Bug 1442233
| Summary: | IPA client commands fail when pointing to replica | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore> | ||||||||||
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | ||||||||||
| Status: | CLOSED ERRATA | QA Contact: | Abhijeet Kasurde <akasurde> | ||||||||||
| Severity: | unspecified | Docs Contact: | |||||||||||
| Priority: | unspecified | ||||||||||||
| Version: | 7.4 | CC: | abokovoy, akasurde, cheimes, ksiddiqu, mbabinsk, mkosek, mreznik, pvoborni, rcritten, rharwood, tscherf | ||||||||||
| Target Milestone: | rc | Keywords: | Regression | ||||||||||
| Target Release: | --- | ||||||||||||
| Hardware: | Unspecified | ||||||||||||
| OS: | Unspecified | ||||||||||||
| Whiteboard: | |||||||||||||
| Fixed In Version: | ipa-4.5.0-15.el7 | Doc Type: | If docs needed, set a value | ||||||||||
| Doc Text: | Story Points: | --- | |||||||||||
| Clone Of: | Environment: | ||||||||||||
| Last Closed: | 2017-08-01 09:48:56 UTC | Type: | Bug | ||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||
| Documentation: | --- | CRM: | |||||||||||
| Verified Versions: | Category: | --- | |||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||
| Embargoed: | |||||||||||||
| Attachments: |
|
||||||||||||
|
Description
Scott Poore
2017-04-13 20:07:01 UTC
Also, I just noticed this: [root@master ~]# klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 host/master.testrelm.test (aes256-cts-hmac-sha1-96) 2 host/master.testrelm.test (aes128-cts-hmac-sha1-96) 2 host/master.testrelm.test (des3-cbc-sha1) 2 host/master.testrelm.test (arcfour-hmac) 2 host/master.testrelm.test (camellia128-cts-cmac) 2 host/master.testrelm.test (camellia256-cts-cmac) [root@replica ~]# klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 host/replica.testrelm.test (aes256-cts-hmac-sha1-96) 1 host/replica.testrelm.test (aes128-cts-hmac-sha1-96) [root@client ~]# klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 host/client.testrelm.test (aes256-cts-hmac-sha1-96) 1 host/client.testrelm.test (aes128-cts-hmac-sha1-96) Created attachment 1271540 [details]
var log from replica
Created attachment 1271541 [details]
var log from master
Created attachment 1271542 [details]
var log from client
Ok, I'm marking this a regression after confirming this bug didn't seem to exist in RHEL7.3 versions. [root@vm-idm-011 ipa]# rpm -q ipa-client ipa-client-4.4.0-14.el7_3.7.x86_64 [root@vm-idm-011 ipa]# ipa user-find -------------- 1 user matched -------------- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash Principal alias: admin UID: 396200000 GID: 396200000 Account disabled: False ---------------------------- Number of entries returned 1 ---------------------------- Also note that I see the same keytypes in RHEL7.3 for master/replicas: Master: [root@vm-idm-012 ~]# klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 host/vm-idm-012.testrelm.test (aes256-cts-hmac-sha1-96) 2 host/vm-idm-012.testrelm.test (aes128-cts-hmac-sha1-96) 2 host/vm-idm-012.testrelm.test (des3-cbc-sha1) 2 host/vm-idm-012.testrelm.test (arcfour-hmac) 2 host/vm-idm-012.testrelm.test (camellia128-cts-cmac) 2 host/vm-idm-012.testrelm.test (camellia256-cts-cmac) Replica: [root@vm-idm-010 ~]# klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 host/vm-idm-010.testrelm.test (aes256-cts-hmac-sha1-96) 1 host/vm-idm-010.testrelm.test (aes128-cts-hmac-sha1-96) Upstream ticket: https://pagure.io/freeipa/issue/6867 The reason this happens is that during replica install we actually add HTTP/ principal twice: 1.) once using local LDAP during "setting up httpd keytab" step, and then 2.) when requesting HTTP cert using certmonger: in this case the certmonger forwards the request to remote master. If the principal added locally in step 1 is not replicated back by the time this step happens, HTTP principal is added again on the remote master leading to conflicting entries when the replication finally catches up after installation. We really need to ensure that there is only one place to add LDAP entries at all times, or we need to verify that the entries are being replicated back to the master before attempting any remote operations. the root cause of this issue was fixed upstream: master: https://pagure.io/freeipa/c/ab71cd5a1693c221950bdfa9ffdfb99b9c317004 ipa-4-5: https://pagure.io/freeipa/c/9871bc08f8b8f51e2a05c4dfa18d844f9c141b8d Verified using IPA version :: ipa-server-4.5.0-16.el7.x86_64 Marking BZ as verified. See attachment for console.log. Created attachment 1286302 [details]
verification_console.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304 |