RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2234711 - ipa should require krb5 1.18.2-25 or newer [rhel-8]
Summary: ipa should require krb5 1.18.2-25 or newer [rhel-8]
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2023-09-04
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: CentOS Stream
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rafael Jeffman
QA Contact: Michal Polovka
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-08-25 08:22 UTC by Jan Pazdziora
Modified: 2023-11-14 16:50 UTC (History)
13 users (show)

Fixed In Version: ipa-4.9.12-8.module+el8.9.0+19821+643911d0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-14 15:32:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-10309 0 None None None 2023-08-25 08:23:50 UTC
Red Hat Issue Tracker RHELPLAN-166562 0 None None None 2023-08-25 08:26:42 UTC
Red Hat Product Errata RHBA-2023:6977 0 None None None 2023-11-14 15:33:01 UTC

Description Jan Pazdziora 2023-08-25 08:22:06 UTC 
Description of problem:

When installing krb5-server on CentOS 8 Stream container, krb5-libs gets downgraded. That means that the CentOS 8 Stream repos do not have content from which the base container image was built.

The net result is that ipa-server-install fails with

Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [error] RuntimeError: Failed to initialize kerberos container
Failed to initialize kerberos container

due to

2023-08-25T07:58:24Z DEBUG stderr=kdb5_util: Unable to load requested database module 'ipadb.so': plugin symbol 'kdb_function_table' not found while creating database '/var/kerberos/krb5kdc/principal'

Version-Release number of selected component (if applicable):

krb5-libs-1.18.2-25.el8

How reproducible:

Deterministic.

Steps to Reproduce:
1. podman pull quay.io/centos/centos:stream8
2. podman run --rm quay.io/centos/centos:stream8 rpm -q krb5-libs
3. podman run --rm quay.io/centos/centos:stream8 dnf install -y krb5-server

Actual results:

Step 2 shows

krb5-libs-1.18.2-25.el8.x86_64

Step 3 shows

CentOS Stream 8 - AppStream                     7.6 MB/s |  33 MB     00:04    
CentOS Stream 8 - BaseOS                        4.7 MB/s |  41 MB     00:08    
CentOS Stream 8 - Extras                         60 kB/s |  18 kB     00:00    
CentOS Stream 8 - Extras common packages         23 kB/s | 6.8 kB     00:00    
Dependencies resolved.
================================================================================
 Package              Architecture Version                Repository       Size
================================================================================
Installing:
 krb5-server          x86_64       1.18.2-22.el8          baseos          1.1 M
Installing dependencies:
 libev                x86_64       4.24-6.el8             appstream        52 k
 libkadm5             x86_64       1.18.2-22.el8          baseos          187 k
 libss                x86_64       1.45.6-5.el8           baseos           54 k
 libverto-libev       x86_64       0.3.2-2.el8            appstream        16 k
 logrotate            x86_64       3.14.0-6.el8           baseos           86 k
 words                noarch       3.0-28.el8             baseos          1.4 M
Downgrading:
 krb5-libs            x86_64       1.18.2-22.el8          baseos          841 k

Transaction Summary
================================================================================
Install    7 Packages
Downgrade  1 Package

Total download size: 3.7 M
Downloading Packages:
(1/8): libverto-libev-0.3.2-2.el8.x86_64.rpm    463 kB/s |  16 kB     00:00    
(2/8): libev-4.24-6.el8.x86_64.rpm              1.1 MB/s |  52 kB     00:00    
(3/8): libkadm5-1.18.2-22.el8.x86_64.rpm        626 kB/s | 187 kB     00:00    
(4/8): libss-1.45.6-5.el8.x86_64.rpm            237 kB/s |  54 kB     00:00    
(5/8): krb5-libs-1.18.2-22.el8.x86_64.rpm       1.4 MB/s | 841 kB     00:00    
(6/8): krb5-server-1.18.2-22.el8.x86_64.rpm     1.9 MB/s | 1.1 MB     00:00    
(7/8): logrotate-3.14.0-6.el8.x86_64.rpm        416 kB/s |  86 kB     00:00    
(8/8): words-3.0-28.el8.noarch.rpm              1.9 MB/s | 1.4 MB     00:00    
--------------------------------------------------------------------------------
Total                                           2.2 MB/s | 3.7 MB     00:01     
CentOS Stream 8 - BaseOS                        1.6 MB/s | 1.6 kB     00:00    
Importing GPG key 0x8483C65D:
 Userid     : "CentOS (CentOS Official Signing Key) <security>"
 Fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Downgrading      : krb5-libs-1.18.2-22.el8.x86_64                         1/9 
  Installing       : libkadm5-1.18.2-22.el8.x86_64                          2/9 
  Installing       : words-3.0-28.el8.noarch                                3/9 
  Running scriptlet: logrotate-3.14.0-6.el8.x86_64                          4/9 
  Installing       : logrotate-3.14.0-6.el8.x86_64                          4/9 
  Installing       : libss-1.45.6-5.el8.x86_64                              5/9 
  Running scriptlet: libss-1.45.6-5.el8.x86_64                              5/9 
  Installing       : libev-4.24-6.el8.x86_64                                6/9 
  Installing       : libverto-libev-0.3.2-2.el8.x86_64                      7/9 
  Installing       : krb5-server-1.18.2-22.el8.x86_64                       8/9 
  Running scriptlet: krb5-server-1.18.2-22.el8.x86_64                       8/9 
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down

