Why kinit -kt KDB: user@EXAMPLE.COM no longer works after CVE-2024-3183

Solution Verified - Updated

Environment

  • Products
      • Red Hat Enterprise Linux 9
      • Red Hat Enterprise Linux 8
      • Red Hat Enterprise Linux 7
      • Red Hat Identity Management (IdM)
  • Packages
      • ipa-server (see CVE-2024-3183 for the exact versions)
      • krb5-libs
      • krb5-workstation
      • krb5-server

Issue

  • The DISALLOW_SVR attribute is set on Kerberos user principals
  • kinit -kt KDB: user@EXAMPLE.COM fails, and the KRB5_TRACE output shows: Retrieving user@EXAMPLE.COM from KDB: (vno 0, enctype aes256-cts) with result: -1765328203/Key table entry not found

Resolution

Unfortunately, requesting tickets for user principals with kinit -kt KDB: is disabled by design as part of the CVE-2024-3183 fix; only user principals are affected by this restriction.

However, if the actual goal is to act on behalf of a user, you might be interested in constrained delegation (S4U2Proxy),
which allows a service to obtain a service ticket to another service on behalf of a user. In IdM this is configured through service delegation rules and targets (the ipa servicedelegationrule-* and ipa servicedelegationtarget-* commands).

Root Cause

Quote from CVE-2024-3183:

To mitigate this vulnerability, ticket requests to user principals are now disallowed in FreeIPA realms by default. This will keep attackers from obtaining data encrypted with the user key directly.

IPA implements this by setting the DISALLOW_SVR attribute on user principals. The KDB: keytab type honors that flag: instead of handing out the key of a principal marked DISALLOW_SVR, the lookup returns KRB5_KT_NOTFOUND (-1765328203, "Key table entry not found"), which is exactly the error shown above. This prevents kinit -kt KDB: ... from requesting tickets for users.

Diagnostic Steps

As root, to view the attributes of a principal:

# kadmin.local getprinc <principal>

The output looks like:

Principal: user@EXAMPLE.COM
...
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
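The following script is an added example and is not part of the Red Hat solution. It wraps the kadmin.local getprinc check above: has_disallow_svr parses getprinc output from stdin and reports whether DISALLOW_SVR is present, and check_principal runs the live query (assumed to be executed as root on the IdM server, where kadmin.local is available). The two getprinc outputs embedded in the script are constructed, abridged samples so that the parser can be exercised offline; the principal names in them are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: check whether a principal
# carries the DISALLOW_SVR attribute that makes "kinit -kt KDB:" fail.
#
# has_disallow_svr reads "kadmin.local getprinc" output on stdin.
# Exit status: 0 = DISALLOW_SVR present, 1 = absent, 2 = no "Attributes:" line.
has_disallow_svr() {
    awk '
        $1 == "Attributes:" {
            seen = 1
            for (i = 2; i <= NF; i++)
                if ($i == "DISALLOW_SVR") found = 1
        }
        END {
            if (!seen) exit 2
            exit (found ? 0 : 1)
        }'
}

# Query the live KDB for one principal and explain the result.
# Assumes it runs as root on the IdM server, where kadmin.local is available.
check_principal() {
    princ=$1
    out=$(kadmin.local -q "getprinc $princ" 2>/dev/null) || {
        echo "$princ: kadmin.local query failed (run as root on the KDC)"
        return 3
    }
    rc=0
    printf '%s\n' "$out" | has_disallow_svr || rc=$?
    case $rc in
        0) echo "$princ: DISALLOW_SVR set; kinit -kt KDB: will report 'Key table entry not found'" ;;
        1) echo "$princ: DISALLOW_SVR not set; kinit -kt KDB: is not blocked by this attribute" ;;
        *) echo "$princ: no Attributes line found in getprinc output" ;;
    esac
    return $rc
}

# Constructed, abridged getprinc output for offline use: a user principal
# after the CVE-2024-3183 fix and a service principal that is not flagged.
SAMPLE_USER='Principal: user@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: [none]'

SAMPLE_SERVICE='Principal: HTTP/ipa.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]'

if [ "$#" -gt 0 ]; then
    # On the KDC: sh check_disallow_svr.sh user@EXAMPLE.COM HTTP/ipa.example.com@EXAMPLE.COM
    for p in "$@"; do check_principal "$p"; done
else
    # No arguments: exercise the parser on the constructed samples.
    printf '%s\n' "$SAMPLE_USER" | has_disallow_svr && echo "sample user principal: DISALLOW_SVR set"
    printf '%s\n' "$SAMPLE_SERVICE" | has_disallow_svr || echo "sample service principal: DISALLOW_SVR not set"
fi
```

Run it with one or more principal names on the IdM server to query the real KDB; run it with no arguments anywhere to see the parser applied to the constructed samples.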

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.