Bug 1565520 - ipa client pointing to replica shows KDC has no support for encryption type [rhel-7.5.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On: 1470916
Blocks:
Reported: 2018-04-10 08:19 UTC by Oneata Mircea Teodor
Modified: 2018-05-14 16:11 UTC
CC List: 18 users

Fixed In Version: ipa-4.5.4-10.el7_5.1
Doc Type: Bug Fix
Doc Text:
Previously, a replication conflict could happen when running the ipa-replica-install utility in specific timing conditions. Due to the conflict, two service principals were created for the http/replica service. As a consequence, ipa-replica-install failed with the "KDC has no support for encryption type." error message. With this update, ipa-replica-install consistently communicates with a single master to create the service principal and the service keytab, which prevents potential replication conflicts. As a result, ipa-replica-install succeeds.
Clone Of: 1470916
Environment:
Last Closed: 2018-05-14 16:11:15 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:1395 None None None 2018-05-14 16:11:38 UTC

Description Oneata Mircea Teodor 2018-04-10 08:19:57 UTC
This bug has been copied from bug #1470916 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 3 Mohammad Rizwan 2018-04-16 09:31:45 UTC
Version:
ipa-client-4.5.4-10.el7_5.1.x86_64
ipa-server-4.5.4-10.el7_5.1.x86_64
ipa-server-dns-4.5.4-10.el7_5.1.noarch

Steps:
1.  install ipa master with dns
2.  install ipa replica with dns
3.  point client to replica for dns
    $ echo "nameserver <replica-ip>" >> /etc/resolv.conf  (on client)

4.  stop ipa on master to make sure it's not used
5.  install ipa client
6.  run ipa cert-request

Actual result:

[root@client ~]# ipa cert-request --principal=HTTP/client.testrelm.test http-func-services.csr
  Issuing CA: ipa
  Certificate: [certificate data removed]
  Subject: CN=client.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: client.testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Mon Apr 16 09:20:58 2018 UTC
  Not After: Thu Apr 16 09:20:58 2020 UTC
  Serial number: 268369922
  Serial number (hex): 0xFFF0002


Expected result:
no failures. cert-request success

Comment 8 Mohammad Rizwan 2018-04-18 15:14:37 UTC
Based on comment #3, marking the bug as verified.

Comment 11 errata-xmlrpc 2018-05-14 16:11:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1395

