Bug 1437946

Summary: Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Nikhil Dehadrai <ndehadra>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: ipa-qe, ksiddiqu, mbabinsk, ndehadra, nsoman, pvoborni, rcritten, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-5.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:47:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Vobornik 2017-03-31 14:05:41 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/6792

When upgrading from FreeIPA 4.4.3 to FreeIPA 4.5.0, the RPM upgrade fails with the following message:

```console
 Cleanup     : freeipa-client-common-4.4.3-2.fc25.noarch                                                     34/39 
  Cleanup     : freeipa-common-4.4.3-2.fc25.noarch                                                            35/39 
  Cleanup     : bind-pkcs11-libs-32:9.10.4-4.P6.fc25.x86_64                                                   36/39 
  Cleanup     : bind-libs-lite-32:9.10.4-4.P6.fc25.x86_64                                                     37/39 
  Cleanup     : bind-libs-32:9.10.4-4.P6.fc25.x86_64                                                          38/39 
  Cleanup     : bind-license-32:9.10.4-4.P6.fc25.noarch                                                       39/39 
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Failed to configure anonymous PKINIT
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
```

When inspecting `/var/log/ipaupgrade.log` we can see that the PKINIT keypair is issued but the anonymous principal is not created by upgrader code:

```console
<SNIP>
2017-03-21T15:51:07Z DEBUG stderr=
2017-03-21T15:51:07Z DEBUG Starting external process
2017-03-21T15:51:07Z DEBUG args=/usr/bin/kinit -n -c /tmp/krbccMLh35h/ccache
2017-03-21T15:51:07Z DEBUG Process finished, return code=1
2017-03-21T15:51:07Z DEBUG stdout=
2017-03-21T15:51:07Z DEBUG stderr=kinit: Client 'WELLKNOWN/ANONYMOUS' not found in Kerberos database while getting initial credentials

2017-03-21T15:51:07Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-03-21T15:51:07Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run
    raise admintool.ScriptError(str(e))

2017-03-21T15:51:07Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: Failed to configure anonymous PKINIT
2017-03-21T15:51:07Z ERROR Failed to configure anonymous PKINIT
```

This causes the password auth to IPA server (via JSON-RPC API or WebUI) to fail after upgrade and thus breaks the core functionality.

Steps to reproduce:

1.) Install FreeIPA 4.4.3 or older
2.) Upgrade to FreeIPA 4.5.0

Actual results:

Upgrade fails and WebUI logins on updated master do not work

Expected results:

Upgrade finishes without errors and WebUI works.
Comment 2 Petr Vobornik 2017-03-31 14:06:02 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6792
Comment 3 Petr Vobornik 2017-03-31 14:06:44 UTC 
master:

    c2d95d3962d525017732618e66b39b099235d43e Upgrade: configure PKINIT after adding anonymous principal
    1fc48cd0af3b19272fcfe25235e55eae249bb6c9 Remove unused variable from failed anonymous PKINIT handling
    17aa51ef0291b9c6174509f52913076ae599357f Split out anonymous PKINIT test to a separate method
    5c22f905d48d3d8dd50e394290e1feb8f6dedcaa Ensure KDC is propery configured after upgrade

ipa-4-5:

    b9002bf6273151cb480dfba7ffa7480d037984ee Upgrade: configure PKINIT after adding anonymous principal
    4b2b1d33157963a8b3d8229d1edd573dcbb93fb5 Remove unused variable from failed anonymous PKINIT handling
    c1393029b6a853cc2cb874f4f93706368627d7c4 Split out anonymous PKINIT test to a separate method
    89fc0a126be67755d4a687b427a6c67b3cbc4337 Ensure KDC is propery configured after upgrade
Comment 10 Martin Babinsky 2017-05-05 11:17:45 UTC 
Hmmm, it looks like you have an old version of python-cryptography installed, can you please check that you have at least python-cryptography > 1.4? there were some incompatible API changes that can break older versions.
Comment 12 Martin Babinsky 2017-05-09 11:47:19 UTC 
Great, after succesful upgrade check that `kinit -n` gets you a valid TGT and if yes, you can mark the BZ as verified. The issue with broken python2-cryptography is unrelated to this BZ and you may file a separate bug for it.
Comment 15 Nikhil Dehadrai 2017-05-22 10:51:38 UTC 
IPA server version: ipa-server-4.5.0-13.el7.x86_64
Python2-cryptography version: python2-cryptography-1.7.2-1.el7.x86_64

Tested the bug with following observations:

1) Verified that upgrade of IPA server to latest version is successful.
2) No errors/ failures are observed during upgrade process.
3) The said "PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE) Failed to configure PKINIT" message is not observed during upgrade process on using latest version of 'python2-cryptography' package during upgrade.
4) All the basic commands work successfully after upgrade.
5) Verified the same for other upgrade paths:
  - RHEL 7.1.z > Rhel 7.4
  - RHEL 7.2.z > Rhel 7.4
  - RHEL 7.3 > Rhel 7.4
  - RHEL 7.3.z > Rhel 7.4
6) For log through UI after upgrade we are unable to login for which a separate bug is logged BZ#1451733

Thus on the basis of above observations, marking status of bug to "VERIFIED"
Comment 17 errata-xmlrpc 2017-08-01 09:47:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304