Bug 924004

Summary: ipa-client-install cannot obtain CA certificate
Product: Red Hat Enterprise Linux 6
Reporter: Dmitri Pal <dpal>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 6.4
CC: ksiddiqu, lnovich, mkosek, pasteur
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.0.0-31.el6
Doc Type: Bug Fix
Doc Text:
Cause: When the Identity Management client installer was downloading the CA certificate from the Identity Management server via the LDAP protocol, in some cases it did not fall back to the HTTP protocol.
Consequence: Identity Management client installation failed because the CA certificate could not be downloaded via LDAP, even though the certificate was accessible via HTTP.
Fix: The Identity Management client's CA retrieval fallback mechanism was improved.
Result: Identity Management client installation now falls back properly between protocols when downloading the CA certificate, and thus completes even when the download via one protocol fails.
Last Closed: 2013-11-21 20:52:08 UTC

Description Dmitri Pal 2013-03-20 22:15:42 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3512

Ticket was cloned from Red Hat Bugzilla (product "Fedora"): Bug 920716 (https://bugzilla.redhat.com/show_bug.cgi?id=920716)

{{{
Description of problem:

Cannot obtain CA certificate
'ldap://ipa.hunter.org' doesn't have a certificate.


Version-Release number of selected component (if applicable):

Installed Packages
freeipa-client.x86_64                   3.1.2-1.fc18
@updates
freeipa-python.x86_64                   3.1.2-1.fc18
@updates


How reproducible: Consistent


Steps to Reproduce:

1. Build a new virtual machine with dynamic IP address assignment

2. yum install --assumeyes freeipa-client

3. ipa-client-install


Actual results:

[root@fedora18 ~]#   ipa-client-install \
>     --domain=hunter.org \
>     --enable-dns-updates \
>     --force-ntp \
>     --password=adminpassword \
>     --principal=admin \
>     --realm=HUNTER.ORG \
>     --ssh-trust-dns \
>     --unattended
Discovery was successful!
Hostname: fedora18.hunter.org
Realm: HUNTER.ORG
DNS Domain: hunter.org
IPA Server: ipa.hunter.org
BaseDN: dc=hunter,dc=org

Synchronizing time with KDC...
Cannot obtain CA certificate
'ldap://ipa.hunter.org' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@fedora18 ~]#

Expected results:

I expected successful completion of the IPA client.


Additional info: /var/log/ipaclient-install.log

2013-03-12T14:16:01Z DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'domain': 'hunter.org', 'force': False, 'krb5_offline_passwords':
True, 'primary': False, 'realm_name': 'HUNTER.ORG', 'force_ntpd': True,
'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True,
'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin', 'hostname':
None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': True,
'dns_updates': True, 'mkhomedir': False, 'conf_ssh': True, 'server': None,
'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd':
False, 'uninstall': False}
2013-03-12T14:16:01Z DEBUG missing options might be asked for interactively
later
2013-03-12T14:16:01Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2013-03-12T14:16:01Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-03-12T14:16:01Z DEBUG [IPA Discovery]
2013-03-12T14:16:01Z DEBUG Starting IPA discovery with domain=hunter.org,
server=None, hostname=fedora18.hunter.org
2013-03-12T14:16:01Z DEBUG Search for LDAP SRV record in hunter.org
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ldap._tcp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 389 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG [Kerberos realm search]
2013-03-12T14:16:01Z DEBUG Search DNS for TXT record of _kerberos.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: "HUNTER.ORG"
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of
_kerberos._udp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 88 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG [LDAP server check]
2013-03-12T14:16:01Z DEBUG Verifying that ipa.hunter.org (realm HUNTER.ORG) is
an IPA server
2013-03-12T14:16:01Z DEBUG Init LDAP connection with: ldap://ipa.hunter.org:389
2013-03-12T14:16:01Z DEBUG Search LDAP server for IPA base DN
2013-03-12T14:16:01Z DEBUG Check if naming context 'dc=hunter,dc=org' is for
IPA
2013-03-12T14:16:01Z DEBUG Naming context 'dc=hunter,dc=org' is a valid IPA
context
2013-03-12T14:16:01Z DEBUG Search for (objectClass=krbRealmContainer) in
dc=hunter,dc=org (sub)
2013-03-12T14:16:01Z DEBUG Found: cn=HUNTER.ORG,cn=kerberos,dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG Discovery result: Success; server=ipa.hunter.org,
domain=hunter.org, kdc=ipa.hunter.org, basedn=dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG will use discovered domain: hunter.org
2013-03-12T14:16:01Z DEBUG Start searching for LDAP SRV record in "hunter.org"
(Validating DNS Discovery) and its sub-domains
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ldap._tcp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 389 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG DNS validated, enabling discovery
2013-03-12T14:16:01Z DEBUG will use discovered server: ipa.hunter.org
2013-03-12T14:16:01Z INFO Discovery was successful!
2013-03-12T14:16:01Z DEBUG will use discovered realm: HUNTER.ORG
2013-03-12T14:16:01Z DEBUG will use discovered basedn: dc=hunter,dc=org
2013-03-12T14:16:01Z INFO Hostname: fedora18.hunter.org
2013-03-12T14:16:01Z DEBUG Hostname source: Machine's FQDN
2013-03-12T14:16:01Z INFO Realm: HUNTER.ORG
2013-03-12T14:16:01Z DEBUG Realm source: Discovered from LDAP DNS records in
ipa.hunter.org
2013-03-12T14:16:01Z INFO DNS Domain: hunter.org
2013-03-12T14:16:01Z DEBUG DNS Domain source: Discovered LDAP SRV records from
hunter.org
2013-03-12T14:16:01Z INFO IPA Server: ipa.hunter.org
2013-03-12T14:16:01Z DEBUG IPA Server source: Discovered from LDAP DNS records
in ipa.hunter.org
2013-03-12T14:16:01Z INFO BaseDN: dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG BaseDN source: From IPA server
ldap://ipa.hunter.org:389
2013-03-12T14:16:01Z DEBUG Starting external process
2013-03-12T14:16:01Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r
HUNTER.ORG
2013-03-12T14:16:01Z DEBUG Process finished, return code=3
2013-03-12T14:16:01Z DEBUG stdout=
2013-03-12T14:16:01Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No
such file or directory

2013-03-12T14:16:01Z INFO Synchronizing time with KDC...
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ntp._udp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 123 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG Starting external process
2013-03-12T14:16:01Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v
ipa.hunter.org
2013-03-12T14:16:08Z DEBUG Process finished, return code=0
2013-03-12T14:16:08Z DEBUG stdout=
2013-03-12T14:16:08Z DEBUG stderr=
2013-03-12T14:16:08Z DEBUG Writing Kerberos configuration to /tmp/tmpGow23H:
2013-03-12T14:16:08Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = HUNTER.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  HUNTER.ORG = {
    kdc = ipa.hunter.org:88
    master_kdc = ipa.hunter.org:88
    admin_server = ipa.hunter.org:749
    default_domain = hunter.org
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .hunter.org = HUNTER.ORG
  hunter.org = HUNTER.ORG

2013-03-12T14:16:08Z DEBUG Starting external process
2013-03-12T14:16:08Z DEBUG args=kinit admin
2013-03-12T14:16:09Z DEBUG Process finished, return code=0
2013-03-12T14:16:09Z DEBUG stdout=Password for admin:

2013-03-12T14:16:09Z DEBUG stderr=
2013-03-12T14:16:09Z DEBUG trying to retrieve CA cert via LDAP from
ldap://ipa.hunter.org
2013-03-12T14:16:09Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1):
generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide
more information (Credentials cache file
'/run/user/0/krb5cc_c7425795554d90f87ddd1bf2513f37ab/tkt' not found)
2013-03-12T14:16:09Z DEBUG {'info': "SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (Credentials
cache file '/run/user/0/krb5cc_c7425795554d90f87ddd1bf2513f37ab/tkt' not
found)", 'desc': 'Local error'}
2013-03-12T14:16:09Z ERROR Cannot obtain CA certificate
'ldap://ipa.hunter.org' doesn't have a certificate.
2013-03-12T14:16:09Z ERROR Installation failed. Rolling back changes.
2013-03-12T14:16:09Z ERROR IPA client is not configured on this system.
}}}

Comment 1 Martin Kosek 2013-03-21 15:22:04 UTC
Fixed upstream:

master:
1336b399065ff47477029ba487f1d392f1ce6ac8 Improve client install LDAP cert retrieval fallback
6540eff4687bbc400e285a68936d8edf1895168e Use temporary CCACHE in ipa-client-install

ipa-3-1:
fdfcd2cf2456fce303553d88cbf53067c975d2f3 Improve client install LDAP cert retrieval fallback
07755e815e09ef722fc1fdb6715fd538aa2d08d4 Use temporary CCACHE in ipa-client-install

Comment 7 Martin Kosek 2013-10-14 19:47:01 UTC
Reproduction:

I was pondering how to recreate the GSSAPI failure given we already fixed the root cause, but I did not find an easy way.

Therefore, I would propose to verify this bug as Sanity Only, with checking that the fallback from LDAP to HTTP functionality stays intact. For example with this scenario:

SERVER:

Rename CAcert on server:

dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
changetype: moddn
newrdn: cn=CAcert-renamed
deleteoldrdn: 1
newsuperior: cn=ipa,cn=etc,dc=example,dc=com


CLIENT:
# rm -f /etc/ipa/ca.crt 

# ipa-client-install -p admin -w Secret123
Discovery was successful!
Hostname: vm-086.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: vm-119.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Unable to download CA cert from LDAP.
Do you want to download the CA cert from http://vm-119.example.com/ipa/config/ca.crt?
(this is INSECURE) [no]: y
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Fri Oct 11 07:28:43 2013 UTC
    Valid Until: Tue Oct 11 07:28:43 2033 UTC

Enrolled in IPA realm EXAMPLE.COM
...
Client configuration complete.

Comment 8 Kaleem 2013-10-15 10:21:42 UTC
Verified.

We tried CA retrieval fallback from ldap to http only as suggested.

ipa version:
============
[root@rhel65-client ~]# rpm -q ipa-client
ipa-client-3.0.0-37.el6.x86_64
[root@rhel65-client ~]#

Verification steps:

(1) Rename CA ldap entry on Master

[root@rhel65-client ~]# cat rename-ca.ldif 
dn: cn=CAcert,cn=ipa,cn=etc,dc=testrelm,dc=com
changetype: moddn
newrdn: cn=CAcert-foo
deleteoldrdn: 1
newsuperior: cn=ipa,cn=etc,dc=testrelm,dc=com
[root@rhel65-client ~]#

[root@rhel65-client ~]# ldapadd -h rhel65-master.testrelm.com -p 389 -D "cn=Directory Manager" -w Secret123 -f /root/rename-ca.ldif 
modifying rdn of entry "cn=CAcert,cn=ipa,cn=etc,dc=testrelm,dc=com"

[root@rhel65-client ~]#

(2) Install ipa client

[root@rhel65-client ~]# ipa-client-install --domain=testrelm.com --realm=TESTRELM.COM -p admin -w xxxxxxxx --server=rhel65-master.testrelm.com
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: rhel65-client.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: rhel65-master.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to download CA cert from LDAP.
Do you want to download the CA cert from http://rhel65-master.testrelm.com/ipa/config/ca.crt?
(this is INSECURE) [no]: yes
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.COM
    Issuer:      CN=Certificate Authority,O=TESTRELM.COM
    Valid From:  Tue Oct 15 05:26:16 2013 UTC
    Valid Until: Sat Oct 15 05:26:16 2033 UTC

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
trying https://rhel65-master.testrelm.com/ipa/xml
Forwarding 'env' to server u'https://rhel65-master.testrelm.com/ipa/xml'
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://rhel65-master.testrelm.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@rhel65-client ~]#
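As an added illustration (not FreeIPA's own code), the LDAP-then-HTTP CA retrieval described in the Doc Text and exercised in Comments 7 and 8, modelled with pluggable fetchers so it runs offline; it goes one step further than the installer shown above, which only prompts or warns before the INSECURE HTTP download, by requiring an out-of-band fingerprint pin for unattended runs and verifying the downloaded bytes against it. The names `LdapUnavailable`, `NoCertificateInLdap`, `retrieve_ca_cert`, `attempt` and the value `FAKE_CA_DER` are all hypothetical; the sample fetchers only mimic the two LDAP outcomes seen on this page.

```python
import hashlib

# Constructed stand-in for the DER bytes of the realm CA; not a real certificate.
FAKE_CA_DER = b"constructed stand-in for CN=Certificate Authority,O=EXAMPLE.COM"

class LdapUnavailable(Exception):
    """Bind or transport failure, like the GSSAPI 'credentials cache not found' in the log."""

class NoCertificateInLdap(Exception):
    """Search worked but cn=CAcert,cn=ipa,cn=etc,<basedn> is gone (Comment 7's moddn)."""

def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, the form an admin reads off the server's ca.crt."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def retrieve_ca_cert(ldap_fetch, http_fetch, unattended, confirm=None, pinned_fp=None):
    """Return (source, der). Any LDAP failure falls through to HTTP (what the fix restores),
    but HTTP is unauthenticated, so the fallback is gated: interactive runs need the operator's
    confirmation, unattended runs need a pinned fingerprint, and a pin is always verified."""
    try:
        return "ldap", ldap_fetch()
    except (LdapUnavailable, NoCertificateInLdap) as exc:
        reason = "%s: %s" % (type(exc).__name__, exc)
    if unattended and pinned_fp is None:
        raise RuntimeError("LDAP retrieval failed (%s); refusing unpinned HTTP fallback" % reason)
    if not unattended and not confirm():
        raise RuntimeError("LDAP retrieval failed (%s); HTTP fallback declined" % reason)
    der = http_fetch()
    if pinned_fp is not None and sha256_fingerprint(der) != pinned_fp.upper():
        raise RuntimeError("CA cert fetched over HTTP does not match the pinned fingerprint")
    return "http", der

def attempt(*args, **kwargs):
    """Same as retrieve_ca_cert, but a refusal comes back as ('refused', message)."""
    try:
        return retrieve_ca_cert(*args, **kwargs)
    except RuntimeError as exc:
        return "refused", str(exc)

# Fetchers reproducing the two LDAP outcomes seen on this page, plus the HTTP path.
def ldap_gssapi_failure():
    raise LdapUnavailable("SASL(-1): generic failure: GSSAPI Error: credentials cache not found")

def ldap_entry_renamed():
    raise NoCertificateInLdap("no cACertificate under cn=ipa,cn=etc,dc=example,dc=com")

def http_fetch_ok():
    return FAKE_CA_DER
```

In the scenario of Comment 8 this corresponds to answering "yes" at the INSECURE prompt; the pinned-fingerprint path is the equivalent for `--unattended` runs like the one in the original report.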

Comment 10 errata-xmlrpc 2013-11-21 20:52:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html