Description of problem:
Both in the client and in the server the getkeytab control implementation uses an incorrect sequence number for the service principal name tag. Given that errors already exist in the same code and the fact that clients can safely fall back to the old setkeytab for common operations, this mistake should be fixed in newer clients/servers.

Also, even when des-cbc-crc is allowed in krbsupportedencsalttypes and in krb5.conf/kdc.conf, one cannot generate a keytab using this encryption type. In fact, specifying the '-e' option to 'ipa-getkeytab' does not limit encryption types at all, even for strong cryptography.

Version-Release number of selected component (if applicable):
freeipa-server-4.1.1.fc21

How reproducible:
Always

Steps to Reproduce:
1. [root@cc21 ~]# ipa service-del afs/afs-host.ipacloud.test
----------------------------------------------------------
Deleted service "afs/afs-host.ipacloud.test"
----------------------------------------------------------

2. [root@cc21 ~]# ipa service-add afs/afs-host.ipacloud.test --force
--------------------------------------------------------
Added service "afs/afs-host.ipacloud.test"
--------------------------------------------------------
  Principal: afs/afs-host.ipacloud.test
  Managed by: afs-host.ipacloud.test

3. [root@cc21 ~]# ipa-getkeytab -s `hostname` -p afs/afs-host.ipacloud.test -P -k /tmp/afs.keytab -e des-cbc-crc:v4
New Principal Password:
Verify Principal Password:
Keytab successfully retrieved and stored in: /tmp/afs.keytab

4. [root@cc21 ~]# klist -k /tmp/afs.keytab -Kte
Keytab name: FILE:/tmp/afs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (aes256-cts-hmac-sha1-96)  (0xe2142f9365ef689b130ad4b8b51fa3467380a869d5367f04f12242e4769e3a0c)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (aes128-cts-hmac-sha1-96)  (0xaf6964c2084719218b64d95e5ba7e850)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (des3-cbc-sha1)  (0x38049202542c4a3e6bd525a8452f15a185c12cec7ad6136b)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (arcfour-hmac)  (0xf8e4df028cd34224ff0d0195cd3b5669)

Actual results:
Keytab with specified enctype is not retrieved.

Expected results:
Keytab with specified enctype is retrieved.

Additional info:
http://www.freeipa.org/page/V4/Keytab_Retrieval
https://fedorahosted.org/freeipa/ticket/3859
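A quick way to verify the behaviour described in the report (the '-e' filter being ignored) is to parse the `klist -Kte` listing and compare the enctypes actually stored against the ones requested. The script below is an added example, not part of the bug report or of FreeIPA; it assumes the `klist -Kte` line layout shown in step 4 above (KVNO, timestamp, principal, enctype in parentheses, key in parentheses), and the embedded sample listing is constructed from that output.

```shell
#!/bin/sh
# Compare the enctypes present in a keytab against the ones requested with
# `ipa-getkeytab -e`. Added example; assumes the `klist -Kte` output format
# shown in the bug report (one "KVNO timestamp principal (enctype) (0xkey)"
# line per key entry).

# Constructed sample: the listing from step 4 of the report, where
# des-cbc-crc was requested but four other enctypes came back.
SAMPLE_KLIST='Keytab name: FILE:/tmp/afs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (aes256-cts-hmac-sha1-96)  (0xe2142f9365ef689b130ad4b8b51fa3467380a869d5367f04f12242e4769e3a0c)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (aes128-cts-hmac-sha1-96)  (0xaf6964c2084719218b64d95e5ba7e850)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (des3-cbc-sha1)  (0x38049202542c4a3e6bd525a8452f15a185c12cec7ad6136b)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (arcfour-hmac)  (0xf8e4df028cd34224ff0d0195cd3b5669)'

# Print the distinct enctype names found in `klist -Kte` output read from stdin.
# Only key-entry lines (leading KVNO number) are considered; the first
# parenthesised token on such a line is the enctype, the second is the key.
keytab_enctypes() {
    LC_ALL=C awk '/^ *[0-9]+ / {
        if (match($0, /\([a-z0-9-]+\)/))
            print substr($0, RSTART + 1, RLENGTH - 2)
    }' | LC_ALL=C sort -u
}

# usage: unexpected_enctypes "<space-separated requested enctypes>" < klist_output
# Prints every enctype present that was not requested; exit status is 1 if
# there was at least one, 0 if the keytab contains only requested enctypes.
unexpected_enctypes() {
    wanted="$1"
    found=0
    for e in $(keytab_enctypes); do
        case " $wanted " in
            *" $e "*) ;;                    # requested, fine
            *) echo "$e"; found=1 ;;        # present but not requested
        esac
    done
    return $found
}

# usage: check_keytab_file /tmp/afs.keytab "des-cbc-crc"
# Runs klist on a real keytab and applies the same comparison.
check_keytab_file() {
    klist -Kte "$1" | unexpected_enctypes "$2"
}

# Command-line use: sh check-enctypes.sh /tmp/afs.keytab "des-cbc-crc"
if [ $# -ge 2 ]; then
    if check_keytab_file "$1" "$2"; then
        echo "keytab $1 contains only the requested enctypes"
    else
        echo "keytab $1 contains enctypes that were not requested (listed above)"
    fi
fi
```

Run against the sample above with the requested set "des-cbc-crc", the check lists all four stored enctypes and exits non-zero, which is exactly the "actual results" of the report; a fixed client/server pair should yield an empty list and exit status 0. The enctype list given to `ipa-getkeytab -e` may carry a salt suffix (as in `des-cbc-crc:v4`); strip that suffix before passing the names here, since klist prints the bare enctype.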
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4728
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4718
Note that additional encoding issues were found during investigation of this bug that warrant a change _before_ a release hits any stable distribution, so as not to cause issues for people.
Proposed as a Freeze Exception for 21-final by Fedora user simo using the blocker tracking app because: The current code will not be interoperable with the new code. This is not a blocker bug because it does not violate basic blocker criteria, as the client can recover for common operations; however, we (the FreeIPA team) would prefer not to release incompatible code in a stable distribution.
Discussed in 2014-11-19 blocker review meeting. We will consider a fix for this if the updated package is available by Monday 2014-11-24. If not, we can revisit at the next meeting.
Fixed upstream

master:
* b170851058d6712442d553ef3d11ecd21b282443
* c6afc489a1c9d86fd593bd47c4a8dae6d9a008d2
* b1a30bff04fe9763b8b270590ec37084fd19b4e0

ipa-4-1:
* f065cec8a58bf4fee0334afdfb63db02f76c1ff7
* 45ceef14f9ffa5f3abf19088e991f427b7c5bd92
* dd3e91639bc3e87b5a95e344b7d190136ad30de0

ipa-4-0:
* 55578e9cb33924085969102186250ee60c0a9d85
* 598b54716c6e177a6b5bfdbccf483d28bf40e0b8
* aa988311d1b5eefe16eb60c04227900814468e9f
freeipa-4.1.1-2.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/freeipa-4.1.1-2.fc21
Package freeipa-4.1.1-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-4.1.1-2.fc21'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15601/freeipa-4.1.1-2.fc21
then log in and leave karma (feedback).
freeipa-4.1.1-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.