RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2188567 - IPA client Kerberos configuration incompatible with java
Summary: IPA client Kerberos configuration incompatible with java
Alias: None
Deadline: 2023-05-22
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ipa
Version: 9.1
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Florence Blanc-Renaud
QA Contact: anuja
Depends On:
TreeView+ depends on / blocked
Reported: 2023-04-21 08:05 UTC by Mathieu Baudier
Modified: 2023-11-07 09:54 UTC (History)
6 users (show)

Fixed In Version: ipa-4.10.2-1.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2023-11-07 08:34:04 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-9772 0 None None None 2023-04-21 08:10:50 UTC
Red Hat Issue Tracker RHELPLAN-155376 0 None None None 2023-04-21 08:10:55 UTC
Red Hat Product Errata RHBA-2023:6477 0 None None None 2023-11-07 08:34:39 UTC

Description Mathieu Baudier 2023-04-21 08:05:32 UTC
Description of problem:

On a RHEL 9 host enrolled as an IPA client, Kerberos is not usable in Java.

The error message is:
  KrbException: krb5.conf loading failed

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1. Install IPA client packages
A file /etc/krb5.conf.d/enable_sssd_conf_dir is then indirectly added by the sssd-krb5 package, including the /var/lib/sss/pubconf/krb5.include.d/ directory.

2. Run ipa-client-install
/etc/krb5.conf is modified by the IPA installation and the /var/lib/sss/pubconf/krb5.include.d/ directory gets included again.

3. Run the standard Java JAAS sample code:

Actual results:

$ java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
Kerberos username [mbaudier]: 
Authentication failed:
  KrbException: krb5.conf loading failed

Java rejects a Kerberos configuration where the same directory is included multiple times.

Expected results:

$ java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
Kerberos username [mbaudier]: 
Kerberos password for mbaudier: 
Authentication succeeded!

Additional info:

- A workaround is to delete the file:
or to comment out the only line in it (starting with includedir)

- The issue is already filed upstream, with a good description of the root cause:

So, the question is whether it could be patched in RHEL until it is solved upstream, as it prevents to run Java applications using the standard JAAS Kerberos layer.

- I was not aware that the issue was already filed upstream and first raised it to Debian with my own debugging:

Comment 1 Alexander Bokovoy 2023-04-21 08:29:30 UTC
We work by 'upstream first' policy, so RHEL will only get the change once we merged it upstream.

Any upstream contribution is always welcome.

Timo Aaltonen (Debian/Ubuntu maintainer) promised to create a PR too, so we'd wait for that.

Comment 2 Mathieu Baudier 2023-04-21 09:51:56 UTC
Ok, I will be available to test as soon as a fix is available!

Comment 3 Florence Blanc-Renaud 2023-04-27 06:54:00 UTC
Fixed upstream

Comment 4 Mathieu Baudier 2023-04-27 10:05:37 UTC
Many thanks to everyone involved!

I have tested on an up-to-date Fedora 37 (systemd container on my RHEL 9 workstation) and I confirm that this fixes the issue.

The procedure was:
- rebuild the master branch of FreeIPA (following instructions from https://www.freeipa.org/page/Build)
- update the FreeIPA client packages with the locally built packages
- test that the existing IPA client is now working (the Java Kerberos samples do not fail with 'KrbException: krb5.conf loading failed')
- uninstall the IPA client (ipa-client-install --uninstall)
- re-enroll the IPA client
- test that the existing IPA client is now working (the Java Kerberos samples do not fail with 'KrbException: krb5.conf loading failed')

So, it means that both existing and new IPA clients are now working.

If this fix get merged in other branches, I am available to test it on CentOS Stream 9 or RHEL 9.

Comment 6 Mathieu Baudier 2023-05-04 06:28:00 UTC
I did not manage to rebuild these branches (neither on RHEL Beta, CentOS Stream, nor Alma Linux) because some build dependencies are missings (e.g. the development files for 389-ds or libsss_idmap, etc.)

If it can be useful, I can invest more time trying to test this fix, but I would need some help.
Or I can simply wait for it to become available in CentOS Stream.

Comment 11 Florence Blanc-Renaud 2023-06-09 08:06:56 UTC
Test added upstream

The new test is in ipatests/test_integration/test_installation_client.py::TestInstallClient::test_client_install_with_krb5

Comment 12 Florence Blanc-Renaud 2023-06-09 15:16:38 UTC
Test added upstream

Comment 13 Rob Crittenden 2023-06-09 20:25:19 UTC
Test added upstream

Comment 16 anuja 2023-06-22 10:02:36 UTC
Verified using nightly build:

2023-06-22T09:43:24+0000   - arch: x86_64
2023-06-22T09:43:24+0000     epoch: null
2023-06-22T09:43:24+0000     name: ipa-server
2023-06-22T09:43:24+0000     release: 1.el9
2023-06-22T09:43:24+0000     source: rpm
2023-06-22T09:43:24+0000     version: 4.10.2

/etc/krb5.conf does _not_ have the line "includedir /var/lib/sss/pubconf/krb5.include.d/".

2023-06-22T09:51:48+0000 + cat /etc/krb5.conf
2023-06-22T09:51:48+0000 #File modified by ipa-client-install
2023-06-22T09:51:48+0000 includedir /etc/krb5.conf.d/
2023-06-22T09:51:48+0000 [libdefaults]
2023-06-22T09:51:48+0000   default_realm = IPA.TEST
2023-06-22T09:51:48+0000   dns_lookup_realm = true
2023-06-22T09:51:48+0000   rdns = false
2023-06-22T09:51:48+0000   dns_canonicalize_hostname = false
2023-06-22T09:51:48+0000   dns_lookup_kdc = true
2023-06-22T09:51:48+0000   ticket_lifetime = 24h
2023-06-22T09:51:48+0000   forwardable = true
2023-06-22T09:51:48+0000   udp_preference_limit = 0
2023-06-22T09:51:48+0000   default_ccache_name = KEYRING:persistent:%{uid}
2023-06-22T09:51:48+0000 [realms]
2023-06-22T09:51:48+0000   IPA.TEST = {
2023-06-22T09:51:48+0000     pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
2023-06-22T09:51:48+0000     pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
2023-06-22T09:51:48+0000   }
2023-06-22T09:51:48+0000 [domain_realm]
2023-06-22T09:51:48+0000   .ipa.test = IPA.TEST
2023-06-22T09:51:48+0000   ipa.test = IPA.TEST
2023-06-22T09:51:48+0000   client.ipa.test = IPA.TEST

Comment 18 errata-xmlrpc 2023-11-07 08:34:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.