  Cleanup          : krb5-libs-1.18.2-25.el8.x86_64                         9/9 
  Running scriptlet: krb5-libs-1.18.2-25.el8.x86_64                         9/9 
  Verifying        : krb5-libs-1.18.2-22.el8.x86_64                         1/9 
  Verifying        : krb5-libs-1.18.2-25.el8.x86_64                         2/9 
  Verifying        : libev-4.24-6.el8.x86_64                                3/9 
  Verifying        : libverto-libev-0.3.2-2.el8.x86_64                      4/9 
  Verifying        : krb5-server-1.18.2-22.el8.x86_64                       5/9 
  Verifying        : libkadm5-1.18.2-22.el8.x86_64                          6/9 
  Verifying        : libss-1.45.6-5.el8.x86_64                              7/9 
  Verifying        : logrotate-3.14.0-6.el8.x86_64                          8/9 
  Verifying        : words-3.0-28.el8.noarch                                9/9 

Downgraded:
  krb5-libs-1.18.2-22.el8.x86_64                                                
Installed:
  krb5-server-1.18.2-22.el8.x86_64         libev-4.24-6.el8.x86_64             
  libkadm5-1.18.2-22.el8.x86_64            libss-1.45.6-5.el8.x86_64           
  libverto-libev-0.3.2-2.el8.x86_64        logrotate-3.14.0-6.el8.x86_64       
  words-3.0-28.el8.noarch                 

Complete!

Expected results:

krb5-server at least version 1.18.2-25 gets installed.

Additional info:
Comment 1 Jan Pazdziora 2023-08-25 08:32:29 UTC 
We saw something very similar on AlmaLinux earlier: https://bugs.almalinux.org/view.php?id=411
Comment 2 Jan Pazdziora 2023-08-25 09:36:56 UTC 
The effect on FreeIPA is this: take CentOS 8 Stream. If you don't have it, start with RHEL 8 and turn it into CentOS 8 Stream with

dnf install -y http://mirror.centos.org/centos/8-stream/BaseOS/$(uname -m)/os/Packages/centos-stream-repos-8-6.el8.noarch.rpm http://mirror.centos.org/centos/8-stream/BaseOS/$(uname -m)/os/Packages/centos-gpg-keys-8-6.el8.noarch.rpm
rpm -e redhat-release-eula
rmdir /usr/share/redhat-release
sed -i 's/^/# /' /etc/yum/protected.d/redhat-release.conf
dnf swap -y redhat-release centos-stream-release

Remove any RHEL repos that might be configured in /etc/yum.repos.d.

yum upgrade -y
yum -y module enable idm:DL1
yum install -y --setopt=install_weak_deps=False ipa-server
ipa-server-install -U -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123

That will fail with

  [42/43]: configuring directory to start on boot
  [43/43]: restarting directory server
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [error] RuntimeError: Failed to initialize kerberos container
Failed to initialize kerberos container
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Maybe the issue is also in the ipa packages that they rely on some newer krb5* packages and should have a versioned dependency to force their installation (or fail during installation)?
Comment 4 Alexander Bokovoy 2023-08-25 09:47:45 UTC 
1.18.2-25.el8 is there: http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages/krb5-server-1.18.2-25.el8.x86_64.rpm

I cannot reproduce your behavior:

