Bug 1043488 - 'Ticket expired' message lost by the FreeIPA RPC client fallback code
Summary: 'Ticket expired' message lost by the FreeIPA RPC client fallback code
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-12-16 12:56 UTC by Javier Ramirez
Modified: 2019-04-16 14:06 UTC (History)

Fixed In Version: ipa-4.2.0-3.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-07 09:04:36 UTC
Target Upstream Version:
Embargoed:



Description Javier Ramirez 2013-12-16 12:56:12 UTC
Description of problem:
ipa cert-show $id shows only the ERROR field of the output, and in some cases this info is not clear enough.

Version-Release number of selected component (if applicable):
ipa-admintools-3.0.0-26.el6_4.2.x86_64

How reproducible:
always

Steps to Reproduce:
1. ipa environment with some cert issue (expired)
2. ipa cert-show 1

Actual results:
ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://hostname/ipa/xml, https://hostname/ipa/xml

Expected results:

ipa: INFO: Connection to https://hostname/ipa/xml failed with Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
ipa: INFO: trying https://hostname/ipa/xml
ipa: INFO: Connection to https://hostname2/ipa/xml failed with [Errno -5985] Could not connect to hostname2 using any address
ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://hostname1/ipa/xml, https://hostname2/ipa/xml

Additional info:
In this particular case the problem was a bad Kerberos ticket at /tmp/krb5cc_xx and the helpful info was the "Ticket not yet valid" message from the verbose output.

Comment 1 Rob Crittenden 2013-12-16 13:50:54 UTC
During the CA renewal the trust on the audit certificate wasn't set properly resulting in the CA shutting down right after starting. This caused the LDAP and Apache server certs to not renew and expire.

To reproduce this bug, have at least 2 masters. Expired certificates should not be necessary:

- kinit admin
- ipa cert-show 1
- set date back to when SSL certs still valid
- ipa cert-show 1 (or any IPA command, really)
- fail

There are two problems:

1) The 'Ticket expired' message got lost by the XML-RPC client fallback code.

2) The mod_auth_kerb code to manage the Apache cert for S4U2proxy apparently doesn't consider not-valid-yet to be a reason to get a new ticket.

Comment 2 Pablo Iranzo Gómez 2013-12-17 11:23:12 UTC
(In reply to Rob Crittenden from comment #1)
> During the CA renewal the trust on the audit certificate wasn't set properly
> resulting in the CA shutting down right after starting. This caused the LDAP
> and Apache server certs to not renew and expire.


Should we spawn another BZ for that?

Thanks,
Pablo

Comment 3 Rob Crittenden 2014-01-02 14:42:32 UTC
Yes, please open a second bug against mod_auth_kerb to investigate its ticket handling code.

Comment 4 Martin Kosek 2014-01-03 13:35:09 UTC
Rob, what then is the target of this Bugzilla? Just fixing this bug:

> 1) The 'Ticket expired' message got lost by the XML-RPC client fallback code.

? If yes, I will open an upstream ticket. If you also know the place where the message was lost or even have a patch, it is very welcome.

Comment 5 Rob Crittenden 2014-01-03 14:03:08 UTC
The message was lost in the fallback code. The user has 2 masters and the SRV records configured in DNS, so it tried each one and ate the ticket not yet valid message each time.

I suspect that what we want to do is ignore any connection errors due to the remote master being down and report everything else (and still fail over).
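
A stripped-down model of the fallback behaviour Rob describes above, added here as an illustration (example code, not FreeIPA's own RPC client): a transport error from a down master is skipped silently and the loop moves on, while any other error, such as the Kerberos one from the report, is carried into the final message instead of being eaten. Class and function names are assumptions, and the two server URLs and error texts are constructed from the report.

```python
"""Model of an RPC client fallback loop: old (message lost) vs. fixed (message kept)."""


class ServerDown(Exception):
    """Transport-level failure: the remote master is unreachable (e.g. Errno -5985)."""


class KerberosError(Exception):
    """Authentication failure from GSSAPI, e.g. 'Ticket not yet valid'."""


class NoServersError(Exception):
    """Raised when every configured server has been tried without success."""

    def __init__(self, servers, details):
        self.details = list(details)
        msg = "cannot connect to any of the configured servers: " + ", ".join(servers)
        if details:
            msg += "; " + "; ".join(details)
        super().__init__(msg)


def connect_old(servers, try_connect):
    """Pre-fix behaviour: every failure is swallowed and the fallback just continues."""
    for url in servers:
        try:
            return try_connect(url)
        except Exception:  # eats the Kerberos message along with connection errors
            continue
    raise NoServersError(servers, [])


def connect_fixed(servers, try_connect):
    """Behaviour proposed in comment 5: keep failing over when a master is down,
    but remember every non-transport error so the user finally sees it."""
    details = []
    for url in servers:
        try:
            return try_connect(url)
        except ServerDown:
            continue  # remote master down: nothing to report, try the next one
        except KerberosError as e:
            details.append(f"{url}: {e}")  # carry the real cause forward, still fail over
    raise NoServersError(servers, details)


# Constructed sample: master 1 rejects us with a Kerberos error, master 2 is unreachable.
SERVERS = ["https://hostname1/ipa/xml", "https://hostname2/ipa/xml"]


def fake_connect(url):
    if url.endswith("hostname1/ipa/xml"):
        raise KerberosError("Ticket not yet valid")
    raise ServerDown("Could not connect to hostname2 using any address")


def error_message(connect):
    """Run one fallback strategy against the sample and return what the user would see."""
    try:
        connect(SERVERS, fake_connect)
    except NoServersError as e:
        return str(e)
    return "connected"
```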

Comment 6 Martin Kosek 2014-01-08 12:11:56 UTC
Ok, I will then change the title of the bug and create an upstream ticket.

Comment 7 Martin Kosek 2014-01-08 12:14:19 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4100

Comment 8 Martin Kosek 2015-07-30 08:09:02 UTC
According to

https://fedorahosted.org/freeipa/ticket/4100#comment:4
and
https://fedorahosted.org/freeipa/ticket/4100#comment:5

this is very likely to be fixed in FreeIPA 4.2.0 release which is planned for RHEL-7.2. Moving to POST.

Comment 9 Martin Kosek 2015-08-07 09:04:36 UTC
Due to the nature of the bug, it is hard to test. But based on the investigation done upstream mentioned in Comment 8 it should be fixed in FreeIPA 4.2.0+ which is being rebased for RHEL-7.2.

I will thus close this bug as CURRENTRELEASE. Please reopen the bug if the issue reoccurs with FreeIPA 4.2.0 or older (in RHEL-7.2 Beta or later).

Comment 10 Scott Poore 2015-09-29 18:28:00 UTC
Yes this does appear fixed.

Version ::

ipa-server-4.2.0-11.el7.x86_64

Results ::

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit admin
Password for admin: 

[root@rhel7-1 ~]# ipa cert-show 1
  Certificate: MIID...truncated...
  Subject: CN=Certificate Authority,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Wed Sep 23 22:11:33 2015 UTC
  Not After: Sun Sep 23 22:11:33 2035 UTC
  Fingerprint (MD5): 94:75:09:bb:68:26:9a:37:2d:90:23:9a:70:20:80:36
  Fingerprint (SHA1): de:0e:81:fa:2d:c8:13:f7:67:21:f0:c6:d3:8b:1d:95:8f:2e:9b:07
  Serial number (hex): 0x1
  Serial number: 1

[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_cNjEZJU
Default principal: admin

Valid starting       Expires              Service principal
09/29/2015 13:05:54  09/30/2015 13:05:44  HTTP/rhel7-1.example.com
09/29/2015 13:05:46  09/30/2015 13:05:44  krbtgt/EXAMPLE.COM

[root@rhel7-1 ~]# date 09291200
Tue Sep 29 12:00:00 CDT 2015

[root@rhel7-1 ~]# ipa cert-show 1
ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Ticket not yet valid', -1765328351)/

