Bug 1868207 - krb5-libs-1.18.2-19.fc32.x86_64 breaks FreeIPA replication
Summary: krb5-libs-1.18.2-19.fc32.x86_64 breaks FreeIPA replication
Keywords:
Status: CLOSED DUPLICATE of bug 1868482
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: 32
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Robbie Harwood
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-08-12 02:09 UTC by Anthony Messina
Modified: 2020-08-13 16:20 UTC (History)
6 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-08-13 16:20:24 UTC
Type: Bug
Embargoed:
Description Anthony Messina 2020-08-12 02:09:00 UTC
After upgrading to krb5-libs-1.18.2-19.fc32.x86_64 on my Fedora 32 FreeIPA instances, replication between masters breaks and the ns-slapd server is missing the REALM in credential selection.

ns-slapd[3778]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Matching credential not found)

[11/Aug/2020:20:07:42.841467368 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.example.com@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))

Adding the following from /etc/krb5.conf.rpmnew to /etc/krb5.conf does not work:

qualify_shortname = ""
dns_canonicalize_hostname = fallback

but adding the following works:

dns_canonicalize_hostname = false

and then we get the proper credential selection (the "cannot find KDC" error resolves after the system is fully up and running).

[09/Aug/2020:09:31:11.271124536 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.example.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

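The two ns-slapd log lines above carry the whole diagnosis: the principal shows a trailing "@" with nothing after it (an empty realm, not a missing one), and the numeric krb5 error code is a fixed offset from the com_err table base. The following Python script is an added example, not code from the bug report or from FreeIPA/389-ds; it parses `set_krb5_creds` lines, flags empty-realm principals, and decodes the code to its krb5 symbol. The error-name table is an assumption limited to the handful of codes a practitioner would expect here (the offsets match the values visible on this page: 60 for "Generic error", 156 for "Cannot contact any KDC"). The sample log lines are constructed for the example.

```python
import re
from typing import Optional

# libkrb5 error codes are com_err codes: KRB5KDC_ERR_NONE is the table base
# and every other code in krb5_err.et is a small positive offset from it.
# -1765328359 ("Additional pre-authentication required") is base + 25, for instance.
KRB5_ERR_BASE = -1765328384

# Assumed subset of the krb5 error table; only the offsets needed here.
KRB5_ERR_NAMES = {
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    60: "KRB5KRB_ERR_GENERIC",          # "Generic error (see e-text)"
    154: "KRB5_REALM_UNKNOWN",
    156: "KRB5_KDC_UNREACH",            # "Cannot contact any KDC for requested realm"
}


def krb5_error_name(code: int) -> str:
    """Map a raw negative krb5 error code to its symbolic name (or offset)."""
    offset = code - KRB5_ERR_BASE
    return KRB5_ERR_NAMES.get(offset, f"krb5 error offset {offset}")


# 389-ds error-log line emitted by set_krb5_creds, as quoted in the report.
SLAPD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - ERR - set_krb5_creds - "
    r"Could not get initial credentials for principal "
    r"\[(?P<principal>[^\]]*)\] in keytab \[(?P<keytab>[^\]]*)\]: "
    r"(?P<code>-?\d+) \((?P<text>.*)\)\s*$"
)


def split_principal(principal: str):
    """Return (name, realm).

    realm is None when the principal has no '@' at all (libkrb5 will fill in
    the default realm), and '' when '@' is present but empty, which is the
    broken shape seen in the report.
    """
    if "@" not in principal:
        return principal, None
    name, _, realm = principal.rpartition("@")
    return name, realm


def analyze_slapd_line(line: str) -> Optional[dict]:
    """Parse one set_krb5_creds error line; return None for unrelated lines."""
    m = SLAPD_RE.search(line)
    if not m:
        return None
    name, realm = split_principal(m.group("principal"))
    code = int(m.group("code"))
    return {
        "timestamp": m.group("ts"),
        "principal": name,
        "realm": realm,
        "empty_realm": realm == "",
        "keytab": m.group("keytab"),
        "code": code,
        "error": krb5_error_name(code),
        "text": m.group("text"),
    }


def find_empty_realm_failures(lines) -> list:
    """Detection pass: every set_krb5_creds failure whose principal has an empty realm."""
    hits = []
    for line in lines:
        rec = analyze_slapd_line(line)
        if rec and rec["empty_realm"]:
            hits.append(rec)
    return hits


# Constructed sample log lines: the two from the report plus an unrelated line.
SAMPLE_LINES = [
    "[11/Aug/2020:20:07:42.841467368 -0500] - ERR - set_krb5_creds - Could not get initial "
    "credentials for principal [ldap/ipa.example.com@] in keytab [FILE:/etc/dirsrv/ds.keytab]: "
    "-1765328324 (Generic error (see e-text))",
    "[09/Aug/2020:09:31:11.271124536 -0500] - ERR - set_krb5_creds - Could not get initial "
    "credentials for principal [ldap/ipa.example.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: "
    "-1765328228 (Cannot contact any KDC for requested realm)",
    "[09/Aug/2020:09:31:12.000000000 -0500] - INFO - main - 389-Directory/1.4.3 starting up",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = analyze_slapd_line(line)
        if rec:
            flag = "EMPTY REALM" if rec["empty_realm"] else "ok"
            print(f"{rec['timestamp']}: {rec['principal']} realm={rec['realm']!r} "
                  f"{rec['error']} [{flag}]")
```

Run against the live `/var/log/dirsrv/slapd-*/errors` file, the script separates the two failure modes the report mixes: an `empty_realm` hit is a canonicalization/config problem on the client side, while `KRB5_KDC_UNREACH` with a realm-less principal is just the KDC not being up yet, which the reporter notes clears once the system is fully running.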
Comment 1 Robbie Harwood 2020-08-12 16:48:01 UTC
Hi Anthony, can you do the following for me:

klist -ekt /etc/dirsrv/ds.keytab
KRB5_TRACE=/dev/stderr kinit -kt /etc/dirsrv/ds.keytab ldap/ipa.example.com
klist -e # unless the previous failed, at which point don't bother

(kinit some other user)
kvno ldap/ipa.example.com

Comment 2 Anthony Messina 2020-08-12 18:13:57 UTC
Sure.  The following works (with or without the upgrade).  The errors with the missing REALM above are from ns-slapd's error log.

[root@ipa ~]# klist -ekt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/18/20 10:59:16 ldap/ipa.example.com (aes256-cts-hmac-sha1-96) 
   1 01/18/20 10:59:16 ldap/ipa.example.com (aes128-cts-hmac-sha1-96) 

[root@ipa ~]# KRB5_TRACE=/dev/stderr kinit -kt /etc/dirsrv/ds.keytab ldap/ipa.example.com
[1035] 1597255303.196623: Getting initial credentials for ldap/ipa.example.com
[1035] 1597255303.196624: Found entries for ldap/ipa.example.com in keytab: aes256-cts, aes128-cts
[1035] 1597255303.196626: Sending unauthenticated request
[1035] 1597255303.196627: Sending request (200 bytes) to EXAMPLE.COM
[1035] 1597255303.196628: Initiating TCP connection to stream 10.1.1.85:88
[1035] 1597255303.196629: Sending TCP request to stream 10.1.1.85:88
[1035] 1597255303.196630: Received answer (526 bytes) from stream 10.1.1.85:88
[1035] 1597255303.196631: Terminating TCP connection to stream 10.1.1.85:88
[1035] 1597255303.196632: Response was from master KDC
[1035] 1597255303.196633: Received error from KDC: -1765328359/Additional pre-authentication required
[1035] 1597255303.196636: Preauthenticating using KDC method data
[1035] 1597255303.196637: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1035] 1597255303.196638: Selected etype info: etype aes256-cts, salt "q9K>C2V\xE17O[m4", params ""
[1035] 1597255303.196639: Received cookie: MIT1\x00\x00\x00\x01`\xf8\xf4\x03^\xd4x&[\x9c\xfe\x9bLJ\xbe\xff\xd3\xea`\x85\xf4\xf3>u\xbb\xb6\xba(\x1d\x10\xa4\x12\xfb\x8e\xabv\x05\x1a\xf3\x19\xb8R\xae\xab4\x95\xc1\xca\x94 \xf6\xbe&\xb3\x10\x82\x1e{\x85\xa5IIX\x1d\x84\x97:\xe6*q\x1e\xf9b\x15B\x80T\xea/z\xd4\xb2WV7\x97\x9e\x8e\xb8a-\xc08)\xd6\x0bg\xd6\x9dg\xaf>\x0d\x99\xb0\x04\xd9\x0c\xceN\x98a\x93Z\x0fMN\x7ft\xcf\xc2*\xc7\xa90\xd0\x94\x9d\xc8*
[1035] 1597255303.196640: PKINIT client has no configured identity; giving up
[1035] 1597255303.196641: Preauth module pkinit (147) (info) returned: 0/Success
[1035] 1597255303.196642: PKINIT client received freshness token from KDC
[1035] 1597255303.196643: Preauth module pkinit (150) (info) returned: 0/Success
[1035] 1597255303.196644: PKINIT client has no configured identity; giving up
[1035] 1597255303.196645: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[1035] 1597255303.196646: SPAKE challenge received with group 1, pubkey 1A12A8D30A893F126B279968D6F79146A2FF052EC75B57D4E4F28127FA80A743
[1035] 1597255303.196647: Retrieving ldap/ipa.example.com from FILE:/etc/dirsrv/ds.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[1035] 1597255303.196648: SPAKE key generated with pubkey 867D0A72B9E85672EF17C68B85019719A8B5154DB5248565948D74515A4C189B
[1035] 1597255303.196649: SPAKE algorithm result: B044C515A0580719782FD0DDA4FD9A135586ABC33AAC83140D81FF4466800FAC
[1035] 1597255303.196650: SPAKE final transcript hash: 6A1D7067F5B9273FDB2733BAEADDF8A90EF00350E75DA7B9B5182C2D41B004A1
[1035] 1597255303.196651: Sending SPAKE response
[1035] 1597255303.196652: Preauth module spake (151) (real) returned: 0/Success
[1035] 1597255303.196653: Produced preauth for next request: PA-FX-COOKIE (133), PA-SPAKE (151)
[1035] 1597255303.196654: Sending request (459 bytes) to EXAMPLE.COM
[1035] 1597255303.196655: Initiating TCP connection to stream 10.1.1.85:88
[1035] 1597255303.196656: Sending TCP request to stream 10.1.1.85:88
[1035] 1597255303.196657: Received answer (833 bytes) from stream 10.1.1.85:88
[1035] 1597255303.196658: Terminating TCP connection to stream 10.1.1.85:88
[1035] 1597255303.196659: Response was from master KDC
[1035] 1597255303.196660: AS key determined by preauth: aes256-cts/93E8
[1035] 1597255303.196661: Decrypted AS reply; session key is: aes256-cts/4F27
[1035] 1597255303.196662: FAST negotiation: available
[1035] 1597255303.196663: Initializing FILE:/tmp/krb5cc_0 with default princ ldap/ipa.example.com
[1035] 1597255303.196664: Storing ldap/ipa.example.com -> krbtgt/EXAMPLE.COM in FILE:/tmp/krb5cc_0
[1035] 1597255303.196665: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/EXAMPLE.COM: fast_avail: yes
[1035] 1597255303.196666: Storing ldap/ipa.example.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF: in FILE:/tmp/krb5cc_0
[1035] 1597255303.196667: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/EXAMPLE.COM: pa_type: 151
[1035] 1597255303.196668: Storing ldap/ipa.example.com -> krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF: in FILE:/tmp/krb5cc_0

[root@ipa ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldap/ipa.example.com

Valid starting     Expires            Service principal
08/12/20 13:01:43  08/13/20 13:01:43  krbtgt/EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
[root@ipa ~]# kinit admin
Password for admin: 

[root@ipa ~]# kvno ldap/ipa.messinet.com
ldap/ipa.messinet.com: kvno = 1

Comment 3 Robbie Harwood 2020-08-13 16:20:24 UTC
Thanks.  For triage reasons I'm merging this with the other one.

*** This bug has been marked as a duplicate of bug 1868482 ***