Bug 57445 - Squid kerberos authentication is not working on hostnames containing capital letters
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: Proxy services
Version: UCS@school 5.0
Hardware: Other Linux
Importance: P5 normal
Assigned To: UCS@school maintainers
Depends on:
Blocks:
Reported: 2024-07-11 16:45 CEST by Christina Scheinig
Modified: 2024-07-15 12:26 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2024060621000117
Bug group (optional):
Max CVSS v3 score:


Description Christina Scheinig univentionstaff 2024-07-11 16:45:11 CEST
Testing the authentication shows

[...]
yuGtzY8RSiTqd+r/zrLpzYpqIVlKwM085U4DFQEjHmW0u4RDprfBS13YfAXiNxB0KYLpCuN6wP+avP3pfQcOgIvHtH+tluyxywfIUN4JlOSX/Kg2P0Luk/DiQyk6xC1yY9ncjlcfgcsqnXWEH3AoS27wMj0iwmfV27/CnfU/fBXSnYdjsc32ydIOtltY=' (decoded length estimate: 1848).
negotiate_kerberos_auth.cc(182): pid=18621 :2024/06/24 16:19:51| negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. No key table entry found matching HTTP/schul-repl.unterricht.schein.me@
BH gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. No key table entry found matching HTTP/schul-repl.unterricht.schein.me@


Using the keytab is fine:

root@SCHUL-REPL:~/univention-support# kinit --keytab=/var/lib/samba/private/http-proxy-$(hostname).keytab http-proxy-$(hostname)
root@SCHUL-REPL:~/univention-support# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: http-proxy-UCS-SCHUL-REPL@UNTERRICHT.SCHEIN.ME
  Issued                Expires               Principal
Jun 25 12:53:21 2024  Jun 25 22:53:21 2024  krbtgt/UNTERRICHT.SCHEIN.ME@UNTERRICHT.SCHEIN.ME

more investigation:
root@SCHUL-REPL:~/univention-support# univention-ldapsearch -Y GSSAPI -s base
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error:  No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
root@SCHUL-REPL:~/univention-support# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: ls-testlehrer@UNTERRICHT.SCHEIN.ME

  Issued                Expires               Principal
Jun 25 16:52:12 2024  Jun 26 02:52:12 2024  krbtgt/UNTERRICHT.SCHEIN.ME@UNTERRICHT.SCHEIN.ME
Jun 25 16:52:16 2024  Jun 26 02:52:12 2024  HTTP/schul-repl.unterricht.schein.me@
Jun 25 16:52:16 2024  Jun 26 02:52:12 2024  HTTP/schul-repl.unterricht.schein.me@UNTERRICHT.SCHEIN.ME
Jun 25 16:55:20 2024  Jun 26 02:52:12 2024  cifs/CHUL-REPL@UNTERRICHT.SCHEIN.ME
Jun 25 16:56:09 2024  Jun 26 02:52:12 2024  ldap/schul-repl.unterricht.schein.me@UNTERRICHT.SCHEIN.ME

The problem is the hostname being uppercase. The keytab file is then exported with the "wrong" casing, and the ticket Squid gets from Kerberos cannot be validated ("No credentials were supplied, or the credentials were unavailable or inaccessible").
It is unclear if this is a bug in Squid or if it does this correctly. I would assume the hostname to be checked case-insensitively. But apparently, Squid thinks otherwise. Same for ldapsearch -Y GSSAPI: it will not work with a Kerberos ticket. smbclient is fine, though: it uses Samba, and Samba does it correctly.
Back to the problem: we think it lies in the way we export the keytab.
samba-tool domain exportkeytab /path/to/file.keytab --principal=HTTP/schul-repl.unterricht.schein.me seems to work. But we are doing it differently in our packages (with Heimdal tools (?)).
The problem is that this environment will always suffer from the fact that it has an uppercase hostname. In fact, we have not allowed such a UCS@school installation for years. But unfortunately, this environment seems to be older than that. Every time the system re-joins or something similar, the keytab will be problematic.


Procedure

root@SCHUL-REPL:~/univention-support# samba-tool domain exportkeytab cschein3.keytab --principal=http-proxy-schul-repl
Export one principal to cschein3.keytab
root@SCHUL-REPL:~/univention-support# ktutil -k cschein3.keytab list
cschein3.keytab:

Vno  Type                     Principal                                    Aliases
  3  aes256-cts-hmac-sha1-96  http-proxy-schul-repl@UNTERRICHT.SCHEIN.ME  
  3  aes128-cts-hmac-sha1-96  http-proxy-schul-repl@UNTERRICHT.SCHEIN.ME  
  3  arcfour-hmac-md5         http-proxy-schul-repl@UNTERRICHT.SCHEIN.ME  
root@SCHUL-REPL:~/univention-support# samba-tool domain exportkeytab cschein3.keytab --principal=HTTP/schul-repl.unterricht.schein.me
Export one principal to cschein3.keytab
root@SCHUL-REPL:~/univention-support# ktutil -k cschein3.keytab list
cschein3.keytab:

Vno  Type                     Principal                                                    Aliases
  3  aes256-cts-hmac-sha1-96  http-proxy-schul-repl@UNTERRICHT.SCHEIN.ME                  
  3  aes128-cts-hmac-sha1-96  http-proxy-schul-repl@UNTERRICHT.SCHEIN.ME                 
  3  arcfour-hmac-md5         http-proxy-schul-repl@UNTERRICHT.SCHEIN.ME                  
  3  aes256-cts-hmac-sha1-96  HTTP/schul-repl.unterricht.schein.me@UNTERRICHT.SCHEIN.ME  
  3  aes128-cts-hmac-sha1-96  HTTP/schul-repl.unterricht.schein.me@UNTERRICHT.SCHEIN.ME  
  3  arcfour-hmac-md5         HTTP/schul-repl.unterricht.schein.me@UNTERRICHT.SCHEIN.ME  


Working keytab:
root@SCHUL-REPL:~/univention-support# ktutil -k /var/lib/samba/private/http-proxy-UCS-EDU-DC.keytab list
/var/lib/samba/private/http-proxy-UCS-EDU-DC.keytab:

Vno  Type                     Principal                                                    Aliases
  3  aes256-cts-hmac-sha1-96  http-proxy-ucs-edu-dc@UNTERRICHT.SCHEIN.ME                  
  3  aes128-cts-hmac-sha1-96  http-proxy-ucs-edu-dc@UNTERRICHT.SCHEIN.ME                  
  3  arcfour-hmac-md5         http-proxy-ucs-edu-dc@UNTERRICHT.SCHEIN.ME                 
  3  aes256-cts-hmac-sha1-96  HTTP/ucs-edu-dc.unterricht.schein.me@UNTERRICHT.SCHEIN.ME  
  3  aes128-cts-hmac-sha1-96  HTTP/ucs-edu-dc.unterricht.schein.me@UNTERRICHT.SCHEIN.ME 
  3  arcfour-hmac-md5         HTTP/ucs-edu-dc.unterricht.schein.me@UNTERRICHT.SCHEIN.ME



https://git.knut.univention.de/univention/dev-issues/dev-incidents/-/issues/38

There is no chance of the customer renaming their hostname; we do not support that!
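The listings above show the mismatch directly: the Kerberos KDC and GSSAPI compare principal names byte for byte, so a keytab entry with an uppercase host part (for example http-proxy-UCS-SCHUL-REPL@REALM) does not satisfy a lookup for the lowercase form that Squid derives from the FQDN. The following script is an added example, not code from this bug report or from the UCS@school packages: it parses the text output of `ktutil -k <file> list` (the same format as shown in the report), derives the two principals a proxy keytab is expected to hold (the http-proxy-<host> and HTTP/<fqdn> entries seen in the working keytab, assumed here to be the canonical lowercase form), and reports each as present, present only with different casing, or missing. The embedded listing is constructed for the example and is not real keytab content; the hostnames and realm are taken from the report.

```python
"""Detect principal-case mismatches in a Heimdal keytab listing.

Added example, not code from the bug report or from UCS@school. It reads
`ktutil -k <keytab> list` output and checks whether the expected service
principals are present with exactly the expected casing, since Kerberos
principal lookups are case-sensitive.
"""
import re
import subprocess
import sys

# Constructed sample in the layout of `ktutil -k <keytab> list`, modelled on the
# listings in the report. The uppercase host parts reproduce the failure mode;
# these are NOT real keytab contents.
SAMPLE_LISTING = """\
/var/lib/samba/private/http-proxy-SCHUL-REPL.keytab:

Vno  Type                     Principal                                                    Aliases
  3  aes256-cts-hmac-sha1-96  http-proxy-SCHUL-REPL@UNTERRICHT.SCHEIN.ME
  3  aes128-cts-hmac-sha1-96  http-proxy-SCHUL-REPL@UNTERRICHT.SCHEIN.ME
  3  arcfour-hmac-md5         http-proxy-SCHUL-REPL@UNTERRICHT.SCHEIN.ME
  3  aes256-cts-hmac-sha1-96  HTTP/SCHUL-REPL.unterricht.schein.me@UNTERRICHT.SCHEIN.ME
"""

# A data row is: key version number, encryption type, principal, optional aliases.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)")


def parse_ktutil_list(text):
    """Return the set of principal names found in `ktutil list` output."""
    principals = set()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            principals.add(m.group(3))
    return principals


def expected_principals(hostname, domainname, realm):
    """Principals a UCS@school proxy keytab is expected to hold.

    Assumption (taken from the working keytab in the report): the host part is
    lowercase, the service name HTTP is uppercase, the realm stays as given.
    """
    host = hostname.lower()
    fqdn = f"{host}.{domainname.lower()}"
    return [f"http-proxy-{host}@{realm}", f"HTTP/{fqdn}@{realm}"]


def check_keytab(listing_text, wanted):
    """Classify each wanted principal as 'ok', 'case-mismatch (...)' or 'missing'.

    A case-only difference is reported separately from a real absence because
    it is exactly the condition the report describes: the key exists, but no
    exact-case entry matches what the service asks for.
    """
    present = parse_ktutil_list(listing_text)
    by_lowercase = {p.lower(): p for p in present}
    result = {}
    for principal in wanted:
        if principal in present:
            result[principal] = "ok"
        elif principal.lower() in by_lowercase:
            result[principal] = f"case-mismatch (keytab has {by_lowercase[principal.lower()]})"
        else:
            result[principal] = "missing"
    return result


if __name__ == "__main__":
    if len(sys.argv) == 5:
        # Usage: check_keytab.py <keytab> <hostname> <domainname> <REALM>
        # Assumes Heimdal ktutil (the tool used in the report) is installed.
        keytab, host, domain, realm = sys.argv[1:]
        listing = subprocess.run(["ktutil", "-k", keytab, "list"],
                                 check=True, capture_output=True, text=True).stdout
    else:
        host, domain, realm = "SCHUL-REPL", "unterricht.schein.me", "UNTERRICHT.SCHEIN.ME"
        listing = SAMPLE_LISTING
    for principal, state in check_keytab(listing, expected_principals(host, domain, realm)).items():
        print(f"{state:<60} {principal}")
```

Run without arguments it evaluates the constructed listing and flags both expected principals as case mismatches; run with a keytab path, hostname, domain name and realm it lists the real keytab via ktutil and applies the same check, which is a quick way to confirm whether a re-join has produced a usable keytab before Squid is restarted.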
Comment 1 Christina Scheinig univentionstaff 2024-07-11 16:51:28 CEST
After rerunning the Squid join script, the keytab will get "wrong" again and the authentication will fail. That is why the customer needs an update- and join-safe workaround, which is why I set the waiting support flag.
Comment 2 Julia Bremer univentionstaff 2024-07-15 09:47:21 CEST
This also impacts LDAP authentication using Kerberos, since the entries in the krb5.keytab have the same issue with the principals being uppercase.
E.g. ldapsearch -Y GSSAPI doesn't work in such an environment, but that is currently not a use case for the customer.

It should also be noted that the school installer forbids creating a school server with a hostname containing uppercase letters.