Bug 970618

Summary: [RFE] pac-type change must be effective immediately without kdc restart
Product: Red Hat Enterprise Linux 7
Reporter: Dmitri Pal <dpal>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.0
CC: mkosek, mnavrati, rmainz, sgoveas
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Doc Text:
The following known issue description has been removed from the RHEL 7.0 Release Notes. The Identity Manager (IdM) Kerberos driver does not actively update default PAC types for Kerberos tickets issued by IdM Kerberos key distribution center (KDC). Consequently, if the default list of PAC types is changed in the IdM configuration, the IdM Kerberos KDC does not generate the configured PAC types for the issued tickets until the KDC is restarted. To change the default list, run the "ipa config-mod --pac-type <NEW-PAC-TYPES>" command. To work around this problem, restart the IdM Kerberos KDC service on all IdM servers. As a result, IdM Kerberos KDC generates the configured PAC types as set in the IdM server configuration.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 10:09:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1168850

Description Dmitri Pal 2013-06-04 13:11:45 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3626

A global change of the pac-type requires a KDC restart to be effective. Such a change must be effective immediately, without a KDC restart.
{{{
* When default pac-type is MS-PAC to start with

[root@gondola ~]# kinit admin
Password for admin: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:49:11  05/15/13 00:49:08  krbtgt/TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:49 /tmp/krb5cc_0

* Change PAC type to PAD

[root@gondola ~]# ipa config-mod --pac-type PAD
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: PAD

[root@gondola ~]# kinit admin
Password for admin:

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:51:47  05/15/13 00:51:44  krbtgt/TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:51 /tmp/krb5cc_0  # Size is same as when pac type was MS-PAC

* Restarted ipa

[root@gondola ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
ipa: INFO: The ipactl command was successful

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:53 /tmp/krb5cc_0

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:54:04  05/15/13 00:54:01  krbtgt/TESTRELM.COM
[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 707 May 14 00:54 /tmp/krb5cc_0 # Size is much less

* Changed back to MS-PAC

[root@gondola ~]# ipa config-mod --pac-type MS-PAC
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 707 May 14 00:55 /tmp/krb5cc_0  # no change in size

[root@gondola ~]# kvno host/gondola.testrelm.com
host/gondola.testrelm.com: kvno = 2

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1221 May 14 00:56 /tmp/krb5cc_0

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM
05/14/13 00:56:09  05/15/13 00:55:21  host/gondola.testrelm.com

* Restarted krb5kdc service

[root@gondola ~]# service krb5kdc restart
Redirecting to /bin/systemctl restart  krb5kdc.service

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM
05/14/13 00:56:09  05/15/13 00:55:21  host/gondola.testrelm.com

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:57:24  05/15/13 00:57:21  krbtgt/TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:57 /tmp/krb5cc_0
}}}

Comment 1 Dmitri Pal 2013-06-04 14:28:49 UTC
This is a release note BZ for 7.0.

Comment 2 Douglas Silas 2013-11-11 18:55:37 UTC
If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text.

For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see:

https://engineering.redhat.com/docs/en-US/Policy/70.ecs/html-single/Describing_Errata_Release_and_Technical_Notes_for_Engineers/index.html#bh-known_issue

If you have questions, please email rhel-notes.

Comment 3 Martin Kosek 2013-11-28 13:34:21 UTC
Filling Known Issue doc text for 7.0

Comment 4 Martin Kosek 2014-02-07 17:18:50 UTC
Upstream ticket:

https://fedorahosted.org/freeipa/ticket/4153

Comment 5 Martin Kosek 2014-02-07 17:19:45 UTC
*** Bug 970620 has been marked as a duplicate of this bug. ***

Comment 6 Martin Kosek 2014-06-19 12:53:36 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8b2f4443dcf61e1edf59ef0812ed05e1fa93f8fc

Comment 8 Steeve Goveas 2015-01-27 20:38:46 UTC
Verified in version

[root@vm-idm-019 ~]# rpm -q ipa-server 
ipa-server-4.1.0-16.el7.x86_64

[root@vm-idm-019 ~]# kdestroy 

[root@vm-idm-019 ~]# echo Secret123 | kinit admin
Password for admin: 

[root@vm-idm-019 ~]# ipa config-show | grep PAC
  Default PAC types: nfs:NONE, MS-PAC

[root@vm-idm-019 ~]# klist
Ticket cache: DIR::/tmp/krb5cc_0.d/tkt
Default principal: admin

Valid starting       Expires              Service principal
01/28/2015 02:01:00  01/29/2015 02:01:00  krbtgt/IPAVIEWS.TEST

[root@vm-idm-019 ~]# ll /tmp/krb5cc_0.d/tkt 
-rw-------. 1 root root 1453 Jan 28 02:01 /tmp/krb5cc_0.d/tkt

[root@vm-idm-019 ~]# ipa config-mod --pac-type PAD
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: ipaviews.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=IPAVIEWS.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default PAC types: PAD

[root@vm-idm-019 ~]# kdestroy 

[root@vm-idm-019 ~]# sleep 30

[root@vm-idm-019 ~]# echo Secret123 | kinit admin
Password for admin: 

[root@vm-idm-019 ~]# klist
Ticket cache: DIR::/tmp/krb5cc_0.d/tkt
Default principal: admin

Valid starting       Expires              Service principal
01/28/2015 02:02:30  01/29/2015 02:02:30  krbtgt/IPAVIEWS.TEST

[root@vm-idm-019 ~]# ll /tmp/krb5cc_0.d/tkt 
-rw-------. 1 root root 894 Jan 28 02:02 /tmp/krb5cc_0.d/tkt

[root@vm-idm-019 ~]# ipa config-mod --pac-type "nfs:NONE" --pac-type  "MS-PAC"
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: ipaviews.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=IPAVIEWS.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC

[root@vm-idm-019 ~]# kdestroy 

[root@vm-idm-019 ~]# sleep 30

[root@vm-idm-019 ~]# echo Secret123 | kinit admin
Password for admin: 

[root@vm-idm-019 ~]# klist
Ticket cache: DIR::/tmp/krb5cc_0.d/tkt
Default principal: admin

Valid starting       Expires              Service principal
01/28/2015 02:04:44  01/29/2015 02:04:44  krbtgt/IPAVIEWS.TEST

[root@vm-idm-019 ~]# ll /tmp/krb5cc_0.d/tkt 
-rw-------. 1 root root 1453 Jan 28 02:04 /tmp/krb5cc_0.d/tkt
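The reproduction in the description and the verification in Comment 8 both use the same signal, the byte size of the credential cache after a fresh kinit, to tell whether the KDC honoured the new pac-type. The script below packages that check as a repeatable procedure; it is an added example, not part of the bug report or of FreeIPA, and it assumes the ipa, kinit, kdestroy and klist tools are on the path and that the caller can authenticate as the given principal. The 30 s wait after the change mirrors Comment 8 and is a parameter here, not a documented KDC refresh interval.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether a pac-type change
# is honoured by the KDC for freshly issued TGTs, using the ccache size as
# the signal, exactly as the report does.

# On-disk ccache path from klist output on stdin; handles both the
# "FILE:/path" and the "DIR::/path/tkt" forms seen in this report.
ccache_path_from_klist() {
    sed -n -e 's/^Ticket cache: FILE:\(.*\)$/\1/p' \
           -e 's/^Ticket cache: DIR::\(.*\)$/\1/p'
}

# Configured "Default PAC types" from ipa config-show output on stdin.
pac_types_from_config() {
    sed -n 's/^ *Default PAC types: //p'
}

# Byte size of a file, without relying on GNU stat.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# True when two sizes differ, i.e. the issued ticket actually changed.
sizes_differ() {
    [ "$1" -ne "$2" ]
}

# Destroy the cache first so kinit really obtains a new ticket, then
# report the size of the cache that holds the fresh TGT.
fresh_tgt_size() {
    kdestroy >/dev/null 2>&1 || true
    kinit "$1" || return 1
    file_size "$(klist | ccache_path_from_klist)"
}

# Change the default pac-type, wait, and compare ticket sizes before and
# after. Only pac-type changes that alter the ticket size are detectable
# this way (e.g. PAD vs MS-PAC, as in the report).
check_pac_change() {
    new_type=$1; principal=${2:-admin}; wait=${3:-30}
    before=$(fresh_tgt_size "$principal") || return 1
    ipa config-mod --pac-type "$new_type" >/dev/null || return 1
    sleep "$wait"
    after=$(fresh_tgt_size "$principal") || return 1
    echo "pac-type now: $(ipa config-show | pac_types_from_config)"
    echo "ccache size before=$before after=$after"
    sizes_differ "$before" "$after" && echo "OK: change effective without KDC restart" && return 0
    echo "FAIL: ticket unchanged, KDC still issuing the old PAC"; return 1
}

if [ "${1:-}" = "--run" ]; then
    check_pac_change "${2:-PAD}" "${3:-admin}" "${4:-30}"
fi
```

Run it as `sh check_pac.sh --run PAD admin 30` on an IdM server; a result of FAIL reproduces the behaviour this bug describes.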

Comment 10 errata-xmlrpc 2015-03-05 10:09:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html