Bug 1437946 - Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: IPA Maintainers
QA Contact: Nikhil Dehadrai
Reported: 2017-03-31 10:05 EDT by Petr Vobornik
Modified: 2017-08-01 05:47 EDT
Fixed In Version: ipa-4.5.0-5.el7
Last Closed: 2017-08-01 05:47:49 EDT
External Trackers:
  Red Hat Product Errata RHBA-2017:2304 (priority normal, status SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2017-08-01 08:41:35 EDT
Description Petr Vobornik 2017-03-31 10:05:41 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6792

When upgrading from FreeIPA 4.4.3 to FreeIPA 4.5.0, the RPM upgrade fails with the following message:

```console
 Cleanup     : freeipa-client-common-4.4.3-2.fc25.noarch                                                     34/39 
  Cleanup     : freeipa-common-4.4.3-2.fc25.noarch                                                            35/39 
  Cleanup     : bind-pkcs11-libs-32:9.10.4-4.P6.fc25.x86_64                                                   36/39 
  Cleanup     : bind-libs-lite-32:9.10.4-4.P6.fc25.x86_64                                                     37/39 
  Cleanup     : bind-libs-32:9.10.4-4.P6.fc25.x86_64                                                          38/39 
  Cleanup     : bind-license-32:9.10.4-4.P6.fc25.noarch                                                       39/39 
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Failed to configure anonymous PKINIT
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
```

When inspecting `/var/log/ipaupgrade.log` we can see that the PKINIT keypair is issued but the anonymous principal is not created by upgrader code:

```console
<SNIP>
2017-03-21T15:51:07Z DEBUG stderr=
2017-03-21T15:51:07Z DEBUG Starting external process
2017-03-21T15:51:07Z DEBUG args=/usr/bin/kinit -n -c /tmp/krbccMLh35h/ccache
2017-03-21T15:51:07Z DEBUG Process finished, return code=1
2017-03-21T15:51:07Z DEBUG stdout=
2017-03-21T15:51:07Z DEBUG stderr=kinit: Client 'WELLKNOWN/ANONYMOUS@IPA.TEST' not found in Kerberos database while getting initial credentials

2017-03-21T15:51:07Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-03-21T15:51:07Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run
    raise admintool.ScriptError(str(e))

2017-03-21T15:51:07Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: Failed to configure anonymous PKINIT
2017-03-21T15:51:07Z ERROR Failed to configure anonymous PKINIT
```

This causes the password auth to IPA server (via JSON-RPC API or WebUI) to fail after upgrade and thus breaks the core functionality.

Steps to reproduce:

1.) Install FreeIPA 4.4.3 or older
2.) Upgrade to FreeIPA 4.5.0

Actual results:

Upgrade fails and WebUI logins on updated master do not work

Expected results:

Upgrade finishes without errors and WebUI works.
Comment 2 Petr Vobornik 2017-03-31 10:06:02 EDT
Upstream ticket:
https://pagure.io/freeipa/issue/6792
Comment 3 Petr Vobornik 2017-03-31 10:06:44 EDT
master:

    c2d95d3962d525017732618e66b39b099235d43e Upgrade: configure PKINIT after adding anonymous principal
    1fc48cd0af3b19272fcfe25235e55eae249bb6c9 Remove unused variable from failed anonymous PKINIT handling
    17aa51ef0291b9c6174509f52913076ae599357f Split out anonymous PKINIT test to a separate method
    5c22f905d48d3d8dd50e394290e1feb8f6dedcaa Ensure KDC is properly configured after upgrade

ipa-4-5:

    b9002bf6273151cb480dfba7ffa7480d037984ee Upgrade: configure PKINIT after adding anonymous principal
    4b2b1d33157963a8b3d8229d1edd573dcbb93fb5 Remove unused variable from failed anonymous PKINIT handling
    c1393029b6a853cc2cb874f4f93706368627d7c4 Split out anonymous PKINIT test to a separate method
    89fc0a126be67755d4a687b427a6c67b3cbc4337 Ensure KDC is properly configured after upgrade
Comment 10 Martin Babinsky 2017-05-05 07:17:45 EDT
Hmmm, it looks like you have an old version of python-cryptography installed. Can you please check that you have at least python-cryptography > 1.4? There were some incompatible API changes that can break older versions.
Comment 12 Martin Babinsky 2017-05-09 07:47:19 EDT
Great, after a successful upgrade check that `kinit -n` gets you a valid TGT and, if yes, you can mark the BZ as verified. The issue with broken python2-cryptography is unrelated to this BZ and you may file a separate bug for it.
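Two checks that follow from the thread so far, as an added example that is not part of this bug report or of FreeIPA's own code: a triage of `/var/log/ipaupgrade.log` for the PKINIT failure signatures quoted in the description (the missing `WELLKNOWN/ANONYMOUS` principal) and in comment 15 (`CA_UNREACHABLE`), and the `kinit -n` verification comment 12 asks for, run against a private credential cache so the admin's own ticket is left alone. The function names, the diagnosis tokens and the sample log lines are constructed here; `kinit -n -c`, `klist -c` and the `WELLKNOWN/ANONYMOUS@REALM` client name are the real ones seen in the log above.

```sh
#!/bin/sh
# Added example for this BZ; not FreeIPA code. (1) triage ipaupgrade.log for
# the PKINIT failure signatures quoted in the report, (2) re-run the
# `kinit -n` check from comment 12 without touching the admin's ccache.

# Read an ipaupgrade.log on stdin, print one diagnosis token (plus the realm
# for the missing-principal case) and return non-zero if a PKINIT failure is found.
diagnose_pkinit_upgrade_log() {
    _log=$(cat)
    if printf '%s\n' "$_log" | grep -q "Client 'WELLKNOWN/ANONYMOUS@.*' not found in Kerberos database"; then
        # The KDC has no anonymous principal yet: the ordering bug fixed here
        # (PKINIT was configured before WELLKNOWN/ANONYMOUS was added).
        _realm=$(printf '%s\n' "$_log" \
            | sed -n "s|.*Client 'WELLKNOWN/ANONYMOUS@\([^']*\)' not found.*|\1|p" | head -n 1)
        echo "anonymous-principal-missing $_realm"
        return 1
    fi
    if printf '%s\n' "$_log" | grep -q 'Certificate issuance failed (CA_UNREACHABLE)'; then
        # Comment 15: the PKINIT certificate could not be issued; check the CA
        # and the python2-cryptography version (comment 10) before retrying.
        echo pkinit-cert-issuance-failed
        return 1
    fi
    if printf '%s\n' "$_log" | grep -q 'Failed to configure anonymous PKINIT'; then
        echo anonymous-pkinit-failed-other
        return 1
    fi
    echo no-pkinit-failure
    return 0
}

# Live check (comment 12): anonymous PKINIT must hand out a TGT. A private
# credential cache is used so nothing else on the host is affected.
# Returns 0 on success, 1 on failure, 2 when kinit is not installed.
verify_anonymous_pkinit() {
    if ! command -v kinit >/dev/null 2>&1; then
        echo 'kinit not available; skipping live check' >&2
        return 2
    fi
    _cc=$(mktemp) || return 2
    if kinit -n -c "$_cc" 2>"$_cc.err" && klist -c "$_cc" | grep -q 'krbtgt/'; then
        echo "anonymous PKINIT OK: $(klist -c "$_cc" | grep 'Default principal')"
        rm -f "$_cc" "$_cc.err"
        return 0
    fi
    echo "anonymous PKINIT FAILED: $(cat "$_cc.err")" >&2
    rm -f "$_cc" "$_cc.err"
    return 1
}

# Constructed samples (not captured from a real host), modelled on the
# ipaupgrade.log excerpt quoted in the description.
SAMPLE_ANON_MISSING=$(cat <<'EOF'
2017-03-21T15:51:07Z DEBUG args=/usr/bin/kinit -n -c /tmp/krbccMLh35h/ccache
2017-03-21T15:51:07Z DEBUG Process finished, return code=1
2017-03-21T15:51:07Z DEBUG stderr=kinit: Client 'WELLKNOWN/ANONYMOUS@IPA.TEST' not found in Kerberos database while getting initial credentials
2017-03-21T15:51:07Z ERROR Failed to configure anonymous PKINIT
EOF
)
SAMPLE_CLEAN=$(cat <<'EOF'
2017-03-21T15:51:07Z DEBUG args=/usr/bin/kinit -n -c /tmp/krbccMLh35h/ccache
2017-03-21T15:51:07Z DEBUG Process finished, return code=0
EOF
)

# Stand-alone run: triage the constructed sample, then the real log if present.
printf '%s\n' "$SAMPLE_ANON_MISSING" | diagnose_pkinit_upgrade_log || true
if [ -r /var/log/ipaupgrade.log ]; then
    diagnose_pkinit_upgrade_log < /var/log/ipaupgrade.log || true
fi
```

On a freshly upgraded master, `diagnose_pkinit_upgrade_log < /var/log/ipaupgrade.log` should print `no-pkinit-failure` and `verify_anonymous_pkinit` should report the `WELLKNOWN/ANONYMOUS@REALM` default principal; the missing-principal token means the fixed packages (ipa-4.5.0-5.el7 or later) are not yet installed, or `ipa-server-upgrade` has not been re-run since they were.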
Comment 15 Nikhil Dehadrai 2017-05-22 06:51:38 EDT
IPA server version: ipa-server-4.5.0-13.el7.x86_64
Python2-cryptography version: python2-cryptography-1.7.2-1.el7.x86_64

Tested the bug with following observations:

1) Verified that upgrade of IPA server to latest version is successful.
2) No errors/ failures are observed during upgrade process.
3) The said "PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE) Failed to configure PKINIT" message is not observed during the upgrade process when using the latest version of the 'python2-cryptography' package during the upgrade.
4) All the basic commands work successfully after upgrade.
5) Verified the same for other upgrade paths:
  - RHEL 7.1.z > RHEL 7.4
  - RHEL 7.2.z > RHEL 7.4
  - RHEL 7.3 > RHEL 7.4
  - RHEL 7.3.z > RHEL 7.4
6) For login through the UI after upgrade we are unable to log in, for which a separate bug is logged: BZ#1451733

Thus on the basis of above observations, marking status of bug to "VERIFIED"
Comment 17 errata-xmlrpc 2017-08-01 05:47:49 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
