Bug 1565520

Summary: ipa client pointing to replica shows KDC has no support for encryption type [rhel-7.5.z]
Product: Red Hat Enterprise Linux 7 Reporter: Oneata Mircea Teodor <toneata>
Component: ipa Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.4 CC: daniel.guettes, ddas, fbarreto, frenaud, gswami, ipa-maint, ksiddiqu, lmanasko, mkadmiel, mreznik, msugaya, myusuf, pvarma, pvoborni, rcritten, spoore, tscherf, xdong
Target Milestone: rc Keywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.4-10.el7_5.1 Doc Type: Bug Fix
Doc Text:
Previously, a replication conflict could happen when running the ipa-replica-install utility in specific timing conditions. Due to the conflict, two service principals were created for the http/replica service. As a consequence, ipa-replica-install failed with the "KDC has no support for encryption type." error message. With this update, ipa-replica-install consistently communicates with a single master to create the service principal and the service keytab, which prevents potential replication conflicts. As a result, ipa-replica-install succeeds.
Story Points: ---
Clone Of: 1470916 Environment:
Last Closed: 2018-05-14 16:11:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1470916    
Bug Blocks:    
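
The Doc Text above attributes the failure to a replication conflict that left two entries for the same service principal. As an added example (not part of the bug report or of the IPA code), the following Python checks an LDIF export of service entries for that condition; it assumes 389 Directory Server's conflict marking (the `nsds5ReplConflict` attribute and an `nsuniqueid=` prefix on the RDN), and the realm, host and function names are constructed.

```python
import base64
import re
from collections import defaultdict

# Constructed sample LDIF (hypothetical realm and host, not from the bug report).
SAMPLE_LDIF = """\
dn: krbprincipalname=HTTP/r1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbPrincipalName: HTTP/r1.example.test@EXAMPLE.TEST

dn: nsuniqueid=0a1b2c3d-11111111-22222222-33333333+krbprincipalname=HTTP/r1.ex
 ample.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbPrincipalName: HTTP/r1.example.test@EXAMPLE.TEST
nsds5ReplConflict: namingConflict krbprincipalname=HTTP/r1.example.test@EXAMPL
 E.TEST,cn=services,cn=accounts,dc=example,dc=test

dn: krbprincipalname=ldap/r1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbPrincipalName: ldap/r1.example.test@EXAMPLE.TEST
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attribute: [values]} dicts."""
    unfolded = re.sub(r"\n ", "", text)  # undo RFC 2849 line folding
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry[attr.strip().lower()].append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries


def find_conflicting_principals(entries):
    """Return {principal: [DNs]} for principals with >1 entry or a conflict entry."""
    by_principal, flagged = defaultdict(list), set()
    for entry in entries:
        dn = entry["dn"][0]
        conflict = "nsds5replconflict" in entry or dn.lower().startswith("nsuniqueid=")
        for principal in entry.get("krbprincipalname", []):
            by_principal[principal].append(dn)
            if conflict:
                flagged.add(principal)
    return {p: dns for p, dns in by_principal.items() if len(dns) > 1 or p in flagged}
```

`nsds5ReplConflict` is an operational attribute, so it only appears in an export when the search requests it by name.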

Description Oneata Mircea Teodor 2018-04-10 08:19:57 UTC
This bug has been copied from bug #1470916 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 3 Mohammad Rizwan 2018-04-16 09:31:45 UTC
Version:
ipa-client-4.5.4-10.el7_5.1.x86_64
ipa-server-4.5.4-10.el7_5.1.x86_64
ipa-server-dns-4.5.4-10.el7_5.1.noarch

Steps:
1.  install ipa master with dns
2.  install ipa replica with dns
3.  point client to replica for dns
    $ echo "nameserver <replica-ip>" >> /etc/resolv.conf  (on client)

4.  stop ipa on master to make sure it's not used
5.  install ipa client
6.  run ipa cert-request

Actual result:

[root@client ~]# ipa cert-request --principal=HTTP/client.testrelm.test http-func-services.csr
  Issuing CA: ipa
  Certificate: [certificate data removed]
  Subject: CN=client.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: client.testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Mon Apr 16 09:20:58 2018 UTC
  Not After: Thu Apr 16 09:20:58 2020 UTC
  Serial number: 268369922
  Serial number (hex): 0xFFF0002


Expected result:
no failures. cert-request success

Comment 8 Mohammad Rizwan 2018-04-18 15:14:37 UTC
Based on comment #3, marking the bug as verified.

Comment 11 errata-xmlrpc 2018-05-14 16:11:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1395