• [EXT] 'HANDLE_AUTHDATA' error when trying to setup Kerberos trust b

    From Robert Sturrock@21:1/5 to Dmitri Pal on Tue Jun 16 01:48:29 2020
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    Hi Dmitri,

    Sorry - I did not give all the background in the interests of brevity. We do not want to establish a full trust between AD and IPA (at this stage). This is for a number of reasons, but is primarily a reluctance to bring a very large and entirely irrelevant set of AD groups across to IPA-enrolled hosts.

    The IPA installation is running in a ‘winsync’ arrangement with AD, but as a convenience for the users it would be useful if a TGT from AD were sufficient to access services in the IPA realm, to save them having to ‘kinit’ to another kerberos realm.

    So I’m interested in establishing a trust at the Kerberos level only. We have done this successfully between a legacy MIT kerberos service and IPA, so I hoped we could also set one up between AD and IPA, before running into the error I described.

    Any clues as to what the reason for the ‘HANDLE_AUTHDATA’ error might be?

    Regards,

    Robert.


    On 15 Jun 2020, at 11:00 pm, Dmitri Pal <dpal@redhat.com> wrote:



    On Mon, Jun 15, 2020 at 2:39 AM Robert Sturrock <rns@unimelb.edu.au> wrote:

    Hi All,

    I’m trying to create a (one-way) Kerberos trust between AD and a FreeIPA installation, such that user TGTs from AD can be used to access resources in the IPA realm.

    I followed some (non-IPA related) steps for setting up Kerberos trusts between AD and MIT Kerberos - essentially creating a common TGT principal in both systems with a common password. This works to a point (ie. I can get the TGT for IPA using the AD TGT), but when I try to fetch a service ticket in the IPA domain I get a ‘HANDLE_AUTHDATA’ error.

    Was there any reason not to follow IPA steps for setting trusts?
    They are very straightforward. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management



    Here is what I’m seeing:

    (AD domain = ‘STAFF.LOCALREALM’; IPA domain = ‘PALLAS.LOCALREALM’)

    # Get AD TGT:
    Password for rns@STAFF.LOCALREALM: XXXXXXXXX

    $ klist
    Ticket cache: KEYRING:persistent:10846:10846
    Default principal: rns@STAFF.LOCALREALM

    Valid starting       Expires              Service principal
    11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
        renew until 12/06/20 13:34:18

    # Use AD TGT to get an IPA TGT:
    $ kvno krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
    krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM: kvno = 0

    $ klist
    Ticket cache: KEYRING:persistent:10846:10846
    Default principal: rns@STAFF.LOCALREALM

    Valid starting       Expires              Service principal
    11/06/20 13:34:24    11/06/20 23:34:19    krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
        renew until 12/06/20 13:34:18
    11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
        renew until 12/06/20 13:34:18

    # Try to fetch an IPA service ticket:
    $ kvno host/palladium1.localdomain@PALLAS.LOCALREALM
    kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/palladium1.localdomain@PALLAS.LOCALREALM

    Can anyone provide some idea as to what’s going on here and how I resolve this? I don’t really know what ‘HANDLE_AUTHDATA’ indicates and I’m not able to find a lot of documentation explaining this.

    Thanks!

    Robert.

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos


    --
    Thank you,
    Dmitri Pal
    Director, Software Engineering
    Red Hat Enterprise Linux Platform Security and Identity Management dpal@redhat.com


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Robbie Harwood@21:1/5 to Robert Sturrock on Tue Jun 16 07:06:39 2020
    To: dpal@redhat.com (Dmitri Pal)
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    Robert Sturrock <rns@unimelb.edu.au> writes:

    Hi Dmitri,

    Sorry - I did not give all the background in the interests of brevity.
    We do not want to establish a full trust between AD and IPA (at this
    stage). This is for a number of reasons, but is primarily a
    reluctance to bring a very large and entirely irrelevant set of AD
    groups across to IPA-enrolled hosts.

    The IPA installation is running in a ‘winsync’ arrangement with AD,
    but as a convenience for the users it would be useful if a TGT from AD
    were sufficient to access services in the IPA realm, to save them
    having to ‘kinit’ to another kerberos realm.

    So I’m interested in establishing a trust at the Kerberos level only.
    We have done this successfully between a legacy MIT kerberos service
    and IPA, so I hoped we could also set one up between AD and IPA,
    before running into the error I described.

    Any clues as to what the reason for the ‘HANDLE_AUTHDATA’ error might be?

    For context, the full error is:

    kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/palladium1.localdomain@PALLAS.LOCALREALM

    Anyway, first step is to check the KDC logs (since that's who generated
    the error) - there's possibly more information there.

    Thanks,
    --Robbie


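Robbie's advice above is to read the KDC's own log, because the `HANDLE_AUTHDATA` string the client prints is only the status the KDC recorded for that TGS request. The following is an added example, not code from the thread or from MIT krb5/FreeIPA: a small Python triage script that picks the TGS request lines out of an MIT-style krb5kdc log, separates refused requests from issued ones, and flags the refused requests whose client principal lives in a different realm than the service (that is, clients that arrived on a cross-realm TGT rather than a local account), together with the `krbtgt/<service-realm>@<client-realm>` principal such a client must have presented. The log lines in `SAMPLE_KDC_LOG` are constructed for the example and only approximate the shape of MIT KDC request logging; the regular expression `TGS_RE` encodes that assumed shape and is the one thing to adjust if your KDC's output differs.

```python
"""Triage MIT-style KDC request-log lines for refused cross-realm TGS requests.

Added example for this thread, not code from the original post or from
MIT krb5/FreeIPA. Assumption: request lines look roughly like
  "TGS_REQ (<etypes>) <ip>: <STATUS>: authtime <n>, [etypes {...}, ]
   <client> for <server>[, <message>]"
Real KDC output can differ; adjust TGS_RE if yours does.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (not real log data). They mirror the thread's
# realms: a local IPA user is issued a ticket, the AD user's cross-realm
# request is refused with the HANDLE_AUTHDATA status the poster saw.
SAMPLE_KDC_LOG = """\
Jun 11 13:30:02 palladium1 krb5kdc[2057](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.7: ISSUE: authtime 1591846202, etypes {rep=18 tkt=18 ses=18}, alice@PALLAS.LOCALREALM for host/palladium1.localdomain@PALLAS.LOCALREALM
Jun 11 13:34:31 palladium1 krb5kdc[2057](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.5: HANDLE_AUTHDATA: authtime 1591846459, rns@STAFF.LOCALREALM for host/palladium1.localdomain@PALLAS.LOCALREALM
Jun 11 13:34:31 palladium1 krb5kdc[2057](info): closing down fd 12
"""

# Assumed line shape (see module docstring); the "etypes {...}," group only
# appears on issued tickets, the trailing message only on refusals.
TGS_RE = re.compile(
    r"TGS_REQ \((?P<etypes>[^)]*)\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"authtime (?P<authtime>\d+), (?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<msg>.*))?$"
)


@dataclass
class TgsEvent:
    status: str
    client: str
    server: str
    authtime: int
    message: Optional[str]

    @property
    def client_realm(self) -> str:
        return self.client.rsplit("@", 1)[1]

    @property
    def server_realm(self) -> str:
        return self.server.rsplit("@", 1)[1]

    @property
    def cross_realm(self) -> bool:
        # A client whose realm differs from the service realm reached this
        # KDC on a cross-realm TGT, i.e. through a trust, not a local account.
        return self.client_realm != self.server_realm

    @property
    def issued(self) -> bool:
        return self.status == "ISSUE"


def cross_realm_tgt(client_realm: str, service_realm: str) -> str:
    """Cross-realm TGT a client of client_realm needs to reach service_realm.

    This is the principal whose key must match on both KDCs; it is what the
    'kvno krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM' step in the thread fetched.
    """
    return f"krbtgt/{service_realm}@{client_realm}"


def parse_tgs_line(line: str) -> Optional[TgsEvent]:
    """Return a TgsEvent for a TGS_REQ log line, None for any other line."""
    m = TGS_RE.search(line)
    if not m:
        return None
    return TgsEvent(status=m["status"], client=m["client"], server=m["server"],
                    authtime=int(m["authtime"]), message=m["msg"])


def triage(log_text: str) -> List[TgsEvent]:
    """Return the TGS requests the KDC refused, cross-realm clients first."""
    events = [e for e in map(parse_tgs_line, log_text.splitlines()) if e]
    failures = [e for e in events if not e.issued]
    return sorted(failures, key=lambda e: not e.cross_realm)


def describe(event: TgsEvent) -> str:
    """One-line hint for the operator reading the triage output."""
    if event.cross_realm:
        tgt = cross_realm_tgt(event.client_realm, event.server_realm)
        return (f"{event.status}: {event.client} -> {event.server}, client came "
                f"in via {tgt}; this KDC holds no entry for the client, so look "
                f"at the surrounding KDC log lines for what it tried to fetch")
    return f"{event.status}: {event.client} -> {event.server} (local client)"


if __name__ == "__main__":
    for ev in triage(SAMPLE_KDC_LOG):
        print(describe(ev))
```

Run it against a real `krb5kdc.log` by replacing `SAMPLE_KDC_LOG` with the file's contents; the lines immediately before a refused `TGS_REQ` entry are where the KDC usually explains itself, which is why `describe` points back at them rather than guessing at a cause.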
  • From Dmitri Pal@21:1/5 to Robert Sturrock on Mon Jun 15 22:20:44 2020
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    On Mon, Jun 15, 2020 at 9:49 PM Robert Sturrock <rns@unimelb.edu.au> wrote:

    Hi Dmitri,

    Sorry - I did not give all the background in the interests of brevity. We do not want to establish a full trust between AD and IPA (at this stage). This is for a number of reasons, but is primarily a reluctance to bring a very large and entirely irrelevant set of AD groups across to IPA-enrolled hosts.

    The IPA installation is running in a ‘winsync’ arrangement with AD, but as a convenience for the users it would be useful if a TGT from AD were sufficient to access services in the IPA realm, to save them having to ‘kinit’ to another kerberos realm.

    So I’m interested in establishing a trust at the Kerberos level only. We have done this successfully between a legacy MIT kerberos service and IPA, so I hoped we could also set one up between AD and IPA, before running into the error I described.

    Any clues as to what the reason for the ‘HANDLE_AUTHDATA’ error might be?


    Thanks for the explanation.
    I suspect that IdM does not know anything about the principal you are using and thus fails to fetch/process authorization data that it needs to put into the ticket. But this is my pure speculation based on a general understanding of the IPA architecture.
    You might get better help on the freeipa-users list but frankly I am not sure anyone tried or would recommend such a setup there. You are crossing uncharted territory for sure.

    Thanks
    Dmitri




    Regards,

    Robert.


    On 15 Jun 2020, at 11:00 pm, Dmitri Pal <dpal@redhat.com> wrote:



    On Mon, Jun 15, 2020 at 2:39 AM Robert Sturrock <rns@unimelb.edu.au> wrote:

    Hi All,

    I’m trying to create a (one-way) Kerberos trust between AD and a FreeIPA installation, such that user TGTs from AD can be used to access resources in the IPA realm.

    I followed some (non-IPA related) steps for setting up Kerberos trusts between AD and MIT Kerberos - essentially creating a common TGT principal in both systems with a common password. This works to a point (ie. I can get the TGT for IPA using the AD TGT), but when I try to fetch a service ticket in the IPA domain I get a ‘HANDLE_AUTHDATA’ error.

    Was there any reason not to follow IPA steps for setting trusts?
    They are very straightforward.

    https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management



    Here is what I’m seeing:

    (AD domain = ‘STAFF.LOCALREALM’; IPA domain = ‘PALLAS.LOCALREALM’)

    # Get AD TGT:
    Password for rns@STAFF.LOCALREALM: XXXXXXXXX

    $ klist
    Ticket cache: KEYRING:persistent:10846:10846
    Default principal: rns@STAFF.LOCALREALM

    Valid starting       Expires              Service principal
    11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
        renew until 12/06/20 13:34:18

    # Use AD TGT to get an IPA TGT:
    $ kvno krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
    krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM: kvno = 0

    $ klist
    Ticket cache: KEYRING:persistent:10846:10846
    Default principal: rns@STAFF.LOCALREALM

    Valid starting       Expires              Service principal
    11/06/20 13:34:24    11/06/20 23:34:19    krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
        renew until 12/06/20 13:34:18
    11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
        renew until 12/06/20 13:34:18

    # Try to fetch an IPA service ticket:
    $ kvno host/palladium1.localdomain@PALLAS.LOCALREALM
    kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/palladium1.localdomain@PALLAS.LOCALREALM

    Can anyone provide some idea as to what’s going on here and how I resolve this? I don’t really know what ‘HANDLE_AUTHDATA’ indicates and I’m not able to find a lot of documentation explaining this.

    Thanks!

    Robert.

    --

    Thank you,
    Dmitri Pal

    Director, Software Engineering
    Red Hat Enterprise Linux Platform Security and Identity Management dpal@redhat.com
    <https://red.ht/sig>
