Bug 712162 - Re-joining a host appends the keytab with an existing KVNO.
Summary: Re-joining a host appends the keytab with an existing KVNO.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Identity_Management_Guide
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Deon Ballard
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-06-09 16:34 UTC by Gowrishankar Rajaiyan
Modified: 2011-12-12 19:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-12 19:15:22 UTC
Target Upstream Version:
Embargoed:



Description Gowrishankar Rajaiyan 2011-06-09 16:34:43 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.0.0-25.el6.x86_64
ipa-client-2.0.0-25.el6.x86_64

How reproducible:
Always

Steps to Reproduce:

On client:
1. Install ipa-client
# klist -ekt /etc/krb5.keytab 
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes256-cts-hmac-sha1-96) 
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes128-cts-hmac-sha1-96) 
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (des3-cbc-sha1) 
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (arcfour-hmac) 

2. # ipa-join -u
Unenrollment successful.

3. # ipa-join 
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=LAB.ENG.PNQ.REDHAT.COM

4. # klist -ekt /etc/krb5.keytab (Observe the KVNO)
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes256-cts-hmac-sha1-96) 
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes128-cts-hmac-sha1-96) 
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (des3-cbc-sha1) 
   1 06/09/11 05:58:47 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (arcfour-hmac) 
   1 06/09/11 06:00:42 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes256-cts-hmac-sha1-96) 
   1 06/09/11 06:00:42 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (aes128-cts-hmac-sha1-96) 
   1 06/09/11 06:00:42 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (des3-cbc-sha1) 
   1 06/09/11 06:00:42 host/mudflap.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM (arcfour-hmac) 

5. # ipa-join -u
Error obtaining initial credentials: Decrypt integrity check failed.


Actual results:
1. IPA client fails to unenroll the second time. 
2. The keytab is appended with the same KVNO for the host principal.
3. SSSD auth fails since it is unable to bind using this keytab
(Thu Jun  9 06:40:57 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_get_tgt_recv] (6): Child responded: 14 [Decrypt integrity check failed], expired on [0]
(Thu Jun  9 06:40:57 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_kinit_done] (4): Could not get TGT: 14 [Bad address]
(Thu Jun  9 06:40:57 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [fo_set_port_status] (4): Marking port 0 of server 'bumblebee.lab.eng.pnq.redhat.com' as 'not working'
(Thu Jun  9 06:40:57 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_handle_release] (8): Trace: sh[0x16c1030], connected[1], ops[(nil)], ldap[0x16c1710], destructor_lock[0], release_memory[0]


Expected results:
- Should remove the keytab when unenrolled.
OR
- Should check if the host principal already exists in the keytab, run ipa-rmkeytab for the host principal, and then re-add it.

Additional info:

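The duplicate-KVNO condition the steps above reproduce can be checked for on any enrolled client by parsing `klist -ekt` output. This is an added example, not part of the bug report or of IPA; the keytab listings are constructed, and the hostname and realm in them are placeholders.

```python
import re
from collections import defaultdict

# One data row of `klist -ekt`: KVNO, date, time, principal, (enctype)
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")

# Constructed sample modelled on the bug report: a re-join appended a second
# set of keys for the same principal without bumping the KVNO.
STALE_KEYTAB = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------------
   1 06/09/11 05:58:47 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 06/09/11 05:58:47 host/client.example.test@EXAMPLE.TEST (arcfour-hmac)
   1 06/09/11 06:00:42 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 06/09/11 06:00:42 host/client.example.test@EXAMPLE.TEST (arcfour-hmac)
"""

# Constructed healthy keytab: the re-key advanced the KVNO, so both entries
# coexist legitimately (the older one lets in-flight tickets still decrypt).
HEALTHY_KEYTAB = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------------
   1 06/09/11 05:58:47 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 06/09/11 06:00:42 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

def parse_klist(text):
    """Return (kvno, timestamp, principal, enctype) tuples from klist -ekt output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def stale_entries(rows):
    """Map (principal, enctype, kvno) -> timestamps for keys stored more than
    once under the same KVNO; any such group means a stale key was appended."""
    groups = defaultdict(list)
    for kvno, ts, principal, enctype in rows:
        groups[(principal, enctype, kvno)].append(ts)
    return {key: stamps for key, stamps in groups.items() if len(stamps) > 1}

def report(text):
    """Human-readable findings, one line per stale (principal, enctype, kvno)."""
    return ["%s (%s) KVNO %d stored %d times" % (p, e, k, len(ts))
            for (p, e, k), ts in sorted(stale_entries(parse_klist(text)).items())]
```

Feed `report()` the captured output of `klist -ekt /etc/krb5.keytab`; an empty list means every (principal, enctype) pair has a single entry per KVNO, which is what a correct re-key via ipa-rmkeytab followed by a fresh join leaves behind.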
Comment 2 Rob Crittenden 2011-06-09 17:13:39 UTC
This is not a valid test. ipa-join does not claim to remove keytab entries (in fact ipa-rmkeytab does).

ipa-client-install should be used to unenroll a client, not ipa-join -u.

Comment 3 Gowrishankar Rajaiyan 2011-06-10 06:15:04 UTC
Then it doesn't make any sense to me to have this confusing option (-u) for ipa-join.

# ipa-join --help
Usage: ipa-join [OPTION...]
  -d, --debug                 Print the raw XML-RPC output in GSSAPI mode
  -q, --quiet                 Quiet mode. Only errors are displayed.
  -u, --unenroll              Unenroll this host from IPA server
  -h, --hostname=hostname     Hostname of this server
  -s, --server=hostname       IPA Server to use
  -k, --keytab=filename       Specifies where to store keytab information.
  -w, --bindpw=password       LDAP password (if not using Kerberos)
I don't see this option in 5.7 client:

[root@drifter ~]# ipa-join --help
Usage: ipa-join [OPTION...]
  -d, --debug                                            Print the raw XML-RPC
                                                         output
  -q, --quiet                                            Print as little as
                                                         possible
  -h, --hostname=Host Name                               Use this hostname
                                                         instead of the node
                                                         name
  -s, --server=IPA Server Name                           IPA Server to use
  -k, --keytab=Keytab File Name                          File were to store
                                                         the keytab information
  -w, --bindpw=password to use if not using kerberos     LDAP password

Help options:
  -?, --help                                             Show this help message
  --usage                                                Display brief usage
                                                         message

[root@drifter ~]# rpm -qf `which ipa-join`
ipa-client-2.0-10.el5_6.1

Comment 4 Dmitri Pal 2011-06-10 13:57:18 UTC
The functionality is correct. IMO it is not a bug. Yes, it is a bit confusing, but AFAIR we already talked about it and did not find a way to make it less confusing.

ipa-client-install --uninstall should be used to uninstall the client. ipa-join -u is a utility function called in this process. If you want to do things manually you need to be aware that ipa-join -u is just a part of the process and does not do everything. 

Maybe we should have a paragraph about this in the manual.

Comment 5 Jenny Severance 2011-06-10 14:03:06 UTC
Shall we turn this into a documentation bug?  And the man pages, as we already discussed could use some work.

Comment 7 Deon Ballard 2011-06-10 15:19:03 UTC
Reopening as a doc bug.
