Bug 1445397 – GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1445397 - GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA

Summary:	GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa (Show other bugs)
Sub Component:
Version:	7.4
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	IPA Maintainers
QA Contact:	Ganna Kaihorodova
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2017-04-25 11:02 EDT by Petr Vobornik
Modified:	2017-08-01 05:50 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:	ipa-4.5.0-10.el7
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-08-01 05:50:15 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
FreeIPA installation with external CA (14.88 KB, text/plain) 2017-06-05 09:26 EDT, Ganna Kaihorodova	no flags	Details
screenshot for webUI (82.51 KB, image/png) 2017-06-05 09:28 EDT, Ganna Kaihorodova	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2304	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2017-08-01 08:41:35 EDT

Groups: None (edit)

Description Petr Vobornik 2017-04-25 11:02:12 EDT

Cloned from upstream: https://pagure.io/freeipa/issue/6876

```KerberosSession.finalize_kerberos_acquisition()``` uses ```requests``` to interact with IPA. The ```request.get()``` call performs a HTTP GET over HTTPS but fails to use FreeIPA's private CA file.

Comment 2 Petr Vobornik 2017-04-25 11:02:29 EDT

Upstream ticket:
https://pagure.io/freeipa/issue/6876

Comment 3 Petr Vobornik 2017-04-25 11:11:44 EDT

Http code performed by this call doesn't use CA certificate/certificate store with full certificate chain of IPA server. So it might happen that in case that IPA is installed with externally signed CA certificate, the call can fail because of certificate validation and e.g. prevent session acquisition. 

If it will fail for sure is not known - the use case was not discovered, but it is faster and safer to fix preemptively.

Comment 4 Martin Bašti 2017-05-02 07:44:30 EDT

Fixed upstream
master:
https://pagure.io/freeipa/c/c19196a0d3fc0a38c4c83cb8a7fde56e6bc310af
ipa-4-5:
https://pagure.io/freeipa/c/82679c11f1fc0701d753433d1f2d14c3ee0279af

Comment 8 Ganna Kaihorodova 2017-06-05 09:26 EDT

Created attachment 1285053 [details]
FreeIPA installation with external CA

Comment 9 Ganna Kaihorodova 2017-06-05 09:28 EDT

Created attachment 1285054 [details]
screenshot for webUI

Comment 10 errata-xmlrpc 2017-08-01 05:50:15 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

Note You need to log in before you can comment on or make changes to this bug.