Red Hat Bugzilla – Bug 1441160
FreeIPA client <= 4.4 fail to parse 4.5 cookies
Last modified: 2017-08-01 05:48:56 EDT
ipa-4-4:
    40f3b8f8a3d33864528138e517ce3240da6c9a4a Fix cookie with Max-Age processing
    5caade99127ff46141d2f6b7137f7aa62c0ff3bc Add debug log in case cookie retrieval went wrong
ipa-4-3:
    0d66046e501a4a1a09a0a74a96a499cb88ffb03b Fix cookie with Max-Age processing
    71475e3153117e554d22a2a27d7882ba4f890be8 Add debug log in case cookie retrieval went wrong
ipa-4-5:
    c59729d783993f60582f5cc6ca018545231df22b Add debug log in case cookie retrieval went wrong
master:
    0bb858ea770e081817dc243579d08ad1f113e825 Add debug log in case cookie retrieval went wrong
Marking the bug as FAILEDQA, since the below message is still seen when connecting ipa-client-4.4 to ipa-server-4.5:

"unable to parse cookie header ... unsupported operand type(s) for +: 'NoneType' and 'datetime.timedelta' "

Tested using

RHEL7.4 IPA-server
ipa-server-4.5.0-11.el7.x86_64
389-ds-base-1.3.6.1-13.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
sssd-1.15.2-29.el7.x86_64
selinux-policy-3.13.1-148.el7.noarch

RHEL7.3.z IPA-Client
ipa-client-4.4.0-14.el7_3.7.x86_64
sssd-1.14.0-43.el7_3.14.x86_64
selinux-policy-3.13.1-102.el7_3.16.noarch

=== Observations on ipa-client ===

[root@client73 ~]# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: client73.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@TESTRELM.TEST:
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=TESTRELM.TEST
    Issuer: CN=Certificate Authority,O=TESTRELM.TEST
    Valid From: Tue May 16 06:49:31 2017 UTC
    Valid Until: Sat May 16 06:49:31 2037 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
unable to parse cookie header 'ipa_session=MagBearerToken=EjDTpG5%2fLnopi8uTdpAOWSKXHBSub4dBqQhEr%2fBONqSa6U6WVZDcx9VyxqrSCQ6SZ2UeDwRpDXz1L6MnEdBIf4DNdmAHxHyphWfgLoHS741wxd0VGcbtz161QeMZHQ2XZU7kpU0nE503sUFRRn9EuNTsxgIJnR0I3w%2fqFykCfGG6mDCk1Xt9fUe5y0z1G1Sih9IbjSquiMjrfHd%2fgYyDA0MqXpHIrj8kjz7448x59YNJyVgnFfgOmIuwAZDzup6hJnjPdXG9%2f6CmzykQ25MN6H8lGFmPRNHTEez%2ba1mZ3dI%3d&expiry=1494924963942583;Max-Age=1800;path=/ipa;httponly;secure;': unsupported operand type(s) for +: 'NoneType' and 'datetime.timedelta'
trying https://master.testrelm.test/ipa/json
Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/json'
unable to parse cookie header 'ipa_session=MagBearerToken=vOmf81%2bfP277AfbAjwIKhhiqqOM9RO%2b5P%2fPM%2fstWN6Bx8owfXNcY4Ye6UynxEiSN2ahHkMHjChxyOb2QTCPkQu71N%2bG6SEBnJZBhDe0xTtO%2bsrkrhpYf1UtMf6pdWIetBzNlULBnWjdIf2S83SlUUo4kTT9JdWyPJkLUsOLJRpERWe4BTeqq7urAAuj%2bqCbO9jd3flPbdkiRDNFmxVjHbylgLkJggb535E4wGP9ZAanuDB6u8SqELZfYta4WGeCPe9uXJ96lRCOpeNGzL1MZJsCRHU0yghmbFqT2aVJpRs4%3d&expiry=1494924966937939;Max-Age=1800;path=/ipa;httponly;secure;': unsupported operand type(s) for +: 'NoneType' and 'datetime.timedelta'
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/json'
unable to parse cookie header 'ipa_session=MagBearerToken=R52XuhW4S%2bmurTK3iU9QzF4sXF6kb%2beHFR2yJ82yS%2fTRTgu9MfzZ6E%2fiK9LoOEqpPyNBUTHFQYMPbzUSSJGsZgnd1msOtu9wEtaqDqyJu%2bLRR7XSxYA%2bpEhkY3L4NSf1eW72xcrFxLZzGPHQdpkH9T90lHYIZei5CVPHJOUUeUq5DybtfYkB2pDtgGricc49hZp3ciPyXydmksOCNjd4G1S%2fgbV9oTZqmu7UXbrr1Hyob5igk9SOZPj%2b3w3DQd4UunoroQCg%2fTwxD1p9CCgQigicGTo0Z4HSKpBOK4wSd4c%3d&expiry=1494924966991859;Max-Age=1800;path=/ipa;httponly;secure;': unsupported operand type(s) for +: 'NoneType' and 'datetime.timedelta'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/json'
unable to parse cookie header 'ipa_session=MagBearerToken=ibQbVCHEmyPOiVTGFzfob1YkhS1H8MTWp%2bvQzO3aN%2bsoyc8Y1C%2bWARIC%2fblyTcvJy14zBB4fgOLyzGxr%2b3WtMwl5fliUXj4k8LXfVKJdO7Jtf63sQk4z%2bD5hLZcroZ26F5L1m4tDalSk2SeCptiMvRu5St3yDdlcLcMX%2fPNXHXS1QzaRdI5dLYgGbOk9q7VOLK7NXDtPrF9oPrIPM6wXy%2finEpFd0x4CAt2jjikfDLOq3KXYe9Y6SJfu5tLTjzPM1fmEMoEsAaLx%2bZKmG6yCOJBPCqXGdVnHuBhkdEb6l1U%3d&expiry=1494924969939644;Max-Age=1800;path=/ipa;httponly;secure;': unsupported operand type(s) for +: 'NoneType' and 'datetime.timedelta'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.

[root@master ~]# ipa host-find
---------------
3 hosts matched
---------------
  Host name: client73.testrelm.test
  Principal name: host/client73.testrelm.test@TESTRELM.TEST
  Principal alias: host/client73.testrelm.test@TESTRELM.TEST
  SSH public key fingerprint: SHA256:d/R5xAbwyc4QotgPUhO3ao3YkYcep4ZM/U8ePL7PYp8 (ssh-rsa), SHA256:Aq91XJQBiyR69NvxzVzntFdz07BGs336GO9sp7Pj+0g (ecdsa-sha2-nistp256), SHA256:deUr46U1wRRFnRxzK4BhkLr2gYtcy5vuns+Q5pSa/iE (ssh-ed25519)
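
The TypeError in the log above, reproduced as an added example (not FreeIPA's code and not part of this bug report): a Max-Age lifetime is added to a receipt timestamp that was never set, next to a variant that defaults the timestamp and falls back to Expires. The function names are hypothetical and the sample header is constructed with a placeholder token.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample shaped like the logged headers; the token is a placeholder.
SAMPLE = ("ipa_session=MagBearerToken=PLACEHOLDER&expiry=1494924963942583;"
          "Max-Age=1800;path=/ipa;httponly;secure;")


def parse_set_cookie(header):
    """Return (name, value, attrs); attribute names are lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("no name=value pair in cookie header")
    name, value = parts[0].split("=", 1)
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags map to ""
    return name, value, attrs


def expiration_naive(attrs, timestamp=None):
    """Failure pattern: Max-Age is added to a timestamp nobody set."""
    return timestamp + timedelta(seconds=int(attrs["max-age"]))


def expiration(attrs, received=None):
    """Expiry as an aware UTC datetime, or None for a session cookie."""
    received = received or datetime.now(timezone.utc)
    try:
        # Max-Age takes precedence over Expires (RFC 6265, section 5.3).
        return received + timedelta(seconds=int(attrs["max-age"]))
    except (KeyError, TypeError, ValueError, OverflowError):
        pass  # absent or malformed Max-Age: fall back to Expires
    try:
        return parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return None  # no usable lifetime: treat as a session cookie


if __name__ == "__main__":
    _, _, sample_attrs = parse_set_cookie(SAMPLE)
    print("expires:", expiration(sample_attrs))
    try:
        expiration_naive(sample_attrs)
    except TypeError as exc:
        print("naive:", exc)
```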
This bz covers only 4.5 clients; 4.4 clients are handled in bug 1442038, which was not yet fixed.
Marking this bug as VERIFIED since the 7.5 client is no longer affected by the original issue.

Tested on RHEL7.4
ipa-client-4.5.0-11.el7.x86_64
ipa-server-4.5.0-11.el7.x86_64
389-ds-base-1.3.6.1-13.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
sssd-1.15.2-29.el7.x86_64
selinux-policy-3.13.1-148.el7.noarch

[root@client74 ~]# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: client74.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@TESTRELM.TEST:
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=TESTRELM.TEST
    Issuer: CN=Certificate Authority,O=TESTRELM.TEST
    Valid From: 2017-05-16 06:49:31
    Valid Until: 2037-05-16 06:49:31

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
trying https://master.testrelm.test/ipa/session/json
Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Hostname (client74.testrelm.test) does not have A/AAAA record.
Incorrect reverse record(s):
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

[root@master log]# ipa vault-add
Vault name: test-vault
New password:
Enter New password again to verify:
------------------------
Added vault "test-vault"
------------------------
  Vault name: test-vault
  Type: symmetric
  Salt: 72/IgkQx+mcv4LbvIszz5A==
  Owner users: admin
  Vault user: admin

[root@client74 ~]# ipa vault-find
---------------
1 vault matched
---------------
  Vault name: test-vault
  Type: symmetric
  Vault user: admin
----------------------------
Number of entries returned 1
----------------------------

[root@client74 ~]# ipa vault-find --all
---------------
1 vault matched
---------------
  dn: cn=test-vault,cn=admin,cn=users,cn=vaults,cn=kra,dc=testrelm,dc=test
  Vault name: test-vault
  Type: symmetric
  Salt: 72/IgkQx+mcv4LbvIszz5A==
  Owner users: admin
  Vault user: admin
  objectclass: ipaVault, top
----------------------------
Number of entries returned 1
----------------------------
Correction: Marking this bug as VERIFIED since the 4.5 client is no longer affected by the original issue.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304