Bug 1184629 - kinit loops on principals on unknown error
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.1
Assigned To: Roland Mainz
Patrik Kis
Keywords: Regression
Blocks: 1184628
Reported: 2015-01-21 16:00 EST by Martin Kosek
Modified: 2015-09-08 13:27 EDT
Fixed In Version: krb5-1.12.2-14.el7
Doc Type: Bug Fix
Clone Of: 1184628
Last Closed: 2015-03-05 05:01:56 EST
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0439 normal SHIPPED_LIVE Moderate: krb5 security, bug fix and enhancement update 2015-03-05 09:38:14 EST

Description Martin Kosek 2015-01-21 16:00:58 EST
+++ This bug was initially created as a clone of Bug #1184628 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4844

Principal canonicalization does not work for own realm:

{{{
$ KRB5_TRACE=/dev/stderr kinit -C admin@f21.test
[31948] 1421403750.682046: Getting initial credentials for admin@f21.test
[31948] 1421403750.683696: Sending request (157 bytes) to f21.test
[31948] 1421403750.684576: Resolving hostname master.f21.test.
[31948] 1421403750.685294: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.686131: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.686295: Response was from master KDC
[31948] 1421403750.686349: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.686386: Following referral to realm f21.test
[31948] 1421403750.686435: Sending request (157 bytes) to f21.test
[31948] 1421403750.686691: Resolving hostname master.f21.test.
[31948] 1421403750.686929: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.687412: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.687564: Response was from master KDC
[31948] 1421403750.687616: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.687658: Following referral to realm f21.test
[31948] 1421403750.687697: Sending request (157 bytes) to f21.test
[31948] 1421403750.687941: Resolving hostname master.f21.test.
[31948] 1421403750.688136: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.688519: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.688687: Response was from master KDC
[31948] 1421403750.688721: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.688740: Following referral to realm f21.test
[31948] 1421403750.688771: Sending request (157 bytes) to f21.test
[31948] 1421403750.689003: Resolving hostname master.f21.test.
[31948] 1421403750.689176: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.689526: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.689700: Response was from master KDC
[31948] 1421403750.689751: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.689786: Following referral to realm f21.test
[31948] 1421403750.689832: Sending request (157 bytes) to f21.test
[31948] 1421403750.690092: Resolving hostname master.f21.test.
[31948] 1421403750.690280: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.690669: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.690830: Response was from master KDC
[31948] 1421403750.690891: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.690954: Following referral to realm f21.test
[31948] 1421403750.691017: Sending request (157 bytes) to f21.test
[31948] 1421403750.691246: Resolving hostname master.f21.test.
[31948] 1421403750.691420: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.691790: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.691932: Response was from master KDC
[31948] 1421403750.691986: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.692008: Following referral to realm f21.test
[31948] 1421403750.692048: Sending request (157 bytes) to f21.test
[31948] 1421403750.692246: Resolving hostname master.f21.test.
[31948] 1421403750.692414: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.692792: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.692933: Response was from master KDC
[31948] 1421403750.692989: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.693049: Following referral to realm f21.test
[31948] 1421403750.693119: Sending request (157 bytes) to f21.test
[31948] 1421403750.693335: Resolving hostname master.f21.test.
[31948] 1421403750.693524: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.693922: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.694118: Response was from master KDC
[31948] 1421403750.694153: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.694172: Following referral to realm f21.test
[31948] 1421403750.694202: Sending request (157 bytes) to f21.test
[31948] 1421403750.694399: Resolving hostname master.f21.test.
[31948] 1421403750.694567: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.694934: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.695095: Response was from master KDC
[31948] 1421403750.695138: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.695157: Following referral to realm f21.test
[31948] 1421403750.695188: Sending request (157 bytes) to f21.test
[31948] 1421403750.695385: Resolving hostname master.f21.test.
[31948] 1421403750.695553: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.695899: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.696055: Response was from master KDC
[31948] 1421403750.696115: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.696134: Following referral to realm f21.test
[31948] 1421403750.696164: Sending request (157 bytes) to f21.test
[31948] 1421403750.696393: Resolving hostname master.f21.test.
[31948] 1421403750.696563: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.696908: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.697047: Response was from master KDC
[31948] 1421403750.697101: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.697126: Following referral to realm f21.test
[31948] 1421403750.697157: Sending request (157 bytes) to f21.test
[31948] 1421403750.697363: Resolving hostname master.f21.test.
[31948] 1421403750.697544: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.697919: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.698080: Response was from master KDC
[31948] 1421403750.698178: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.698246: Following referral to realm f21.test
[31948] 1421403750.698287: Sending request (157 bytes) to f21.test
[31948] 1421403750.698484: Resolving hostname master.f21.test.
[31948] 1421403750.698673: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.699017: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.699194: Response was from master KDC
[31948] 1421403750.699255: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.699290: Following referral to realm f21.test
[31948] 1421403750.699336: Sending request (157 bytes) to f21.test
[31948] 1421403750.699562: Resolving hostname master.f21.test.
[31948] 1421403750.699781: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.700106: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.700270: Response was from master KDC
[31948] 1421403750.700304: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.700323: Following referral to realm f21.test
[31948] 1421403750.700353: Sending request (157 bytes) to f21.test
[31948] 1421403750.700554: Resolving hostname master.f21.test.
[31948] 1421403750.700747: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.701075: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.701234: Response was from master KDC
[31948] 1421403750.701268: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.701298: Following referral to realm f21.test
[31948] 1421403750.701328: Sending request (157 bytes) to f21.test
[31948] 1421403750.701523: Resolving hostname master.f21.test.
[31948] 1421403750.701767: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.702095: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.702266: Response was from master KDC
[31948] 1421403750.702300: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.702319: Following referral to realm f21.test
kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials
}}}
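Added example (not part of the original report or of krb5): a small Python check that reads KRB5_TRACE output like the trace above and flags referrals that point back at the realm the request was just sent to, which is the pattern this loop produces. The sample trace, its pids and the A.EXAMPLE/B.EXAMPLE realms are constructed, and `find_self_referrals` and `looping_realms` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample in the trace format above: pid 100 loops, pid 200 does not.
SAMPLE_TRACE = """\
[100] 1.000002: Sending request (157 bytes) to f21.test
[100] 1.000003: Received error from KDC: -1765328378/Client not found in Kerberos database
[100] 1.000004: Following referral to realm f21.test
[100] 1.000005: Sending request (157 bytes) to f21.test
[100] 1.000006: Received error from KDC: -1765328378/Client not found in Kerberos database
[100] 1.000007: Following referral to realm f21.test
[200] 2.000001: Sending request (160 bytes) to A.EXAMPLE
[200] 2.000002: Following referral to realm B.EXAMPLE
kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials
"""

LINE = re.compile(r"^\[(\d+)\] \d+\.\d+: (.*)$")
SEND = re.compile(r"^Sending request \(\d+ bytes\) to (\S+)$")
ERROR = re.compile(r"^Received error from KDC: (-?\d+)/(.*)$")
REFERRAL = re.compile(r"^Following referral to realm (\S+)$")


def find_self_referrals(trace):
    """List (pid, realm, KDC error) for referrals back to the realm just asked."""
    last = {}  # pid -> [realm of last request, last KDC error code or None]
    hits = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a trace line, e.g. kinit's own error message
        pid, msg = m.groups()
        st = last.setdefault(pid, [None, None])
        if s := SEND.match(msg):
            st[0], st[1] = s.group(1), None
        elif e := ERROR.match(msg):
            st[1] = int(e.group(1))
        elif (r := REFERRAL.match(msg)) and r.group(1) == st[0]:
            hits.append((pid, st[0], st[1]))
    return hits


def looping_realms(trace, threshold=2):
    """Map (pid, realm) to its self-referral count where count >= threshold."""
    counts = Counter((pid, realm) for pid, realm, _ in find_self_referrals(trace))
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(looping_realms(SAMPLE_TRACE))
```

Realm names are compared exactly, since a referral to a differently spelled realm is a different hop.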
Comment 1 Martin Kosek 2015-01-21 16:01:59 EST
See details in
https://fedorahosted.org/freeipa/ticket/4844#comment:2
This is a regression in kinit.
Comment 2 Martin Kosek 2015-01-21 16:03:10 EST
Patch is ready, on review upstream:

https://github.com/krb5/krb5/pull/243
Comment 3 Martin Kosek 2015-01-21 16:07:37 EST
Reproduction/testing should be straightforward:

Instead of proper message:

$ kinit -C admin@F21.TESt
kinit: Client 'admin@F21.TESt' not found in Kerberos database while
getting initial credentials

user gets:

$ kinit -C admin@F21.TESt
kinit: Looping detected inside krb5_get_in_tkt while getting initial
credentials
Comment 6 Roland Mainz 2015-01-26 09:13:14 EST
Changes committed...

$ git push
[snip]
Counting objects: 24, done.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 2.54 KiB | 0 bytes/s, done.
Total 4 (delta 2), reused 0 (delta 0)
remote: *** Checking commit 643255762e22c3f899ddcd1a448bc70524c2d7e2
remote: *** Resolves:
remote: ***   Approved:
remote: ***     rhbz#1184629 (blocker+, pm_ack+, rhel-7.1.0+)
remote: *** Commit 643255762e22c3f899ddcd1a448bc70524c2d7e2 allowed
To ssh://rmainz@pkgs.devel.redhat.com/rpms/krb5
   387fac2..6432557  rhel-7.1 -> rhel-7.1
Comment 10 errata-xmlrpc 2015-03-05 05:01:56 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0439.html
