Bug 1470916 - ipa client pointing to replica shows KDC has no support for encryption type
ipa client pointing to replica shows KDC has no support for encryption type
Status: POST
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.4
Unspecified Unspecified
urgent Severity urgent
: rc
: ---
Assigned To: IPA Maintainers
ipa-qe
: ZStream
: 1543464 (view as bug list)
Depends On:
Blocks: 1565520
  Show dependency treegraph
 
Reported: 2017-07-13 21:54 EDT by Scott Poore
Modified: 2018-04-16 09:38 EDT (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1565520 (view as bug list)
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Scott Poore 2017-07-13 21:54:45 EDT
Description of problem:


We are seeing issues again with ipa commands (install and cert related at least)    throwing no support for encryption type errors.

[root@client ~]# ipa cert-request --principal=HTTP/client.testrelm.test /tmp/http-func-services.csr
ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638926): KDC has no support for encryption type

When I switch /etc/ipa/default.conf to point to the IPA Master, it works.

[root@client ~]# vi /etc/ipa/default.conf
[root@client ~]# ipa cert-request --principal=HTTP/client.testrelm.test /tmp/http-func-services.csr
  Issuing CA: ipa
  Certificate: MIIEGjCCAwKgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNzE0MDEyMDMxWhcNMTkwNzE1MDEyMDMxWjA3MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR0wGwYDVQQDDBRjbGllbnQudGVzdHJlbG0udGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOt/fp2oOdEMOq6X4ZTqeXXrnv32DtPbOTtVbKqKJxsiIN5lXpJHRf3cc7uRy1llChrcgidXz6Jz27n+eLCZDAZd0FmUe3zb2U3OXNPr9cCJ89uAQTcxl7lYierRDOiXM7iEpvL1mZ7nwlbJjvZ4Xg6DFr/2DO5VZWUUcIdtC7FRFSjrauPTw1t9bu2AltNSKlMUF05wWEmvOZFBXi8893cwe0GpcSQbNs2uCdyZkpM2JaH4PA99WZITRnKQCaKB+TFemB5QfI5DPoxw9Pupvnbbi78q9qkN/VEse6g6hMR3DPv5PiVIGVM2U7bSad5Vy9D7FfhcbOHNzhMfSHkdV8sCAwEAAaOCAS4wggEqMB8GA1UdIwQYMBaAFECRrHwc4Jg3c+9UvPYXCahECDtzMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBTTr3znXEQ2j5MWBmCbOFPo20HlLzANBgkqhkiG9w0BAQsFAAOCAQEATEeSYOQgbfGK+69pqOBeXWn2wPmAPZUY4bVSz0L1Qsal+9OybQGfR4Njr/rIV6/zZbvf/MBqupXmVLg5xT9Ob58hG4y9sxBUBB+v9lvOw8rCXCcd813ZpRtkHRVAuJxwy91a8u+vpBcf8/Rk6rEenTTQh2RIaOnaX6EMnyUz/gNx0pSMASUzhvn3W3EBJW1tLWqA2V5kwFKKhcv/Ypl76Mzm0wOOJ/yimjMJ1YBfcNR53wciaqT2ISv0XboN3NVF06FiA6ruGrmJ0Hqfs79XRDnpnmRLFffisl8oZccABSjh/onthgVqUiZ6tZPiH5NVtfGoUu26A88uFMEPtoV7Qg==
  Subject: CN=client.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Fri Jul 14 01:20:31 2017 UTC
  Not After: Mon Jul 15 01:20:31 2019 UTC
  Serial number: 15
  Serial number (hex): 0xF


We also saw this during an ipa-client-insta

RUNCMD: /usr/sbin/ipa-client-install -U --principal admin --password Secret123
STDOUT: WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd



STDERR: Discovery was successful!
Client hostname: client.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: replica.testrelm.test
BaseDN: dc=testrelm,dc=test
Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  2017-07-13 13:42:10
    Valid Until: 2037-07-13 13:42:10

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://replica.testrelm.test/ipa/json
Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638926): KDC has no support for encryption type
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

