Bug 1437946 - Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT
Summary: Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Nikhil Dehadrai
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-03-31 14:05 UTC by Petr Vobornik
Modified: 2017-08-01 09:47 UTC (History)
8 users (show)

Fixed In Version: ipa-4.5.0-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:47:49 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-03-31 14:05:41 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/6792

When upgrading from FreeIPA 4.4.3 to FreeIPA 4.5.0, the RPM upgrade fails with the following message:

```console
 Cleanup     : freeipa-client-common-4.4.3-2.fc25.noarch                                                     34/39 
  Cleanup     : freeipa-common-4.4.3-2.fc25.noarch                                                            35/39 
  Cleanup     : bind-pkcs11-libs-32:9.10.4-4.P6.fc25.x86_64                                                   36/39 
  Cleanup     : bind-libs-lite-32:9.10.4-4.P6.fc25.x86_64                                                     37/39 
  Cleanup     : bind-libs-32:9.10.4-4.P6.fc25.x86_64                                                          38/39 
  Cleanup     : bind-license-32:9.10.4-4.P6.fc25.noarch                                                       39/39 
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Failed to configure anonymous PKINIT
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
```

When inspecting `/var/log/ipaupgrade.log` we can see that the PKINIT keypair is issued but the anonymous principal is not created by upgrader code:

```console
<SNIP>
2017-03-21T15:51:07Z DEBUG stderr=
2017-03-21T15:51:07Z DEBUG Starting external process
2017-03-21T15:51:07Z DEBUG args=/usr/bin/kinit -n -c /tmp/krbccMLh35h/ccache
2017-03-21T15:51:07Z DEBUG Process finished, return code=1
2017-03-21T15:51:07Z DEBUG stdout=
2017-03-21T15:51:07Z DEBUG stderr=kinit: Client 'WELLKNOWN/ANONYMOUS@IPA.TEST' not found in Kerberos database while getting initial credentials

2017-03-21T15:51:07Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-03-21T15:51:07Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run
    raise admintool.ScriptError(str(e))

2017-03-21T15:51:07Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: Failed to configure anonymous PKINIT
2017-03-21T15:51:07Z ERROR Failed to configure anonymous PKINIT
```

This causes the password auth to IPA server (via JSON-RPC API or WebUI) to fail after upgrade and thus breaks the core functionality.

Steps to reproduce:

1.) Install FreeIPA 4.4.3 or older
2.) Upgrade to FreeIPA 4.5.0

Actual results:

Upgrade fails and WebUI logins on updated master do not work

Expected results:

Upgrade finishes without errors and WebUI works.
Comment 2 Petr Vobornik 2017-03-31 14:06:02 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6792
Comment 3 Petr Vobornik 2017-03-31 14:06:44 UTC 
master:

    c2d95d3962d525017732618e66b39b099235d43e Upgrade: configure PKINIT after adding anonymous principal
    1fc48cd0af3b19272fcfe25235e55eae249bb6c9 Remove unused variable from failed anonymous PKINIT handling
    17aa51ef0291b9c6174509f52913076ae599357f Split out anonymous PKINIT test to a separate method
    5c22f905d48d3d8dd50e394290e1feb8f6dedcaa Ensure KDC is propery configured after upgrade

ipa-4-5:

    b9002bf6273151cb480dfba7ffa7480d037984ee Upgrade: configure PKINIT after adding anonymous principal
    4b2b1d33157963a8b3d8229d1edd573dcbb93fb5 Remove unused variable from failed anonymous PKINIT handling
    c1393029b6a853cc2cb874f4f93706368627d7c4 Split out anonymous PKINIT test to a separate method
    89fc0a126be67755d4a687b427a6c67b3cbc4337 Ensure KDC is propery configured after upgrade
Comment 10 Martin Babinsky 2017-05-05 11:17:45 UTC 
Hmmm, it looks like you have an old version of python-cryptography installed, can you please check that you have at least python-cryptography > 1.4? there were some incompatible API changes that can break older versions.
Comment 12 Martin Babinsky 2017-05-09 11:47:19 UTC 
Great, after succesful upgrade check that `kinit -n` gets you a valid TGT and if yes, you can mark the BZ as verified. The issue with broken python2-cryptography is unrelated to this BZ and you may file a separate bug for it.
Comment 15 Nikhil Dehadrai 2017-05-22 10:51:38 UTC 
IPA server version: ipa-server-4.5.0-13.el7.x86_64
Python2-cryptography version: python2-cryptography-1.7.2-1.el7.x86_64

Tested the bug with following observations:

1) Verified that upgrade of IPA server to latest version is successful.
2) No errors/ failures are observed during upgrade process.
3) The said "PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE) Failed to configure PKINIT" message is not observed during upgrade process on using latest version of 'python2-cryptography' package during upgrade.
4) All the basic commands work successfully after upgrade.
5) Verified the same for other upgrade paths:
  - RHEL 7.1.z > Rhel 7.4
  - RHEL 7.2.z > Rhel 7.4
  - RHEL 7.3 > Rhel 7.4
  - RHEL 7.3.z > Rhel 7.4
6) For log through UI after upgrade we are unable to login for which a separate bug is logged BZ#1451733

Thus on the basis of above observations, marking status of bug to "VERIFIED"
Comment 17 errata-xmlrpc 2017-08-01 09:47:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Note You need to log in before you can comment on or make changes to this bug.