| Summary: | 'Ticket expired' message lost by the FreeIPA RPC client fallback code | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Javier Ramirez <javier.ramirez> |
| Component: | ipa | Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Namita Soman <nsoman> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | dpal, pablo.iranzo, pep, rcritten, spoore |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.2.0-3.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-08-07 09:04:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
During the CA renewal the trust on the audit certificate wasn't set properly, resulting in the CA shutting down right after starting. This caused the LDAP and Apache server certs to not renew and expire.

To reproduce this bug, have at least 2 masters. Expired certificates should not be necessary:

- kinit admin
- ipa cert-show 1
- set date back to when SSL certs still valid
- ipa cert-show 1 (or any IPA command, really)
- fail

There are two problems:

1) The 'Ticket expired' message got lost by the XML-RPC client fallback code.
2) The mod_auth_kerb code to manage the Apache cert for S4U2proxy apparently doesn't consider not-valid-yet to be a reason to get a new ticket.

(In reply to Rob Crittenden from comment #1)
> During the CA renewal the trust on the audit certificate wasn't set properly
> resulting in the CA shutting down right after starting. This caused the LDAP
> and Apache server certs to not renew and expire.

Should we spawn another BZ for that?

Thanks,
Pablo

Yes, please open a second bug against mod_auth_kerb to investigate its ticket handling code.

Rob, what is then the target of this Bugzilla? Just fixing this bug:

> 1) The 'Ticket expired' message got lost by the XML-RPC client fallback code.

? If yes, I will open an upstream ticket. If you also know the place where the message was lost or even have a patch, it is very welcome.

The message was lost in the fallback code. The user has 2 masters and the SRV records configured in DNS, so it tried each one and ate the ticket not yet valid message each time. I suspect that what we want to do is ignore any connection errors due to the remote master being down and report everything else (and still fail over).

Ok, I will then change the title of the bug and create an upstream ticket.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4100

According to https://fedorahosted.org/freeipa/ticket/4100#comment:4 and https://fedorahosted.org/freeipa/ticket/4100#comment:5 this is very likely to be fixed in the FreeIPA 4.2.0 release, which is planned for RHEL-7.2. Moving to POST.

Due to the nature of the bug, it is hard to test. But based on the investigation done upstream mentioned in Comment 8 it should be fixed in FreeIPA 4.2.0+, which is being rebased for RHEL-7.2. I will thus close this bug as CURRENTRELEASE. Please reopen the bug if the issue reoccurs with FreeIPA 4.2.0 or older (in RHEL-7.2 Beta or later).

Yes this does appear fixed.
Version ::
ipa-server-4.2.0-11.el7.x86_64

Results ::

```
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit admin
Password for admin:
[root@rhel7-1 ~]# ipa cert-show 1
  Certificate: MIID...truncated...
  Subject: CN=Certificate Authority,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Wed Sep 23 22:11:33 2015 UTC
  Not After: Sun Sep 23 22:11:33 2035 UTC
  Fingerprint (MD5): 94:75:09:bb:68:26:9a:37:2d:90:23:9a:70:20:80:36
  Fingerprint (SHA1): de:0e:81:fa:2d:c8:13:f7:67:21:f0:c6:d3:8b:1d:95:8f:2e:9b:07
  Serial number (hex): 0x1
  Serial number: 1
[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_cNjEZJU
Default principal: admin

Valid starting       Expires              Service principal
09/29/2015 13:05:54  09/30/2015 13:05:44  HTTP/rhel7-1.example.com
09/29/2015 13:05:46  09/30/2015 13:05:44  krbtgt/EXAMPLE.COM
[root@rhel7-1 ~]# date 09291200
Tue Sep 29 12:00:00 CDT 2015
[root@rhel7-1 ~]# ipa cert-show 1
ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Ticket not yet valid', -1765328351)/
```
Description of problem:
ipa cert-show $id shows only the ERROR field of the output and in some cases this info is not clear enough.

Version-Release number of selected component (if applicable):
ipa-admintools-3.0.0-26.el6_4.2.x86_64

How reproducible:
always

Steps to Reproduce:
1. ipa environment with some cert issue (expireds)
2. ipa cert-show 1
3.

Actual results:

```
ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://hostname/ipa/xml, https://hostname/ipa/xml
```

Expected results:

```
ipa: INFO: Connection to https://hostname/ipa/xml failed with Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
ipa: INFO: trying https://hostname/ipa/xml
ipa: INFO: Connection to https://hostname2/ipa/xml failed with [Errno -5985] Could not connect to hostname2 using any address
ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://hostname1/ipa/xml, https://hostname2/ipa/xml
```

Additional info:
In this particular case the problem was a bad kerberos ticket at /tmp/krb5cc_xx and the helpful info was the "Ticket not yet valid" message from the verbose output.
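The fail-over rule Rob describes (skip masters that are down, keep reporting everything else) together with the verbose INFO lines the reporter expects, as an added Python illustration that is not FreeIPA's own client code; the exception classes, master URLs and the fake `connect` callback are constructed for this example.

```python
import logging

log = logging.getLogger("ipa")

class IpaConnectionError(Exception):
    """Transport failure: the remote master is down or unreachable (constructed)."""

class KerberosError(Exception):
    """The server rejected our credentials, e.g. 'Ticket not yet valid' (constructed)."""

class CannotConnect(Exception):
    """Raised once every configured server has been tried."""
    def __init__(self, servers, cause=None):
        self.cause = cause  # most recent non-transport error, if any
        msg = "cannot connect to any of the configured servers: " + ", ".join(servers)
        if cause is not None:
            msg += " (last error: %s)" % cause
        super().__init__(msg)

def connect_with_failover(servers, connect):
    """Try each server URL in turn and return the first successful connection.
    Transport errors (master down) are logged at INFO and the next server is
    tried. Any other error, such as a Kerberos failure, is logged too and
    fail-over still continues, but it is remembered so the final CannotConnect
    names the real cause instead of swallowing it."""
    cause = None
    for url in servers:
        log.info("trying %s", url)
        try:
            return connect(url)
        except IpaConnectionError as exc:
            log.info("Connection to %s failed with %s", url, exc)
        except Exception as exc:
            log.info("Connection to %s failed with %s", url, exc)
            cause = exc
    raise CannotConnect(servers, cause)

def demo(ticket_valid=False):
    """Constructed scenario from the bug: master1 rejects a not-yet-valid ticket
    (unless ticket_valid is True) and master2 is down. Returns (result, error)."""
    def fake_connect(url):
        if url.startswith("https://master1"):
            if ticket_valid:
                return "connected to " + url
            raise KerberosError("Ticket not yet valid")
        raise IpaConnectionError("Could not connect to master2 using any address")
    servers = ["https://master1.example.com/ipa/xml", "https://master2.example.com/ipa/xml"]
    try:
        return connect_with_failover(servers, fake_connect), None
    except CannotConnect as exc:
        return None, exc
```

Run with `logging.basicConfig(level=logging.INFO)` to see the per-server INFO lines before the final error.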