SAML Kerberos auth broken

saml
kerberos

#1

Hello,

since I updated my DC to 4.4-0 erata47 the kerberos-SSO isn’t working anymore. My Clients and users get still kerberos tickets from the kdc for e.g. shares but not for http/ucs-sso.example.com.

As I followed these instructions from “Debugging the SAML Kerberos authentication” post, I ended up with

root@dc1:~# kinit -t /etc/simplesamlphp.keytab HTTP/ucs-sso.$(ucr get domainname)@$(ucr get kerberos/realm)

I get an Password incorrect…

what’s wrong here? any Ideas?

kind regards phiku


#2

Take a look at the keys stored in the keytab with ktutil -k /etc/simplesamlphp.keytab list & post the list here. Please also post the output of ucr get domainname and ucr get kerberos/realm, just to make sure the values are set correctly.


#3
 ktutil -k /etc/simplesamlphp.keytab list
/etc/simplesamlphp.keytab:

Vno  Type                     Principal                       Aliases
  2  des-cbc-crc              HTTP/ucs-sso.phiku.de@PHIKU.DE
  2  des-cbc-crc              ucs-sso@PHIKU.DE
  2  des-cbc-md5              HTTP/ucs-sso.phiku.de@PHIKU.DE
  2  des-cbc-md5              ucs-sso@PHIKU.DE
  2  arcfour-hmac-md5         HTTP/ucs-sso.phiku.de@PHIKU.DE
  2  arcfour-hmac-md5         ucs-sso@PHIKU.DE
  2  aes128-cts-hmac-sha1-96  HTTP/ucs-sso.phiku.de@PHIKU.DE
  2  aes128-cts-hmac-sha1-96  ucs-sso@PHIKU.DE
  2  aes256-cts-hmac-sha1-96  HTTP/ucs-sso.phiku.de@PHIKU.DE
  2  aes256-cts-hmac-sha1-96  ucs-sso@PHIKU.DE
  3  des-cbc-crc              HTTP/ucs-sso.phiku.de@PHIKU.DE
  3  des-cbc-crc              ucs-sso@PHIKU.DE
  3  des-cbc-md5              HTTP/ucs-sso.phiku.de@PHIKU.DE
  3  des-cbc-md5              ucs-sso@PHIKU.DE
  3  arcfour-hmac-md5         HTTP/ucs-sso.phiku.de@PHIKU.DE
  3  arcfour-hmac-md5         ucs-sso@PHIKU.DE
  3  aes128-cts-hmac-sha1-96  HTTP/ucs-sso.phiku.de@PHIKU.DE
  3  aes128-cts-hmac-sha1-96  ucs-sso@PHIKU.DE
  3  aes256-cts-hmac-sha1-96  HTTP/ucs-sso.phiku.de@PHIKU.DE
  3  aes256-cts-hmac-sha1-96  ucs-sso@PHIKU.DE

ucr get domainname and ucr get kerberos/realm:

phiku.de
ucr get kerberos/realm
PHIKU.DE

#4

Does ucr get kerberos/realm really yield lower-case phiku.de instread of PHIKU.DE? 'cause Kerberos is case-sensitive, and your keytab contains keys in the expected upper case.

However, the error message would be different if the requested ID used lower case:

[0 root@master ~] kinit -t /etc/simplesamlphp.keytab HTTP/ucs-sso.mbu-test.intranet@MBU-TEST.INTRANET
[0 root@master ~] kdestroy
[0 root@master ~] kinit -t /etc/simplesamlphp.keytab HTTP/ucs-sso.mbu-test.intranet@mbu-test.intranet
kinit: krb5_init_creds_set_keytab: Failed to find HTTP/ucs-sso.mbu-test.intranet@mbu-test.intranet in keytab FILE:/etc/simplesamlphp.keytab (unknown enctype)

It’s possible that the key version in the exported key tab is too old (meaning that a newer version is present on the KDC). Please execute the following & post the output:

univention-s4search --cross-ncs "(|(userPrincipalName=HTTP/ucs-sso.$(ucr get domainname)@$(ucr get kerberos/realm))(cn=ucs-sso))" | ldapsearch-wrapper
univention-s4search --cross-ncs "(|(userPrincipalName=HTTP/ucs-sso.$(ucr get domainname)@$(ucr get kerberos/realm))(cn=ucs-sso))" msDS-KeyVersionNumber
samba-tool domain exportkeytab ucs-sso.keytab --principal HTTP/ucs-sso.$(ucr get domainname)@$(ucr get kerberos/realm)
ktutil -k ucs-sso.keytab list
kinit -t ucs-sso.keytab HTTP/ucs-sso.$(ucr get domainname)@$(ucr get kerberos/realm)

Be sure to clean up afterwards:

kdestroy
rm ucs-sso.keytab

#5

this is workong well. Thank you.


#6

So, do you mean that your problem’s solved now?


#7

It was not working after the cleanup, but if tried again with:

there comes a Password incorrect again, but the SSO works for the clients.


#8

It’s me again. After the last update 4.4-0 errata59, the error comes back. I did your hints again and after a restart it works again