Bug 1891932 - GSSAPI Proxy Daemon unable to handle renewed /etc/krb5.keytab
Summary: GSSAPI Proxy Daemon unable to handle renewed /etc/krb5.keytab
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Authentication
Version: 6.7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Omkar Khatavkar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-10-27 17:30 UTC by Amar Huchchanavar
Modified: 2022-10-28 18:01 UTC (History)
CC: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-10-28 18:01:59 UTC
Target Upstream Version:
Embargoed:




Links
System ID: Foreman Issue Tracker 31700
Private: 0
Priority: Normal
Status: New
Summary: GSSAPI Proxy Daemon unable to handle renewed /etc/krb5.keytab
Last Updated: 2021-02-18 15:35:05 UTC

Description Amar Huchchanavar 2020-10-27 17:30:57 UTC
Description of problem:

Direct Auth configuration with AD stops working after 30 days. 

When the system renews /etc/krb5.keytab or has a new KVNO on the system, GSS-Proxy is unable to detect the new changes.
Due to this issue, AD user authentication does not work after 30 days.

Version-Release number of selected component (if applicable):
Customer Env:
$ less installed-rpms |egrep "satellite-6|gssproxy"
gssproxy-0.7.0-28.el7.x86_64                                Wed Jun  3 17:42:58 2020
satellite-6.7.0-7.el7sat.noarch                             Wed Jun  3 17:38:40 2020

Test Env:
rpm -qa |egrep "satellite-6|gssproxy"
satellite-6.7.3-1.el7sat.noarch
gssproxy-0.7.0-29.el7.x86_64

How reproducible:
Always (positive results with above mentioned PKGs/version)

Steps to Reproduce:
1. Configure AD direct auth - https://access.redhat.com/documentation/en-us/red_hat_satellite/6.7/html/administering_red_hat_satellite/chap-red_hat_satellite-administering_red_hat_satellite-configuring_external_authentication#gss-proxy_admin

2. To get a new KVNO:
   a. # realm leave REALM-NAME
   b. # realm join

3. Verify the KVNO numbers:
   a. klist -kt /etc/httpd/conf/http.keytab
   b. klist -kt /etc/krb5.keytab

Example:
#klist -kt /etc/httpd/conf/http.keytab 
Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 10/16/2020 01:47:13 HTTP/satellite.example.com.COM
   3 10/16/2020 01:47:13 HTTP/SATELLITE-HOST.COM
   3 10/16/2020 01:47:13 HTTP/satellite.example.com.COM
   3 10/16/2020 01:47:13 HTTP/SATELLITE-HOST.COM
   3 10/16/2020 01:47:13 HTTP/satellite.example.com.COM
   3 10/16/2020 01:47:13 HTTP/SATELLITE-HOST.COM
   3 10/16/2020 01:47:13 HTTP/satellite.example.com.COM
   3 10/16/2020 01:47:13 HTTP/SATELLITE-HOST.COM
   3 10/16/2020 01:47:13 HTTP/satellite.example.com.COM
   3 10/16/2020 01:47:13 HTTP/SATELLITE-HOST.COM
 
#klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 10/27/2020 22:19:39 SATELLITE-HOST.COM
   5 10/27/2020 22:19:39 SATELLITE-HOST.COM
   5 10/27/2020 22:19:39 SATELLITE-HOST.COM
   5 10/27/2020 22:19:39 host/SATELLITE-HOST.COM
   5 10/27/2020 22:19:39 host/SATELLITE-HOST.COM
   5 10/27/2020 22:19:39 host/SATELLITE-HOST.COM
   5 10/27/2020 22:19:39 host/satellite.example.com.COM
   5 10/27/2020 22:19:39 host/satellite.example.com.COM
   5 10/27/2020 22:19:39 host/satellite.example.com.COM

4. # systemctl restart gssproxy.service

5. Try to log in with an AD user on the Satellite UI. Result: the login fails.


Actual results:
AD user authentication on the Satellite WebUI fails after 30 days.

Why after 30 days?
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-auto-keytab-renewal
~~~
SSSD automatically renews the Kerberos host keytab file in an AD environment if the adcli package is installed. The daemon checks daily if the machine account password is older than the configured value and renews it if necessary.
The default renewal interval is 30 days. To change the default:

    Add the following parameter to the AD provider in your /etc/sssd/sssd.conf file:

    ad_maximum_machine_account_password_age = value_in_days
~~~

Expected results:
gssproxy should take the necessary actions to handle the renewed /etc/krb5.keytab.

Additional info:

Logs:
Oct 27 22:19:40 achadha-rhsat sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Oct 27 22:19:40 achadha-rhsat sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
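An added example, not from this report and not part of gssproxy or Satellite: POSIX shell helpers an operator can use to spot the situation described above, namely a keytab that SSSD/adcli has renewed (new KVNO in /etc/krb5.keytab) after the consuming daemon started. The klist -kt listings embedded below are constructed samples modelled on the ones in the description (principal names shortened, EXAMPLE.COM is a placeholder realm). The report_live function is for use on a real host and assumes GNU stat, GNU date -d, a systemd unit that is currently active (so ActiveEnterTimestamp is set), and klist from krb5-workstation.

```shell
#!/bin/sh
# Added example, not part of the bug report or of gssproxy/Satellite.
# Helpers for noticing an SSSD/adcli keytab renewal (new KVNO) that a
# long-running consumer such as gssproxy may not have picked up.

# Constructed sample `klist -kt` listings (placeholder realm EXAMPLE.COM).
SAMPLE_HTTP_KEYTAB='Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 10/16/2020 01:47:13 HTTP/satellite.example.com@EXAMPLE.COM
   3 10/16/2020 01:47:13 HTTP/SATELLITE-HOST@EXAMPLE.COM'

SAMPLE_HOST_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 09/27/2020 22:19:39 host/satellite.example.com@EXAMPLE.COM
   5 10/27/2020 22:19:39 SATELLITE-HOST$@EXAMPLE.COM
   5 10/27/2020 22:19:39 host/SATELLITE-HOST@EXAMPLE.COM
   5 10/27/2020 22:19:39 host/satellite.example.com@EXAMPLE.COM'

# max_kvno: read a `klist -kt` listing on stdin and print its highest KVNO.
# Entry lines begin with a numeric KVNO; the header and separator lines do not.
max_kvno() {
    awk '$1 ~ /^[0-9]+$/ { if ($1 + 0 > m) m = $1 + 0 } END { print m + 0 }'
}

# kvno_of PRINCIPAL: print the highest KVNO recorded for one principal
# (exact match on the fourth column); prints 0 when the principal is absent.
kvno_of() {
    awk -v p="$1" \
        '$1 ~ /^[0-9]+$/ && $4 == p { if ($1 + 0 > m) m = $1 + 0 } END { print m + 0 }'
}

# keytab_renewed_since KEYTAB_MTIME SERVICE_START: both in epoch seconds.
# Succeeds when the keytab was modified after the service started, i.e. the
# running daemon may still be holding the previous key version.
keytab_renewed_since() {
    keytab_mtime=$1
    service_start=$2
    [ "$keytab_mtime" -gt "$service_start" ]
}

# report_live [KEYTAB] [UNIT]: live check on a host (not run here).
# Assumes GNU stat/date, an active systemd unit, and klist on PATH.
report_live() {
    kt=${1:-/etc/krb5.keytab}
    unit=${2:-gssproxy.service}
    mtime=$(stat -c %Y "$kt")
    started=$(systemctl show -p ActiveEnterTimestamp "$unit" | cut -d= -f2-)
    started_epoch=$(date -d "$started" +%s)
    printf '%s max KVNO: %s\n' "$kt" "$(klist -kt "$kt" | max_kvno)"
    if keytab_renewed_since "$mtime" "$started_epoch"; then
        echo "WARNING: $kt changed after $unit started; the daemon may be using an older KVNO"
    fi
}

# Offline demonstration on the constructed samples.
echo "http.keytab max KVNO: $(printf '%s\n' "$SAMPLE_HTTP_KEYTAB" | max_kvno)"
echo "krb5.keytab max KVNO: $(printf '%s\n' "$SAMPLE_HOST_KEYTAB" | max_kvno)"
```

On a host, report_live /etc/krb5.keytab gssproxy.service prints the keytab's current highest KVNO and warns when the file postdates the daemon's start. Note that the reporter's steps show the login still failing after a gssproxy restart, so the warning flags the renewal event for investigation rather than implying a restart will repair authentication.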

Comment 6 Ondřej Ezr 2021-01-21 10:05:58 UTC
Created redmine issue https://projects.theforeman.org/issues/31700 from this bug

Comment 13 Brad Buckingham 2022-09-02 20:25:18 UTC
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.

Comment 14 Brad Buckingham 2022-09-02 20:31:26 UTC
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.

Comment 15 Brad Buckingham 2022-10-28 18:01:59 UTC
Thank you for your interest in Red Hat Satellite. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this feel free to contact your Red Hat Account Team. Thank you.

