin-530029b6(a)MWS.MDS.XYZ
Aug 21 22:36:14 idmipa03.mws.mds.xyz krb5kdc[5618](info): closing down fd 11
Aug 21 22:36:16 idmipa03.mws.mds.xyz krb5kdc[5619](info): AS_REQ (8 
etypes {18 17 20 19 16 23 25 26}) 192.168.0.134: SERVER_NOT_FOUND: 
cmadmin-530029b6(a)MWS.MDS.XYZ for 
kadmin/idmipa04.mws.mds.xyz(a)MWS.MDS.XYZ, Server not found in Kerberos 
database
Aug 21 22:36:16 idmipa03.mws.mds.xyz krb5kdc[5619](info): closing down fd 11
Aug 21 22:36:16 idmipa03.mws.mds.xyz krb5kdc[5616](info): AS_REQ (8 
etypes {18 17 20 19 16 23 25 26}) 192.168.0.134: NEEDED_PREAUTH: 
cmadmin-530029b6(a)MWS.MDS.XYZ for kadmin/admin(a)MWS.MDS.XYZ, Additional 
pre-authentication required
Aug 21 22:36:16 idmipa03.mws.mds.xyz krb5kdc[5616](info): closing down fd 11
Aug 21 22:36:16 idmipa03.mws.mds.xyz krb5kdc[5619](info): AS_REQ (8 
etypes {18 17 20 19 16 23 25 26}) 192.168.0.134: ISSUE: authtime 
1566441376, etypes {rep=18 tkt=18 ses=18}, cmadmin-530029b6(a)MWS.MDS.XYZ 
for kadmin/admin(a)MWS.MDS.XYZ
Aug 21 22:36:16 idmipa03.mws.mds.xyz krb5kdc[5619](info): closing down fd 11
Aug 21 22:38:20 idmipa03.mws.mds.xyz krb5kdc[5617](info): AS_REQ (8 
etypes {18 17 20 19 16 23 25 26}) 192.168.0.134: NEEDED_PREAUTH: 
cmadmin-530029b6(a)MWS.MDS.XYZ for krbtgt/MWS.MDS.XYZ(a)MWS.MDS.XYZ, 
Additional pre-authentication required
Aug 21 22:38:20 idmipa03.mws.mds.xyz krb5kdc[5617](info): closing down fd 11
Aug 21 22:38:20 idmipa03.mws.mds.xyz krb5kdc[5618](info): AS_REQ (8 
etypes {18 17 20 19 16 23 25 26}) 192.168.0.134: ISSUE: authtime 
1566441500, etypes {rep=18 tkt=18 ses=18}, cmadmin-530029b6(a)MWS.MDS.XYZ 
for krbtgt/MWS.MDS.XYZ(a)MWS.MDS.XYZ
Aug 21 22:38:20 idmipa03.mws.mds.xyz krb5kdc[5618](info): closing down fd 11
Aug 21 22:38:21 idmipa03.mws.mds.xyz krb5kdc[5619](info): TGS_REQ (8 
etypes {18 17 20 19 16 23 25 26}) 192.168.0.134: ISSUE: authtime 
1566441500, etypes {rep=18 tkt=18 ses=18}, cmadmin-530029b6(a)MWS.MDS.XYZ 
for HTTP/idmipa03.mws.mds.xyz(a)MWS.MDS.XYZ
Aug 21 22:38:21 idmipa03.mws.mds.xyz krb5kdc[5619](info): closing down fd 11
Aug 21 22:38:21 idmipa03.mws.mds.xyz krb5kdc[5619](info): TGS_REQ (8 
etypes {18 17 20 19 16 23 25 26}) 192.168.0.154: ISSUE: authtime 
1566441500, etypes {rep=18 tkt=18 ses=18}, 
HTTP/idmipa03.mws.mds.xyz(a)MWS.MDS.XYZ for 
ldap/idmipa03.mws.mds.xyz(a)MWS.MDS.XYZ
Aug 21 22:38:21 idmipa03.mws.mds.xyz krb5kdc[5619](info): ... 
CONSTRAINED-DELEGATION s4u-client=cmadmin-530029b6(a)MWS.MDS.XYZ
Aug 21 22:38:21 idmipa03.mws.mds.xyz krb5kdc[5619](info): closing down fd 11
Aug 21 22:38:21 idmipa03.mws.mds.xyz krb5kdc[5619](info): TGS_REQ (8 
etypes {18 17 20 19 16 23 25 26}) 192.168.0.154: ISSUE: authtime 
1566441500, etypes {rep=18 tkt=18 ses=18}, 
HTTP/idmipa03.mws.mds.xyz(a)MWS.MDS.XYZ for 
ldap/idmipa03.mws.mds.xyz(a)MWS.MDS.XYZ
Aug 21 22:38:21 idmipa03.mws.mds.xyz krb5kdc[5619](info): ... 
CONSTRAINED-DELEGATION s4u-client=cmadmin-530029b6(a)MWS.MDS.XYZ
Aug 21 22:38:21 idmipa03.mws.mds.xyz krb5kdc[5619](info): closing down fd 11

The message that appears in the client is:

+ kadmin -k -t /tmp/cmf9215806201763456498.keytab -p 
cmadmin-530029b6(a)MWS.MDS.XYZ -r MWS.MDS.XYZ -q 'modprinc -maxrenewlife 
"432000 sec" hue/cm-r01en02.mws.mds.xyz(a)MWS.MDS.XYZ&#39;
kadmin: Communication failure with server while initializing kadmin 
interface

(Sorry, I don't have better timestamps off the client)

I haven't fully investigated this so some assumptions are present 
however, if my interpretation is on target, the command fails because 
the VIP invariably points to the secondary node where the kadmin/.... 
principal doesn't exist (Hence the message.)

I'm simply running a keepalived between the nodes, (No HAproxy).  Since 
services bind on any interface on either host, I don't really need 
anything like HAproxy for now.

Still, on multiple attempts to use the KDC, the client will eventually 
hit the secondary node ( idmipa04 ) and therefore apparently hit that 
snag (My interpretation of what I see at least).  The credentials I give 
to this application include admin(a)MWS.MDS.XYZ .

...

 KADMIN protocol isn't really useful in FreeIPA case. KADMIN doesn't have
 proper access controls since all operations there are still done under
 super-privileged identity when the request comes to KDB layer rather
 than the original requester identity. It is, thus, not possible to
 re-bind to LDAP from KDB driver as the original requester to make sure
 LDAP server enforces proper access controls per each entry.

 kadmin daemon has own static definition, kadm5.acl, for access control.
 However, it is useless for the dynamic multi-master environments like
 FreeIPA.

-- 
Thx,
TK.

2024

2023

2022

2021

2020

2019

2018

2017

[Freeipa-users] Re: kadmin principal for an IPA master, but not for slave.