$ podman run --rm -ti quay.io/centos/centos:stream8 /bin/bash
[root@222a4c047e39 /]# rpm -qa|grep krb5
krb5-libs-1.18.2-25.el8.x86_64
[root@222a4c047e39 /]# dnf -y install krb5-server
Failed to set locale, defaulting to C.UTF-8
CentOS Stream 8 - AppStream                                                                                                                                                                             11 MB/s |  33 MB     00:02    
CentOS Stream 8 - BaseOS                                                                                                                                                                                11 MB/s |  44 MB     00:03    
CentOS Stream 8 - Extras                                                                                                                                                                                59 kB/s |  18 kB     00:00    
CentOS Stream 8 - Extras common packages                                                                                                                                                                23 kB/s | 6.8 kB     00:00    
Dependencies resolved.
=======================================================================================================================================================================================================================================
 Package                                                    Architecture                                       Version                                                     Repository                                             Size
=======================================================================================================================================================================================================================================
Installing:
 krb5-server                                                x86_64                                             1.18.2-25.el8                                               baseos                                                1.1 M
Installing dependencies:
 libev                                                      x86_64                                             4.24-6.el8                                                  appstream                                              52 k
 libkadm5                                                   x86_64                                             1.18.2-25.el8                                               baseos                                                188 k
 libss                                                      x86_64                                             1.45.6-5.el8                                                baseos                                                 54 k
 libverto-libev                                             x86_64                                             0.3.2-2.el8                                                 appstream                                              16 k
 logrotate                                                  x86_64                                             3.14.0-6.el8                                                baseos                                                 86 k
 words                                                      noarch                                             3.0-28.el8                                                  baseos                                                1.4 M

Transaction Summary
=======================================================================================================================================================================================================================================
Install  7 Packages

Total download size: 2.8 M
Installed size: 6.7 M
Downloading Packages:
CentOS Stream 8 - AppStream                                                                     206% [=================================================================================================================================(1/7): libverto-libev-0.3.2-2.el8.x86_64.rpm                                                                                                                                                           624 kB/s |  16 kB     00:00    
(2/7): libev-4.24-6.el8.x86_64.rpm                                                                                                                                                                     1.0 MB/s |  52 kB     00:00    
(3/7): libss-1.45.6-5.el8.x86_64.rpm                                                                                                                                                                   357 kB/s |  54 kB     00:00    
(4/7): libkadm5-1.18.2-25.el8.x86_64.rpm                                                                                                                                                               850 kB/s | 188 kB     00:00    
(5/7): logrotate-3.14.0-6.el8.x86_64.rpm                                                                                                                                                               446 kB/s |  86 kB     00:00    
(6/7): krb5-server-1.18.2-25.el8.x86_64.rpm                                                                                                                                                            2.3 MB/s | 1.1 MB     00:00    
(7/7): words-3.0-28.el8.noarch.rpm                                                                                                                                                                     2.5 MB/s | 1.4 MB     00:00    
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                  2.4 MB/s | 2.8 MB     00:01     
CentOS Stream 8 - AppStream                                                                                                                                                                            1.6 MB/s | 1.6 kB     00:00    
Importing GPG key 0x8483C65D:
 Userid     : "CentOS (CentOS Official Signing Key) <security>"
 Fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                               1/1 
  Installing       : words-3.0-28.el8.noarch                                                                                                                                                                                       1/7 
  Running scriptlet: logrotate-3.14.0-6.el8.x86_64                                                                                                                                                                                 2/7 
  Installing       : logrotate-3.14.0-6.el8.x86_64                                                                                                                                                                                 2/7 
  Installing       : libss-1.45.6-5.el8.x86_64                                                                                                                                                                                     3/7 
  Running scriptlet: libss-1.45.6-5.el8.x86_64                                                                                                                                                                                     3/7 
  Installing       : libkadm5-1.18.2-25.el8.x86_64                                                                                                                                                                                 4/7 
  Installing       : libev-4.24-6.el8.x86_64                                                                                                                                                                                       5/7 
  Installing       : libverto-libev-0.3.2-2.el8.x86_64                                                                                                                                                                             6/7 
  Installing       : krb5-server-1.18.2-25.el8.x86_64                                                                                                                                                                              7/7 
  Running scriptlet: krb5-server-1.18.2-25.el8.x86_64                                                                                                                                                                              7/7 
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down