TIME: 13:51:38
ipa-client-install failed with error code=1


[root@master ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/master.testrelm.test@TESTRELM.TEST (aes256-cts-hmac-sha1-96) 
   2 host/master.testrelm.test@TESTRELM.TEST (aes128-cts-hmac-sha1-96) 
   2 host/master.testrelm.test@TESTRELM.TEST (des3-cbc-sha1) 
   2 host/master.testrelm.test@TESTRELM.TEST (arcfour-hmac) 
   2 host/master.testrelm.test@TESTRELM.TEST (camellia128-cts-cmac) 
   2 host/master.testrelm.test@TESTRELM.TEST (camellia256-cts-cmac) 


[root@replica ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/replica.testrelm.test@TESTRELM.TEST (aes256-cts-hmac-sha1-96) 
   1 host/replica.testrelm.test@TESTRELM.TEST (aes128-cts-hmac-sha1-96) 


Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7.x86_64


How reproducible:
Unknown.  This has been seen in automated tests but, I'm unsure we have reproduced it manually.

Steps to Reproduce:
1.  install ipa master with dns
2.  install ipa replica with dns
3.  point client to replica for dns
4.  stop ipa on master to make sure it's not used
5.  install ipa client 
6.  run ipa cert-request

Actual results:

ipa-client-install fails or cert-request fails

Expected results:

no failures

Additional info:
Comment 5 Scott Poore 2017-07-14 12:23:45 EDT
A little more information, 

More ipa commands than just cert-request are failing here.

It seems that on the client that's failing, if I set krb5.conf to point directly to the replica and get a new ticket, ipa commands work again.  So, it "seems" like when kerberos gets master as KDC (via DNS) and ipa client is pointed to replica, it's failing.  however, when I try to manually reproduce that on local VM's it's not failing.
Comment 7 Scott Poore 2017-07-14 14:30:04 EDT
Interesting...I see two services for replica on the broken env:

[root@master log]# ipa service-find HTTP/replica.testrelm.test@TESTRELM.TEST
------------------
2 services matched
------------------
  Principal name: HTTP/replica.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/replica.testrelm.test@TESTRELM.TEST
  Certificate: MII...
  Subject: CN=replica.testrelm.test,O=TESTRELM.TEST
  Serial Number: 12
  Serial Number (hex): 0xC
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Fri Jul 14 02:50:02 2017 UTC
  Not After: Mon Jul 15 02:50:02 2019 UTC
  Fingerprint (SHA1): 0a:7f:cc:c8:6e:05:13:2c:8a:7d:c7:89:be:ae:a0:18:89:ce:53:bd
  Fingerprint (SHA256): 17:36:1b:75:26:d2:c6:e4:8a:f5:79:31:ff:5e:ea:67:e5:49:6e:39:f5:d0:c4:63:88:af:b5:55:52:22:e0:0d
  Keytab: False

  Principal name: HTTP/replica.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/replica.testrelm.test@TESTRELM.TEST
  Keytab: True
----------------------------
Number of entries returned 2
----------------------------
[root@master log]#
Comment 9 Martin Babinsky 2017-07-18 06:53:59 EDT
We already investigated this with Michal Reznik and opened an upstream issue https://pagure.io/freeipa/issue/7041. I our case this occured in more complex multi-replica deployment. The root cause remains the same, HTTP/ principal is added multiple times (once when requesting keytab, once during cert-request) during replica install breaking framework on the replica.

However this should not happen anymore when deploying first replica. I will investigate this further but not this week as I am already tied up in other things.

Keeping needinfo flag set on this BZ so that I do not forget to return to it.
Comment 11 Petr Vobornik 2017-07-28 12:51:01 EDT
Upstream ticket:
https://pagure.io/freeipa/issue/7041
Comment 13 Praveen Varma 2018-02-08 04:08:15 EST
Nokia stated that this has become critical for them and suggested that this bz is causing issues on their installations.

Thanks,
Praveen
Escalation Manager
Comment 14 Florence Blanc-Renaud 2018-03-15 12:12:37 EDT
*** Bug 1543464 has been marked as a duplicate of this bug. ***
Comment 15 Florence Blanc-Renaud 2018-03-21 04:38:22 EDT
Fixed upstream
master:
https://pagure.io/freeipa/c/0f31564b35aac250456233f98730811560eda664
Comment 16 Florence Blanc-Renaud 2018-03-22 05:08:00 EDT
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/75d8ba8e4c9dbdec6b2a0de2a58b763e31198f04
Comment 17 Florence Blanc-Renaud 2018-03-22 06:04:54 EDT
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/490ebcea522ef12920d81dc9405c8a62ae5dcb6e

Note You need to log in before you can comment on or make changes to this bug.