Bug 1812871 - Intermittent IdM Client Registration Failures
Summary: Intermittent IdM Client Registration Failures
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: ---
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: rc
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1894575
 
Reported: 2020-03-12 12:06 UTC by Randy Rubins
Modified: 2021-05-18 15:48 UTC (History)

Fixed In Version: ipa-4.9.0-0.2.rc2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:47:50 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Randy Rubins 2020-03-12 12:06:02 UTC
Description of problem:
While performing daily CI runs, we observe IdM client registration problems approximately once every 4/5 CI runs. The environment consists of 2 IdM servers (master and replica) and ~30 IdM clients, all RHEL 7.7 systems.

Version-Release number of selected component (if applicable):
IdM server:  RHEL 7.7, rhel7/ipa-server:4.6.5-40
IdM clients: ipa-client-4.6.5-11.el7_7.3.x86_64
 
How reproducible:
The Ansible-based workflow configures the IdM master, then the IdM replica, and then 30 clients are joined via an Ansible task.


Steps to Reproduce:
1. Complete IdM master and replica setup
2. Run ipa-client-install via ansible playbook targeting about 30 IdM RHEL 7.7 clients
3. 

Actual results:
Observe some clients failing the ipa-join step due to an authentication issue (ACIError in the HTTPD error_log, and a code=17 error in the client's ipaclient-install.log).

Expected results:
All clients join IdM master or replica successfully

Additional info:

Comment 3 Florence Blanc-Renaud 2020-03-20 09:18:51 UTC
The LDAP logs for the failing enrollment show that the principal trying to add the host entry is krbprincipalname=http/<server>@<domain>,cn=services,cn=accounts,<basedn>, and the ADD fails with err=50. The LDAP server refuses to add the entry because of an ACI issue. This is normal on the LDAP server side, as http/<server> is not allowed to create host entries.

The issue is that I would expect the admin principal to perform this operation (the client is installed with admin principal). I suspect that something went wrong related to privilege separation.

In order to troubleshoot, could the customer enable debug logs for gssproxy:
- in /etc/gssproxy/gssproxy.conf:
[gssproxy]
debug = true
debug_level = 2

- restart gssproxy.service

and also enable debug log for httpd:
- in /etc/ipa/server.conf
[global]
debug = true

- restart httpd

Then try to reproduce the issue and provide an sos report from the server. The gssproxy logs will be stored in the journal, and the httpd logs in /var/log/httpd/.
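
The failure signature described in the bug description (ipa-join refused, ACIError) and in Comment 3 (host ADD by the http/<server> principal refused with err=50) can be picked out of the Directory Server access log mechanically. The script below is an added example, not code from this bug report, from FreeIPA or from Red Hat; it assumes the usual 389 Directory Server access-log line layout (conn=/op= prefixes, a RESULT line with tag=97 carrying the authenticated DN for SASL/GSSAPI binds) and the sample log lines embedded in it are constructed for illustration. It correlates each connection's bound identity with the outcome of host ADD operations and flags the combination this bug is about: err=50 on a cn=computers ADD while the connection is bound as the HTTP service principal instead of the enrolling user.

```python
"""Triage helper for the enrollment failures discussed in this bug.

Added example: not code from the bug report, from FreeIPA or from Red Hat.
It scans 389 Directory Server access-log lines (line layout assumed from
typical Directory Server output) and flags host ADD operations that were
refused with err=50 (insufficient access) on a connection whose authenticated
identity is the HTTP service principal rather than the enrolling user.
The log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: conn=101 is a healthy enrollment bound as admin,
# conn=202 shows the symptom (bound as HTTP/<server>, host ADD refused).
SAMPLE_ACCESS_LOG = """\
[12/Mar/2020:11:58:01.000000000 +0000] conn=101 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[12/Mar/2020:11:58:01.010000000 +0000] conn=101 op=0 RESULT err=0 tag=97 nentries=0 etime=0.010 dn="uid=admin,cn=users,cn=accounts,dc=testrelm,dc=test"
[12/Mar/2020:11:58:01.020000000 +0000] conn=101 op=1 ADD dn="fqdn=client01.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test"
[12/Mar/2020:11:58:01.030000000 +0000] conn=101 op=1 RESULT err=0 tag=105 nentries=0 etime=0.010
[12/Mar/2020:11:58:01.040000000 +0000] conn=101 op=2 UNBIND
[12/Mar/2020:12:06:02.000000000 +0000] conn=202 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[12/Mar/2020:12:06:02.010000000 +0000] conn=202 op=0 RESULT err=0 tag=97 nentries=0 etime=0.010 dn="krbprincipalname=HTTP/master.testrelm.test@TESTRELM.TEST,cn=services,cn=accounts,dc=testrelm,dc=test"
[12/Mar/2020:12:06:02.020000000 +0000] conn=202 op=1 ADD dn="fqdn=client07.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test"
[12/Mar/2020:12:06:02.030000000 +0000] conn=202 op=1 RESULT err=50 tag=105 nentries=0 etime=0.010
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r"\berr=(?P<err>\d+)")
# Service principals live under cn=services; HTTP/<server> is the identity that
# should never be the one creating host entries (matched case-insensitively).
HTTP_SERVICE_RE = re.compile(r"^krbprincipalname=http/[^,]*,cn=services,", re.IGNORECASE)
LDAP_INSUFFICIENT_ACCESS = 50      # LDAP result code behind "err=50"
HOST_CONTAINER = ",cn=computers,"  # host entries are added here during ipa-join


@dataclass
class FailedHostAdd:
    timestamp: str
    conn: str
    bound_as: Optional[str]   # authenticated DN on this connection, if seen
    target_dn: str
    err: int

    @property
    def privilege_separation_symptom(self) -> bool:
        """True when the ADD was refused for lack of access and the
        connection was bound as the HTTP service principal."""
        return (self.err == LDAP_INSUFFICIENT_ACCESS
                and self.bound_as is not None
                and HTTP_SERVICE_RE.match(self.bound_as) is not None)


def triage_access_log(lines: Iterable[str]) -> List[FailedHostAdd]:
    """Correlate bind identities with host ADD results per connection."""
    bound_as: Dict[str, str] = {}
    pending_adds: Dict[Tuple[str, str], str] = {}
    failures: List[FailedHostAdd] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        dn_m = DN_RE.search(rest)
        dn = dn_m.group("dn") if dn_m else ""
        if rest.startswith("BIND ") and dn:
            bound_as[conn] = dn                 # simple bind names the DN up front
        elif rest.startswith("ADD ") and HOST_CONTAINER in dn:
            pending_adds[(conn, op)] = dn       # remember the host entry being created
        elif rest.startswith("RESULT "):
            err_m = ERR_RE.search(rest)
            err = int(err_m.group("err")) if err_m else -1
            if "tag=97" in rest and dn:
                bound_as[conn] = dn             # SASL/GSSAPI bind: identity is on the RESULT line
            elif (conn, op) in pending_adds:
                target = pending_adds.pop((conn, op))
                if err != 0:
                    failures.append(FailedHostAdd(m.group("ts"), conn, bound_as.get(conn), target, err))
        elif rest.startswith("UNBIND"):
            bound_as.pop(conn, None)
    return failures


def summarize(failures: List[FailedHostAdd]) -> Dict[str, int]:
    """Counts worth putting in a ticket: failed host ADDs overall, and how
    many carry the HTTP-principal/err=50 signature from this bug."""
    return {
        "failed_host_adds": len(failures),
        "http_principal_err50": sum(1 for f in failures if f.privilege_separation_symptom),
    }


if __name__ == "__main__":
    found = triage_access_log(SAMPLE_ACCESS_LOG.splitlines())
    for f in found:
        flag = "PRIVSEP-SYMPTOM" if f.privilege_separation_symptom else "other"
        print(f"{f.timestamp} conn={f.conn} err={f.err} bound_as={f.bound_as} target={f.target_dn} [{flag}]")
    print(summarize(found))
```

On a real server the input would be the lines of the Directory Server access log rather than the embedded sample; a non-zero http_principal_err50 count on an affected release is the quickest confirmation that the enrollments failed for the reason Comment 3 describes rather than for an unrelated ACI or network problem.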

Comment 27 PALLAVI 2020-06-25 09:12:02 UTC
Removing the needinfo flag, as the logs were provided; I can see them in Comment #30 to #34.

Comment 32 Rob Crittenden 2020-11-19 15:11:19 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8589

Comment 37 anuja 2020-12-09 08:35:37 UTC
Using:
2020-12-09T08:12:29+0000 ok: [master.testrelm.test] => (item=ipa-server) => 
2020-12-09T08:12:29+0000   msg:
2020-12-09T08:12:29+0000   - arch: x86_64
2020-12-09T08:12:29+0000     epoch: null
2020-12-09T08:12:29+0000     name: ipa-server
2020-12-09T08:12:29+0000     release: 0.3.rc2.module+el8.4.0+9015+e4c6695a
2020-12-09T08:12:29+0000     source: rpm
2020-12-09T08:12:29+0000     version: 4.9.0

test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_default PASSED [ 12%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_hardended PASSED [ 25%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_password PASSED [ 37%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_reset PASSED [ 50%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_otp PASSED [ 62%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_jitter PASSED [ 75%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_jitter_otp PASSED [ 87%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_ccache_sweep PASSED [100%]

--------------------- generated xml file: /root/junit.xml ----------------------
---------------- generated html file: file:///root/report.html -----------------
========================== 8 passed in 551.62 seconds ==========================

Test ipatests/test_integration/test_krbtpolicy.py::test_ccache_sweep is passing.
Attached the logs for the reference.
Marking verified:tested

Comment 41 Nikhil Dehadrai 2020-12-21 08:41:24 UTC
Tested the bug on the basis of the observations below:

IPA version: ipa-server-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
Compose Nightly:


NON-FIPS:
----------
[GCC 8.4.1 20200928 (Red Hat 8.4.1-1)]
============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-262.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 8 items

test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_default PASSED [ 12%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_hardended PASSED [ 25%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_password PASSED [ 37%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_reset PASSED [ 50%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_otp PASSED [ 62%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_jitter PASSED [ 75%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_jitter_otp PASSED [ 87%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_ccache_sweep PASSED [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
========================== 8 passed in 493.86 seconds ==========================


FIPS:
-------
[GCC 8.4.1 20200928 (Red Hat 8.4.1-1)]
============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-262.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 8 items

test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_default PASSED [ 12%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_hardended FAILED [ 25%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_password PASSED [ 37%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_reset PASSED [ 50%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_otp PASSED [ 62%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_jitter PASSED [ 75%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_jitter_otp PASSED [ 87%]
test_integration/test_krbtpolicy.py::TestPWPolicy::test_ccache_sweep PASSED [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
=========================== short test summary info ============================
FAIL test_integration/test_krbtpolicy.py::TestPWPolicy::()::test_krbtpolicy_hardended
===================== 1 failed, 7 passed in 525.75 seconds =====================

For above FAILURE, a separate bug is FILED: bz1909630

Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED".

Comment 49 errata-xmlrpc 2021-05-18 15:47:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846

