Bug 1184628
| Summary: | Principal canonicalization does not work for principals in IPA realm | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> | |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 7.0 | CC: | dpal, ksiddiqu, mbabinsk, mkosek, pvoborni, rcritten, xdong | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | ipa-4.4.0-1.el7 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1184629 (view as bug list) | Environment: | ||
| Last Closed: | 2016-11-04 05:44:17 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1184629 | |||
| Bug Blocks: | ||||
|
Description
Martin Kosek
2015-01-21 21:00:00 UTC
Shouldn't this bug be assigned to "krb5" ? No. This bug is for updating FreeIPA KDC LDAP driver to be able to handle canonicalization. krb5 bug (Bug 1184629) is for fixing the krb5 loop problem (this is the one you are interested in). Steps to verify: # kinit -C admin should just work (notice the lowercase of the realm). postponing to 7.3. Reasoning: http://www.redhat.com/archives/freeipa-devel/2015-August/msg00141.html This ticket was fixed in scope of ipa-4.4.0-1.el7 (In reply to Martin Kosek from comment #4) > Steps to verify: > > # kinit -C admin > > should just work (notice the lowercase of the realm). Still not able to handle case insensitive realm: # rpm -q ipa-server ipa-server-4.4.0-7.el7.x86_64 # KRB5_TRACE=/dev/stderr kinit -C admin [22738] 1471838597.999062: Getting initial credentials for admin [22738] 1471838598.1834: Sending request (169 bytes) to testrelm.test [22738] 1471838598.2931: Resolving hostname auto-hv-02-guest02.testrelm.test. [22738] 1471838598.3825: Sending initial UDP request to dgram 10.19.34.7:88 [22738] 1471838598.6228: Received answer (172 bytes) from dgram 10.19.34.7:88 [22738] 1471838598.6474: Response was from master KDC [22738] 1471838598.6511: Received error from KDC: -1765328324/Generic error (see e-text) kinit: Generic error (see e-text) while getting initial credentials This looks like a bug in realm canonicalization. Upstream ticket: https://fedorahosted.org/freeipa/ticket/6239 Upstream ticket: https://fedorahosted.org/freeipa/ticket/6239 After discussion with other developers we concluded that the Kerberos realm should not be subject to the case-insensitive matching when canonicalization is requested so the original steps to verify are wrong. You should verify this by using upper-case realm: # kinit -C admin Verified on ipa-server-4.4.0-9.el7: # klist klist: Credentials cache keyring 'persistent:0:0' not found # kinit -C admin Password for admin: # klist Ticket cache: KEYRING:persistent:0:0 Default principal: admin Valid starting Expires Service principal 09/06/2016 05:57:58 09/07/2016 05:57:54 krbtgt/TESTRELM.TEST Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html |