Bug 1032787 - On 5.10 client ,kinit as valid ipa user then ssh to Server still requires root password
On 5.10 client ,kinit as valid ipa user then ssh to Server still requires ro...
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.0
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Martin Kosek
Namita Soman
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-20 15:30 EST by Xiyang Dong
Modified: 2013-12-03 15:09 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-20 15:50:04 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Xiyang Dong 2013-11-20 15:30:53 EST
Description of problem:

On 5.10 client ,kinit as valid ipa user then ssh to 7.0 Server still requires root password 

Version-Release number of selected component (if applicable):

[root@ibm-x3650m4-02-vm-05 ~]# rpm -q ipa-server
ipa-server-3.3.3-4.el7.x86_64

[root@client510 ~]# rpm -q ipa-client
ipa-client-2.1.3-7.el5

How reproducible:
Always

Steps to Reproduce:


On server :
1. kinit as admin
2. add testuser 
3.kinit as testuser
[root@ibm-x3650m4-02-vm-05 ~]# kinit admin
Password for admin@TESTRELM.COM: 
[root@ibm-x3650m4-02-vm-05 ~]# ipa user-add testusr --first testusr --last testusr --password 
Password: 
Enter Password again to verify: 
--------------------
Added user "testusr"
--------------------
  User login: testusr
  First name: testusr
  Last name: testusr
  Full name: testusr testusr
  Display name: testusr testusr
  Initials: tt
  Home directory: /home/testusr
  GECOS: testusr testusr
  Login shell: /bin/sh
  Kerberos principal: testusr@TESTRELM.COM
  Email address: testusr@testrelm.com
  UID: 1936000011
  GID: 1936000011
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@ibm-x3650m4-02-vm-05 ~]# kinit testusr
Password for testusr@TESTRELM.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@ibm-x3650m4-02-vm-05 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_f3Qdb59
Default principal: testusr@TESTRELM.COM

Valid starting       Expires              Service principal
11/20/2013 14:07:04  11/21/2013 14:07:04  krbtgt/TESTRELM.COM@TESTRELM.COM


On client:
1.kinit as testuser
2.ssh $MASTER
[root@client510 ~]# kinit testusr
Password for testusr@TESTRELM.COM: 
[root@client510 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testusr@TESTRELM.COM

Valid starting     Expires            Service principal
11/20/13 14:07:19  11/21/13 14:07:16  krbtgt/TESTRELM.COM@TESTRELM.COM
11/20/13 14:07:33  11/21/13 14:07:16  host/ibm-x3650m4-02-vm-05.testrelm.com@TESTRELM.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

[root@client510 ~]# echo $MASTER
ibm-x3650m4-02-vm-05.testrelm.com
[root@client510 ~]# ssh $MASTER
root@ibm-x3650m4-02-vm-05.testrelm.com's password: 
Last login: Wed Nov 20 13:39:50 2013 from client510.testrelm.com

Actual results:

ssh still requires root password 

Expected results:

ssh without asking password

Additional info:
Comment 1 Dmitri Pal 2013-11-20 15:35:28 EST
Do I read it right that you are sshing using root rather then testusr?
Comment 2 Martin Kosek 2013-11-20 15:50:04 EST
Given the output, it seems that way. ssh does not magically figure out the user from a Kerberos ticket. Closing the bug.

Yi, please try

ssh testusr@$MASTER

instead and see if that works. If not, please feel free to reopen the bug.
Comment 3 Xiyang Dong 2013-11-20 16:09:32 EST
ssh testusr@$MASTER works in this 7.0 server 5.10 client env.

In other envs I've tested such as 7.0 server 7.0 client or 6.5 server 5.10 client, ssh with root does not require a password tho. 

[root@ibm-ls41-02 ~]# echo $MASTER
ibm-x3650m4-01-vm-04.testrelm.com
[root@ibm-ls41-02 ~]# ssh $MASTER
Last login: Wed Nov 20 12:38:09 2013 from ibm-ls41-02.rhts.eng.bos.redhat.com
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
                 This System is reserved by xdong@redhat.com.

 To return this system early. You can run the command: return2beaker.sh
  Ensure you have your logs off the system before returning to Beaker

 To extend your reservation time. You can run the command:
  extendtesttime.sh
 This is an interactive script. You will be prompted for how many
  hours you would like to extend the reservation.

 You should verify the watchdog was updated succesfully after
  you extend your reservation.
  https://beaker.engineering.redhat.com/recipes/1140280

 For ssh, kvm, serial and power control operations please look here:
  https://beaker.engineering.redhat.com/view/ibm-x3650m4-01-vm-04.testrelm.com

      Beaker Test information:
                         HOSTNAME=ibm-x3650m4-01-vm-04.testrelm.com
                            JOBID=547950
                         RECIPEID=1140280
                    RESULT_SERVER=127.0.0.1:7091
                           DISTRO=RedHatEnterpriseLinux-6.5
                     ARCHITECTURE=x86_64

      Job Whiteboard: Client certification :: RHEL 5.10 i386 IPA CLient :: RHEL6.5 IPA SERVER

      Recipe Whiteboard: IPA MASTER
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
[root@ibm-x3650m4-01-vm-04 ~]# logout
Connection to ibm-x3650m4-01-vm-04.testrelm.com closed.
Comment 4 Xiyang Dong 2013-11-20 16:21:38 EST
Forgot to paste the tkt info :

[root@ibm-ls41-02 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: one@TESTRELM.COM

Valid starting     Expires            Service principal
11/20/13 12:35:55  11/21/13 12:35:52  krbtgt/TESTRELM.COM@TESTRELM.COM
11/20/13 12:36:59  11/21/13 12:35:52  host/ibm-x3650m4-01-vm-04.testrelm.com@TESTRELM.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I do think prompting for root passwd when we kinit as non-root ipa user and ssh to server makes more sense.But somehow it doesn't behave same way in some test envs I mentioned above.
Comment 5 Xiyang Dong 2013-12-03 15:09:34 EST
Ahh after checking with Nalin I found that I checked the ticket in a wrong way.
I ssh to the client and klist in the shell window ,in which $KRB5CCNAME is not set.I did GDM login and check directly instead, it worked fine.
Closing as not a bug.

Note You need to log in before you can comment on or make changes to this bug.