Bug 1165674 - getkeytab control implementation uses incorrect asn1 encoding
Summary: getkeytab control implementation uses incorrect asn1 encoding
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedFreezeException
Depends On:
Blocks: F21FinalFreezeException
Reported: 2014-11-19 13:23 UTC by Martin Kosek
Modified: 2014-11-25 03:06 UTC (History)

Fixed In Version: freeipa-4.1.1-2.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-25 03:06:53 UTC
Type: Bug
Embargoed:



Description Martin Kosek 2014-11-19 13:23:30 UTC
Description of problem:
Both in the client and in the server the getkeytab control implementation uses an incorrect sequence number for the service principal name tag.

Given errors already exist in the same code and the fact that clients can safely fallback to the old setkeytab for common operations, this mistake should be fixed in newer clients/servers.

Also, even when des-cbc-crc is allowed in krbsupportedencsalttypes and in krb5.conf/kdc.conf, one cannot generate keytab using this encryption type. In fact, specifying '-e' option to 'ipa-getkeytab' does not limit encryption types at all, even for strong cryptography.

Version-Release number of selected component (if applicable):
freeipa-server-4.1.1.fc21

How reproducible:
Always

Steps to Reproduce:
1. [root@cc21 ~]# ipa service-del afs/afs-host.ipacloud.test
----------------------------------------------------------
Deleted service "afs/afs-host.ipacloud.test"
----------------------------------------------------------


2. [root@cc21 ~]# ipa service-add afs/afs-host.ipacloud.test --force
--------------------------------------------------------
Added service "afs/afs-host.ipacloud.test"
--------------------------------------------------------
  Principal: afs/afs-host.ipacloud.test
  Managed by: afs-host.ipacloud.test

3. [root@cc21 ~]# ipa-getkeytab -s `hostname` -p afs/afs-host.ipacloud.test -P  -k /tmp/afs.keytab -e des-cbc-crc:v4
New Principal Password: 
Verify Principal Password: 
Keytab successfully retrieved and stored in: /tmp/afs.keytab

4. [root@cc21 ~]# klist -k /tmp/afs.keytab -Kte
Keytab name: FILE:/tmp/afs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (aes256-cts-hmac-sha1-96)  (0xe2142f9365ef689b130ad4b8b51fa3467380a869d5367f04f12242e4769e3a0c)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (aes128-cts-hmac-sha1-96)  (0xaf6964c2084719218b64d95e5ba7e850)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (des3-cbc-sha1)  (0x38049202542c4a3e6bd525a8452f15a185c12cec7ad6136b)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (arcfour-hmac)  (0xf8e4df028cd34224ff0d0195cd3b5669)


Actual results:
Keytab with specified enctype is not retrieved.

Expected results:
Keytab with specified enctype is retrieved.

Additional info:
http://www.freeipa.org/page/V4/Keytab_Retrieval
https://fedorahosted.org/freeipa/ticket/3859
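The report's headline issue is a wrong context-specific tag number in the DER encoding of the getkeytab control, which is exactly the kind of defect that makes an old client and a new server unable to parse each other's messages. The following added example (not FreeIPA code, and not the project's real GetKeytabControl module) uses a constructed, simplified request layout, serviceIdentity under tag [0] and requested enctypes under tag [1], where the tag numbers and field set are assumptions for illustration; it shows a strict decoder rejecting a message whose encoder used the wrong tag number:

```python
"""Added illustration (not FreeIPA code): why a context-specific tag number
mismatch between DER encoder and decoder breaks a control exchange.

The request layout is a constructed, simplified stand-in: serviceIdentity
carried under context tag [0] and the requested enctypes under [1]. The
tag numbers and field set are assumptions for illustration only, not
FreeIPA's actual GetKeytabControl module.
"""

TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30          # UNIVERSAL 16 with the constructed bit set
CONTEXT_CONSTRUCTED = 0xA0   # CONTEXT-SPECIFIC class, constructed bit set


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, value):
    """One tag-length-value triple."""
    return bytes([tag]) + der_length(len(value)) + value


def der_integer(v):
    """Minimal two's-complement INTEGER; non-negative values only here."""
    if v < 0:
        raise ValueError("negative enctype numbers are not used")
    return der_tlv(TAG_INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def encode_request(principal, enctypes, principal_tag=0):
    """Encode the request. principal_tag is a parameter only so the caller can
    reproduce an encoder that emits the wrong tag number for the principal."""
    principal_tlv = der_tlv(CONTEXT_CONSTRUCTED | principal_tag,
                            der_tlv(TAG_OCTET_STRING, principal.encode("utf-8")))
    enctypes_tlv = der_tlv(CONTEXT_CONSTRUCTED | 1,
                           der_tlv(TAG_SEQUENCE, b"".join(der_integer(e) for e in enctypes)))
    return der_tlv(TAG_SEQUENCE, principal_tlv + enctypes_tlv)


def _read_tlv(buf, pos):
    """Return (tag, value, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, pos, tag, what):
    """Read a TLV and insist on a specific tag; a strict decoder does not guess."""
    got, value, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError("%s: expected tag 0x%02x, got 0x%02x" % (what, tag, got))
    return value, nxt


def decode_request(data):
    """Strictly decode; returns (principal, [enctype numbers])."""
    outer, end = _expect(data, 0, TAG_SEQUENCE, "request")
    if end != len(data):
        raise ValueError("trailing bytes after request")
    p_wrap, pos = _expect(outer, 0, CONTEXT_CONSTRUCTED | 0, "serviceIdentity")
    p_raw, _ = _expect(p_wrap, 0, TAG_OCTET_STRING, "serviceIdentity value")
    e_wrap, pos = _expect(outer, pos, CONTEXT_CONSTRUCTED | 1, "enctypes")
    e_seq, _ = _expect(e_wrap, 0, TAG_SEQUENCE, "enctypes value")
    if pos != len(outer):
        raise ValueError("trailing bytes inside request")
    enctypes, i = [], 0
    while i < len(e_seq):
        v, i = _expect(e_seq, i, TAG_INTEGER, "enctype")
        enctypes.append(int.from_bytes(v, "big", signed=True))
    return p_raw.decode("utf-8"), enctypes


def interoperable(principal, enctypes, sender_principal_tag):
    """True when a receiver expecting [0] can parse what the sender produced."""
    try:
        decode_request(encode_request(principal, enctypes, sender_principal_tag))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(encode_request("afs/afs-host.ipacloud.test", [1]).hex())
    print("same tag numbers:", interoperable("afs/afs-host.ipacloud.test", [1], 0))
    print("encoder uses [1]:", interoperable("afs/afs-host.ipacloud.test", [1], 1))
```

The decoder deliberately refuses to guess when the tag it finds is not the one it expects; a lenient decoder that accepted either tag would hide precisely the incompatibility the freeipa team wanted fixed before the code reached a stable release.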
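The second symptom in the report is that `-e des-cbc-crc:v4` did not restrict the keys written to the keytab at all. A quick way to confirm that after a fix, as an added example that is not part of the bug report, is to parse the `klist -Kte` listing and compare the enctypes present with the ones requested. The sample listing below is constructed from the report's step 4 with the key bytes replaced by placeholders; the enctype numbers are the standard Kerberos assignments:

```python
"""Added check (not FreeIPA code): compare the enctypes found in a
klist -Kte listing with the ones that were requested via -e."""
import re

# Standard Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_IDS = {
    "des-cbc-crc": 1,
    "des3-cbc-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac": 23,
}

# Constructed sample modelled on the report's klist output; key bytes are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/tmp/afs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (aes256-cts-hmac-sha1-96)  (0x00)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (aes128-cts-hmac-sha1-96)  (0x00)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (des3-cbc-sha1)  (0x00)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (arcfour-hmac)  (0x00)
"""

# One keytab entry line: kvno, timestamp (date and time), principal, (enctype), ...
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+ \S+)\s+(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)"
)


def parse_klist(text):
    """Return [(kvno, principal, enctype_name)] for every entry line; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group("kvno")), m.group("principal"), m.group("enctype")))
    return entries


def requested_ids(names):
    """Map -e style enctype names to their numeric ids; unknown names are an error."""
    try:
        return [ENCTYPE_IDS[n] for n in names]
    except KeyError as exc:
        raise ValueError("unknown enctype name: %s" % exc.args[0])


def unexpected_enctypes(text, requested):
    """Enctypes present in the keytab although they were not requested."""
    found = {e for _, _, e in parse_klist(text)}
    return sorted(found - set(requested))


def missing_enctypes(text, requested):
    """Requested enctypes that the keytab does not contain."""
    found = {e for _, _, e in parse_klist(text)}
    return sorted(set(requested) - found)


if __name__ == "__main__":
    wanted = ["des-cbc-crc"]
    print("requested ids:", requested_ids(wanted))
    print("unexpected:", unexpected_enctypes(SAMPLE_KLIST, wanted))
    print("missing:", missing_enctypes(SAMPLE_KLIST, wanted))
```

On the report's output the check returns four unexpected enctypes and one missing one, which is the "Actual results" of the report expressed as data; after a correct `-e` implementation both lists should be empty for the same request.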

Comment 1 Martin Kosek 2014-11-19 13:24:16 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4728

Comment 2 Martin Kosek 2014-11-19 13:24:38 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4718

Comment 3 Simo Sorce 2014-11-19 14:00:13 UTC
Note that additional encoding issues were found during investigation of this bug that warrant a change _before_ a release hits any stable distribution such to not cause issues to people.

Comment 4 Fedora Blocker Bugs Application 2014-11-19 14:01:51 UTC
Proposed as a Freeze Exception for 21-final by Fedora user simo using the blocker tracking app because:

 The current code will not be interoperable with the new code. This is not a blocker bug because it does not violate basic blocker criteria, as the client can recover for common operations; however, we (the freeipa team) would prefer not to release incompatible code in a stable distribution.

Comment 5 Mike Ruckman 2014-11-19 18:02:32 UTC
Discussed in 2014-11-19 blocker review meeting. We will consider a fix for this if the updated package is available by Monday 2014-11-24. If not, we can revisit at the next meeting.

Comment 6 Petr Vobornik 2014-11-21 11:57:49 UTC
Fixed upstream

master:
* b170851058d6712442d553ef3d11ecd21b282443
* c6afc489a1c9d86fd593bd47c4a8dae6d9a008d2
* b1a30bff04fe9763b8b270590ec37084fd19b4e0

ipa-4-1:
* f065cec8a58bf4fee0334afdfb63db02f76c1ff7
* 45ceef14f9ffa5f3abf19088e991f427b7c5bd92
* dd3e91639bc3e87b5a95e344b7d190136ad30de0

ipa-4-0:
* 55578e9cb33924085969102186250ee60c0a9d85
* 598b54716c6e177a6b5bfdbccf483d28bf40e0b8
* aa988311d1b5eefe16eb60c04227900814468e9f

Comment 7 Fedora Update System 2014-11-21 13:55:44 UTC
freeipa-4.1.1-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/freeipa-4.1.1-2.fc21

Comment 8 Fedora Update System 2014-11-22 20:21:30 UTC
Package freeipa-4.1.1-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-4.1.1-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15601/freeipa-4.1.1-2.fc21
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2014-11-25 03:06:53 UTC
freeipa-4.1.1-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

