'HANDLE_AUTHDATA' error when trying to setup Kerberos trust between AD and FreeIPA

'HANDLE_AUTHDATA' error when trying to setup Kerberos trust between AD and FreeIPA

Robert Sturrock
Hi All,

I’m trying to create a (one-way) Kerberos trust between AD and a FreeIPA installation, such that user TGTs from AD can be used to access resources in the IPA realm.

I followed some (non-IPA related) steps for setting up Kerberos trusts between AD and MIT Kerberos - essentially creating a common TGT principal in both systems with a common password.  This works to a point (i.e. I can get the TGT for IPA using the AD TGT), but when I try to fetch a service ticket in the IPA domain I get a 'HANDLE_AUTHDATA' error.

Here is what I’m seeing:

 (AD domain = 'STAFF.LOCALREALM'; IPA domain = 'PALLAS.LOCALREALM')

 # Get AD TGT:
 Password for [hidden email]: XXXXXXXXX

 $ klist
 Ticket cache: KEYRING:persistent:10846:10846
 Default principal: [hidden email]

 Valid starting     Expires            Service principal
 11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/[hidden email]
         renew until 12/06/20 13:34:18

 # Use AD TGT to get an IPA TGT:
 $ kvno krbtgt/[hidden email]
 krbtgt/[hidden email]: kvno = 0

 $ klist
 Ticket cache: KEYRING:persistent:10846:10846
 Default principal: [hidden email]

 Valid starting     Expires            Service principal
 11/06/20 13:34:24  11/06/20 23:34:19  krbtgt/[hidden email]
         renew until 12/06/20 13:34:18
 11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/[hidden email]
         renew until 12/06/20 13:34:18

 # Try to fetch an IPA service ticket:
 $ kvno host/[hidden email]
 kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/[hidden email]

Can anyone provide some idea as to what’s going on here and how I resolve this?  I don’t really know what ‘HANDLE_AUTHDATA’ indicates and I’m not able to find a lot of documentation explaining this.

Thanks!

Robert.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: 'HANDLE_AUTHDATA' error when trying to setup Kerberos trust between AD and FreeIPA

Dmitri Pal
On Mon, Jun 15, 2020 at 2:39 AM Robert Sturrock <[hidden email]> wrote:

> Hi All,
>
> I’m trying to create a (one-way) Kerberos trust between AD and a FreeIPA
> installation, such that user TGTs from AD can be used to access resources
> in the IPA realm.
>
> I followed some (non-IPA related) steps for setting up Kerberos trusts
> between AD and MIT Kerberos - essentially creating a common TGT principal
> in both systems with a common password.  This works to a point (ie. I can
> get the TGT for IPA using the AD TGT), but when I try to fetch a service
> ticket in the IPA domain I get a ‘HANDLE_AUTHDATA’ error.
>

Was there any reason not to follow IPA steps for setting trusts?
They are very straightforward.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management



--

Thank you,
Dmitri Pal

Director, Software Engineering
Red Hat Enterprise Linux Platform Security and Identity Management
[hidden email]
 <https://red.ht/sig>

Re: [EXT] 'HANDLE_AUTHDATA' error when trying to setup Kerberos trust between AD and FreeIPA

Robert Sturrock
Hi Dmitri,

Sorry - I did not give all the background in the interests of brevity.  We do not want to establish a full trust between AD and IPA (at this stage).  This is for a number of reasons, but is primarily a reluctance to bring a very large and entirely irrelevant set of AD groups across to IPA-enrolled hosts.

The IPA installation is running in a 'winsync' arrangement with AD, but as a convenience for the users it would be useful if a TGT from AD were sufficient to access services in the IPA realm, to save them having to 'kinit' to another Kerberos realm.

So I’m interested in establishing a trust at the Kerberos level only.  We have done this successfully between a legacy MIT Kerberos service and IPA, so I hoped we could also set one up between AD and IPA, before running into the error I described.

Any clues as to what the reason for the ‘HANDLE_AUTHDATA’ error might be?

Regards,

Robert.


Re: [EXT] 'HANDLE_AUTHDATA' error when trying to setup Kerberos trust between AD and FreeIPA

Dmitri Pal
On Mon, Jun 15, 2020 at 9:49 PM Robert Sturrock <[hidden email]> wrote:

> Hi Dmitri,
>
> Sorry - I did not give all the background in the interests of brevity.  We
> do not want to establish a full trust between AD and IPA (at this stage).
> This is for a number of reasons, but is primarily a reluctance to bring a
> very large and entirely irrelevant set of AD groups across to IPA-enrolled
> hosts.
>
> The IPA installation is running in a ‘winsync’ arrangement with AD, but as
> a convenience for the users it would be useful if a TGT from AD were
> sufficient to access services in the IPA realm, to save them having to
> ‘kinit' to another kerberos realm.
>
> So I’m interested in establishing a trust at the Kerberos level only.  We
> have done this successfully between a legacy MIT kerberos service and IPA,
> so I hoped we could also set one up between AD and IPA, before running into
> the error I described.
>
> Any clues as to what the reason for the ‘HANDLE_AUTHDATA’ error might be?
>

Thanks for the explanation.
I suspect that IdM does not know anything about the principal you are using
and thus fails to fetch/process authorization data that it needs to put
into the ticket.
But this is my pure speculation based on a general understanding of the IPA
architecture.
You might get better help on the freeipa-users list but frankly I am not
sure anyone tried or would recommend such a setup there. You are crossing
uncharted territory for sure.

Thanks
Dmitri



Re: [EXT] 'HANDLE_AUTHDATA' error when trying to setup Kerberos trust between AD and FreeIPA

Robbie Harwood
Robert Sturrock <[hidden email]> writes:

> Hi Dmitri,
>
> Sorry - I did not give all the background in the interests of brevity.
> We do not want to establish a full trust between AD and IPA (at this
> stage).  This is for a number of reasons, but is primarily a
> reluctance to bring a very large and entirely irrelevant set of AD
> groups across to IPA-enrolled hosts.
>
> The IPA installation is running in a ‘winsync’ arrangement with AD,
> but as a convenience for the users it would be useful if a TGT from AD
> were sufficient to access services in the IPA realm, to save them
> having to ‘kinit' to another kerberos realm.
>
> So I’m interested in establishing a trust at the Kerberos level only.
> We have done this successfully between a legacy MIT kerberos service
> and IPA, so I hoped we could also set one up between AD and IPA,
> before running into the error I described.
>
> Any clues as to what the reason for the ‘HANDLE_AUTHDATA’ error might be?

For context, the full error is:

    kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/[hidden email]

Anyway, first step is to check the KDC logs (since that's who generated
the error) - there's possibly more information there.

Thanks,
--Robbie

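Robbie's advice is to read the KDC log, since the IPA KDC is what produced HANDLE_AUTHDATA, and Dmitri's guess is that the IPA KDC is rejecting a client principal from a realm it knows nothing about. The script below is an added example for this thread (not code from any of the posters, nor from MIT krb5 or FreeIPA) that triages MIT krb5kdc.log lines in exactly that way: it parses TGS_REQ records and separates cross-realm requests (client realm differs from the service's realm) from local ones, so the AD-realm failures stand out next to requests from local users or from a working MIT trust. The sample log lines are constructed to match the shape of MIT KDC request records; that layout is an assumption, as are the host names, addresses, user names (`alice`, `bob`, `rsturrock`), the `LEGACY.LOCALREALM` name standing in for the legacy MIT realm, and the trailing error text, none of which come from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of MIT krb5kdc.log lines, written the way an IPA KDC
# serving realm PALLAS.LOCALREALM might record them.  Hosts, addresses, user
# names, pid, the LEGACY.LOCALREALM realm and the trailing error text are
# placeholders invented for this example; only STAFF/PALLAS come from the thread.
SAMPLE_KDC_LOG = """\
Jun 11 13:30:00 ipa1.pallas.localrealm krb5kdc[2216](info): commencing operation
Jun 11 13:34:19 ipa1.pallas.localrealm krb5kdc[2216](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.7: ISSUE: authtime 1591846459, etypes {rep=18 tkt=18 ses=18}, alice@PALLAS.LOCALREALM for krbtgt/PALLAS.LOCALREALM@PALLAS.LOCALREALM
Jun 11 13:34:21 ipa1.pallas.localrealm krb5kdc[2216](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.7: ISSUE: authtime 1591846459, etypes {rep=18 tkt=18 ses=18}, alice@PALLAS.LOCALREALM for host/web1.pallas.localrealm@PALLAS.LOCALREALM
Jun 11 13:34:26 ipa1.pallas.localrealm krb5kdc[2216](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.5: ISSUE: authtime 1591846400, etypes {rep=18 tkt=18 ses=18}, bob@LEGACY.LOCALREALM for host/web1.pallas.localrealm@PALLAS.LOCALREALM
Jun 11 13:34:31 ipa1.pallas.localrealm krb5kdc[2216](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.5: HANDLE_AUTHDATA: authtime 1591846459, rsturrock@STAFF.LOCALREALM for host/web1.pallas.localrealm@PALLAS.LOCALREALM, KDC policy rejects request
"""

# Assumed shape of an MIT KDC request record (adjust if your KDC logs differ):
#   <ts> <host> krb5kdc[<pid>](<level>): <KIND> (<etypes>) <addr>: <STATUS>:
#   authtime <n>, [etypes {...}, ]<client> for <server>[, <error text>]
KDC_REQ_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[\d+\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>-?\d+),\s+"
    r"(?:etypes \{[^}]*\},\s+)?(?P<client>\S+) for (?P<server>\S+?)"
    r"(?:, (?P<message>.*))?$"
)


@dataclass(frozen=True)
class KdcRequest:
    timestamp: str
    kind: str                # AS_REQ or TGS_REQ
    client_addr: str
    status: str              # "ISSUE" on success, otherwise the KDC's failure label
    client: str              # client principal, e.g. user@REALM
    server: str              # requested service principal
    message: Optional[str]   # trailing error text, when the KDC logged one

    @property
    def client_realm(self) -> str:
        return self.client.rsplit("@", 1)[-1]

    @property
    def server_realm(self) -> str:
        return self.server.rsplit("@", 1)[-1]

    @property
    def is_cross_realm(self) -> bool:
        # A client from another realm reaching this KDC via a cross-realm TGT.
        return self.client_realm != self.server_realm


def parse_kdc_log(text: str, kinds: Tuple[str, ...] = ("TGS_REQ",)) -> List[KdcRequest]:
    """Return the request records in `text` whose kind is in `kinds`.
    Lines of any other shape (startup notices and the like) are skipped."""
    records: List[KdcRequest] = []
    for line in text.splitlines():
        m = KDC_REQ_RE.match(line)
        if m and m.group("kind") in kinds:
            records.append(KdcRequest(
                timestamp=m.group("ts"), kind=m.group("kind"),
                client_addr=m.group("addr"), status=m.group("status"),
                client=m.group("client"), server=m.group("server"),
                message=m.group("message")))
    return records


def cross_realm_failures(records: List[KdcRequest]) -> List[KdcRequest]:
    """Cross-realm requests the KDC refused (any status other than ISSUE)."""
    return [r for r in records if r.is_cross_realm and r.status != "ISSUE"]


def summarize_by_realm_pair(records: List[KdcRequest]) -> Dict[Tuple[str, str, str], int]:
    """Count records by (client realm, service realm, status), so a realm
    that only ever fails is visible at a glance."""
    return Counter((r.client_realm, r.server_realm, r.status) for r in records)


if __name__ == "__main__":
    tgs = parse_kdc_log(SAMPLE_KDC_LOG)
    for (crealm, srealm, status), n in sorted(summarize_by_realm_pair(tgs).items()):
        print(f"{crealm:>20} -> {srealm:<20} {status:<16} {n}")
    for r in cross_realm_failures(tgs):
        print(f"{r.timestamp} {r.client} for {r.server}: {r.status} ({r.message})")
```

Point it at the IPA KDC's log (on a FreeIPA server normally /var/log/krb5kdc.log) instead of the constructed sample; the useful signal is a realm pair whose only status is a failure label such as HANDLE_AUTHDATA while local users and any working cross-realm peer show ISSUE for the same service principal, which localizes the problem to how the IPA KDC handles that client realm rather than to the service or the client machine.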