Bug 1117306
| Field | Value |
|---|---|
| Summary | [RFE] Allow multiple Principals per host entry (Kerberos aliases) |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Dmitri Pal <dpal> |
| Component | ipa |
| Assignee | Martin Kosek <mkosek> |
| Status | CLOSED ERRATA |
| QA Contact | Namita Soman <nsoman> |
| Severity | unspecified |
| Priority | medium |
| Version | 7.0 |
| CC | jcholast, ksiddiqu, mbabinsk, mbasti, pvoborni, rcritten, xdong |
| Target Milestone | rc |
| Keywords | FutureFeature |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | ipa-4.4.0-4.el7 |
| Doc Type | Enhancement |
| Story Points | --- |
| Last Closed | 2016-11-04 05:44:06 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Dmitri Pal
2014-07-08 13:17:11 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3961
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3864
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5927

master:
https://fedorahosted.org/freeipa/changeset/e43231456d8de954423582dbee439e330573d04b
https://fedorahosted.org/freeipa/changeset/5f963e1ad18fdf52d0b41e143fd12f236b2a1ce7
https://fedorahosted.org/freeipa/changeset/229ab40dd3d21346db8cd6dc65c03285f917271b
https://fedorahosted.org/freeipa/changeset/3f93f805571c1b791f0c378053ae8ecf37126e7f
https://fedorahosted.org/freeipa/changeset/7ed7a86511ec516c2f785968050f5d0a42978ba5
https://fedorahosted.org/freeipa/changeset/b169a72735fccb170adb5c84ec1bcc10a70e5494
https://fedorahosted.org/freeipa/changeset/705f66f7490c64de1adc129221b31927616c485d
https://fedorahosted.org/freeipa/changeset/1bba2ed45df83684be1d50ef6e1ddb10f7a7d074
https://fedorahosted.org/freeipa/changeset/06d945a04607dc36e25af78688b4295420489fb9

Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/de6abc7af2dac7994b0fff4396115320d1a9a54d
https://fedorahosted.org/freeipa/changeset/e6fc8f84d3ad5fc4c030ad592a3d743c02393439
https://fedorahosted.org/freeipa/changeset/974eb7b5efd20ad2195b0ad578637ab31f4c1df4
https://fedorahosted.org/freeipa/changeset/c2af032c0333f7e210c54369159d1d9f5e3fec74
https://fedorahosted.org/freeipa/changeset/d1517482b5e9508780087ec48be63a5bb531fed9
https://fedorahosted.org/freeipa/changeset/7e803aa4625869ef6a8e78a09cd99270c4cc77e5
https://fedorahosted.org/freeipa/changeset/750a392fe22aa8ddcb21077e8c24b96d36ecf20c
https://fedorahosted.org/freeipa/changeset/a28d312796839e3413c98ee37d34ccc892e85357
https://fedorahosted.org/freeipa/changeset/e6ff83e3610d553f6ff98e3adbfbe3c6984b2f17
https://fedorahosted.org/freeipa/changeset/acf2234ebc8609a35a8f45598d5d817cbdbff121

Web UI part fixed upstream:

Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/df56fd3371bd20a2ce8f5d0097e05437b7827e29
https://fedorahosted.org/freeipa/changeset/2232a5bb09b3e99d10598ab64d0bf5d8ef006df4
https://fedorahosted.org/freeipa/changeset/4bc2e3164fbc4fdbbd4ecd1d26001a5d4671dd94
https://fedorahosted.org/freeipa/changeset/2da3090a9716bc47e9cf29329ac9bdb734376cb6
https://fedorahosted.org/freeipa/changeset/62c4e15d16cf1b29d4a23db146c774ba01bf5935
https://fedorahosted.org/freeipa/changeset/2ec59b7f232d9119d32d7a5574efba8965904ee8

Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/0ade41abbad324d8c54449f3b1024a7651dc259d

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6099

Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/da2305ddb99ab982c757ab723acc95cda3d2f025

1.) create an arbitrary host entry with `ipa host-add --force`:

```
# ipa host-add host.example.com --force
-----------------------------
Added host "host.example.com"
-----------------------------
  Host name: host.example.com
  Principal name: host/host.example.com
  Principal alias: host/host.example.com
  Password: False
  Keytab: False
  Managed by: host.example.com
```

2.) add host principal alias to the entry:

```
# ipa host-add-principal host.example.com host/host.example.org
--------------------------------------------
Added new aliases to host "host.example.com"
--------------------------------------------
  Host name: host.example.com
  Principal alias: host/host.example.com, host/host.example.org
```

3.) request a keytab for the alias:

```
# ipa-getkeytab -p host/host.example.org -k /root/host.keytab
Keytab successfully retrieved and stored in: /root/host.keytab
```

4.) kinit as the alias while requesting canonicalization:

```
# kinit -C -kt /root/host.keytab host/host.example.org
```

Expected result: The command in 4.) will succeed and fetch a TGT with the canonical principal name of the host:

```
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_IZzDMoN
Default principal: host/host.example.com

Valid starting       Expires              Service principal
08/22/2016 12:31:26  08/23/2016 12:31:26  krbtgt/IPA.TEST
```

Additional steps:

5.) re-kinit as admin:

```
# kdestroy && kinit admin
```

6.) remove principal alias from host entry:

```
# ipa host-remove-principal host.example.com host/host.example.org
--------------------------------------------
Removed aliases from host "host.example.com"
--------------------------------------------
  Host name: host.example.com
  Principal alias: host/host.example.com
```

7.) repeat step 4.) and verify that you get the following error:

```
# kinit -C -kt /root/host.keytab host/host.example.org
kinit: Client 'host/host.example.org' not found in Kerberos database while getting initial credentials
```

Verified on ipa-server-4.4.0-7.el7:

1. create an arbitrary host entry with `ipa host-add --force`:

```
# ipa host-add host.example.com --force
-----------------------------
Added host "host.example.com"
-----------------------------
  Host name: host.example.com
  Principal name: host/host.example.com
  Principal alias: host/host.example.com
  Password: False
  Keytab: False
  Managed by: host.example.com
```

```
  Host name: host.example.com
  Principal alias: host/host.example.com@TESTRELM, host/host.example.org@TESTRELM
```

2. add host principal alias to the entry:

```
# ipa host-add-principal host.example.com host/host.example.org
--------------------------------------------
Added new aliases to host "host.example.com"
--------------------------------------------
  Host name: host.example.com
  Principal alias: host/host.example.com, host/host.example.org
```

3. request a keytab for the alias:

```
# ipa-getkeytab -p host/host.example.org -k /root/host.keytab
Keytab successfully retrieved and stored in: /root/host.keytab
```

4. kinit as the alias while requesting canonicalization:

```
# kinit -C -kt /root/host.keytab host/host.example.org
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_Ofh2e8c
Default principal: host/host.example.com

Valid starting       Expires              Service principal
08/22/2016 10:06:25  08/23/2016 10:06:25  krbtgt/TESTRELM.TEST
```

5. re-kinit as admin:

```
# kdestroy;kinit admin
Password for admin:
```

6. remove principal alias from host entry:

```
# ipa host-remove-principal host.example.com host/host.example.org
--------------------------------------------
Removed aliases from host "host.example.com"
--------------------------------------------
  Host name: host.example.com
  Principal alias: host/host.example.com
```

7. repeat step 4.) and verify that you get the following error:

```
# kinit -C -kt /root/host.keytab host/host.example.org
kinit: Client 'host/host.example.org' not found in Kerberos database while getting initial credentials
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
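The verification steps above, rewritten as a shell script so that the two security-relevant outcomes are checked by exit status rather than by eye. This is an added example, not code from the bug report or from the FreeIPA project. It keeps the report's names (host.example.com, the alias host/host.example.org, /root/host.keytab); the realm IPA.TEST in the constructed klist sample is an assumption, as is the `@REALM` suffix on the principal, which the extracted report output does not show. The two checks mirror steps 4 and 7: with `-C` the KDC canonicalizes the client name, so the TGT must be issued under `host/host.example.com` even though the keytab and the kinit argument name the alias; and once the alias is removed, that same keytab must stop working, because the KDC's principal lookup, not possession of a key, decides who the client is. The live `ipa`, `ipa-getkeytab`, `kinit` and `klist` calls need an enrolled IPA client with admin credentials; only the klist parsing runs offline.

```shell
#!/bin/sh
# Added example (not from the bug report or FreeIPA): script form of the
# alias/canonicalization check. Assumed names: host.example.com,
# host/host.example.org, /root/host.keytab, realm IPA.TEST.

# Pull the "Default principal:" value out of klist output.
ccache_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: *//p'
}

# Drop the @REALM suffix so names compare whether or not the realm is printed.
strip_realm() {
    printf '%s\n' "$1" | sed 's/@.*$//'
}

# Steps 1-4: add the host, add the alias, fetch a keytab for the alias,
# kinit as the alias with canonicalization. Returns 0 only if the resulting
# TGT is issued under the canonical host principal.
check_alias_canonicalizes() {
    host="$1"; princ_alias="$2"; keytab="$3"
    canonical="host/$host"
    ipa host-add "$host" --force >/dev/null || return 1
    ipa host-add-principal "$host" "$princ_alias" >/dev/null || return 1
    ipa-getkeytab -p "$princ_alias" -k "$keytab" || return 1
    kinit -C -kt "$keytab" "$princ_alias" || return 1
    got=$(strip_realm "$(ccache_principal "$(klist)")")
    [ "$got" = "$canonical" ]
}

# Steps 6-7: remove the alias, then confirm the KDC rejects the alias even
# though the keytab still holds its key. Returns 0 when kinit fails as expected.
check_alias_removed() {
    host="$1"; princ_alias="$2"; keytab="$3"
    ipa host-remove-principal "$host" "$princ_alias" >/dev/null || return 1
    if kinit -C -kt "$keytab" "$princ_alias" 2>/dev/null; then
        return 1   # removed alias still accepted: verification failed
    fi
    return 0
}

# Constructed sample of the step-4 klist output (realm suffix assumed).
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:krb_ccache_IZzDMoN
Default principal: host/host.example.com@IPA.TEST

Valid starting       Expires              Service principal
08/22/2016 12:31:26  08/23/2016 12:31:26  krbtgt/IPA.TEST@IPA.TEST'

# Live checks only where the IPA client tools exist; otherwise exercise the parser.
if command -v ipa >/dev/null 2>&1 && command -v kinit >/dev/null 2>&1; then
    check_alias_canonicalizes host.example.com host/host.example.org /root/host.keytab \
        && kdestroy && kinit admin \
        && check_alias_removed host.example.com host/host.example.org /root/host.keytab \
        && echo "alias canonicalization verified"
else
    echo "parsed principal: $(strip_realm "$(ccache_principal "$SAMPLE_KLIST")")"
fi
```

Run it as root on an enrolled client after `kinit admin`; `check_alias_canonicalizes` returns non-zero if `ipa host-add` fails because the host already exists, so remove a stale test entry first rather than reusing it.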