Bug 1758406
Summary: | KRA authentication fails when IPA CA has custom Subject DN | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Fraser Tweedale <ftweedal> |
Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.7 | CC: | ipa-qe, jvaast, myusuf, pasik, pcech, rcritten, ssidhaye, tscherf, twoerner |
Target Milestone: | rc | Keywords: | TestCaseProvided |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | ipa-4.6.6-12.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 1758404 | Environment: | |
Last Closed: | 2020-09-29 19:58:29 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1758404 | | |
Bug Blocks: | | | |
Description
Fraser Tweedale
2019-10-04 04:02:09 UTC
Verification steps: https://bugzilla.redhat.com/show_bug.cgi?id=1758404#c2

Fixed upstream master:
https://pagure.io/freeipa/c/326d417d98b092e175623cd28e46586df00e60a2
https://pagure.io/freeipa/c/7ea50ff76d2ee5367b75d999c2baa2a7a480f34a
https://pagure.io/freeipa/c/e767386e7120be3515d6a34529b51ae658248038

The last commit adds a test in ipatests/test_integration/test_ca_custom_sdn.py (this is a new file, downstream metadata needs to be created to trigger the test).

Upstream ticket: https://pagure.io/freeipa/issue/8084

*** Bug 1758995 has been marked as a duplicate of this bug. ***

RHEL-7.8 is already near the end of a Development Phase and development is being wrapped up. This bug is being moved to RHEL 7.9. If you believe this particular bug should be reconsidered for 7.8, please let us know.

Hi Florence,

Even though applying the workaround fixed our environment for some time, the Internal Error message came back and we are now unable to retrieve any Vault. Therefore the workaround doesn't fully fix the issue.
Could you please prioritise this fix so that it can be pushed for 7.8? Currently a support case is open to try to fix the issue with 7.7.

Thanks,

Hi Jeremy,

do you mean that the "description" attribute of the entry uid=ipakra,ou=people,o=kra,o=ipaca got overwritten? Do you still see the same value for description in both uid=ipakra,ou=people,o=kra,o=ipaca and uid=ipara,ou=people,o=ipaca?

Hi Florence,

Yes, the description attribute was correctly overwritten to match with our custom subject. The value is also the same for both uid=ipakra,ou=people,o=kra,o=ipaca and uid=ipara,ou=people,o=ipaca.

However, we are still seeing the following when trying to retrieve vaults:

# ipa vault-retrieve Secrets --shared
ipa: ERROR: an internal error has occurred

(In reply to Jeremy Vaast from comment #9)
> Hi Florence,
>
> Yes the description attribute was correctly overwritten to match with our
> custom subject.
> The value is also the same for both uid=ipakra,ou=people,o=kra,o=ipaca and
> uid=ipara,ou=people,o=ipaca.
>
>
> However we are still seeing the following when trying to retrieve vaults:
> # ipa vault-retrieve Secrets --shared
> ipa: ERROR: an internal error has occurred

Hi Jeremy,

in this case I would advise to open a new bug as it looks like a different issue. Please include httpd's error_log after enabling the debug mode:
- create /etc/ipa/server.conf with the following content:
  [global]
  debug = True
- restart ipa services with ipactl restart
- launch the ipa vault-retrieve command
- include /var/log/httpd/error_log to the bugzilla.

The error_log will contain the full stack trace of the error and allow us to debug the issue. After this point you can delete /etc/ipa/server.conf and restart ipa services to disable the debug mode.

Hi Florence,

A new Bugzilla was opened here with the requested information: https://bugzilla.redhat.com/show_bug.cgi?id=1797707

Thanks.

Removing needinfo as Jeremy already answered in #c9

Fixed upstream:

ipa-4-8:
09c6db7 krainstance: set correct issuer DN in uid=ipakra entry
23f4e00 upgrade: fix ipakra people entry 'description' attribute
5d68d04 (HEAD) test_integration: add tests for custom CA subject DN

ipa-4-7:
1071eb2 krainstance: set correct issuer DN in uid=ipakra entry
4aad2c9 upgrade: fix ipakra people entry 'description' attribute
4767add (HEAD) test_integration: add tests for custom CA subject DN

ipa-4-6:
946d96f krainstance: set correct issuer DN in uid=ipakra entry
2fa8c69 upgrade: fix ipakra people entry 'description' attribute
0a0e802 (HEAD) test_integration: add tests for custom CA subject DN

Tests passed in pipeline. Hence marking as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: ipa security, bug fix, and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3936
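The commit titles above ("krainstance: set correct issuer DN in uid=ipakra entry", "upgrade: fix ipakra people entry 'description' attribute") and Florence's question about whether the two `description` values match point at the root cause: the RA agent entry the KRA uses carried an issuer DN that no longer matched the CA once the CA had a custom subject DN. The following is an added example, not FreeIPA code and not part of this bug report: a small offline consistency check an administrator could run over the two `description` values after exporting them with `ldapsearch`. It assumes (from FreeIPA's CA installer code, not from anything on this page) that the attribute has the layout `2;<serial>;<issuer DN>;<subject DN>`; the sample values, the CA subject DN and the realm are constructed for the example.

```python
"""Consistency check for the IPA RA agent 'description' attribute in the
Dogtag CA and KRA people entries.  Added example; not FreeIPA's own code.

Assumption (not stated on the bug page): the attribute has the layout
    2;<serial>;<issuer DN>;<subject DN>
and Dogtag matches the client certificate presented by the RA against it.
The bug fixed here was the KRA entry carrying an issuer DN that did not
match the CA's actual (custom) subject DN.
"""
from dataclasses import dataclass
from typing import List

RA_ENTRY_DN = "uid=ipara,ou=people,o=ipaca"
KRA_ENTRY_DN = "uid=ipakra,ou=people,o=kra,o=ipaca"

# Constructed sample data: a CA with a custom subject DN, a correct RA entry
# and a KRA entry that still carries the default issuer DN.
CA_SUBJECT_DN = "CN=Example Corp IPA CA,O=Example Corp"
RA_DESCRIPTION = "2;7;CN=Example Corp IPA CA,O=Example Corp;CN=IPA RA,O=EXAMPLE.TEST"
KRA_DESCRIPTION_BUGGY = "2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST"


@dataclass(frozen=True)
class AgentDescription:
    version: str
    serial: int
    issuer: str
    subject: str


def parse_description(value: str) -> AgentDescription:
    """Split a '2;serial;issuer;subject' value.  DNs contain commas and '='
    but never ';', so splitting on at most three ';' is unambiguous."""
    parts = value.split(";", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected description layout: {value!r}")
    version, serial, issuer, subject = parts
    return AgentDescription(version, int(serial), issuer, subject)


def normalize_dn(dn: str) -> str:
    """Comparison form for the simple CN=/O= DNs used here: strip whitespace
    around RDNs and fold case.  Not a full RFC 4514 normaliser."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def same_identity(a: AgentDescription, b: AgentDescription) -> bool:
    """Two entries identify the same certificate if serial, issuer and
    subject agree (DN comparison is case-insensitive)."""
    return (a.serial == b.serial
            and normalize_dn(a.issuer) == normalize_dn(b.issuer)
            and normalize_dn(a.subject) == normalize_dn(b.subject))


def check_agent_entries(ca_subject_dn: str, ra_desc: str, kra_desc: str) -> List[str]:
    """Return human-readable findings; an empty list means both entries are
    consistent with each other and with the CA's subject DN."""
    findings: List[str] = []
    ra = parse_description(ra_desc)
    kra = parse_description(kra_desc)
    # The RA certificate is issued by the IPA CA, so each entry's issuer
    # field must equal the CA's subject DN, custom or not.
    for entry_dn, desc in ((RA_ENTRY_DN, ra), (KRA_ENTRY_DN, kra)):
        if normalize_dn(desc.issuer) != normalize_dn(ca_subject_dn):
            findings.append(
                f"{entry_dn}: issuer {desc.issuer!r} does not match "
                f"CA subject DN {ca_subject_dn!r}")
    # Both entries describe the same RA certificate, so they must agree.
    if not same_identity(ra, kra):
        findings.append(f"{KRA_ENTRY_DN}: description differs from {RA_ENTRY_DN}")
    return findings


def corrected_description(desc_value: str, ca_subject_dn: str) -> str:
    """Rewrite the issuer field to the CA's subject DN, keeping version,
    serial and subject.  Illustrates what the upgrade step has to achieve;
    the real fix is FreeIPA's upgrade plugin, not this function."""
    d = parse_description(desc_value)
    return f"{d.version};{d.serial};{ca_subject_dn};{d.subject}"


if __name__ == "__main__":
    for finding in check_agent_entries(CA_SUBJECT_DN, RA_DESCRIPTION, KRA_DESCRIPTION_BUGGY):
        print("FINDING:", finding)
    fixed = corrected_description(KRA_DESCRIPTION_BUGGY, CA_SUBJECT_DN)
    print("corrected KRA description:", fixed)
    print("findings after fix:", check_agent_entries(CA_SUBJECT_DN, RA_DESCRIPTION, fixed))
```

Run against the constructed data, the check reports the KRA entry's stale issuer DN and the resulting mismatch with the CA entry, and reports nothing once the issuer field is rewritten to the CA's subject DN. On a live server the two values would come from `ldapsearch` against the `o=ipaca` suffix (Directory Manager credentials), and the CA subject DN from the CA certificate itself.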