2188567 – IPA client Kerberos configuration incompatible with java

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2188567 - IPA client Kerberos configuration incompatible with java

Summary: IPA client Kerberos configuration incompatible with java

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Deadline:	2023-05-22
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	9.1
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Florence Blanc-Renaud
QA Contact:	anuja
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-04-21 08:05 UTC by Mathieu Baudier
Modified:	2023-11-07 09:54 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ipa-4.10.2-1.el9
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-11-07 08:34:04 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-9772	None	None	None	2023-04-21 08:10:50 UTC
Red Hat Issue Tracker	RHELPLAN-155376	None	None	None	2023-04-21 08:10:55 UTC
Red Hat Product Errata	RHBA-2023:6477	None	None	None	2023-11-07 08:34:39 UTC

Description Mathieu Baudier 2023-04-21 08:05:32 UTC

Description of problem:

On a RHEL 9 host enrolled as an IPA client, Kerberos is not usable in Java.

The error message is:
  KrbException: krb5.conf loading failed

Version-Release number of selected component (if applicable):
4.10.0-8

How reproducible:
Always.

Steps to Reproduce:

1. Install IPA client packages
A file /etc/krb5.conf.d/enable_sssd_conf_dir is then indirectly added by the sssd-krb5 package, including the /var/lib/sss/pubconf/krb5.include.d/ directory.

2. Run ipa-client-install
/etc/krb5.conf is modified by the IPA installation and the /var/lib/sss/pubconf/krb5.include.d/ directory gets included again.

3. Run the standard Java JAAS sample code:
https://docs.oracle.com/en/java/javase/17/security/jaas-authentication.html

Actual results:

$ java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
Kerberos username [mbaudier]: 
Authentication failed:
  KrbException: krb5.conf loading failed

Java rejects a Kerberos configuration where the same directory is included multiple times.

Expected results:

$ java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
Kerberos username [mbaudier]: 
Kerberos password for mbaudier: 
Authentication succeeded!

Additional info:

- A workaround is to delete the file:
/etc/krb5.conf.d/enable_sssd_conf_dir
or to comment out the only line in it (starting with includedir)

- The issue is already filed upstream, with a good description of the root cause:
https://pagure.io/freeipa/issue/9267

So, the question is whether it could be patched in RHEL until it is solved upstream, as it prevents to run Java applications using the standard JAAS Kerberos layer.

- I was not aware that the issue was already filed upstream and first raised it to Debian with my own debugging:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034659

Comment 1 Alexander Bokovoy 2023-04-21 08:29:30 UTC

We work by 'upstream first' policy, so RHEL will only get the change once we merged it upstream.

Any upstream contribution is always welcome.

Timo Aaltonen (Debian/Ubuntu maintainer) promised to create a PR too, so we'd wait for that.

Comment 2 Mathieu Baudier 2023-04-21 09:51:56 UTC

Ok, I will be available to test as soon as a fix is available!

Comment 3 Florence Blanc-Renaud 2023-04-27 06:54:00 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/a83ae63578124a6cf101d3609213bedb9a66813d

Comment 4 Mathieu Baudier 2023-04-27 10:05:37 UTC

Many thanks to everyone involved!

I have tested on an up-to-date Fedora 37 (systemd container on my RHEL 9 workstation) and I confirm that this fixes the issue.

The procedure was:
- rebuild the master branch of FreeIPA (following instructions from https://www.freeipa.org/page/Build)
- update the FreeIPA client packages with the locally built packages
- test that the existing IPA client is now working (the Java Kerberos samples do not fail with 'KrbException: krb5.conf loading failed')
- uninstall the IPA client (ipa-client-install --uninstall)
- re-enroll the IPA client
- test that the existing IPA client is now working (the Java Kerberos samples do not fail with 'KrbException: krb5.conf loading failed')

So, it means that both existing and new IPA clients are now working.

If this fix get merged in other branches, I am available to test it on CentOS Stream 9 or RHEL 9.

