Bug 1441160 - FreeIPA client <= 4.4 fail to parse 4.5 cookies
Summary: FreeIPA client <= 4.4 fail to parse 4.5 cookies
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Sudhir Menon
URL:
Whiteboard:
Depends On: 1434845
Blocks: 1442038
Reported: 2017-04-11 11:07 UTC by Petr Vobornik
Modified: 2017-08-01 09:48 UTC (History)

Fixed In Version: ipa-4.5.0-7.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1434845
Clones: 1442038
Environment:
Last Closed: 2017-08-01 09:48:56 UTC
Target Upstream Version:




Links:
  Red Hat Product Errata RHBA-2017:2304 (priority normal, status SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2017-08-01 12:41:35 UTC

Comment 1 Petr Vobornik 2017-04-11 11:08:37 UTC
ipa-4-4:
    40f3b8f8a3d33864528138e517ce3240da6c9a4a Fix cookie with Max-Age processing
    5caade99127ff46141d2f6b7137f7aa62c0ff3bc Add debug log in case cookie retrieval went wrong

ipa-4-3:
    0d66046e501a4a1a09a0a74a96a499cb88ffb03b Fix cookie with Max-Age processing
    71475e3153117e554d22a2a27d7882ba4f890be8 Add debug log in case cookie retrieval went wrong

ipa-4-5:
    c59729d783993f60582f5cc6ca018545231df22b Add debug log in case cookie retrieval went wrong

master:
    0bb858ea770e081817dc243579d08ad1f113e825 Add debug log in case cookie retrieval went wrong

Comment 6 Sudhir Menon 2017-05-16 08:37:36 UTC
Marking the bug as FAILEDQA, since the message below is still seen when connecting ipa-client-4.4 to ipa-server-4.5

"unable to parse cookie header ...  unsupported operand type(s) for +: 'NoneType' and 'datetime.timedelta' "

Tested using 
RHEL7.4 IPA-server
ipa-server-4.5.0-11.el7.x86_64
389-ds-base-1.3.6.1-13.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
sssd-1.15.2-29.el7.x86_64
selinux-policy-3.13.1-148.el7.noarch

RHEL7.3.z IPA-Client 
ipa-client-4.4.0-14.el7_3.7.x86_64
sssd-1.14.0-43.el7_3.14.x86_64
selinux-policy-3.13.1-102.el7_3.16.noarch

=== Observations on ipa-client ===

[root@client73 ~]# ipa-client-install 
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: client73.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@TESTRELM.TEST: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Tue May 16 06:49:31 2017 UTC
    Valid Until: Sat May 16 06:49:31 2037 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
unable to parse cookie header 'ipa_session=MagBearerToken=EjDTpG5%2fLnopi8uTdpAOWSKXHBSub4dBqQhEr%2fBONqSa6U6WVZDcx9VyxqrSCQ6SZ2UeDwRpDXz1L6MnEdBIf4DNdmAHxHyphWfgLoHS741wxd0VGcbtz161QeMZHQ2XZU7kpU0nE503sUFRRn9EuNTsxgIJnR0I3w%2fqFykCfGG6mDCk1Xt9fUe5y0z1G1Sih9IbjSquiMjrfHd%2fgYyDA0MqXpHIrj8kjz7448x59YNJyVgnFfgOmIuwAZDzup6hJnjPdXG9%2f6CmzykQ25MN6H8lGFmPRNHTEez%2ba1mZ3dI%3d&expiry=1494924963942583;Max-Age=1800;path=/ipa;httponly;secure;': unsupported operand type(s) for +: 'NoneType' and 'datetime.timedelta'
trying https://master.testrelm.test/ipa/json
Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/json'
unable to parse cookie header 'ipa_session=MagBearerToken=vOmf81%2bfP277AfbAjwIKhhiqqOM9RO%2b5P%2fPM%2fstWN6Bx8owfXNcY4Ye6UynxEiSN2ahHkMHjChxyOb2QTCPkQu71N%2bG6SEBnJZBhDe0xTtO%2bsrkrhpYf1UtMf6pdWIetBzNlULBnWjdIf2S83SlUUo4kTT9JdWyPJkLUsOLJRpERWe4BTeqq7urAAuj%2bqCbO9jd3flPbdkiRDNFmxVjHbylgLkJggb535E4wGP9ZAanuDB6u8SqELZfYta4WGeCPe9uXJ96lRCOpeNGzL1MZJsCRHU0yghmbFqT2aVJpRs4%3d&expiry=1494924966937939;Max-Age=1800;path=/ipa;httponly;secure;': unsupported operand type(s) for +: 'NoneType' and 'datetime.timedelta'
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/json'
unable to parse cookie header 'ipa_session=MagBearerToken=R52XuhW4S%2bmurTK3iU9QzF4sXF6kb%2beHFR2yJ82yS%2fTRTgu9MfzZ6E%2fiK9LoOEqpPyNBUTHFQYMPbzUSSJGsZgnd1msOtu9wEtaqDqyJu%2bLRR7XSxYA%2bpEhkY3L4NSf1eW72xcrFxLZzGPHQdpkH9T90lHYIZei5CVPHJOUUeUq5DybtfYkB2pDtgGricc49hZp3ciPyXydmksOCNjd4G1S%2fgbV9oTZqmu7UXbrr1Hyob5igk9SOZPj%2b3w3DQd4UunoroQCg%2fTwxD1p9CCgQigicGTo0Z4HSKpBOK4wSd4c%3d&expiry=1494924966991859;Max-Age=1800;path=/ipa;httponly;secure;': unsupported operand type(s) for +: 'NoneType' and 'datetime.timedelta'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/json'
unable to parse cookie header 'ipa_session=MagBearerToken=ibQbVCHEmyPOiVTGFzfob1YkhS1H8MTWp%2bvQzO3aN%2bsoyc8Y1C%2bWARIC%2fblyTcvJy14zBB4fgOLyzGxr%2b3WtMwl5fliUXj4k8LXfVKJdO7Jtf63sQk4z%2bD5hLZcroZ26F5L1m4tDalSk2SeCptiMvRu5St3yDdlcLcMX%2fPNXHXS1QzaRdI5dLYgGbOk9q7VOLK7NXDtPrF9oPrIPM6wXy%2finEpFd0x4CAt2jjikfDLOq3KXYe9Y6SJfu5tLTjzPM1fmEMoEsAaLx%2bZKmG6yCOJBPCqXGdVnHuBhkdEb6l1U%3d&expiry=1494924969939644;Max-Age=1800;path=/ipa;httponly;secure;': unsupported operand type(s) for +: 'NoneType' and 'datetime.timedelta'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.

[root@master ~]# ipa host-find
---------------
3 hosts matched
---------------
  Host name: client73.testrelm.test
  Principal name: host/client73.testrelm.test@TESTRELM.TEST
  Principal alias: host/client73.testrelm.test@TESTRELM.TEST
  SSH public key fingerprint: SHA256:d/R5xAbwyc4QotgPUhO3ao3YkYcep4ZM/U8ePL7PYp8 (ssh-rsa), SHA256:Aq91XJQBiyR69NvxzVzntFdz07BGs336GO9sp7Pj+0g (ecdsa-sha2-nistp256),
                              SHA256:deUr46U1wRRFnRxzK4BhkLr2gYtcy5vuns+Q5pSa/iE (ssh-ed25519)
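
The TypeError in the log above is what `None + timedelta` produces: a Max-Age delta applied to a cookie receipt time that was never recorded. As an added Python example (not FreeIPA's own code), here is a small Set-Cookie parser for the header shape shown in the log that takes the receipt time explicitly, applies RFC 6265 precedence of Max-Age over Expires, treats a cookie with neither as a session cookie, and cross-checks the Max-Age result against the token's own `expiry` field. The header value, the receipt time and the reading of `expiry` as a microsecond UNIX timestamp are constructed assumptions, not something the bug report states.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs

# Constructed sample with the attribute layout of the ipa_session cookie in
# the log; the bearer token is a placeholder, the expiry field is copied.
SAMPLE_HEADER = ("ipa_session=MagBearerToken=TOKEN-PLACEHOLDER&expiry=1494924963942583;"
                 "Max-Age=1800;path=/ipa;httponly;secure;")
# Constructed receipt time, chosen 1800 s before the embedded expiry.
RECEIVED_AT = datetime(2017, 5, 16, 8, 26, 3, 942583, tzinfo=timezone.utc)


def parse_set_cookie(header, received_at):
    """Parse one Set-Cookie header; 'expires' is an aware datetime or None.

    received_at is the RFC 6265 reference point for Max-Age. Rejecting None
    here keeps the failure explicit instead of surfacing as None + timedelta.
    """
    if received_at is None:
        raise ValueError("cookie receipt time is required to apply Max-Age")
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.lower()] = val  # flags such as httponly map to ""
    expires = None
    if "max-age" in attrs:
        # RFC 6265 5.2.2: Max-Age takes precedence; <= 0 expires at once.
        expires = received_at + timedelta(seconds=max(int(attrs["max-age"]), 0))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
    return {"name": name, "value": value, "attrs": attrs, "expires": expires}


def is_expired(cookie, now):
    """Session cookies (expires is None) never expire by time."""
    return cookie["expires"] is not None and now >= cookie["expires"]


def embedded_expiry(cookie):
    """Decode the token's own expiry field, assumed here (the page does not
    say) to be a microsecond UNIX timestamp, to cross-check against Max-Age."""
    micros = int(parse_qs(cookie["value"])["expiry"][0])
    return datetime.fromtimestamp(micros // 10**6, tz=timezone.utc) + timedelta(
        microseconds=micros % 10**6)
```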

Comment 8 Petr Vobornik 2017-05-16 08:43:06 UTC
This bz covers only 4.5 clients, 4.4 clients are handled in bug 1442038 - which was not yet fixed.

Comment 9 Sudhir Menon 2017-05-16 08:58:49 UTC
Marking this bug as VERIFIED since the 7.5 client is no longer affected by the original issue.

Tested on RHEL7.4

ipa-client-4.5.0-11.el7.x86_64
ipa-server-4.5.0-11.el7.x86_64
389-ds-base-1.3.6.1-13.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
sssd-1.15.2-29.el7.x86_64
selinux-policy-3.13.1-148.el7.noarch

[root@client74 ~]# ipa-client-install 
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: client74.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@TESTRELM.TEST: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  2017-05-16 06:49:31
    Valid Until: 2037-05-16 06:49:31

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
trying https://master.testrelm.test/ipa/session/json
Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Hostname (client74.testrelm.test) does not have A/AAAA record.
Incorrect reverse record(s):
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful


[root@master log]# ipa vault-add
Vault name: test-vault
New password: 
Enter New password again to verify: 
------------------------
Added vault "test-vault"
------------------------
  Vault name: test-vault
  Type: symmetric
  Salt: 72/IgkQx+mcv4LbvIszz5A==
  Owner users: admin
  Vault user: admin

[root@client74 ~]# ipa vault-find
---------------
1 vault matched
---------------
  Vault name: test-vault
  Type: symmetric
  Vault user: admin
----------------------------
Number of entries returned 1
----------------------------

[root@client74 ~]# ipa vault-find --all
---------------
1 vault matched
---------------
  dn: cn=test-vault,cn=admin,cn=users,cn=vaults,cn=kra,dc=testrelm,dc=test
  Vault name: test-vault
  Type: symmetric
  Salt: 72/IgkQx+mcv4LbvIszz5A==
  Owner users: admin
  Vault user: admin
  objectclass: ipaVault, top
----------------------------
Number of entries returned 1
----------------------------

Comment 10 Sudhir Menon 2017-05-16 08:59:41 UTC
Correction: Marking this bug as VERIFIED since the 4.5 client is no longer affected by the original issue.

Comment 11 errata-xmlrpc 2017-08-01 09:48:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

