Univention Bugzilla – Bug 48379
Ubuntu DNS settings not enough for kerberos-sso usage
Last modified: 2019-03-18 17:06:42 CET
The customer has successfully configured ucs-sso on his master and backup. The login via SAML and Kerberos works excellently on Windows clients, both against the master and against the backup server. Since the customer also uses Ubuntu clients (Ubuntu 18.04.1 LTS) in his environment and wants to use SAML with Kerberos here as well, he also tested these clients. Unfortunately, SAML via Kerberos only works here if ucs-sso is explicitly set for the servers in /etc/hosts. Without these entries the FQDN of the master will be used to resolve. The univention-domain-join should set the DNS settings on the client, so that even an Ubuntu is able to use ucs-sso "correctly".
univention-domain-join already configures the DNS resolver. Even if I take systemd-resolved out of the equation by manually putting the IP of the UCS master into /etc/resolv.conf it doesn't work. If we make the ucs-sso FQDN point to the UCS master IP instead, by adding a corresponding line to /etc/hosts, it starts to work (kdestroy, kinit, ff restart) and I see HTTP/ucs-sso service tickets in klist. No such thing without the hosts entry. I tried to get more debug output from firefox by setting NSPR_LOG_MODULES and NSPR_LOG_FILE but that just left me with an empty log file. The only thing I currently can think of is that the reverse lookup for the ucs-sso IP doesn't point back to ucs-sso when you use DNS. If you put the ucs-sso into /etc/hosts the reverse lookup returns the ucs-sso FQDN. But that would be true for any other client too. No clue currently.
I set the waiting support flag. The workaround to make adjustments in the /etc/hosts is not user-friendly for large environments.
This has been successfully tested with the univention-domain-join tool under Ubuntu 16.04, so it seems to be a regression in Ubuntu 18.04 (systemd-resolved?) and we should find out how we can make this work in 18.04 too. In the specific case of the ticket, the customer was not using this tool though, so it cannot be "Waiting for support". The workaround is known and Support may want to document it as a community help.
On UCS with samba installed (MIT Kerberos) we set "rdns = false" [1] to avoid the reverse lookup. Does the Ubuntu join tool do that? Ubuntu seems to have had problems with that option in the past [2].
[1]: https://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html#service-principal-canonicalization
[2]: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/571572
Re: "rdns = false" - I experimented with that option, because it was the first thing that came to my mind as well (ok, the second). I didn't find an effect in Christina's test VM. Also, my impression was that this option is required on the host that runs the simpleSAML-php provider (as that's the component that's linked to MIT Kerberos). Ok - but I agree that this could be an issue, because I think both the MIT and the Heimdal libs are installed on the Ubuntu client, so it may well be the case that firefox uses the MIT libs.
"rdns = false" works for me. But it's not set by the univention-domain-join tool. Maybe firefox switched the kerberos libs? Anything saml related in the syslog on the IDP?
Bug 33214 comment 37 supports your claim.
*** Bug 46380 has been marked as a duplicate of this bug. ***
I have added "rdns = false" to the krb5.conf written by univention-domain-join. The packages have been published: https://launchpad.net/~univention-dev/+archive/ubuntu/ppa/+packages
git commits 18.10 (sorted from most recent to oldest):
b00c115 Bug #48379: Fix changelog
473a700 Bug #48379: Add changelog entry
b885c55 Bug #48379: Improve config to support kerberos-sso usage
git commits 18.04 (sorted from most recent to oldest):
74d94f2 Bug #48379: Add changelog entry
7571987 Bug #48379: Improve config to support kerberos-sso usage
git commits 16.04 (sorted from most recent to oldest):
f230c98 Bug #48379: Add changelog entry
fb50641 Bug #48379: Improve config to support kerberos-sso usage
git commits 14.04 (sorted from most recent to oldest):
367144f Bug #48379: Add changelog entry
cf11022 Bug #48379: Improve config to support kerberos-sso usage
The customer tested the workaround with the "rdns = false" entry on an unjoined Ubuntu and it worked.
OK: Add rdns = false to krb5.conf when joining the domain. Existing installs will have to add the line manually, or update the tool and rejoin the domain
OK: ucs-sso works after configuring the browser of choice correctly
OK: no YAML required
OK: packages are available in the PPA
Verified and closed, as nothing more needs to be released
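The mechanism behind this bug (reverse-DNS canonicalization turning HTTP/ucs-sso into HTTP/master, and why either the /etc/hosts entry or "rdns = false" fixes it) as an added, simplified model; this is not code from univention-domain-join or MIT krb5, and all hostnames, IPs, the realm and the krb5.conf fragments are constructed:

```python
import re

# Constructed krb5.conf fragments: the MIT default (rdns unset, i.e. true)
# and what univention-domain-join writes after this fix (rdns = false).
KRB5_CONF_DEFAULT = """[libdefaults]
    default_realm = EXAMPLE.COM
"""
KRB5_CONF_FIXED = """[libdefaults]
    default_realm = EXAMPLE.COM
    rdns = false
"""

# Constructed DNS view: ucs-sso is an A record for the master's IP, and the
# PTR record for that IP points back at the master's own FQDN.
FORWARD = {"ucs-sso.example.com": "10.0.0.10", "master.example.com": "10.0.0.10"}
REVERSE_DNS = {"10.0.0.10": "master.example.com"}
# The /etc/hosts workaround: the hosts entry makes the reverse mapping return ucs-sso.
REVERSE_HOSTS = {"10.0.0.10": "ucs-sso.example.com"}


def rdns_enabled(krb5_conf: str) -> bool:
    """Return the effective [libdefaults] rdns value (MIT default is true)."""
    section = None
    for line in krb5_conf.splitlines():
        line = line.strip()
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        setting = re.match(r"^rdns\s*=\s*(\S+)", line)
        if section == "libdefaults" and setting:
            return setting.group(1).lower() not in ("false", "no", "off", "0")
    return True


def requested_spn(sso_host: str, krb5_conf: str, reverse: dict) -> str:
    """Simplified model of MIT service-principal canonicalization: with rdns
    enabled the client resolves the host to an IP, reverse-resolves that IP and
    asks the KDC for a ticket to whatever name the PTR lookup returns."""
    ip = FORWARD[sso_host]
    host = reverse.get(ip, sso_host) if rdns_enabled(krb5_conf) else sso_host
    return f"HTTP/{host}@EXAMPLE.COM"
```

With the default config and plain DNS the client asks for HTTP/master.example.com, which is the ticket the IdP cannot accept; the hosts entry or rdns = false both yield HTTP/ucs-sso.example.com.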