  Verifying        : libev-4.24-6.el8.x86_64                                                                                                                                                                                       1/7 
  Verifying        : libverto-libev-0.3.2-2.el8.x86_64                                                                                                                                                                             2/7 
  Verifying        : krb5-server-1.18.2-25.el8.x86_64                                                                                                                                                                              3/7 
  Verifying        : libkadm5-1.18.2-25.el8.x86_64                                                                                                                                                                                 4/7 
  Verifying        : libss-1.45.6-5.el8.x86_64                                                                                                                                                                                     5/7 
  Verifying        : logrotate-3.14.0-6.el8.x86_64                                                                                                                                                                                 6/7 
  Verifying        : words-3.0-28.el8.noarch                                                                                                                                                                                       7/7 

Installed:
  krb5-server-1.18.2-25.el8.x86_64     libev-4.24-6.el8.x86_64     libkadm5-1.18.2-25.el8.x86_64     libss-1.45.6-5.el8.x86_64     libverto-libev-0.3.2-2.el8.x86_64     logrotate-3.14.0-6.el8.x86_64     words-3.0-28.el8.noarch    

Complete!
[root@222a4c047e39 /]#
Comment 5 Alexander Bokovoy 2023-08-25 09:55:50 UTC 
This is probably a side-effect of using CentOS mirrors. If some of them aren't fully synced up, they might have incomplete data and you get to use what is available at the install time.

I cannot reproduce this in my case, even when attempting to install IPA packages from the modular stream.
Comment 6 Jan Pazdziora 2023-08-25 11:04:35 UTC 
You are right that some mirrors have the latest version and some don't. I thought it was a general "build not pushed to repos" because I consistently got the same faulty behaviour on GitHub Actions runners, from internal Red Hat network, as well as from my home machine.

Running tail -f /var/log/dnf.librepo.log & I can see that at least http://centos2.hti.pl/8-stream/BaseOS/x86_64/os/repodata/ and http://centos.anexia.at/centos/8-stream/BaseOS/x86_64/os/repodata/ have repomd.xml from July 10, so over a month and half old.

Would you know the best place to report infrastructure issues ... CentOS mirrors advertizing mirrors with ancient content?
Comment 7 Jan Pazdziora 2023-08-25 11:17:50 UTC 
I filed https://pagure.io/centos-infra/issue/1248 now.
Comment 8 Jan Pazdziora 2023-08-25 11:24:56 UTC 
Was that krb5-*-1.18.2-22.el8 faulty in some way, or does FreeIPA (any of its component) now require a newer version?

It seems for some reason we only get the list of stale mirrors for BaseOS, but for AppStream we get the fresh mirrors. So we are getting latest FreeIPA bits but old Kerberos. If FreeIPA requires some specific newer version, should it version-require it?
Comment 25 Michal Polovka 2023-09-12 08:27:28 UTC 
Pre-verified manually using RHEL8.9 machine with test compose enabled with ipa-4.9.12-8.module+el8.9.0+19821+643911d0

ipa.spec

     67 %global krb5_version 1.18.2-25
     68 %global krb5_kdb_version 8.0

    245 BuildRequires:  krb5-kdb-version = %{krb5_kdb_version}
    246 BuildRequires:  krb5-kdb-devel-version = %{krb5_kdb_version}
    247 BuildRequires:  krb5-devel >= %{krb5_version}

    431 Requires(post): krb5-server >= %{krb5_version}

    661 Requires: krb5-workstation >= %{krb5_version}

Specfile update to reflect required change, marking as pre-verified: tested.
Comment 28 Michal Polovka 2023-09-15 07:41:34 UTC 
Verified manually with nightly compose and package ipa-4.9.12-8.module+el8.9.0+19821+643911d0.src.rpm

Relevant content of ipa.spec:


  67 %global krb5_version 1.18.2-25                                                  
  68 %global krb5_kdb_version 8.0   

 245 BuildRequires:  krb5-kdb-version = %{krb5_kdb_version}                          
 246 BuildRequires:  krb5-kdb-devel-version = %{krb5_kdb_version} 
 247 BuildRequires:  krb5-devel >= %{krb5_version}    

 431 Requires(post): krb5-server >= %{krb5_version}                                  
 432 Requires(post): krb5-server >= %{krb5_base_version}  

 661 Requires: krb5-workstation >= %{krb5_version}                                   
 662 # Support pkinit with client install                                            
 663 Requires: krb5-pkinit-openssl >= %{krb5_version} 

Spec file updated, marking as Verified.
Comment 30 errata-xmlrpc 2023-11-14 15:32:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6977
Note You need to log in before you can comment on or make changes to this bug.