Univention Bugzilla – Bug 33214
Include negotiate module for kerberos authentication
Last modified: 2021-02-28 13:48:49 CET
The backend for univention-saml, simplesamlphp, supports authentication based on Kerberos. This could be included in a future version to avoid re-authenticating in the browser session: http://simplesamlphp.googlecode.com/svn/trunk/modules/negotiate/docs/negotiate.txt
Requested 3 times at the Summit.
Also requested by at least 6 attendees of the UCS expert talk today.
I don't even know if my conversational partners were the same, but I also discussed this topic several times with partners/customers.
Created attachment 7427 [details]
patch

The attached patch integrates the module into our simplesamlphp configuration. Steps required beforehand:

1. apt-get install libkrb5-dev && pecl install krb5
   → UCS doesn't have a Debian package for it.
2. chgrp samlcgi /etc/krb5.keytab; chmod 660 /etc/krb5.keytab
   → (WORKAROUND) make /etc/krb5.keytab readable by the "samlcgi" user

When trying to log in I get the following error:

    Error 2 - KRB5NegotiateAuth::doAuthentication(): GSSAPI mechanism error #100004
    Negotiate - authenticate(): doAuthentication() exception: Error while obtaining server credentials

→ I don't know what this means. Probably something is broken in my Kerberos server?
(In reply to Florian Best from comment #4)
> Previous required steps are:

3. ucr set saml/idp/auth=univention-negotiate
Requested during workshop
I added extension=krb5.so to:
    /etc/php5/cgi/php.ini
    /etc/php5/apache2/php.ini
    /etc/php5/cli/php.ini
I can confirm that it works like a charm ;-)

Steps which I did on the server (UCS 4.2) side (not quite sure if all are really necessary):

1. ucr set repository/online/unmaintained=yes
2. univention-install libkrb5-dev php5-dev
3. pecl install krb5
4. pecl list
5. chgrp samlcgi /etc/krb5.keytab
6. vim /etc/simplesamlphp/authsources.php
       'univention-negotiate' => array(
           'negotiate:Negotiate',
           'keytab' => '/etc/krb5.keytab',
           'fallback' => 'univention-ldap',
           'hostname' => 'ldap://master.ldap.base:7389',
           'base' => 'dc=saml,dc=idp',
           'adminUser' => 'uid=sys-idp-user,cn=users,dc=saml,dc=idp',
           'adminPassword' => 'cat /etc/idp-ldap-user.secret'
       ),
7. /etc/apache2/sites-available/univention-saml.conf
       SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
8. touch /usr/share/simplesamlphp/modules/negotiate/enable
9. extension=krb5.so to:
       /etc/php5/cgi/php.ini
       /etc/php5/apache2/php.ini
       /etc/php5/cli/php.ini
10. samba-tool spn add HTTP/master@$(ucr get kerberos/realm) master$
11. samba-tool spn add HTTP/ucs-sso@$(ucr get kerberos/realm) master$
12. /usr/share/univention-samba4/scripts/create-keytab.sh
13. chmod 777 /etc/krb5.keytab <- I know it is a security hole but it was only for prototyping.
14. vim /etc/krb5.conf
       [libdefaults]
       ignore_acceptor_hostname = true
       [domain_realm]
       .ldap.base = LDAP.BASE
       ldap.base = LDAP.BASE
       ucs-sso.ldap.base = LDAP.BASE

On the client side (https://sysadminspot.com/windows/google-chrome-and-ntlm-auto-logon-using-windows-authentication/):

Firefox: about:config
       network.auth.use-sspi = true
       network.negotiate-auth.trusted-uris = .ldap.base
       network.negotiate-auth.delegation-uris = .ldap.base

Chrome / IE: Internet Settings -> Trusted Sites -> Add -> https://master.ldap.base + https://ucs-sso.ldap.base
I created a patch in the branch fbest/33214-saml-negotiate-http-authentication which makes all necessary changes configurable (i.e. steps 6, 7, and 9 from comment 8).
https://git.knut.univention.de/univention/ucs/commits/fbest/33214-saml-negotiate-http-authentication
I tested this on a fresh UCS 4.2-3 system.

Step 3 did not work before:
    univention-install php7.0-xml php-xml

php-pear 1:1.10.1 from stretch (https://packages.debian.org/de/stretch/php-pear) was installed manually via dpkg -i. The php-pear version in jessie doesn't work with PHP 7 afaik.
Package: univention-saml
Version: 5.0.4-5A~4.3.0.201802091337

Package: univention-heimdal
Version: 11.0.1-3A~4.3.0.201802091339

cherrypicked php-krb5 to 4.3 release from bleeding4.3
Package: php-krb5
Version: 1.1.2-4A~4.3.0.201802091342

Notes for testing at https://etherpad-lite.knut.univention.de/etherpad/p/43_saml_kerberos
I adjusted the existing tests. They were expecting the LDAP backend to be present and failed because the negotiate plugin sends a different HTTP status code. The previously existing tests are now configured to use the old LDAP backend. We need additional tests for Kerberos-based login.

Package: ucs-test
Version: 8.0.28-6A~4.3.0.201802091706
Non-Samba environment: the join script 99univention-saml-kerberos.inst fails ->

    kadmin -l dump| grep ucs-sso
    HTTP/ucs-sso.fb.bf@FB.BF 1::19:D1758B0500587A84A0D5B65F8E868B10:3/46422E42467563732D73736F::18:F1F1573EA31F53932C3F031DB78303C3935034BE829973FC7F20BE97388868BC:3/46422E42467563732D73736F::23:3EA0CF8EA8EC08930C8C7790AF01D28B:3/46422E42467563732D73736F::20:8FCCA09965608751568589454E12F897287A3295D149B92C804EC050BBA39980:3/46422E42467563732D73736F::3:2FAE91E55E2F8352:3/46422E42467563732D73736F::17:F0DFDF3A6479BEC9CE198ADD6437C228:3/46422E42467563732D73736F::16:BCE052B6A86738B9297F29B0E580F21CF80E499851B05B68:3/46422E42467563732D73736F::2:2FAE91E55E2F8352:3/46422E42467563732D73736F::1:2FAE91E55E2F8352:3/46422E42467563732D73736F 20180212113856:UNKNOWN - - - - 86400 604800 126 - 301AA003010100A113A711180F32303138303231323131333835365A

but ->

    kadmin -l ext --keytab=/etc/simplesamlphp/simplesamlphp.keytab HTTP/ucs-sso.fb.bf
    kadmin: ext HTTP/ucs-sso.fb.bf: Principal does not exist
The UCR variable ucs/server/sso/fqdn should be considered. I think the keytab is currently generated for the hardcoded name "ucs-sso.$domainname".
The krb5PrincipalName of the ucs-sso user is set to

    krb5PrincipalName: HTTP/ucs-sso.fb.bf

I think the realm is missing here. If I change that to

    krb5PrincipalName: HTTP/ucs-sso.fb.bf@FB.BF

it works.
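The defect above is a principal stored without its realm. The following is an added example (not Univention code) that splits a Kerberos principal into its components and realm, respecting backslash escapes for "/", "@" and "\", and supplies a default realm when one is missing, so a list of krb5PrincipalName values exported from LDAP can be checked before they are used to generate a keytab. The function names and the sample values are assumptions made for the example.

```python
# Added example, not part of Univention's code base.
# Kerberos principal syntax: component ( "/" component )* [ "@" realm ],
# where "/", "@" and "\" inside a component may be escaped with a backslash.

from typing import List, Optional, Tuple


def parse_principal(principal: str) -> Tuple[List[str], Optional[str]]:
    """Return (components, realm); realm is None when no unescaped '@' is present."""
    components: List[str] = []
    current: List[str] = []
    realm: Optional[str] = None
    i = 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\" and i + 1 < len(principal):
            current.append(principal[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == "/" and realm is None:
            components.append("".join(current))
            current = []
        elif ch == "@" and realm is None:
            components.append("".join(current))
            current = []
            realm = ""  # marker: everything that follows belongs to the realm
        else:
            current.append(ch)
        i += 1
    if realm is None:
        components.append("".join(current))
    else:
        realm = "".join(current)
    return components, realm


def _escape(component: str) -> str:
    return component.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


def normalize_principal(principal: str, default_realm: str) -> str:
    """Re-serialise a principal, adding default_realm if the realm is absent or empty."""
    components, realm = parse_principal(principal)
    if not realm:
        realm = default_realm
    return "/".join(_escape(c) for c in components) + "@" + realm


def principals_missing_realm(values: List[str]) -> List[str]:
    """Return the entries of an LDAP krb5PrincipalName export that lack a realm."""
    return [v for v in values if not parse_principal(v)[1]]


if __name__ == "__main__":
    # Constructed sample data modelled on the values quoted in the comment above.
    sample = ["HTTP/ucs-sso.fb.bf", "HTTP/master.fb.bf@FB.BF", "host/backup.fb.bf"]
    for bad in principals_missing_realm(sample):
        print(bad, "->", normalize_principal(bad, "FB.BF"))
```

A realm is case-sensitive, so the default realm is inserted exactly as given rather than upper-cased; the caller should pass the realm as the KDC knows it (on UCS, the value of ucr get kerberos/realm).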
22c00dca Set correct SPN in OpenLDAP

Package: univention-saml
Version: 5.0.4-7A~4.3.0.201802131714
At least MIT Kerberos does a reverse DNS search on the service name. (Windows doesn't seem to do that.) Meaning instead of:

    HTTP/ucs-sso.univention.intranet@UNIVENTION.INTRANET

    HTTP/$MASTER.univention.intranet@UNIVENTION.INTRANET

is used. SimpleSAML doesn't like that. I will check how Ubuntu handles that.
https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html
I have a 4.3 master and a 4.2 backup with the s4connector. After the update to 4.3 on the master I get

    14.02.2018 16:26:10,232 LDAP (PROCESS): sync from ucs: [ user] [ modify] CN=ucs-sso,CN=Users,DC=four,DC=two
    14.02.2018 16:26:10,243 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1518618332.272155
    14.02.2018 16:26:10,244 LDAP (WARNING): Traceback (most recent call last):
      File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 897, in __sync_file_from_ucs
        if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
      File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2720, in sync_from_ucs
        f(self, property_type, object)
      File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 600, in password_sync_ucs_to_s4
        supplementalCredentials_new = calculate_supplementalCredentials(krb5Key, supplementalCredentials)
      File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 176, in calculate_supplementalCredentials
        ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: krb5_keytype: %s (%d)" % (enctype, enctype_id))
    KRB5_PROG_ETYPE_NOSUPP: {'code': -1765328234}

in the connector.log on the backup.
(In reply to Felix Botner from comment #18)
> I have a 4.3 master and a 4.2 backup with the s4connector
>
> after the update to 4.3 on the master i get
>
> 14.02.2018 16:26:10,232 LDAP (PROCESS): sync from ucs: [ user] [ modify] CN=ucs-sso,CN=Users,DC=four,DC=two
> 14.02.2018 16:26:10,243 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1518618332.272155
> 14.02.2018 16:26:10,244 LDAP (WARNING): Traceback (most recent call last):
>   File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 897, in __sync_file_from_ucs
>     if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
>   File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2720, in sync_from_ucs
>     f(self, property_type, object)
>   File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 600, in password_sync_ucs_to_s4
>     supplementalCredentials_new = calculate_supplementalCredentials(krb5Key, supplementalCredentials)
>   File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 176, in calculate_supplementalCredentials
>     ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: krb5_keytype: %s (%d)" % (enctype, enctype_id))
> KRB5_PROG_ETYPE_NOSUPP: {'code': -1765328234}
>
> in the connector.log on the backup

As soon as I remove

    ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: krb5_keytype: %s (%d)" % (enctype, enctype_id))

from s4/password.py on my 4.2-3 backup it seems to work?
(In reply to Felix Botner from comment #19)
> (In reply to Felix Botner from comment #18)
> > I have a 4.3 master and a 4.2 backup with the s4connector
> >
> > after the update to 4.3 on the master i get
> >
> > 14.02.2018 16:26:10,232 LDAP (PROCESS): sync from ucs: [ user] [ modify] CN=ucs-sso,CN=Users,DC=four,DC=two
> > 14.02.2018 16:26:10,243 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1518618332.272155
> > 14.02.2018 16:26:10,244 LDAP (WARNING): Traceback (most recent call last):
> >   File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 897, in __sync_file_from_ucs
> >     if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
> >   File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2720, in sync_from_ucs
> >     f(self, property_type, object)
> >   File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 600, in password_sync_ucs_to_s4
> >     supplementalCredentials_new = calculate_supplementalCredentials(krb5Key, supplementalCredentials)
> >   File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 176, in calculate_supplementalCredentials
> >     ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: krb5_keytype: %s (%d)" % (enctype, enctype_id))
> > KRB5_PROG_ETYPE_NOSUPP: {'code': -1765328234}
> >
> > in the connector.log on the backup
>
> as soon as i remove
>
> ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: krb5_keytype: %s (%d)" % (enctype, enctype_id))
>
> from s4/password.py on my 4.2-3 backup it seems to work?

I think this is bug #46292.
Commit 07e23c05b50 added the option ignore_acceptor_hostname to the krb5.conf UCR template. That option is an MIT Kerberos option that is not supported by Heimdal. The string is not in these files:
* heimdal-7.1.0+dfsg/lib/krb5/verify_krb5_conf.c
* heimdal-7.1.0+dfsg/lib/krb5/krb5.conf.cat5

compare:
* https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
vs
* https://github.com/heimdal/heimdal/blob/heimdal-7-1-branch/lib/krb5/krb5.conf.5
Ah, as discussed, that option worked (and was necessary) because php-krb5 Build-Depends on libkrb5-dev (MIT Kerberos) instead of heimdal-dev. So please try to use heimdal-dev instead, probably Jürn's test case will behave differently too then. Let's see...
The kerberos authentication doesn't seem to work without samba. I tried building php-krb5 with heimdal-dev instead of libkrb5-dev but it failed.
Ok, yes, I compared with the Heimdal sources, and some structures used in php-krb5-1.1.2/src/krb5.c don't seem to be present in Heimdal. I also tried compiling against "heimdal-multidev" but it failed finding some constants that are not present in Heimdal. Even manually defining "#define HAVE_KRB5_HEIMDAL 1" didn't fix the compile errors, so I guess that support is unmaintained.
Ok, as discussed, I've adjusted the UCR template for /etc/krb5.conf to gather the MIT specific libdefaults in one place. I've also added the "rdns" option required for ucs-test, which can be adjusted by ucr set kerberos/fefaults/rdns=false . The univention-heimdal package has been rebuilt.
User creation has been split in order to support installing Samba at a later time.

a001d83f Create ucs-sso user in u-saml joinscript
2ade8f25 Split saml-kerberos user creation

Package: univention-saml
Version: 5.0.4-10A~4.3.0.201802201140

Package: univention-samba4
Version: 7.0.2-4A~4.3.0.201802201142
We discussed transferring the Kerberos keytab to multiple UCS Backups. Ideally one would call 'kadmin -l' to export the keytab locally. That way, one would be independent from implementation details, i.e. whether Samba is installed or not. This is prevented because the s4-connector does not sync the KeyVersionNumber back to OpenLDAP. So fixing bug 32082 would be very helpful.
e0c76596 + 040911d6 On DC Backup, copy keytab from master

univention-samba4 7.0.2-5A~4.3.0.201802211709
univention-saml 5.0.4-11A~4.3.0.201802211712
(In reply to Erik Damrose from comment #27)
> We discussed transfering the kerberos keytab to multiple UCS Backups.
> Ideally one would call 'kadmin -l' to export the keytab locally.

FYI: With every export the KVNO gets incremented to render all previous exports as invalid - this is by design. You also should read <https://blogs.msdn.microsoft.com/openspecification/2009/11/13/to-kvno-or-not-to-kvno-what-is-the-version/>
(In reply to Philipp Hahn from comment #29)
> FYI: With every export the KVNO get incremented to render all previous
> exports as invalid - this is by design.

I tested this with and without samba4 installed. The kvno is not increased in both cases and I can still get a ticket. Did I do something wrong?
33bacc80 Create ucs-sso user as functional and hidden

Package: univention-saml
Version: 5.0.4-12A~4.3.0.201802221225
(In reply to Philipp Hahn from comment #29)
> FYI: With every export the KVNO get incremented to render all previous
> exports as invalid - this is by design.

The kpasswdd / Samba increments the version number in the backend database on password changes. kadmin just exports what is there.
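The KVNO discussion above (comments 27 through 32) and the chmod 777 workaround in comment 8 both come down to inspecting the keytab file itself. The following is an added example, not Univention or Heimdal code: it builds a small keytab in the "0x0502" file format used by both MIT Kerberos and Heimdal from constructed sample entries (the key bytes are dummies, not real keys), parses it back to list principal, enctype and kvno, and reports file modes that would expose the keys to other local users. With the parser one can compare the kvno in /etc/simplesamlphp/simplesamlphp.keytab against what kadmin reports before deciding whether a copy on a Backup is still valid. The helper names, the sample principals and the timestamps are assumptions made for the example; the enctype numbers 18 (aes256-cts-hmac-sha1-96) and 23 (arcfour-hmac) are the IANA-registered values.

```python
# Added example, not Univention or Heimdal code.
# Keytab v2 layout: 0x05 0x02, then entries of
#   int32 size | uint16 num_components | counted realm | counted components...
#   | uint32 name_type | uint32 timestamp | uint8 vno8 | uint16 enctype
#   | uint16 keylen | key | [uint32 vno32]   (a negative size marks a deleted slot)
import os
import stat
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


# Constructed sample entries: (principal, kvno, enctype, dummy key, timestamp).
SAMPLE_ENTRIES = [
    ("HTTP/ucs-sso.fb.bf@FB.BF", 3, 18, bytes(range(32)), 1518435536),
    ("HTTP/ucs-sso.fb.bf@FB.BF", 3, 23, bytes(range(16)), 1518435536),
    ("HTTP/master.fb.bf@FB.BF", 2, 18, bytes(range(32)), 1518435536),
    ("host/backup.fb.bf@FB.BF", 300, 18, bytes(range(32)), 1518435536),  # kvno > 255
]


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key, timestamp) tuples as a v2 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)  # sample principals contain no escapes
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, time, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # 32-bit vno extension carries kvno values > 255
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:  # optional 32-bit vno; non-zero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, ts, kvno, enctype, key))
    return entries


def max_kvno(entries: List[KeytabEntry], principal: str) -> Optional[int]:
    """Highest kvno the keytab holds for a principal (None if absent)."""
    versions = [e.kvno for e in entries if e.principal == principal]
    return max(versions) if versions else None


def keytab_permission_problems(path: str) -> List[str]:
    """Report mode bits that would let other local users read or alter the keys."""
    mode = os.stat(path).st_mode
    return [label for flag, label in ((stat.S_IROTH, "world-readable"),
                                      (stat.S_IWOTH, "world-writable"),
                                      (stat.S_IWGRP, "group-writable")) if mode & flag]


def check_mode_demo(mode: int) -> List[str]:
    """Write a sample keytab to a temporary file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    try:
        os.write(fd, build_keytab(SAMPLE_ENTRIES))
        os.close(fd)
        os.chmod(path, mode)
        return keytab_permission_problems(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for e in parse_keytab(build_keytab(SAMPLE_ENTRIES)):
        print("%-28s kvno=%-4d enctype=%d" % (e.principal, e.kvno, e.enctype))
    print("chmod 777:", check_mode_demo(0o777), " chmod 640:", check_mode_demo(0o640))
```

Pointing parse_keytab at the bytes of a real keytab works the same way; the file is read as a whole and never modified. For the keytab read by simplesamlphp, a mode of 640 with the group set to the web server's group (samlcgi in the comments above) keeps the keys readable by the IdP without exposing them to every local account.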
Latest tests I did:

4.3 DVD install single master, install samba4, join win7, test login -> OK
4.3 DVD install master, backup, install samba4 on both, join win7, login -> OK, shutdown master, login -> OK

(login OK means always with saml-kerberos)
Install tests fail with

    + univention-check-join-status
    [master] 2018-02-23T06:07:10.356479 Warning: 'univention-samba4-saml-kerberos' is not configured.
    [master] 2018-02-23T06:07:10.356479 Error: Not all install files configured: 1 missing

    018-02-23 05:56:40.974399210+01:00 (in joinscript_save_current_version)
    __MSG__:Einrichten von 98univention-samba4-saml-kerberos
    __STEP__:79
    Configure /usr/lib/univention-install/98univention-samba4-saml-kerberos.inst
    2018-02-23 05:56:41.569287577+01:00 (in joinscript_init)
    Waiting for user replication...
    ERROR: User ucs-sso not found
    ERROR: User ucs-sso not found
    ERROR: User ucs-sso not found
    ERROR: User ucs-sso not found
    ERROR: User ucs-sso not found
    ERROR: User ucs-sso not found
    ERROR: User ucs-sso not found
    ERROR: User ucs-sso not found
    ERROR: User ucs-sso not found
    ERROR: User ucs-sso not found
    ERROR: User ucs-sso not found
    __STEP__:80
http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-0/job/Installation%20Tests/mode=master-all-components/ws/test/
I created the ucs-sso user with univentionObjectFlag: functional to avoid counting the user against the UCS licence. However, functional accounts are not synced to S4; I created Bug 46377 for that.

8862547e Partly revert previous version, only create ucs-sso user as hidden

univention-saml 5.0.4-13A~4.3.0.201802230958
Works with ubuntu joined into domain (no samba4) using the univention-domain-join tool and adding rdns=false into krb5.conf (see bug 46380 for adding this as default)
Please add a changelog entry. The changelog entry is independent of other release notes hints.
4254539a changelog
What I tested:

Ubuntu nosamba against master -> OK
Ubuntu nosamba against backup -> OK
Ubuntu samba against master -> OK
Windows samba against master -> OK
Changelog -> OK
UCS 4.3 has been released: https://docs.software-univention.de/release-notes-4.3-0-en.html https://docs.software-univention.de/release-notes-4.3-0-de.html If this error occurs again, please use "Clone This Bug".