Bug 712162

Summary: Re-joining a host appends the keytab with an existing KVNO.
Product: Red Hat Enterprise Linux 6
Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: doc-Identity_Management_Guide
Assignee: Deon Ballard <dlackey>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: unspecified
Priority: unspecified
Version: 6.2
CC: dlackey, dpal, jgalipea, jskeoch, kchamart, mkosek
Target Milestone: rc
Keywords: Documentation, Reopened
Doc Type: Bug Fix
Last Closed: 2011-12-12 19:15:22 UTC

Description Gowrishankar Rajaiyan 2011-06-09 16:34:43 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.0.0-25.el6.x86_64
ipa-client-2.0.0-25.el6.x86_64

How reproducible:
Always

Steps to Reproduce:

On client:
1. Install ipa-client
# klist -ekt /etc/krb5.keytab 
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes256-cts-hmac-sha1-96) 
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes128-cts-hmac-sha1-96) 
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (des3-cbc-sha1) 
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (arcfour-hmac) 

2. # ipa-join -u
Unenrollment successful.

3. # ipa-join 
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=LAB.ENG.PNQ.REDHAT.COM

4. # klist -ekt /etc/krb5.keytab (Observe the KVNO)
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes256-cts-hmac-sha1-96) 
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes128-cts-hmac-sha1-96) 
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (des3-cbc-sha1) 
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (arcfour-hmac) 
   1 06/09/11 06:00:42 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes256-cts-hmac-sha1-96) 
   1 06/09/11 06:00:42 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes128-cts-hmac-sha1-96) 
   1 06/09/11 06:00:42 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (des3-cbc-sha1) 
   1 06/09/11 06:00:42 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (arcfour-hmac) 

5. # ipa-join -u
Error obtaining initial credentials: Decrypt integrity check failed.


Actual results:
1. IPA client fails to unenroll the second time. 
2. The keytab is appended with the same KVNO for the host principal.
3. SSSD auth fails since it is unable to bind using this keytab
(Thu Jun  9 06:40:57 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_get_tgt_recv] (6): Child responded: 14 [Decrypt integrity check failed], expired on [0]
(Thu Jun  9 06:40:57 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_kinit_done] (4): Could not get TGT: 14 [Bad address]
(Thu Jun  9 06:40:57 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [fo_set_port_status] (4): Marking port 0 of server 'bumblebee.lab.eng.pnq.redhat.com' as 'not working'
(Thu Jun  9 06:40:57 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_handle_release] (8): Trace: sh[0x16c1030], connected[1], ops[(nil)], ldap[0x16c1710], destructor_lock[0], release_memory[0]


Expected results:
- Should remove the keytab when unenrolled.
OR
- Should check if the host principal already exists in the keytab, do an ipa-rmkeytab of the host principal, and then re-add it.

Additional info:
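
The condition described above (the same host principal and enctype stored twice under one KVNO, with different timestamps) can be checked for before SSSD starts failing with "Decrypt integrity check failed". The following is an added example, not code from the report or from the IPA project: it parses the text format of `klist -ekt` as shown in the steps above and reports every (principal, enctype, KVNO) group that appears with more than one timestamp. The sample output is constructed for the example and uses a placeholder principal, not the reporter's host.

```python
"""Detect keytab entries that were appended under an already-used KVNO.

Example added for illustration; it is not part of the bug report or of
ipa-client. It assumes the `klist -ekt` output layout shown in the report:
one header block, then one line per key of the form
   <kvno> <date> <time> <principal> (<enctype>)
"""
import re
from collections import defaultdict

# One data line of `klist -ekt`. Header and separator lines do not start
# with digits and are therefore skipped by the parser.
KLIST_LINE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)

# Constructed sample modelled on the report: a clean keytab, then the same
# keytab after a second `ipa-join` appended new keys with the same KVNO 1.
SAMPLE_CLEAN = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/09/11 05:58:47 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 06/09/11 05:58:47 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

SAMPLE_AFTER_REJOIN = SAMPLE_CLEAN + """\
   1 06/09/11 06:00:42 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 06/09/11 06:00:42 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""


def parse_klist(text):
    """Return (kvno, timestamp, principal, enctype) tuples from klist -ekt text."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m["kvno"]),
                            f"{m['date']} {m['time']}",
                            m["principal"],
                            m["enctype"]))
    return entries


def find_stale_duplicates(entries):
    """Group keys by (principal, enctype, kvno) and return the groups that
    carry more than one distinct timestamp. A KDC only knows one key per
    KVNO, so such a group means at least one of the stored keys is stale,
    which is exactly what breaks kinit with the keytab."""
    timestamps = defaultdict(set)
    for kvno, ts, principal, enctype in entries:
        timestamps[(principal, enctype, kvno)].add(ts)
    return sorted(
        (principal, enctype, kvno, sorted(ts))
        for (principal, enctype, kvno), ts in timestamps.items()
        if len(ts) > 1
    )


def report(text):
    """Human-readable summary of duplicates found in one klist -ekt dump."""
    dups = find_stale_duplicates(parse_klist(text))
    if not dups:
        return ["keytab OK: no repeated KVNO per principal/enctype"]
    return [f"{p} ({e}) kvno={k} stored {len(ts)} times: {', '.join(ts)}"
            for p, e, k, ts in dups]


if __name__ == "__main__":
    # In practice feed it the real output: report(subprocess.check_output(
    #     ["klist", "-ekt", "/etc/krb5.keytab"], text=True))
    for line in report(SAMPLE_AFTER_REJOIN):
        print(line)
```

If the check fires, the remedy the thread converges on is to unenroll with ipa-client-install --uninstall rather than ipa-join -u alone, since only the former cleans up the keytab entries.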

Comment 2 Rob Crittenden 2011-06-09 17:13:39 UTC
This is not a valid test. ipa-join does not claim to remove keytab entries (in fact ipa-rmkeytab does).

ipa-client-install should be used to unenroll a client, not ipa-join -u.

Comment 3 Gowrishankar Rajaiyan 2011-06-10 06:15:04 UTC
Then it doesn't make any sense to me to have this confusing option (-u) for ipa-join.

# ipa-join --help
Usage: ipa-join [OPTION...]
  -d, --debug                 Print the raw XML-RPC output in GSSAPI mode
  -q, --quiet                 Quiet mode. Only errors are displayed.
  -u, --unenroll              Unenroll this host from IPA server
  -h, --hostname=hostname     Hostname of this server
  -s, --server=hostname       IPA Server to use
  -k, --keytab=filename       Specifies where to store keytab information.
  -w, --bindpw=password       LDAP password (if not using Kerberos)

I don't see this option in 5.7 client:

[root@drifter ~]# ipa-join --help
Usage: ipa-join [OPTION...]
  -d, --debug                                            Print the raw XML-RPC
                                                         output
  -q, --quiet                                            Print as little as
                                                         possible
  -h, --hostname=Host Name                               Use this hostname
                                                         instead of the node
                                                         name
  -s, --server=IPA Server Name                           IPA Server to use
  -k, --keytab=Keytab File Name                          File were to store
                                                         the keytab information
  -w, --bindpw=password to use if not using kerberos     LDAP password

Help options:
  -?, --help                                             Show this help message
  --usage                                                Display brief usage
                                                         message

[root@drifter ~]# rpm -qf `which ipa-join`
ipa-client-2.0-10.el5_6.1

Comment 4 Dmitri Pal 2011-06-10 13:57:18 UTC
The functionality is correct. IMO it is not a bug. Yes, it is a bit confusing, but AFAIR we already talked about it and did not find a way to make it less confusing.

ipa-client-install --uninstall should be used to uninstall the client. ipa-join -u is a utility function called in this process. If you want to do things manually, you need to be aware that ipa-join -u is just a part of the process and does not do everything.

Maybe we should have a paragraph about this in the manual.

Comment 5 Jenny Severance 2011-06-10 14:03:06 UTC
Shall we turn this into a documentation bug? And the man pages, as we already discussed, could use some work.

Comment 7 Deon Ballard 2011-06-10 15:19:03 UTC
Reopening as a doc bug.