Univention Bugzilla – Bug 57445
Squid kerberos authentication is not working on hostnames containing capital letters
Last modified: 2024-07-15 12:26:24 CEST
Testing the authentication shows:

    [...] yuGtzY8RSiTqd+r/zrLpzYpqIVlKwM085U4DFQEjHmW0u4RDprfBS13YfAXiNxB0KYLpCuN6wP+avP3pfQcOgIvHtH+tluyxywfIUN4JlOSX/Kg2P0Luk/DiQyk6xC1yY9ncjlcfgcsqnXWEH3AoS27wMj0iwmfV27/CnfU/fBXSnYdjsc32ydIOtltY=' (decoded length estimate: 1848).
    negotiate_kerberos_auth.cc(182): pid=18621 :2024/06/24 16:19:51| negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No key table entry found matching HTTP/schul-repl.unterricht.schein.me@
    BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No key table entry found matching HTTP/schul-repl.unterricht.schein.me@

Using the keytab is fine:

    root@SCHUL-REPL:~/univention-support# kinit --keytab=/var/lib/samba/private/http-proxy-$(hostname).keytab http-proxy-$(hostname)
    root@SCHUL-REPL:~/univention-support# klist
    Credentials cache: FILE:/tmp/krb5cc_0
            Principal: http-proxy-UCS-SCHUL-REPL@UNTERRICHT.SCHEIN.ME

      Issued                Expires               Principal
    Jun 25 12:53:21 2024  Jun 25 22:53:21 2024  krbtgt/UNTERRICHT.SCHEIN.ME@UNTERRICHT.SCHEIN.ME

More investigation:

    root@SCHUL-REPL:~/univention-support# univention-ldapsearch -Y GSSAPI -s base
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
            additional info: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
    root@SCHUL-REPL:~/univention-support# klist
    Credentials cache: FILE:/tmp/krb5cc_0
            Principal: ls-testlehrer@UNTERRICHT.SCHEIN.ME

      Issued                Expires               Principal
    Jun 25 16:52:12 2024  Jun 26 02:52:12 2024  krbtgt/UNTERRICHT.SCHEIN.ME@UNTERRICHT.SCHEIN.ME
    Jun 25 16:52:16 2024  Jun 26 02:52:12 2024  HTTP/schul-repl.unterricht.schein.me@
    Jun 25 16:52:16 2024  Jun 26 02:52:12 2024  HTTP/schul-repl.unterricht.schein.me@UNTERRICHT.SCHEIN.ME
    Jun 25 16:55:20 2024  Jun 26 02:52:12 2024  cifs/CHUL-REPL@UNTERRICHT.SCHEIN.ME
    Jun 25 16:56:09 2024  Jun 26 02:52:12 2024  ldap/schul-repl.unterricht.schein.me@UNTERRICHT.SCHEIN.ME

The problem is the hostname being uppercase. The keytab file is then exported with the "wrong" casing, and then the ticket Squid gets from Kerberos cannot be validated ("No credentials were supplied, or the credentials were unavailable or inaccessible"). It is unclear whether this is a bug in Squid or whether they do it correctly. I would assume the hostname to be checked case-insensitively, but apparently Squid thinks otherwise. The same holds for ldapsearch -Y GSSAPI: it will not work with a Kerberos ticket. smbclient is fine, though: it uses Samba, and Samba does it correctly.

Back to the problem: we think it lies in the way we export the keytab. samba-tool domain exportkeytab /path/to/file.keytab --principal=HTTP/schul-repl.unterricht.schein.me seems to work, but we are doing it differently in our packages (with Heimdal tools (?)). The problem is that this environment will always suffer from the fact that it has an uppercase hostname. In fact, we have not allowed such a UCS@school installation for years, but unfortunately this environment seems to be older than that. Every time the system re-joins or something similar, the keytab will be problematic.
Procedure:

    root@SCHUL-REPL:~/univention-support# samba-tool domain exportkeytab cschein3.keytab --principal=http-proxy-schul-repl
    Export one principal to cschein3.keytab
    root@SCHUL-REPL:~/univention-support# ktutil -k cschein3.keytab list
    cschein3.keytab:
    Vno  Type                     Principal                                                  Aliases
      3  aes256-cts-hmac-sha1-96  http-proxy-schul-repl@UNTERRICHT.SCHEIN.ME
      3  aes128-cts-hmac-sha1-96  http-proxy-schul-repl@UNTERRICHT.SCHEIN.ME
      3  arcfour-hmac-md5         http-proxy-schul-repl@UNTERRICHT.SCHEIN.ME
    root@SCHUL-REPL:~/univention-support# samba-tool domain exportkeytab cschein3.keytab --principal=HTTP/schul-repl.unterricht.schein.me
    Export one principal to cschein3.keytab
    root@SCHUL-REPL:~/univention-support# ktutil -k cschein3.keytab list
    cschein3.keytab:
    Vno  Type                     Principal                                                  Aliases
      3  aes256-cts-hmac-sha1-96  http-proxy-schul-repl@UNTERRICHT.SCHEIN.ME
      3  aes128-cts-hmac-sha1-96  http-proxy-schul-repl@UNTERRICHT.SCHEIN.ME
      3  arcfour-hmac-md5         http-proxy-schul-repl@UNTERRICHT.SCHEIN.ME
      3  aes256-cts-hmac-sha1-96  HTTP/schul-repl.unterricht.schein.me@UNTERRICHT.SCHEIN.ME
      3  aes128-cts-hmac-sha1-96  HTTP/schul-repl.unterricht.schein.me@UNTERRICHT.SCHEIN.ME
      3  arcfour-hmac-md5         HTTP/schul-repl.unterricht.schein.me@UNTERRICHT.SCHEIN.ME

Working keytab:

    root@SCHUL-REPL:~/univention-support# ktutil -k /var/lib/samba/private/http-proxy-UCS-EDU-DC.keytab list
    /var/lib/samba/private/http-proxy-UCS-EDU-DC.keytab:
    Vno  Type                     Principal                                                  Aliases
      3  aes256-cts-hmac-sha1-96  http-proxy-ucs-edu-dc@UNTERRICHT.SCHEIN.ME
      3  aes128-cts-hmac-sha1-96  http-proxy-ucs-edu-dc@UNTERRICHT.SCHEIN.ME
      3  arcfour-hmac-md5         http-proxy-ucs-edu-dc@UNTERRICHT.SCHEIN.ME
      3  aes256-cts-hmac-sha1-96  HTTP/ucs-edu-dc.unterricht.schein.me@UNTERRICHT.SCHEIN.ME
      3  aes128-cts-hmac-sha1-96  HTTP/ucs-edu-dc.unterricht.schein.me@UNTERRICHT.SCHEIN.ME
      3  arcfour-hmac-md5         HTTP/ucs-edu-dc.unterricht.schein.me@UNTERRICHT.SCHEIN.ME

https://git.knut.univention.de/univention/dev-issues/dev-incidents/-/issues/38

There is no chance of the customer renaming their hostname, we are not supporting that!
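The analysis and the export procedure above both come down to one check: does the keytab contain the HTTP service principal under the exact spelling the Negotiate client hands to gss_acquire_cred()? MIT and Heimdal compare principal names case-sensitively, which is why Squid reports "No key table entry found matching HTTP/schul-repl.unterricht.schein.me@" although kinit against the same keytab and smbclient (whose lookups go through Samba's case-insensitive directory) keep working. The following POSIX shell script is an added example, not code from the bug report or from the UCS packages: it parses a Heimdal `ktutil -k FILE list` listing and distinguishes "principal missing" from "principal present with the wrong case", and for the latter prints the samba-tool re-export from the procedure above. The working listing is the one from the report; the BROKEN listing and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or UCS): find out whether a keytab
# carries the HTTP principal a Negotiate client asks for, with the exact case.
# Kerberos principal names are compared byte-for-byte, so
# "HTTP/SCHUL-REPL.<domain>@REALM" never satisfies a lookup for
# "HTTP/schul-repl.<domain>@REALM".

# Lower-case a string. Used only to *find* near-misses, never for the lookup.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# expected_http_principal HOSTNAME DOMAIN REALM
# The service principal the client requests: FQDN lower-cased (what DNS and
# the browser hand to GSSAPI), realm left exactly as given.
expected_http_principal() {
  printf 'HTTP/%s.%s@%s' "$(lc "$1")" "$(lc "$2")" "$3"
}

# keytab_principals LISTING
# Principal column of `ktutil -k FILE list` output: key rows start with the
# key version number, the file name and header lines do not.
keytab_principals() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $3 }' | sort -u
}

# keytab_has_principal LISTING PRINCIPAL   -> 0 iff present with exact case
keytab_has_principal() {
  keytab_principals "$1" | grep -qxF -- "$2"
}

# keytab_case_mismatches LISTING PRINCIPAL
# Print entries equal to PRINCIPAL only under case-insensitive comparison:
# the keys exist, but under a name GSSAPI will never match.
keytab_case_mismatches() {
  keytab_principals "$1" | awk -v want="$2" \
    'tolower($0) == tolower(want) && $0 != want'
}

# check_keytab LISTING HOSTNAME DOMAIN REALM
# Exit status: 0 = usable, 1 = principal missing, 2 = present with wrong case.
check_keytab() {
  wanted=$(expected_http_principal "$2" "$3" "$4")
  if keytab_has_principal "$1" "$wanted"; then
    echo "ok: $wanted"
    return 0
  fi
  mismatch=$(keytab_case_mismatches "$1" "$wanted")
  if [ -n "$mismatch" ]; then
    echo "case mismatch: keytab has '$mismatch', client asks for '$wanted'"
    # Same fix as in the report: export the lower-case principal with samba-tool.
    echo "re-export with: samba-tool domain exportkeytab FILE --principal=${wanted%@*}"
    return 2
  fi
  echo "missing: $wanted"
  return 1
}

# Working keytab listing as shown in the report (lower-case hostname).
GOOD_LISTING='/var/lib/samba/private/http-proxy-UCS-EDU-DC.keytab:
Vno  Type                     Principal                                                  Aliases
  3  aes256-cts-hmac-sha1-96  http-proxy-ucs-edu-dc@UNTERRICHT.SCHEIN.ME
  3  aes128-cts-hmac-sha1-96  http-proxy-ucs-edu-dc@UNTERRICHT.SCHEIN.ME
  3  arcfour-hmac-md5         http-proxy-ucs-edu-dc@UNTERRICHT.SCHEIN.ME
  3  aes256-cts-hmac-sha1-96  HTTP/ucs-edu-dc.unterricht.schein.me@UNTERRICHT.SCHEIN.ME
  3  aes128-cts-hmac-sha1-96  HTTP/ucs-edu-dc.unterricht.schein.me@UNTERRICHT.SCHEIN.ME
  3  arcfour-hmac-md5         HTTP/ucs-edu-dc.unterricht.schein.me@UNTERRICHT.SCHEIN.ME'

# Constructed listing (an assumption, not captured from the customer system):
# what an export driven by the upper-case $(hostname) would look like.
BROKEN_LISTING='/var/lib/samba/private/http-proxy-SCHUL-REPL.keytab:
Vno  Type                     Principal                                                  Aliases
  3  aes256-cts-hmac-sha1-96  http-proxy-SCHUL-REPL@UNTERRICHT.SCHEIN.ME
  3  aes256-cts-hmac-sha1-96  HTTP/SCHUL-REPL.unterricht.schein.me@UNTERRICHT.SCHEIN.ME'

# Run `sh check_keytab.sh --demo` to see both verdicts.
if [ "${1:-}" = "--demo" ]; then
  check_keytab "$GOOD_LISTING"   ucs-edu-dc unterricht.schein.me UNTERRICHT.SCHEIN.ME
  check_keytab "$BROKEN_LISTING" SCHUL-REPL unterricht.schein.me UNTERRICHT.SCHEIN.ME
fi
```

On a real host, feed the script the live listing with `check_keytab "$(ktutil -k /var/lib/samba/private/http-proxy-$(hostname).keytab list)" "$(hostname)" "$(dnsdomainname)" REALM`; the exit status 2 is the situation from this bug, and it will reappear after every re-join until the export itself uses the lower-cased FQDN.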
When rerunning the Squid join script, the keytab will get "wrong" again and the authentication will fail. That is why the customer needs an update- and join-safe workaround, and why I set the waiting-support flag.
This also impacts LDAP authentication using Kerberos, since the entries in the krb5.keytab have the same issue with the principals being uppercase. E.g. ldapsearch -Y GSSAPI doesn't work in such an environment, but that is currently not a use case for the customer. It should also be noted that the school installer forbids creating a school server with a hostname containing uppercase letters.