Bug 1447375 - ipa-client-install: extra space in pkinit_anchors definition
Summary: ipa-client-install: extra space in pkinit_anchors definition
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Varun Mylaraiah
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-05-02 14:28 UTC by Petr Vobornik
Modified: 2017-08-01 09:50 UTC (History)

Fixed In Version: ipa-4.5.0-10.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:50:15 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-05-02 14:28:14 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6916

When performing ipa-client-install, the following section is added to /etc/krb5.conf:

    [realms]
      DOM-IPA.COM = {
        pkinit_anchors = FILE: /etc/ipa/ca.crt
    
      }

Note that the param pkinit_anchors contains an extra space between FILE: and /etc/ipa/ca.crt.

This causes the Kerberos client to fail when trying PKINIT because the ca.crt file is not read:

    $ export KRB5_TRACE=/dev/stderr
    $ kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' demosc1
    [78677] 1493711847.77746: Getting initial credentials for demosc1@DOM-IPA.COM
    [78677] 1493711847.78070: Sending request (235 bytes) to DOM-IPA.COM
    [78677] 1493711847.78488: Initiating TCP connection to stream 10.34.58.20:88
    [78677] 1493711847.79255: Sending TCP request to stream 10.34.58.20:88
    [78677] 1493711847.85644: Received answer (394 bytes) from stream 10.34.58.20:88
    [78677] 1493711847.85673: Terminating TCP connection to stream 10.34.58.20:88
    [78677] 1493711847.85834: Response was from master KDC
    [78677] 1493711847.85879: Received error from KDC: -1765328359/Additional pre-authentication required
    [78677] 1493711847.85974: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
    [78677] 1493711847.85993: Selected etype info: etype aes256-cts, salt "rOG^ Fx(s%85k-GC", params ""
    [78677] 1493711847.86006: Received cookie: MIT
    [78677] 1493711853.360097: Preauth module pkinit (147) (info) returned: 0/Success
    PIV Card Holder pin (PIV_II)     PIN: 
    [78677] 1493711860.808408: PKINIT OpenSSL error: Cannot open file ' /etc/ipa/ca.crt'
    [78677] 1493711860.808483: PKINIT OpenSSL error: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
    [78677] 1493711860.808500: PKINIT OpenSSL error: error:25070067:DSO support routines:DSO_load:could not load the shared library
    [78677] 1493711860.808514: PKINIT OpenSSL error: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found
    [78677] 1493711860.808521: PKINIT OpenSSL error: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
    [78677] 1493711860.808527: PKINIT OpenSSL error: error:25070067:DSO support routines:DSO_load:could not load the shared library
    [78677] 1493711860.808533: PKINIT OpenSSL error: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found
    [78677] 1493711860.808545: PKINIT OpenSSL error: error:2606A074:engine routines:ENGINE_by_id:no such engine
    [78677] 1493711860.808552: PKINIT OpenSSL error: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
    [78677] 1493711860.808558: PKINIT OpenSSL error: error:25070067:DSO support routines:DSO_load:could not load the shared library
    [78677] 1493711860.808568: PKINIT OpenSSL error: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found
    [78677] 1493711860.808575: PKINIT OpenSSL error: error:02001002:system library:fopen:No such file or directory
    [78677] 1493711860.808583: PKINIT OpenSSL error: error:2006D080:BIO routines:BIO_new_file:no such file
    [78677] 1493711860.808589: PKINIT client has no configured identity; giving up
    [78677] 1493711860.808613: Preauth module pkinit (16) (real) returned: -1765328360/Cannot open file ' /etc/ipa/ca.crt': could not load the shared library
    [78677] 1493711860.808643: PKINIT client has no configured identity; giving up
    [78677] 1493711860.808655: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
    [78677] 1493711860.808665: PKINIT client has no configured identity; giving up
    [78677] 1493711860.808677: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
    Password for demosc1@DOM-IPA.COM:
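
The failure above is easy to miss by eye: the value is syntactically a valid `FILE:` anchor, but the text after the prefix is used as the path verbatim, so OpenSSL tries to open `' /etc/ipa/ca.crt'` (note the leading space in the trace's `Cannot open file` line) and PKINIT silently falls back to password preauth. The following script is an added example, not part of the bug report or of FreeIPA; it parses the `[realms]` section of a krb5.conf-style file and flags any `pkinit_anchors` value whose target has whitespace after the `FILE:`/`DIR:`/`ENV:` prefix. The embedded sample configuration is constructed for the example: the `DOM-IPA.COM` block reproduces the broken value from the report, the `TESTRELM.TEST` block the corrected form from the verification comment.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: DOM-IPA.COM reproduces the broken "FILE: /etc/ipa/ca.crt"
# value from the report, TESTRELM.TEST the corrected form.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = DOM-IPA.COM

[realms]
  DOM-IPA.COM = {
    kdc = ipa.dom-ipa.com:88
    pkinit_anchors = FILE: /etc/ipa/ca.crt
  }
  TESTRELM.TEST = {
    kdc = mgmt9.testrelm.test:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    pkinit_anchors = DIR:/etc/pki/pkinit-anchors
  }
"""

# pkinit_anchors forms MIT krb5 accepts: FILE:<path>, DIR:<path>, ENV:<var>
ANCHOR_RE = re.compile(r"^(FILE|DIR|ENV):(.*)$")


def parse_realm_anchors(text: str) -> Dict[str, List[str]]:
    """Map realm name -> list of pkinit_anchors values from the [realms]
    section. Minimal parser for krb5.conf's brace-delimited realm blocks;
    other sections and keys are ignored."""
    anchors: Dict[str, List[str]] = {}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                      # section header, e.g. [realms]
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:                      # start of a "REALM = {" block
            realm = m.group(1)
            anchors.setdefault(realm, [])
            continue
        if line == "}":
            realm = None
            continue
        if realm is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "pkinit_anchors":
                # strip only surrounding whitespace; whitespace between the
                # prefix and the target is exactly what we want to detect
                anchors[realm].append(value.strip())
    return anchors


def check_anchor(value: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a single pkinit_anchors value."""
    m = ANCHOR_RE.match(value)
    if not m:
        return False, f"unrecognised anchor prefix in {value!r}"
    prefix, target = m.groups()
    if not target:
        return False, f"empty target after {prefix}:"
    if target != target.strip():
        # the text after the prefix is used as the path as written, so
        # "FILE: /etc/ipa/ca.crt" opens " /etc/ipa/ca.crt", which does not exist
        return False, f"whitespace after {prefix}: in {value!r}"
    return True, "ok"


def find_bad_anchors(text: str) -> List[Tuple[str, str, str]]:
    """Return (realm, value, reason) for every pkinit_anchors that fails."""
    bad = []
    for realm, values in parse_realm_anchors(text).items():
        for value in values:
            ok, reason = check_anchor(value)
            if not ok:
                bad.append((realm, value, reason))
    return bad


if __name__ == "__main__":
    # Usage: python3 check_pkinit_anchors.py /etc/krb5.conf [more files ...]
    # With no arguments the constructed sample is checked instead.
    if sys.argv[1:]:
        conf_texts = [(p, open(p).read()) for p in sys.argv[1:]]
    else:
        conf_texts = [("<sample>", SAMPLE_KRB5_CONF)]
    for name, conf in conf_texts:
        for realm, value, reason in find_bad_anchors(conf):
            print(f"{name}: realm {realm}: {reason}")
```

Run it against /etc/krb5.conf and any files under /etc/krb5.conf.d/ on a client enrolled with an affected ipa-client-install; a clean run prints nothing. The check deliberately does not touch the filesystem to verify the anchor path exists, so it can be run against copied configs from a fleet without the CA certificate being present.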

Comment 2 Petr Vobornik 2017-05-02 14:29:33 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6916

Comment 3 Petr Vobornik 2017-05-02 14:32:47 UTC
master:

    26dbab1fd4384b8f3999b153c2d94220cf541ad2 ipa-client-install: remove extra space in pkinit_anchors definition

ipa-4-5:

    a3c4e70650dbcd5dd3f00a7b2fecc051afeebec0 ipa-client-install: remove extra space in pkinit_anchors definition

Comment 6 Varun Mylaraiah 2017-05-16 10:23:47 UTC
Verified
ipa-client-4.5.0-11.el7.x86_64

No extra space in pkinit_anchors definition.

/etc/krb5.conf.d/
[realms]
 TESTRELM.TEST = {
  kdc = mgmt9.testrelm.test:88
  master_kdc = mgmt9.testrelm.test:88
  admin_server = mgmt9.testrelm.test:749
  default_domain = testrelm.test
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

# kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' tuser1
[29484] 1494930126.449771: Resolving unique ccache of type KEYRING
[29484] 1494930126.454008: Getting initial credentials for tuser1@TESTRELM.TEST
[29484] 1494930126.454403: Sending request (176 bytes) to TESTRELM.TEST
[29484] 1494930126.454673: Initiating TCP connection to stream 10.16.4.19:88
[29484] 1494930126.455035: Sending TCP request to stream 10.16.4.19:88
[29484] 1494930126.457447: Received answer (306 bytes) from stream 10.16.4.19:88
[29484] 1494930126.457468: Terminating TCP connection to stream 10.16.4.19:88
[29484] 1494930126.457606: Response was from master KDC
[29484] 1494930126.457644: Received error from KDC: -1765328359/Additional pre-authentication required
[29484] 1494930126.457719: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[29484] 1494930126.457739: Selected etype info: etype aes256-cts, salt "{`]l&bq""C&Yz_r{", params ""
[29484] 1494930126.457747: Received cookie: MIT
[29484] 1494930126.457935: Preauth module pkinit (147) (info) returned: 0/Success
[29484] 1494930126.457995: PKINIT client has no configured identity; giving up
[29484] 1494930126.458008: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
[29484] 1494930126.458024: PKINIT client has no configured identity; giving up
[29484] 1494930126.458032: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
[29484] 1494930126.458047: PKINIT client has no configured identity; giving up
[29484] 1494930126.458054: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
Password for tuser1@TESTRELM.TEST: 
[29484] 1494930132.913136: AS key obtained for encrypted timestamp: aes256-cts/03D5
[29484] 1494930132.913242: Encrypted timestamp (for 1494930132.912765): plain 301AA011180F32303137303531363130323231325AA10502030DED7D, encrypted D88CEF5A33F84226067B23FCF9F7267C84C56B46441995FFDAD98A9204A72B9241313574786B634D96CEA2171FE6F2636BC297EC566A6825
[29484] 1494930132.913272: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[29484] 1494930132.913279: Produced preauth for next request: 133, 2
[29484] 1494930132.913305: Sending request (271 bytes) to TESTRELM.TEST
[29484] 1494930132.913424: Initiating TCP connection to stream 10.16.4.19:88
[29484] 1494930132.913530: Sending TCP request to stream 10.16.4.19:88
[29484] 1494930132.917454: Received answer (740 bytes) from stream 10.16.4.19:88
[29484] 1494930132.917489: Terminating TCP connection to stream 10.16.4.19:88
[29484] 1494930132.917698: Response was from master KDC
[29484] 1494930132.917766: Processing preauth types: 19
[29484] 1494930132.917781: Selected etype info: etype aes256-cts, salt "{`]l&bq""C&Yz_r{", params ""
[29484] 1494930132.917795: Produced preauth for next request: (empty)
[29484] 1494930132.917815: AS key determined by preauth: aes256-cts/03D5
[29484] 1494930132.917934: Decrypted AS reply; session key is: aes256-cts/3030
[29484] 1494930132.917968: FAST negotiation: available
[29484] 1494930132.918011: Initializing KEYRING:persistent:0:krb_ccache_DWX3YLN with default princ tuser1@TESTRELM.TEST
[29484] 1494930132.918151: Storing tuser1@TESTRELM.TEST -> krbtgt/TESTRELM.TEST@TESTRELM.TEST in KEYRING:persistent:0:krb_ccache_DWX3YLN
[29484] 1494930132.918231: Storing config in KEYRING:persistent:0:krb_ccache_DWX3YLN for krbtgt/TESTRELM.TEST@TESTRELM.TEST: fast_avail: yes
[29484] 1494930132.918256: Storing tuser1@TESTRELM.TEST -> krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in KEYRING:persistent:0:krb_ccache_DWX3YLN
[29484] 1494930132.918313: Storing config in KEYRING:persistent:0:krb_ccache_DWX3YLN for krbtgt/TESTRELM.TEST@TESTRELM.TEST: pa_type: 2
[29484] 1494930132.918330: Storing tuser1@TESTRELM.TEST -> krb5_ccache_conf_data/pa_type/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in KEYRING:persistent:0:krb_ccache_DWX3YLN
[root@mgmt9 ~]# 
[root@mgmt9 ~]# 
[root@mgmt9 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_DWX3YLN
Default principal: tuser1@TESTRELM.TEST

Valid starting       Expires              Service principal
2017-05-16T06:22:12  2017-05-17T06:22:06  krbtgt/TESTRELM.TEST@TESTRELM.TEST

Comment 7 errata-xmlrpc 2017-08-01 09:50:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
