Author: Aly Khimji


A quick tip for anyone who might be experiencing a strange issue when attempting to leverage Red Hat’s IdM KDCproxy functionality. In a recent deployment which required segmentation of RHEL7.2 nodes in a DMZ, there was a requirement to allow authentication via an internal KDC. This was a perfect use case for leveraging the KDCproxy functionality. Since SSSD was calling the krb5_child process, which attempts to reach the KDC over HTTPS, I was finding some strange behavior in which access was being denied by SSSD when testing authentication against the internal KDC.

A deeper investigation via tcpdump showed that the traffic was not even hitting the wire. Taking a closer look at our trusty friend SELinux revealed that the krb5_child process was being blocked. This resulted in a failure being returned to SSSD when it attempted to validate the authentication, which in turn resulted in access being denied.

This issue has since been fixed in RHEL7.3; however, many customers certify images within their organization and do not apply minor updates for extended periods of time. If you fall into this bucket and might have this issue, keep reading.

While tailing the /var/log/audit/audit.log file and attempting to authenticate via the SSSD/KDCproxy function, look for output similar to the below.

—log snippets—

[[email protected] ~]# grep AVC /var/log/audit/audit.log  | egrep "sssd|krb5"

type=AVC msg=audit(1480081889.294:504): avc:  denied  { name_connect } for  pid=3583 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1480081889.295:505): avc:  denied  { name_connect } for  pid=3583 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1480081889.310:506): avc:  denied  { name_connect } for  pid=3585 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

This issue is due to a missing SELinux rule: without it, the krb5_child process (running in the sssd_t domain) is denied a name_connect to the http_port_t port and so fails to retrieve a ticket from the Key Distribution Center (KDC) proxy over HTTPS. This incorrect behavior prevents SSSD from completing the authentication.
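To check a host for this signature without eyeballing the log, here is an added shell example (not from the original post): it scans an audit log for AVC denials where krb5_child in the sssd_t domain was refused name_connect to http_port_t, and reports the affected pids and destination ports. The function names and the two non-matching sample lines are constructed for illustration; the two matching lines are the ones quoted above.

```shell
#!/bin/sh
# Added example: detect the SELinux denial that blocks SSSD's krb5_child from
# reaching the KDC proxy over HTTPS. Sample audit log constructed inline; the
# two krb5_child lines are from the post, the httpd and USER_AUTH lines are
# made up to show that unrelated records are ignored.
SAMPLE_AUDIT_LOG="$(mktemp)"
cat >"$SAMPLE_AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1480081889.294:504): avc:  denied  { name_connect } for  pid=3583 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=USER_AUTH msg=audit(1480081889.320:507): pid=3570 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=203.0.113.10 addr=203.0.113.10 terminal=ssh res=failed'
type=AVC msg=audit(1480081900.101:510): avc:  denied  { read } for  pid=4010 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1480081889.310:506): avc:  denied  { name_connect } for  pid=3585 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
EOF

# kdcproxy_avc_report LOGFILE
# Prints "pid=<n> dest=<port>" for every AVC record that matches the
# krb5_child/sssd_t -> http_port_t name_connect signature.
# Exit status: 0 if at least one record matched, 1 otherwise.
kdcproxy_avc_report() {
    awk '
      /^type=AVC/ && /denied/ && /name_connect/ &&
      /comm="krb5_child"/ && /scontext=[^ ]*:sssd_t/ &&
      /tcontext=[^ ]*:http_port_t/ && /tclass=tcp_socket/ {
          pid = "?"; dest = "?"
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^pid=/)  pid  = substr($i, 5)
              if ($i ~ /^dest=/) dest = substr($i, 6)
          }
          hits++
          printf "pid=%s dest=%s\n", pid, dest
      }
      END { exit (hits > 0 ? 0 : 1) }
    ' "$1"
}

# kdcproxy_avc_count LOGFILE
# Prints the number of matching AVC records (0 when there are none).
kdcproxy_avc_count() {
    kdcproxy_avc_report "$1" | wc -l | tr -d ' '
}

# Stand-alone usage against the constructed sample log.
if kdcproxy_avc_report "$SAMPLE_AUDIT_LOG"; then
    echo "SELinux is denying krb5_child (sssd_t) HTTPS access to the KDC proxy."
else
    echo "No matching AVC denials found."
fi
```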

I filed a Bugzilla report which confirmed the issue, and a request to backport the fix to RHEL7.2 has now been completed, so look for this update if you are running into this bug.

Our Bugzilla report can be found here, and the official errata can be found here.

Hope this helps you. If you are having any other odd issues and need a second set of eyes, feel free to reach out to us!
