Bug 1447375

Summary: ipa-client-install: extra space in pkinit_anchors definition
Product: Red Hat Enterprise Linux 7
Reporter: Petr Vobornik <pvoborni>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Varun Mylaraiah <mvarun>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.4
CC: ksiddiqu, pvoborni, rcritten, tscherf
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.5.0-10.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 09:50:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Petr Vobornik 2017-05-02 14:28:14 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6916

When performing ipa-client-install, the following section is added in /etc/krb5.conf:

    [realms]
      DOM-IPA.COM = {
        pkinit_anchors = FILE: /etc/ipa/ca.crt
    
      }

Note that the parameter pkinit_anchors contains an extra space between FILE: and /etc/ipa/ca.crt.

This causes the Kerberos client to fail when trying PKINIT because the ca.crt file is not read:

    $ export KRB5_TRACE=/dev/stderr
    $ kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' demosc1
    [78677] 1493711847.77746: Getting initial credentials for demosc1
    [78677] 1493711847.78070: Sending request (235 bytes) to DOM-IPA.COM
    [78677] 1493711847.78488: Initiating TCP connection to stream 10.34.58.20:88
    [78677] 1493711847.79255: Sending TCP request to stream 10.34.58.20:88
    [78677] 1493711847.85644: Received answer (394 bytes) from stream 10.34.58.20:88
    [78677] 1493711847.85673: Terminating TCP connection to stream 10.34.58.20:88
    [78677] 1493711847.85834: Response was from master KDC
    [78677] 1493711847.85879: Received error from KDC: -1765328359/Additional pre-authentication required
    [78677] 1493711847.85974: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
    [78677] 1493711847.85993: Selected etype info: etype aes256-cts, salt "rOG^ Fx(s%85k-GC", params ""
    [78677] 1493711847.86006: Received cookie: MIT
    [78677] 1493711853.360097: Preauth module pkinit (147) (info) returned: 0/Success
    PIV Card Holder pin (PIV_II)     PIN: 
    [78677] 1493711860.808408: PKINIT OpenSSL error: Cannot open file ' /etc/ipa/ca.crt'
    [78677] 1493711860.808483: PKINIT OpenSSL error: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
    [78677] 1493711860.808500: PKINIT OpenSSL error: error:25070067:DSO support routines:DSO_load:could not load the shared library
    [78677] 1493711860.808514: PKINIT OpenSSL error: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found
    [78677] 1493711860.808521: PKINIT OpenSSL error: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
    [78677] 1493711860.808527: PKINIT OpenSSL error: error:25070067:DSO support routines:DSO_load:could not load the shared library
    [78677] 1493711860.808533: PKINIT OpenSSL error: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found
    [78677] 1493711860.808545: PKINIT OpenSSL error: error:2606A074:engine routines:ENGINE_by_id:no such engine
    [78677] 1493711860.808552: PKINIT OpenSSL error: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
    [78677] 1493711860.808558: PKINIT OpenSSL error: error:25070067:DSO support routines:DSO_load:could not load the shared library
    [78677] 1493711860.808568: PKINIT OpenSSL error: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found
    [78677] 1493711860.808575: PKINIT OpenSSL error: error:02001002:system library:fopen:No such file or directory
    [78677] 1493711860.808583: PKINIT OpenSSL error: error:2006D080:BIO routines:BIO_new_file:no such file
    [78677] 1493711860.808589: PKINIT client has no configured identity; giving up
    [78677] 1493711860.808613: Preauth module pkinit (16) (real) returned: -1765328360/Cannot open file ' /etc/ipa/ca.crt': could not load the shared library
    [78677] 1493711860.808643: PKINIT client has no configured identity; giving up
    [78677] 1493711860.808655: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
    [78677] 1493711860.808665: PKINIT client has no configured identity; giving up
    [78677] 1493711860.808677: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
    Password for demosc1:
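
A check for the misconfiguration described in this report, added here as an example and not part of FreeIPA or of the bug report itself: it parses the [realms] section of a krb5.conf, reports any pkinit_anchors value whose scheme prefix (FILE:, DIR:, ...) is followed by whitespace, shows the literal path libkrb5 would try to open (the ' /etc/ipa/ca.crt' with a leading space seen in the trace), and prints the corrected value. The sample configuration embedded in the block is constructed; the /etc/krb5.conf.d/ glob in the main block is an assumption about where client snippets live, not something the report states.

```python
"""Flag pkinit_anchors values with whitespace after the scheme prefix.

Added example; not FreeIPA code and not part of the bug report. libkrb5
takes everything after "FILE:" literally, so "FILE: /etc/ipa/ca.crt" makes
it try to open ' /etc/ipa/ca.crt' (leading space), which is what the
KRB5_TRACE output above shows.
"""
import glob
import re
import sys

# Scheme prefixes accepted by krb5 pkinit_anchors / pkinit_identities.
SCHEME_RE = re.compile(r"^(FILE|DIR|ENV|PKCS11|PKCS12):(\s*)(.*)$")
REALM_OPEN_RE = re.compile(r"^(\S+)\s*=\s*\{$")


def parse_realm_anchors(conf_text):
    """Return {realm: [pkinit_anchors values]} from the [realms] section.

    Minimal krb5.conf reader: sections, one-level realm blocks, key = value.
    Full-line comments (# or ;) are ignored; nested blocks are not needed here.
    """
    anchors = {}
    section = realm = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
            continue
        if section != "realms":
            continue
        m = REALM_OPEN_RE.match(line)
        if m:
            realm = m.group(1)
            anchors.setdefault(realm, [])
            continue
        if line == "}":
            realm = None
            continue
        if realm is None:
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "pkinit_anchors":
            anchors[realm].append(value.strip())
    return anchors


def anchor_path(value):
    """The residual libkrb5 uses after the scheme, whitespace included."""
    scheme, sep, residual = value.partition(":")
    return residual if sep else value


def find_bad_anchors(conf_text):
    """Return [(realm, value)] for anchors with whitespace after the scheme."""
    bad = []
    for realm, values in parse_realm_anchors(conf_text).items():
        for value in values:
            m = SCHEME_RE.match(value)
            if m and m.group(2):
                bad.append((realm, value))
    return bad


def normalize_anchor(value):
    """'FILE: /etc/ipa/ca.crt' -> 'FILE:/etc/ipa/ca.crt'; other values unchanged."""
    m = SCHEME_RE.match(value)
    if not m:
        return value
    return "%s:%s" % (m.group(1), m.group(3))


# Constructed sample: one realm with the broken definition, one correct.
SAMPLE_CONF = """\
[libdefaults]
  default_realm = DOM-IPA.COM

[realms]
  DOM-IPA.COM = {
    kdc = ipa.dom-ipa.com:88
    pkinit_anchors = FILE: /etc/ipa/ca.crt
  }
  TESTRELM.TEST = {
    kdc = mgmt9.testrelm.test:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""


if __name__ == "__main__":
    # Assumption: client snippets live in /etc/krb5.conf.d/ next to /etc/krb5.conf.
    paths = sys.argv[1:] or ["/etc/krb5.conf"] + sorted(glob.glob("/etc/krb5.conf.d/*"))
    rc = 0
    for path in paths:
        try:
            with open(path) as fh:
                text = fh.read()
        except OSError as err:
            print("%s: %s" % (path, err), file=sys.stderr)
            continue
        for realm, value in find_bad_anchors(text):
            rc = 1
            print("%s: realm %s: pkinit_anchors = %r would open %r; use %r"
                  % (path, realm, value, anchor_path(value), normalize_anchor(value)))
    sys.exit(rc)
```

Run it with no arguments on a client to scan /etc/krb5.conf and the snippets under /etc/krb5.conf.d/, or pass explicit paths; a non-zero exit means at least one realm still has the broken anchor definition.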

Comment 2 Petr Vobornik 2017-05-02 14:29:33 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6916

Comment 3 Petr Vobornik 2017-05-02 14:32:47 UTC
master:

    26dbab1fd4384b8f3999b153c2d94220cf541ad2 ipa-client-install: remove extra space in pkinit_anchors definition

ipa-4-5:

    a3c4e70650dbcd5dd3f00a7b2fecc051afeebec0 ipa-client-install: remove extra space in pkinit_anchors definition

Comment 6 Varun Mylaraiah 2017-05-16 10:23:47 UTC
Verified
ipa-client-4.5.0-11.el7.x86_64

No extra space in pkinit_anchors definition.

/etc/krb5.conf.d/
[realms]
 TESTRELM.TEST = {
  kdc = mgmt9.testrelm.test:88
  master_kdc = mgmt9.testrelm.test:88
  admin_server = mgmt9.testrelm.test:749
  default_domain = testrelm.test
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

# kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' tuser1
[29484] 1494930126.449771: Resolving unique ccache of type KEYRING
[29484] 1494930126.454008: Getting initial credentials for tuser1
[29484] 1494930126.454403: Sending request (176 bytes) to TESTRELM.TEST
[29484] 1494930126.454673: Initiating TCP connection to stream 10.16.4.19:88
[29484] 1494930126.455035: Sending TCP request to stream 10.16.4.19:88
[29484] 1494930126.457447: Received answer (306 bytes) from stream 10.16.4.19:88
[29484] 1494930126.457468: Terminating TCP connection to stream 10.16.4.19:88
[29484] 1494930126.457606: Response was from master KDC
[29484] 1494930126.457644: Received error from KDC: -1765328359/Additional pre-authentication required
[29484] 1494930126.457719: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[29484] 1494930126.457739: Selected etype info: etype aes256-cts, salt "{`]l&bq""C&Yz_r{", params ""
[29484] 1494930126.457747: Received cookie: MIT
[29484] 1494930126.457935: Preauth module pkinit (147) (info) returned: 0/Success
[29484] 1494930126.457995: PKINIT client has no configured identity; giving up
[29484] 1494930126.458008: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
[29484] 1494930126.458024: PKINIT client has no configured identity; giving up
[29484] 1494930126.458032: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
[29484] 1494930126.458047: PKINIT client has no configured identity; giving up
[29484] 1494930126.458054: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
Password for tuser1: 
[29484] 1494930132.913136: AS key obtained for encrypted timestamp: aes256-cts/03D5
[29484] 1494930132.913242: Encrypted timestamp (for 1494930132.912765): plain 301AA011180F32303137303531363130323231325AA10502030DED7D, encrypted D88CEF5A33F84226067B23FCF9F7267C84C56B46441995FFDAD98A9204A72B9241313574786B634D96CEA2171FE6F2636BC297EC566A6825
[29484] 1494930132.913272: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[29484] 1494930132.913279: Produced preauth for next request: 133, 2
[29484] 1494930132.913305: Sending request (271 bytes) to TESTRELM.TEST
[29484] 1494930132.913424: Initiating TCP connection to stream 10.16.4.19:88
[29484] 1494930132.913530: Sending TCP request to stream 10.16.4.19:88
[29484] 1494930132.917454: Received answer (740 bytes) from stream 10.16.4.19:88
[29484] 1494930132.917489: Terminating TCP connection to stream 10.16.4.19:88
[29484] 1494930132.917698: Response was from master KDC
[29484] 1494930132.917766: Processing preauth types: 19
[29484] 1494930132.917781: Selected etype info: etype aes256-cts, salt "{`]l&bq""C&Yz_r{", params ""
[29484] 1494930132.917795: Produced preauth for next request: (empty)
[29484] 1494930132.917815: AS key determined by preauth: aes256-cts/03D5
[29484] 1494930132.917934: Decrypted AS reply; session key is: aes256-cts/3030
[29484] 1494930132.917968: FAST negotiation: available
[29484] 1494930132.918011: Initializing KEYRING:persistent:0:krb_ccache_DWX3YLN with default princ tuser1
[29484] 1494930132.918151: Storing tuser1 -> krbtgt/TESTRELM.TEST in KEYRING:persistent:0:krb_ccache_DWX3YLN
[29484] 1494930132.918231: Storing config in KEYRING:persistent:0:krb_ccache_DWX3YLN for krbtgt/TESTRELM.TEST: fast_avail: yes
[29484] 1494930132.918256: Storing tuser1 -> krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in KEYRING:persistent:0:krb_ccache_DWX3YLN
[29484] 1494930132.918313: Storing config in KEYRING:persistent:0:krb_ccache_DWX3YLN for krbtgt/TESTRELM.TEST: pa_type: 2
[29484] 1494930132.918330: Storing tuser1 -> krb5_ccache_conf_data/pa_type/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in KEYRING:persistent:0:krb_ccache_DWX3YLN
[root@mgmt9 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_DWX3YLN
Default principal: tuser1

Valid starting       Expires              Service principal
2017-05-16T06:22:12  2017-05-17T06:22:06  krbtgt/TESTRELM.TEST

Comment 7 errata-xmlrpc 2017-08-01 09:50:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304