| Summary: | Unable to create encrypted connection with kerberos | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Erinn Looney-Triggs <erinn.looneytriggs> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.0 | CC: | benl, dpal, grajaiya, jgalipea, jwest, mpoole, prc, sgallagh, syeghiay |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-2.0.0-12.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-05-19 13:44:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Erinn Looney-Triggs
2011-02-05 01:16:01 UTC
Stephen will correct me if I am wrong, but it seems that you have the domain foo.com configured. See the line:

domains = foo.com

Everything from the second domain (the default one) is ignored. When you installed IPA, what is the domain that you used? Did you use the --realm argument when you installed the IPA client? If you do not specify it, the client will assume that the names of the IPA domain and Kerberos realm are the same (just capitalized). If you did and ended up with this, there is definitely a bug. If you didn't, would you mind re-installing the client with the right command line options?

I took a look at the code. I see two problems here:
1) https://fedorahosted.org/freeipa/ticket/925
2) https://fedorahosted.org/freeipa/ticket/926

Thank you for reporting the issue!

Same result when using --realm from the command line, but I think you knew that was happening already.

Can you tell us what the contents of /etc/krb5.keytab are? Please run the following as root:

ktutil

At the prompts, type:

ktutil: rkt /etc/krb5.keytab
ktutil: l

You should see output similar to:

slot KVNO Principal
---- ---- -----------------------------------
   1    2 host/vm-130.example.com
   2    2 host/vm-130.example.com
   3    2 host/vm-130.example.com
   4    2 host/vm-130.example.com
   5    2 host/vm-130.example.com
   6    2 host/vm-130.example.com

Please tell us whether host/sb.foo.com appears at least once in this list.

It does; also, an easier way to get the listing is with klist -kK /etc/krb5.keytab.
-Erinn

I have two other ideas:

1) Can you try setting SELinux to permissive? I wonder if you are hitting a denial while reading the keytab.

2) Could you try adding:

ldap_krb5_keytab = /etc/krb5.keytab

to the [domain/foo.com] section of your sssd.conf? I'm wondering if for some reason your local copy of MIT Kerberos doesn't default to /etc/krb5.keytab. (The message "keytab file [(null)]" means that it was trying to use the system default keytab.)

It's possible that the system default keytab location is set incorrectly (or that something is setting the KRB5_KTNAME environment variable). It would help us understand if we could see /etc/krb5.conf too.

krb5.conf:
#File modified by ipa-client-install
[libdefaults]
default_realm = LINUX.FOO.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
LINUX.FOO.COM = {
kdc = ipa.foo.com:88
admin_server = ipa.foo.com:749
default_domain = foo.com
}
[domain_realm]
.foo.com = LINUX.FOO.COM
foo.com = LINUX.FOO.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
> 1) Can you try setting SELinux to permissive? I wonder if you are hitting a denial while reading the keytab.

Checked the audit logs and nothing, unless there is a dontaudit rule for this problem, which isn't likely. Dropped it into permissive mode anyway and still the same.

> 2) Could you try adding:
> ldap_krb5_keytab = /etc/krb5.keytab
> To the [domain/foo.com] section of your sssd.conf? I'm wondering if for some reason your local copy of MIT kerberos doesn't default to /etc/krb5.keytab. (The message keytab file [(null)] means that it was trying to use the system default keytab). It's possible that the system default keytab location is set incorrectly (or that something is setting the KRB5_KTNAME environment variable).

Same result with that change added to sssd.conf. sssd was restarted as well.

I want to draw your attention again to the error message and what appears to be going wrong to me; you may already be aware of this, but I just want to make sure:

Feb 20 00:29:57 sb [sssd[ldap_child[4092]]]: Error processing keytab file [(null)]: Principal [host/sb.foo.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.

FOO.COM is not my realm, LINUX.FOO.COM is; why does it continue to search for that realm? Is this perhaps the crux of the issue, that it is searching for a key with that realm, which doesn't exist?

(In reply to comment #10)
> FOO.COM is not my realm, LINUX.FOO.COM is, why does it continue to search for
> that realm? Is this perhaps the crux of the issue, that it is searching for a
> key with that realm, which doesn't exist?

You are correct, I misread your initial bug report and thought that FOO.COM was the correct realm. If that's the case, the problem here is simple and obvious. By default, the IPA provider in SSSD (when id_provider = ipa) uses the name of the SSSD domain as both the "IPA domain" and the "Kerberos Realm" for the purposes of setting up the connection.

Since your configuration domain is [domain/foo.com], SSSD assumes that the IPA domain name is "foo.com" and the associated Kerberos realm is "FOO.COM". I'm assuming that foo.com IS in fact the IPA domain name, but that you chose a different REALM name. So in essence, your IPA domain name is "foo.com", but your Kerberos realm is "LINUX.FOO.COM". This can be resolved by adding the line:

krb5_realm = LINUX.FOO.COM

into the [domain/foo.com] section of your sssd.conf. Assuming that this works, I'm turning this bug back over to ipa-client, as it's a bug in the client setup that it did not set this option appropriately when the Kerberos realm != IPA domain.

Correct, and adding that line resolved that issue (on to the next issues;), and it looks like a patch was submitted to fix the ipa-client issue. I don't know what sort of magic it takes to get that back ported into RHEL 6, but let me know if you need a support ticket opened so that resources can be assigned.
-Erinn

(In reply to comment #12)
> Correct, and adding that line resolved that issue (on to the next issues;), and
> it looks like a patch was submitted to fix the ipa-client issue. I don't know
> what sort of magic it takes to get that back ported into RHEL 6, but let me
> know if you need a support ticket opened so that resources can be assigned.
>
> -Erinn

The ipa-client in 6.1 will have significant changes over the one in 6.0, so this effort is already accounted for.

master: f34c0ab91673ad12edd937e6f3b0e97811f06d6e

master: e7ed4035b5bc7bf57d54f5b8dfd789af16671d4b

verified:

install IPA with:
ipa-server-install --setup-dns --hostname=hp-sl2x170zg6-02.linux.testrelm -r TESTRELM -n linux.testrelm -p password -P password -a password -U
sssd.conf after installation:
[sssd]
services = nss, pam
config_file_version = 2
domains = linux.testrelm
[nss]
[pam]
[domain/linux.testrelm]
cache_credentials = True
krb5_realm = TESTRELM <================================
ipa_domain = linux.testrelm <===============================
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, hp-sl2x170zg6-02.linux.testrelm
[domain/default]
cache_credentials = True
krb5_realm = TESTRELM <================================
krb5_kdcip = hp-sl2x170zg6-02.linux.testrelm:88
auth_provider = krb5
chpass_provider = krb5
krb5_kpasswd = hp-sl2x170zg6-02.linux.testrelm:749
# kinit admin
Password for admin@TESTRELM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM
Valid starting Expires Service principal
03/11/11 11:44:02 03/12/11 11:43:59 krbtgt/TESTRELM@TESTRELM
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM
Valid starting Expires Service principal
03/11/11 11:44:02 03/12/11 11:43:59 krbtgt/TESTRELM@TESTRELM
# klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/hp-sl2x170zg6-02.linux.testrelm@TESTRELM
2 host/hp-sl2x170zg6-02.linux.testrelm@TESTRELM
2 host/hp-sl2x170zg6-02.linux.testrelm@TESTRELM
2 host/hp-sl2x170zg6-02.linux.testrelm@TESTRELM
2 host/hp-sl2x170zg6-02.linux.testrelm@TESTRELM
2 host/hp-sl2x170zg6-02.linux.testrelm@TESTRELM
krb5.conf
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TESTRELM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
TESTRELM = {
kdc = hp-sl2x170zg6-02.linux.testrelm:88
admin_server = hp-sl2x170zg6-02.linux.testrelm:749
default_domain = linux.testrelm
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.linux.testrelm = TESTRELM
linux.testrelm = TESTRELM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[dbmodules]
TESTRELM = {
db_library = kldap
ldap_servers = ldapi://%2fvar%2frun%2fslapd-TESTRELM.socket
ldap_kerberos_container_dn = cn=kerberos,dc=testrelm
ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=testrelm
ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=testrelm
ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
}
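The root cause in this thread is a silent default: with id_provider = ipa and no krb5_realm, SSSD upper-cases the SSSD domain name and looks for host/FQDN@THAT.REALM in the keytab, so a realm that differs from the domain (LINUX.FOO.COM vs. foo.com) produces the "Principal [host/sb.foo.com] was not found" error. The script below is an added example written for this page; it is not code from the bug report, SSSD or IPA. It encodes the realm-derivation rule as Stephen describes it, compares the derived realm against default_realm in krb5.conf and against the principals a klist -k listing shows, and flags the mismatch before sssd is restarted. The sssd.conf, krb5.conf and klist -k text are constructed from the values in the thread; the function names are this example's own.

```python
"""Cross-check the realm SSSD derives for an IPA domain against krb5.conf and the keytab.

Added example for this bug thread, not code from the report, SSSD or IPA. It encodes
the rule described in the thread: with id_provider = ipa and no krb5_realm, SSSD uses
the SSSD domain name, upper-cased, as the Kerberos realm. All sample configuration and
klist output below is constructed from values in the thread.
"""
import configparser
import re

# Constructed sssd.conf mirroring the reporter's setup: SSSD domain foo.com, but the
# realm chosen at install time was LINUX.FOO.COM, and no krb5_realm line is present.
SSSD_CONF_BROKEN = """
[sssd]
services = nss, pam
config_file_version = 2
domains = foo.com

[domain/foo.com]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa.foo.com
"""

# The fix from the thread: pin the realm explicitly in the IPA domain section.
SSSD_CONF_FIXED = SSSD_CONF_BROKEN + "krb5_realm = LINUX.FOO.COM\n"

# Constructed from the reporter's posted krb5.conf (only the parts the check reads).
KRB5_CONF = """
[libdefaults]
 default_realm = LINUX.FOO.COM
 dns_lookup_realm = false
[realms]
 LINUX.FOO.COM = {
  kdc = ipa.foo.com:88
 }
"""

# Constructed `klist -k` listing for the reporter's host, in the shape seen in the thread.
KLIST_K_OUTPUT = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/sb.foo.com@LINUX.FOO.COM
"""


def default_realm(krb5_conf_text):
    """Return default_realm from [libdefaults]. krb5.conf is not INI (nested braces
    under [realms]), so only the libdefaults section is scanned, line by line."""
    in_libdefaults = False
    for line in krb5_conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_libdefaults = stripped == "[libdefaults]"
            continue
        if in_libdefaults:
            m = re.match(r"default_realm\s*=\s*(\S+)", stripped)
            if m:
                return m.group(1)
    return None


def effective_realms(sssd_conf_text):
    """Map each [domain/NAME] with id_provider = ipa to the realm SSSD will use:
    krb5_realm when set, otherwise NAME upper-cased (the default described in the thread)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    realms = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        name = section[len("domain/"):]
        realms[name] = cp.get(section, "krb5_realm", fallback=name.upper())
    return realms


def keytab_principals(klist_k_output):
    """Parse `klist -k` output into the set of principals present in the keytab."""
    found = set()
    for line in klist_k_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found


def check_realm_mismatch(sssd_conf_text, krb5_conf_text):
    """List (domain, realm SSSD derives, krb5.conf default_realm) wherever they differ."""
    krb_realm = default_realm(krb5_conf_text)
    return [(d, r, krb_realm) for d, r in effective_realms(sssd_conf_text).items()
            if r != krb_realm]


def missing_host_principals(sssd_conf_text, fqdn, klist_k_output):
    """Return the host/FQDN@REALM principals SSSD will look up that are absent from the
    keytab; a non-empty result is exactly the 'Principal [...] was not found' condition."""
    have = keytab_principals(klist_k_output)
    wanted = [f"host/{fqdn}@{r}" for r in effective_realms(sssd_conf_text).values()]
    return [p for p in wanted if p not in have]


if __name__ == "__main__":
    for label, conf in (("broken", SSSD_CONF_BROKEN), ("fixed", SSSD_CONF_FIXED)):
        print(label, "realm mismatches:", check_realm_mismatch(conf, KRB5_CONF))
        print(label, "missing keytab entries:",
              missing_host_principals(conf, "sb.foo.com", KLIST_K_OUTPUT))
```

Run against the broken configuration it reports that SSSD will derive FOO.COM while krb5.conf and the keytab only know LINUX.FOO.COM, and that host/sb.foo.com@FOO.COM is not in the keytab; with the krb5_realm line added both lists are empty. On a real host the same functions can be fed the contents of /etc/sssd/sssd.conf, /etc/krb5.conf and the output of klist -k /etc/krb5.keytab.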
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0631.html