cepces with certmonger --session parameter #32

Open
aaros-pl opened this issue Mar 17, 2023 · 1 comment
Comments


aaros-pl commented Mar 17, 2023

Hi,

  • cepces v0.3.7
  • Ubuntu 22.04 LTS

I'm trying to request domain user certificates using cepces.
I successfully added the computer to the domain, built, compiled and installed cepces on Ubuntu, and I can request a machine certificate with cepces using the --system bus.
I wonder if it is possible for the current cepces version to use the user's Kerberos ccache to obtain domain user certificates via CEP/CES in the user D-Bus session, or to use the machine account to obtain a domain user certificate on behalf of the user. Maybe this is easy to implement?
I'm open to any suggestions for reconfiguring the AD domain / Linux client to make it work somehow.

cepces.conf
[global]
server=cepces.vmware.loc
type=Policy
auth=Kerberos

endpoint=https://${server}/ADPolicyProvider_CEP_${auth}/service.svc/CEP
cas=/etc/ssl/certs/ca-certificates.crt
poll_interval=3600
openssl_seclevel=1
keytab=/etc/krb5.keytab

# Default: <not defined>
#realm=

# Default: True
ccache=False

# Default: <empty list>
principals=
  ${shortname}$$
  ${SHORTNAME}$$
  host/${SHORTNAME}
  host/${fqdn}

# Default: <not defined>
enctypes=
  des-cbc-crc
  des-cbc-md5
  arcfour-hmac
  aes128-cts-hmac-sha1-96
  aes256-cts-hmac-sha1-96

# Default: True
delegate=True

[certificate]
# Default: <not defined>
#certfile = /path/to/openssl-certfile.pem

# Default: <not defined>
#keyfile = /path/to/openssl-keyfile.pem

My ticket

Ticket cache: FILE:/tmp/krb5cc_XXXXXXXXX_6VeKpC
Default principal: ubuntutest@VMWARE.LOC

Valid starting       Expires              Service principal
17.03.2023 09:51:40  17.03.2023 19:51:40  krbtgt/VMWARE.LOC@VMWARE.LOC
	renew until 18.03.2023 09:51:40

Keytab

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 asdf$@VMWARE.LOC
   2 asdf$@VMWARE.LOC
   2 asdf$@VMWARE.LOC
   2 host/asdf@VMWARE.LOC
   2 host/asdf@VMWARE.LOC
   2 host/asdf@VMWARE.LOC
   2 host/asdf.vmware.loc@VMWARE.LOC
   2 host/asdf.vmware.loc@VMWARE.LOC
   2 host/asdf.vmware.loc@VMWARE.LOC
   2 RestrictedKrbHost/asdf@VMWARE.LOC
   2 RestrictedKrbHost/asdf@VMWARE.LOC
   2 RestrictedKrbHost/asdf@VMWARE.LOC
   2 RestrictedKrbHost/asdf.vmware.loc@VMWARE.LOC
   2 RestrictedKrbHost/asdf.vmware.loc@VMWARE.LOC
   2 RestrictedKrbHost/asdf.vmware.loc@VMWARE.LOC

When I try to run a command like
getcert request --session -c cepces -w -v -M 644 -T User -I User -k $HOME/user.key -f $HOME/user.crt
I get

2023-03-17 09:44:14,006 __main__:ERROR:Traceback (most recent call last):
  File "/usr/lib/certmonger/cepces-submit", line 64, in main
    config = Configuration.load(global_overrides=global_overrides,
  File "/usr/local/lib/python3.10/dist-packages/cepces-0.3.7-py3.10.egg/cepces/config.py", line 156, in load
    return Configuration.from_parser(config)
  File "/usr/local/lib/python3.10/dist-packages/cepces-0.3.7-py3.10.egg/cepces/config.py", line 196, in from_parser
    return Configuration(endpoint, endpoint_type, cas, authn.handle(), poll_interval, openssl_seclevel)
  File "/usr/local/lib/python3.10/dist-packages/cepces-0.3.7-py3.10.egg/cepces/auth.py", line 100, in handle
    raise RuntimeError('No suitable key found in keytab.')
RuntimeError: No suitable key found in keytab.
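Added example for this issue (not code from cepces, and not part of the report above): a small Python script that lays the two authentication paths of the posted configuration side by side, to help pin down where "No suitable key found in keytab." comes from. It expands the `principals=` template from the posted cepces.conf the way configparser's ExtendedInterpolation does (the `${var}` / `$$` syntax the file uses; the assumption is that cepces fills `${shortname}`, `${SHORTNAME}` and `${fqdn}` from the host name and expands them the same way, with case-sensitive option names), checks each candidate against a constructed copy of the poster's `klist -k` listing, reports whether the keytab is readable by the calling user at all (the usual situation for an unprivileged `--session` run against a root-only /etc/krb5.keytab), and, for comparison, extracts the principal a `ccache=True` run would present from the posted `klist` output. Host name `asdf`, realm `VMWARE.LOC` and the paths are taken from the issue; the function names are this example's own.

```python
"""Expand cepces' `principals=` template and check it against a keytab listing.

Added example for this issue, not code from cepces.  The sample inputs are
constructed copies of the listings in the report.
"""
import configparser
import os

# Constructed copy of the poster's `klist -k` output, duplicates included.
KLIST_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 asdf$@VMWARE.LOC
   2 asdf$@VMWARE.LOC
   2 asdf$@VMWARE.LOC
   2 host/asdf@VMWARE.LOC
   2 host/asdf.vmware.loc@VMWARE.LOC
   2 RestrictedKrbHost/asdf@VMWARE.LOC
   2 RestrictedKrbHost/asdf.vmware.loc@VMWARE.LOC
"""

# Constructed copy of the poster's user ticket cache (`klist` as ubuntutest).
KLIST_CCACHE = """\
Ticket cache: FILE:/tmp/krb5cc_XXXXXXXXX_6VeKpC
Default principal: ubuntutest@VMWARE.LOC

Valid starting       Expires              Service principal
17.03.2023 09:51:40  17.03.2023 19:51:40  krbtgt/VMWARE.LOC@VMWARE.LOC
        renew until 18.03.2023 09:51:40
"""

# Realm and principals template copied from the posted cepces.conf.
CEPCES_CONF = """\
[global]
realm=VMWARE.LOC
principals=
  ${shortname}$$
  ${SHORTNAME}$$
  host/${SHORTNAME}
  host/${fqdn}
"""


def parse_keytab_listing(text):
    """Set of principals in `klist -k` output (one line per key, KVNO first)."""
    principals = set()
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            principals.add(parts[1].strip())
    return principals


def ccache_principal(text):
    """Principal a ccache=True run would authenticate as (from `klist`)."""
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            return line.split(":", 1)[1].strip()
    return None


def expand_principals(conf_text, shortname, fqdn):
    """Candidate keytab principals, in template order, as `name@REALM`.

    Assumption: cepces fills ${shortname}/${SHORTNAME}/${fqdn} from the host
    name and expands them with configparser's ExtendedInterpolation, where
    `$$` is the escape for the literal `$` of a machine account name.
    """
    parser = configparser.ConfigParser(
        interpolation=configparser.ExtendedInterpolation())
    parser.optionxform = str          # keep SHORTNAME and shortname distinct
    parser.read_string(conf_text)
    parser["global"]["shortname"] = shortname
    parser["global"]["SHORTNAME"] = shortname.upper()
    parser["global"]["fqdn"] = fqdn
    realm = parser["global"]["realm"]
    template = parser["global"]["principals"]   # interpolation happens here
    return [f"{p.strip()}@{realm}" for p in template.splitlines() if p.strip()]


def usable_principals(candidates, keytab_principals):
    """Candidates that actually have a key in the keytab."""
    return [p for p in candidates if p in keytab_principals]


def keytab_state(path):
    """Whether the calling user could open the keytab at all.

    An unprivileged --session run cannot read a root-only (mode 0600)
    /etc/krb5.keytab, so no principal can match whatever the template says.
    """
    if not os.path.exists(path):
        return "missing"
    if not os.access(path, os.R_OK):
        return "unreadable"
    return "readable"


def diagnose(shortname, fqdn, keytab_path="/etc/krb5.keytab"):
    """Summarise both authentication paths for the posted configuration."""
    candidates = expand_principals(CEPCES_CONF, shortname, fqdn)
    matches = usable_principals(candidates, parse_keytab_listing(KLIST_KEYTAB))
    return {
        "keytab": keytab_state(keytab_path),
        "candidates": candidates,
        "keytab_matches": matches,
        "ccache_principal": ccache_principal(KLIST_CCACHE),
    }


if __name__ == "__main__":
    for key, value in diagnose("asdf", "asdf.vmware.loc").items():
        print(f"{key}: {value}")
```

Run it from the same user session that runs getcert. Two of the four expanded candidates (`asdf$@VMWARE.LOC` and `host/asdf.vmware.loc@VMWARE.LOC`) do have keys in the posted keytab listing, while `host/ASDF@VMWARE.LOC` does not because Kerberos principal names are case-sensitive; so if `keytab` comes back `unreadable`, the traceback is the expected outcome of any `--session` run and not a template problem. Assuming, as the option name and the `# Default: True` comment suggest, that `ccache=True` makes cepces use the existing credential cache instead of the keytab, that setting is also the one that authenticates to the CEP endpoint as the logged-in user (`ubuntutest@VMWARE.LOC` here) rather than as the machine account, which is what a User template enrolment has to carry. Separately, the posted `enctypes=` list still contains the single-DES types `des-cbc-crc` and `des-cbc-md5`; MIT Kerberos has removed single-DES support and current Active Directory does not issue DES keys, so those entries can be dropped.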

@joakim-tjernlund

Seems similar to #21
