[Freeipa-users] Re: GetKeytabControl extended operation

Alexander Bokovoy via FreeIPA-users Mon, 30 Dec 2024 23:22:17 -0800

On Аўт, 31 сне 2024, Yuriy Halytskyy via FreeIPA-users wrote:

Hi, and Happy New Year!


I am trying to request service and host keytabs programmatically. The
idea is to create terraform data source with Go, but I am also
experimenting with python because it has good ASN1 support. There are
already several terraform providers for IPA but they all use RPC only
and there does not appear to be an RPC call to get a keytab.

This looks like straightforward extended operation in ldap:

https://github.com/freeipa/freeipa/blob/3a5ce9cb2af362d97d598f2198cbc20c4c32710b/asn1/asn1c/ipa.asn1#L6

The reply I am supposed to receive is:
   GKReply ::= SEQUENCE {
       newkvno     Int32,
       keys        SEQUENCE OF KrbKey
   }

So I send GKCurrentKeys message, but the reply is interpreted as LDAP
controls both by python and Go ldap libraries? Which doesn't make any
sense to me because controls are supposedly part of ldap request, not
ldap response, but I don't know much about ldap.


Correct. You sent an LDAP request with an extended control and you'd
receive a response with an extended control containing the keys. They
cannot be represented as an LDAP object directly, so LDAP object
returned by this request is empty.

See https://www.freeipa.org/page/V4/Keytab_Retrieval for details.


This is what I get in python after sending a request for
host/ipa.example.t...@ipa.example.test

Request message is:

LDAPMessage:
messageID=30
protocolOp=ProtocolOp:
 extendedReq=ExtendedRequest:
  requestName=2.16.840.1.113730.3.8.10.5
  requestValue=0xa11b3019a0170415686f73742f6970612e6578616d706c652e74657374



Result message:
<<{'controls': [(0,
<<               True,
<<               16,
<<               [(0, False, 4, b'2.16.840.1.113730.3.8.10.5'),
<<                (0,
<<                 False,
<<                 4,
<<
b'\xa2\x81\xf30\x81\xf0\x02\x01\x020\x81\xea0-\xa0+0)\xa0\x03'
<<                 b'\x02\x01\x12\xa1"\x04
R%\xb2\xec\x13=g\xc9J\xad\x07\xbf\x14'
<<                 b'\x83\xac\xccg\xa4w\xfcV\xd8\x90#\x1a%s\xe7\xd8\xb0G\x9c0'
<<                 b'\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x11\xa1\x12\x04\x10\xf7k'
<<                 b'\x90\x84-\xf0\xa9\x02\xbf\xa5H\xdb\xfe\xa0\x94y0\x1d'
<<                 b'\xa0\x1b0\x19\xa0\x03\x02\x01\x13\xa1\x12\x04\x10MOX'
<<                 b'\x0e\xae\xed\x95_\xba\xe7\xaa\xcd?C7\x050-\xa0+0)\xa0'
<<                 b'\x03\x02\x01\x14\xa1"\x04 \xd5]6\xe4\xf6D\x96#i\xa6\x9fX'
<<                 b"\x93\xd7\xf3\x03\xc9f\xb5'\x022z\x93WZ\xb2\x8c\xe5rW\x0f"
<<                 b'0\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x19\xa1\x12\x04\x10<'
<<                 b'|\x84\xdd"\x9cl\xed\x01\xdb\xc7\xbe\xd2\xbfg\xbe0-\xa0+0'
<<                 b')\xa0\x03\x02\x01\x1a\xa1"\x04
\xf6.\xd9/\xae\xf8\xc3j4\x03'
<<                 b'\n\x12?\xb4%!\x10+&]\xae\xad\xb5\x07\xf7f\xc6\x93\xb1\xcb'
<<                 b'L\x96')])],
<< 'messageID': 30,
<< 'payload': [(0, False, 10, 0), (0, False, 4, b''), (0, False, 4, b'')],
<< 'protocolOp': 24}

The payload is just 4 bytes...

