Bug 2188567
| Summary: | IPA client Kerberos configuration incompatible with java | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Mathieu Baudier <mbaudier> |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
| Status: | CLOSED ERRATA | QA Contact: | anuja <amore> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.1 | CC: | abokovoy, amore, frenaud, rcritten, sumenon, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.10.2-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-11-07 08:34:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Deadline: | 2023-05-22 | | |

Description
Mathieu Baudier
2023-04-21 08:05:32 UTC
We work by 'upstream first' policy, so RHEL will only get the change once we have merged it upstream. Any upstream contribution is always welcome. Timo Aaltonen (Debian/Ubuntu maintainer) promised to create a PR too, so we'd wait for that.

Ok, I will be available to test as soon as a fix is available!

Fixed upstream master: https://pagure.io/freeipa/c/a83ae63578124a6cf101d3609213bedb9a66813d

Many thanks to everyone involved! I have tested on an up-to-date Fedora 37 (systemd container on my RHEL 9 workstation) and I confirm that this fixes the issue. The procedure was:

- rebuild the master branch of FreeIPA (following instructions from https://www.freeipa.org/page/Build)
- update the FreeIPA client packages with the locally built packages
- test that the existing IPA client is now working (the Java Kerberos samples do not fail with 'KrbException: krb5.conf loading failed')
- uninstall the IPA client (ipa-client-install --uninstall)
- re-enroll the IPA client
- test that the existing IPA client is now working (the Java Kerberos samples do not fail with 'KrbException: krb5.conf loading failed')

So, it means that both existing and new IPA clients are now working. If this fix gets merged in other branches, I am available to test it on CentOS Stream 9 or RHEL 9.

Fixed upstream ipa-4-9: https://pagure.io/freeipa/c/fe22e7d5cfa380e563a37e45cfd7dae75dde79b3 ipa-4-10: https://pagure.io/freeipa/c/bdb77a3d810837e3e349ce6b5625662be281f2cd

I did not manage to rebuild these branches (neither on RHEL Beta, CentOS Stream, nor Alma Linux) because some build dependencies are missing (e.g. the development files for 389-ds or libsss_idmap, etc.). If it can be useful, I can invest more time trying to test this fix, but I would need some help. Or I can simply wait for it to become available in CentOS Stream.

Test added upstream master: https://pagure.io/freeipa/c/d7a27a24b92b85afde0bccbaaa09a3191c91c8c2 The new test is in ipatests/test_integration/test_installation_client.py::TestInstallClient::test_client_install_with_krb5

Test added upstream ipa-4-9: https://pagure.io/freeipa/c/1b51fa4cb07380d1102891233e85a7940f804c72

Test added upstream ipa-4-10: https://pagure.io/freeipa/c/8d34f453fb139c4cef055a4963f307a760316a73

Verified using nightly build:
2023-06-22T09:43:24+0000 - arch: x86_64
2023-06-22T09:43:24+0000 epoch: null
2023-06-22T09:43:24+0000 name: ipa-server
2023-06-22T09:43:24+0000 release: 1.el9
2023-06-22T09:43:24+0000 source: rpm
2023-06-22T09:43:24+0000 version: 4.10.2
/etc/krb5.conf does _not_ have the line "includedir /var/lib/sss/pubconf/krb5.include.d/".
2023-06-22T09:51:48+0000 + cat /etc/krb5.conf
2023-06-22T09:51:48+0000 #File modified by ipa-client-install
2023-06-22T09:51:48+0000
2023-06-22T09:51:48+0000 includedir /etc/krb5.conf.d/
2023-06-22T09:51:48+0000 [libdefaults]
2023-06-22T09:51:48+0000 default_realm = IPA.TEST
2023-06-22T09:51:48+0000 dns_lookup_realm = true
2023-06-22T09:51:48+0000 rdns = false
2023-06-22T09:51:48+0000 dns_canonicalize_hostname = false
2023-06-22T09:51:48+0000 dns_lookup_kdc = true
2023-06-22T09:51:48+0000 ticket_lifetime = 24h
2023-06-22T09:51:48+0000 forwardable = true
2023-06-22T09:51:48+0000 udp_preference_limit = 0
2023-06-22T09:51:48+0000 default_ccache_name = KEYRING:persistent:%{uid}
2023-06-22T09:51:48+0000
2023-06-22T09:51:48+0000
2023-06-22T09:51:48+0000 [realms]
2023-06-22T09:51:48+0000 IPA.TEST = {
2023-06-22T09:51:48+0000 pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
2023-06-22T09:51:48+0000 pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
2023-06-22T09:51:48+0000
2023-06-22T09:51:48+0000 }
2023-06-22T09:51:48+0000
2023-06-22T09:51:48+0000
2023-06-22T09:51:48+0000 [domain_realm]
2023-06-22T09:51:48+0000 .ipa.test = IPA.TEST
2023-06-22T09:51:48+0000 ipa.test = IPA.TEST
2023-06-22T09:51:48+0000 client.ipa.test = IPA.TEST
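As an added example (not FreeIPA, SSSD or Red Hat code), the following Python script repeats the check performed in the verification above on any client: it walks the krb5.conf include chain, following `include` and `includedir` directives the way the krb5 library resolves them, and reports whether the top-level file itself still carries the `includedir /var/lib/sss/pubconf/krb5.include.d/` line that the fix removed. It makes no claim about why Java's own parser failed. The sample config tree it writes under a temporary directory is constructed, the drop-in file names are chosen here, and the file-name filter for `includedir` entries is an assumption modelled on krb5.conf(5), as noted in the comments.

```python
"""Walk a krb5.conf include chain and report its include/includedir directives.

Added example for this bug page; not FreeIPA, SSSD or Red Hat code. The
sample config tree written below is constructed, and the file-name filter
applied to includedir entries is an assumption modelled on krb5.conf(5).
"""
import os
import re
import tempfile

# Directive the fix removed from the top-level /etc/krb5.conf (from the verification output).
SSSD_INCLUDEDIR = "/var/lib/sss/pubconf/krb5.include.d/"

# Assumption: entries in an includedir are only loaded when their name consists of
# alphanumerics, '-' and '_', optionally ending in '.conf' (the krb5.conf(5) rule).
_ENTRY_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.conf)?$")
_DIRECTIVE = re.compile(r"^(include|includedir)\s+(\S+)\s*$")


def walk_includes(path, seen=None):
    """Return [(source_file, directive, target), ...] for every include or
    includedir directive reachable from `path`, following them recursively.
    Missing or unreadable files are skipped rather than treated as fatal."""
    seen = set() if seen is None else seen
    found = []
    if path in seen or not os.path.isfile(path):
        return found
    seen.add(path)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    except OSError:
        return found
    for raw in lines:
        m = _DIRECTIVE.match(raw.strip())
        if not m:
            continue
        directive, target = m.group(1), m.group(2)
        found.append((path, directive, target))
        if directive == "include":
            found.extend(walk_includes(target, seen))
        elif os.path.isdir(target):
            for name in sorted(os.listdir(target)):
                if _ENTRY_NAME.match(name):
                    found.extend(walk_includes(os.path.join(target, name), seen))
    return found


def top_level_has_sssd_includedir(conf_path):
    """The check from the verification step: does the top-level file itself
    (not an included drop-in) still contain the sssd includedir line?"""
    wanted = SSSD_INCLUDEDIR.rstrip("/")
    return any(src == conf_path and directive == "includedir" and target.rstrip("/") == wanted
               for src, directive, target in walk_includes(conf_path))


def build_sample(root, with_sssd_line):
    """Write a constructed client config tree under `root` and return the path
    of its krb5.conf. The layout mimics the file shown in the bug; the drop-in
    names are chosen by this example."""
    confd = os.path.join(root, "krb5.conf.d")
    os.makedirs(confd)
    with open(os.path.join(confd, "example_dropin"), "w") as fh:
        fh.write("[libdefaults]\n  spake_preauth_groups = edwards25519\n")
    # A '.rpmnew' leftover fails the name filter, so its directive must never be followed.
    with open(os.path.join(confd, "ignored.rpmnew"), "w") as fh:
        fh.write("includedir /should/not/be/followed\n")
    lines = ["#File modified by ipa-client-install", "", "includedir %s/" % confd]
    if with_sssd_line:
        lines.append("includedir %s" % SSSD_INCLUDEDIR)  # the pre-fix layout
    lines += ["[libdefaults]", "  default_realm = IPA.TEST"]
    conf = os.path.join(root, "krb5.conf")
    with open(conf, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return conf


def demo():
    """Run the check against a pre-fix and a post-fix layout; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        before = build_sample(os.path.join(tmp, "before"), with_sssd_line=True)
        after = build_sample(os.path.join(tmp, "after"), with_sssd_line=False)
        return {
            "before_flagged": top_level_has_sssd_includedir(before),
            "after_flagged": top_level_has_sssd_includedir(after),
            "after_targets": [t for _, _, t in walk_includes(after)],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

To run it against a real client, call `walk_includes("/etc/krb5.conf")` and `top_level_has_sssd_includedir("/etc/krb5.conf")` instead of `demo()`; the walker lists every file that contributes an include directive, which is the quickest way to see whether a stale line survived an upgrade outside the file ipa-client-install rewrites.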
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ipa bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:6477