Bug 1043488
| Field | Value |
|---|---|
| Summary | 'Ticket expired' message lost by the FreeIPA RPC client fallback code |
| Product | Red Hat Enterprise Linux 7 |
| Component | ipa |
| Version | 7.0 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | low |
| Priority | medium |
| Type | Bug |
| Reporter | Javier Ramirez <javier.ramirez> |
| Assignee | Martin Kosek <mkosek> |
| QA Contact | Namita Soman <nsoman> |
| CC | dpal, pablo.iranzo, pep, rcritten, spoore |
| Target Milestone | rc |
| Target Release | --- |
| Fixed In Version | ipa-4.2.0-3.el7 |
| Doc Type | Bug Fix |
| Last Closed | 2015-08-07 09:04:36 UTC |
Description (Javier Ramirez, 2013-12-16 12:56:12 UTC)
During the CA renewal the trust on the audit certificate wasn't set properly, resulting in the CA shutting down right after starting. This caused the LDAP and Apache server certs to not renew and expire.

To reproduce this bug, have at least 2 masters. Expired certificates should not be necessary:

- kinit admin
- ipa cert-show 1
- set date back to when SSL certs still valid
- ipa cert-show 1 (or any IPA command, really)
- fail

There are two problems:

1) The 'Ticket expired' message got lost by the XML-RPC client fallback code.
2) The mod_auth_kerb code to manage the Apache cert for S4U2proxy apparently doesn't consider not-valid-yet to be a reason to get a new ticket.

(In reply to Rob Crittenden from comment #1)
> During the CA renewal the trust on the audit certificate wasn't set properly
> resulting in the CA shutting down right after starting. This caused the LDAP
> and Apache server certs to not renew and expire.

Should we spawn another BZ for that?

Thanks,
Pablo

Yes, please open a second bug against mod_auth_kerb to investigate its ticket handling code.

Rob, what is then the target of this Bugzilla? Just fixing this bug:
> 1) The 'Ticket expired' message got lost by the XML-RPC client fallback code.
? If yes, I will open an upstream ticket. If you also know the place where the message was lost or even have a patch, it is very welcome.
The message was lost in the fallback code. The user has 2 masters and the SRV records configured in DNS, so it tried each one and ate the ticket-not-yet-valid message each time. I suspect that what we want to do is ignore any connection errors due to the remote master being down and report everything else (and still fail over).

Ok, I will then change the title of the bug and create an upstream ticket.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4100

According to https://fedorahosted.org/freeipa/ticket/4100#comment:4 and https://fedorahosted.org/freeipa/ticket/4100#comment:5 this is very likely to be fixed in the FreeIPA 4.2.0 release, which is planned for RHEL-7.2. Moving to POST.

Due to the nature of the bug, it is hard to test. But based on the investigation done upstream mentioned in Comment 8 it should be fixed in FreeIPA 4.2.0+, which is being rebased for RHEL-7.2. I will thus close this bug as CURRENTRELEASE. Please reopen the bug if the issue reoccurs with FreeIPA 4.2.0 or older (in RHEL-7.2 Beta or later).

Yes, this does appear fixed.

Version :: ipa-server-4.2.0-11.el7.x86_64

Results ::

```
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit admin
Password for admin:
[root@rhel7-1 ~]# ipa cert-show 1
  Certificate: MIID...truncated...
  Subject: CN=Certificate Authority,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Wed Sep 23 22:11:33 2015 UTC
  Not After: Sun Sep 23 22:11:33 2035 UTC
  Fingerprint (MD5): 94:75:09:bb:68:26:9a:37:2d:90:23:9a:70:20:80:36
  Fingerprint (SHA1): de:0e:81:fa:2d:c8:13:f7:67:21:f0:c6:d3:8b:1d:95:8f:2e:9b:07
  Serial number (hex): 0x1
  Serial number: 1
[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_cNjEZJU
Default principal: admin

Valid starting       Expires              Service principal
09/29/2015 13:05:54  09/30/2015 13:05:44  HTTP/rhel7-1.example.com
09/29/2015 13:05:46  09/30/2015 13:05:44  krbtgt/EXAMPLE.COM
[root@rhel7-1 ~]# date 09291200
Tue Sep 29 12:00:00 CDT 2015
[root@rhel7-1 ~]# ipa cert-show 1
ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Ticket not yet valid', -1765328351)/
```
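The failover behaviour discussed in the thread (try each master from the SRV list, but only a transport failure justifies moving on; a Kerberos rejection from a reachable master must be surfaced, not eaten), as an added Python example. This is not FreeIPA's own `ipalib/rpc.py` code: the `make_backend` stand-in for the XML-RPC transport, the `KerberosError`/`AllMastersDown` classes and the `ipa1.example.com`/`ipa2.example.com` hostnames are constructed for illustration. `call_lossy` reproduces the reported failure mode beside the corrected `call_with_failover`.

```python
import errno


class KerberosError(Exception):
    """Authentication-layer failure returned by a live master
    (e.g. 'Ticket expired' or 'Ticket not yet valid')."""


class AllMastersDown(Exception):
    """Every master failed at the transport layer; keeps per-host detail."""

    def __init__(self, attempts):
        self.attempts = attempts
        detail = "; ".join(f"{host}: {err}" for host, err in attempts)
        super().__init__(f"no master could be reached ({detail})")


def call_lossy(servers, rpc):
    """The failure mode from the bug: every exception is treated as
    'this master did not work, try the next one', so a Kerberos message
    from a reachable master is discarded along with genuine outages."""
    for host in servers:
        try:
            return rpc(host)
        except Exception:
            continue
    raise RuntimeError("cannot connect to any server")


def call_with_failover(servers, rpc):
    """Try each master in order, failing over only on transport errors.

    OSError (socket.error is an alias of it in Python 3) covers connection
    refused, timeouts and name-resolution failures: the host is down, so
    try the next one.  Anything else is an answer from a live master that
    another host will not fix, so it is raised at once, message intact.
    """
    attempts = []
    for host in servers:
        try:
            return rpc(host)
        except OSError as err:
            attempts.append((host, err))
    raise AllMastersDown(attempts)


def make_backend(behaviour):
    """Constructed stand-in for the XML-RPC transport (hypothetical, not
    FreeIPA's): maps a hostname to 'down', 'krb', or a value to return."""
    def rpc(host):
        what = behaviour[host]
        if what == "down":
            raise ConnectionRefusedError(errno.ECONNREFUSED, "Connection refused")
        if what == "krb":
            raise KerberosError("Ticket not yet valid")
        return what
    return rpc


def demo_failover():
    """First master down, second answers: both loops fail over correctly."""
    behaviour = {"ipa1.example.com": "down", "ipa2.example.com": "ok"}
    rpc = make_backend(behaviour)
    return call_lossy(list(behaviour), rpc), call_with_failover(list(behaviour), rpc)


def demo_ticket_error():
    """Second master is reachable but rejects the ticket: the lossy loop
    reports a generic connection failure, the fixed loop the real cause."""
    behaviour = {"ipa1.example.com": "down", "ipa2.example.com": "krb"}
    rpc = make_backend(behaviour)
    lossy = fixed = None
    try:
        call_lossy(list(behaviour), rpc)
    except RuntimeError as e:
        lossy = str(e)
    try:
        call_with_failover(list(behaviour), rpc)
    except KerberosError as e:
        fixed = str(e)
    return lossy, fixed


def demo_all_down():
    """All masters unreachable: the fixed loop still reports each attempt."""
    behaviour = {"ipa1.example.com": "down", "ipa2.example.com": "down"}
    try:
        call_with_failover(list(behaviour), make_backend(behaviour))
    except AllMastersDown as e:
        return [host for host, _ in e.attempts]


if __name__ == "__main__":
    print(demo_failover())
    print(demo_ticket_error())
    print(demo_all_down())
```

The practical check this encodes: a clock skew or expired credential reproduces on every master, so retrying it across the SRV list can only turn a clear "Ticket not yet valid" into a misleading "cannot connect", which is exactly what the reporter saw.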