Comment 5 Florence Blanc-Renaud 2023-04-28 07:53:03 UTC

Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/fe22e7d5cfa380e563a37e45cfd7dae75dde79b3

ipa-4-10:
https://pagure.io/freeipa/c/bdb77a3d810837e3e349ce6b5625662be281f2cd

Comment 6 Mathieu Baudier 2023-05-04 06:28:00 UTC

I did not manage to rebuild these branches (neither on RHEL Beta, CentOS Stream, nor Alma Linux) because some build dependencies are missings (e.g. the development files for 389-ds or libsss_idmap, etc.)

If it can be useful, I can invest more time trying to test this fix, but I would need some help.
Or I can simply wait for it to become available in CentOS Stream.

Comment 11 Florence Blanc-Renaud 2023-06-09 08:06:56 UTC

Test added upstream
master:
https://pagure.io/freeipa/c/d7a27a24b92b85afde0bccbaaa09a3191c91c8c2

The new test is in ipatests/test_integration/test_installation_client.py::TestInstallClient::test_client_install_with_krb5

Comment 12 Florence Blanc-Renaud 2023-06-09 15:16:38 UTC

Test added upstream
ipa-4-9:
https://pagure.io/freeipa/c/1b51fa4cb07380d1102891233e85a7940f804c72

Comment 13 Rob Crittenden 2023-06-09 20:25:19 UTC

Test added upstream
ipa-4-10:
https://pagure.io/freeipa/c/8d34f453fb139c4cef055a4963f307a760316a73

Comment 16 anuja 2023-06-22 10:02:36 UTC

Verified using nightly build:

2023-06-22T09:43:24+0000   - arch: x86_64
2023-06-22T09:43:24+0000     epoch: null
2023-06-22T09:43:24+0000     name: ipa-server
2023-06-22T09:43:24+0000     release: 1.el9
2023-06-22T09:43:24+0000     source: rpm
2023-06-22T09:43:24+0000     version: 4.10.2


/etc/krb5.conf does _not_ have the line "includedir /var/lib/sss/pubconf/krb5.include.d/".

2023-06-22T09:51:48+0000 + cat /etc/krb5.conf
2023-06-22T09:51:48+0000 #File modified by ipa-client-install
2023-06-22T09:51:48+0000 
2023-06-22T09:51:48+0000 includedir /etc/krb5.conf.d/
2023-06-22T09:51:48+0000 [libdefaults]
2023-06-22T09:51:48+0000   default_realm = IPA.TEST
2023-06-22T09:51:48+0000   dns_lookup_realm = true
2023-06-22T09:51:48+0000   rdns = false
2023-06-22T09:51:48+0000   dns_canonicalize_hostname = false
2023-06-22T09:51:48+0000   dns_lookup_kdc = true
2023-06-22T09:51:48+0000   ticket_lifetime = 24h
2023-06-22T09:51:48+0000   forwardable = true
2023-06-22T09:51:48+0000   udp_preference_limit = 0
2023-06-22T09:51:48+0000   default_ccache_name = KEYRING:persistent:%{uid}
2023-06-22T09:51:48+0000 
2023-06-22T09:51:48+0000 
2023-06-22T09:51:48+0000 [realms]
2023-06-22T09:51:48+0000   IPA.TEST = {
2023-06-22T09:51:48+0000     pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
2023-06-22T09:51:48+0000     pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
2023-06-22T09:51:48+0000 
2023-06-22T09:51:48+0000   }
2023-06-22T09:51:48+0000 
2023-06-22T09:51:48+0000 
2023-06-22T09:51:48+0000 [domain_realm]
2023-06-22T09:51:48+0000   .ipa.test = IPA.TEST
2023-06-22T09:51:48+0000   ipa.test = IPA.TEST
2023-06-22T09:51:48+0000   client.ipa.test = IPA.TEST

Comment 18 errata-xmlrpc 2023-11-07 08:34:04 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6477

Note You need to log in before you can comment on or make changes to this bug.