That bit blob in controls is valid keytab list and I can decode it
using asn1 definitions from

c.result['controls']['2.16.840.1.113730.3.8.10.5'].values().mapping['value']

b'\xa2\x81\xf30\x81\xf0\x02\x01\x020\x81\xea0-\xa0+0)\xa0\x03\x02\x01\x12\xa1"\x04
R%\xb2\xec\x13=g\xc9J\xad\x07\xbf\x14\x83\xac\xccg\xa4w\xfcV\xd8\x90#\x1a%s\xe7\xd8\xb0G\x9c0\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x11\xa1\x12\x04\x10\xf7k\x90\x84-\xf0\xa9\x02\xbf\xa5H\xdb\xfe\xa0\x94y0\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x13\xa1\x12\x04\x10MOX\x0e\xae\xed\x95_\xba\xe7\xaa\xcd?C7\x050-\xa0+0)\xa0\x03\x02\x01\x14\xa1"\x04
\xd5]6\xe4\xf6D\x96#i\xa6\x9fX\x93\xd7\xf3\x03\xc9f\xb5\'\x022z\x93WZ\xb2\x8c\xe5rW\x0f0\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x19\xa1\x12\x04\x10<|\x84\xdd"\x9cl\xed\x01\xdb\xc7\xbe\xd2\xbfg\xbe0-\xa0+0)\xa0\x03\x02\x01\x1a\xa1"\x04
\xf6.\xd9/\xae\xf8\xc3j4\x03\n\x12?\xb4%!\x10+&]\xae\xad\xb5\x07\xf7f\xc6\x93\xb1\xcbL\x96'

Go produces similar result. This is what the response looks like:
LDAP Response: (Universal, Constructed, Sequence and Sequence of)
Len=297 "<nil>"
Message ID: (Universal, Primitive, Integer) Len=1 "2"
Extended Response: (Application, Constructed, 0x18) Len=7 "<nil>"
 (Universal, Primitive, Enumerated) Len=1 "0"
 (Universal, Primitive, Octet String) Len=0 ""
 (Universal, Primitive, Octet String) Len=0 ""
(Context, Constructed, 0x00) Len=281 "<nil>"
 (Universal, Constructed, Sequence and Sequence of) Len=277 "<nil>"
  (Universal, Primitive, Octet String) Len=26 "2.16.840.1.113730.3.8.10.5"
  (Universal, Primitive, Octet String) Len=246
"\xa2\x81\xf30\x81\xf0\x02\x01\x020\x81\xea0-\xa0+0)\xa0\x03\x02\x01\x12\xa1\"\x04
R%\xb2\xec\x13=g\xc9J\xad\a\xbf\x14\x83\xac\xccg\xa4w\xfcVؐ#\x1a%s\xe7ذG\x9c0\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x11\xa1\x12\x04\x10\xf7k\x90\x84-\xf0\xa9\x02\xbf\xa5H\xdb\xfe\xa0\x94y0\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x13\xa1\x12\x04\x10MOX\x0e\xae\xed\x95_\xba\xe7\xaa\xcd?C7\x050-\xa0+0)\xa0\x03\x02\x01\x14\xa1\"\x04
\xd5]6\xe4\xf6D\x96#i\xa6\x9fX\x93\xd7\xf3\x03\xc9f\xb5'\x022z\x93WZ\xb2\x8c\xe5rW\x0f0\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x19\xa1\x12\x04\x10<|\x84\xdd\"\x9cl\xed\x01\xdbǾҿg\xbe0-\xa0+0)\xa0\x03\x02\x01\x1a\xa1\"\x04
\xf6.\xd9/\xae\xf8\xc3j4\x03\n\x12?\xb4%!\x10+&]\xae\xad\xb5\a\xf7fƓ\xb1\xcbL\x96"

Again, the extended response is just 4 bytes of nothing, and the
actual result is provided after that and Go is confused (and so am I).

[root@ipa /]# ipa --version
VERSION: 4.11.0, API_VERSION: 2.253

Is there a bug here, or does this work as intended?

Cheers,
Yuriy
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Freeipa-users] Re: GetKeytabControl extended operation

Reply via email to