Description of problem:
cyrus-sasl-gssapi is a soft dependency needed by some IPA client tools (ipa-getkeytab for one). It is loaded by other packages (ldap, krb5) but if the 32-bit version of ipa-client is installed on a 64-bit platform there is no explicit requirement on the 32-bit version of cyrus-sasl-gssapi. The result is that ipa-getkeytab fails with: SASL Bind failed. This is because the 32-bit GSSAPI SASL mechanism isn't available.

Version-Release number of selected component (if applicable):
ipa-client-2.0-14.el5

Steps to Reproduce:
1. Install 32-bit ipa-client package on 64-bit machine
2. ipa-client-install

Actual results:
SASL Bind failed!

Expected results:
Host enrollment with a host service principal in /etc/krb5.keytab.
Jan Cholast pointed out that the version of rpm in EL5 doesn't support the %{_isa} macro so we'll need to do something like:

    %if %{defined _isa}
    Requires: cyrus-sasl-gssapi%{_isa}
    %else
    %ifarch x86_64
    Requires: libgssapiv2.so.2()(64bit)
    %else
    Requires: libgssapiv2.so.2
    %endif
    %endif

And even more interesting when we add in ppc and s390.
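An added check, not part of the original report or the IPA packaging: given `rpm -qa --qf '%{NAME} %{ARCH}\n'` output, it lists each architecture where ipa-client is installed without a cyrus-sasl-gssapi of the same architecture, which is the condition behind "SASL Bind failed". The function names and sample package lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a multilib ipa-client install that lacks the
# same-architecture GSSAPI SASL plugin.
# Input on stdin: one "name arch" pair per line, as printed by
#   rpm -qa --qf '%{NAME} %{ARCH}\n'

missing_gssapi_arches() {
    awk '
        $1 == "ipa-client"        { client[$2] = 1 }
        $1 == "cyrus-sasl-gssapi" { plugin[$2] = 1 }
        END {
            for (a in client)
                if (!(a in plugin))
                    print a
        }
    ' | sort
}

# Constructed sample: 64-bit host, 32-bit ipa-client, only the 64-bit plugin.
SAMPLE_BROKEN='ipa-client i386
cyrus-sasl-gssapi x86_64
cyrus-sasl-lib i386
cyrus-sasl-lib x86_64
krb5-libs i386'

# Constructed sample: the same host once the 32-bit plugin is pulled in.
SAMPLE_FIXED='ipa-client i386
cyrus-sasl-gssapi i386
cyrus-sasl-gssapi x86_64'

check_host() {
    # $1: package list text. Returns 0 when every ipa-client arch has its plugin.
    missing=$(printf '%s\n' "$1" | missing_gssapi_arches)
    if [ -n "$missing" ]; then
        for a in $missing; do
            echo "ipa-client.$a installed without cyrus-sasl-gssapi.$a"
        done
        return 1
    fi
    echo "ok"
    return 0
}

check_host "$SAMPLE_BROKEN" || true
check_host "$SAMPLE_FIXED"
# On a live system: check_host "$(rpm -qa --qf '%{NAME} %{ARCH}\n')"
```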
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.8 Beta (Tikanga)
==================================================================
Installed:
  ipa-client.i386 0:2.1.3-1.el5

Dependency Installed:
  cyrus-sasl-gssapi.i386 0:2.1.22-5.el5_4.3
  xmlrpc-c.i386 0:1.16.24-1206.1840.4.el5
  xmlrpc-c-client.i386 0:1.16.24-1206.1840.4.el5
==================================================================
[root@hp-dl360g5-01 ~]# ipa-client-install
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): lab.eng.pnq.redhat.com
DNS discovery failed to find the IPA Server
Provide your IPA server name (ex: ipa.example.com): bumblebee.lab.eng.pnq.redhat.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operation and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: hp-dl360g5-01.rhts.eng.bos.redhat.com
Realm: LAB.ENG.PNQ.REDHAT.COM
DNS Domain: lab.eng.pnq.redhat.com
IPA Server: bumblebee.lab.eng.pnq.redhat.com
BaseDN: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admin.PNQ.REDHAT.COM:
Enrolled in IPA realm LAB.ENG.PNQ.REDHAT.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm LAB.ENG.PNQ.REDHAT.COM
SSSD enabled
NTP enabled
Client configuration complete.
[root@hp-dl360g5-01 ~]#
==================================================================
[root@hp-dl360g5-01 ~]# kinit admin
Password for admin.PNQ.REDHAT.COM:
[root@hp-dl360g5-01 ~]#
[root@hp-dl360g5-01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
12/13/11 02:23:38  12/14/11 02:23:35  krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@hp-dl360g5-01 ~]#
[root@ibm-squad7-lp1 ~]# arch
ppc64
[root@ibm-squad7-lp1 ~]#
[root@ibm-squad7-lp1 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.8 Beta (Tikanga)
[root@ibm-squad7-lp1 ~]#

Installed:
  ipa-client.ppc 0:2.1.3-1.el5

Dependency Installed:
  c-ares.ppc 0:1.6.0-5.el5
  certmonger.ppc 0:0.50-3.el5
  cyrus-sasl-gssapi.ppc 0:2.1.22-5.el5_4.3
  libcollection.ppc 0:0.6.0-10.el5
  libdhash.ppc 0:0.4.2-10.el5
  libini_config.ppc 0:0.6.1-10.el5
  libipa_hbac.ppc 0:1.5.1-46.el5
  libldb.ppc 0:0.9.10-33.el5
  libpath_utils.ppc 0:0.2.1-10.el5
  libref_array.ppc 0:0.1.1-10.el5
  libtalloc.ppc 0:2.0.1-11.el5
  libtdb.ppc 0:1.2.1-6.el5
  libtevent.ppc 0:0.9.8-10.el5
  openldap24-libs.ppc 0:2.4.23-5.el5
  sssd.ppc 0:1.5.1-46.el5
  sssd-client.ppc 0:1.5.1-46.el5
  xmlrpc-c.ppc 0:1.16.24-1206.1840.4.el5
  xmlrpc-c-client.ppc 0:1.16.24-1206.1840.4.el5

[root@ibm-squad7-lp1 ~]#
[root@ibm-squad7-lp1 ~]# ipa-client-install
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): lab.eng.pnq.redhat.com
DNS discovery failed to find the IPA Server
Provide your IPA server name (ex: ipa.example.com): bumblebee.lab.eng.pnq.redhat.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operation and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: ibm-squad7-lp1.rhts.eng.bos.redhat.com
Realm: LAB.ENG.PNQ.REDHAT.COM
DNS Domain: lab.eng.pnq.redhat.com
IPA Server: bumblebee.lab.eng.pnq.redhat.com
BaseDN: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admin.PNQ.REDHAT.COM:
Enrolled in IPA realm LAB.ENG.PNQ.REDHAT.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm LAB.ENG.PNQ.REDHAT.COM
Failed to stop the nscd daemon
SSSD enabled
NTP enabled
Client configuration complete
[root@ibm-squad7-lp1 ~]# kinit admin
Password for admin.PNQ.REDHAT.COM:
[root@ibm-squad7-lp1 ~]#
[root@ibm-squad7-lp1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
12/14/11 06:13:54  12/15/11 06:13:51  krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@ibm-squad7-lp1 ~]#
[root@ibm-squad7-lp1 ~]# getent -s sss passwd admin
admin:*:715400000:715400000:Administrator:/home/admin:/bin/bash
[root@ibm-squad7-lp1 ~]#
[root@ibm-squad7-lp1 ~]# getent -s sss passwd shanks
shanks:*:715400003:715400003:s r:/home/shanks:/bin/sh
[root@ibm-squad7-lp1 ~]#
[root@ibm-squad7-lp1 ~]# ssh -l shanks localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is e0:6b:14:5e:79:83:c3:18:cc:41:75:31:a4:5e:d9:c9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
shanks@localhost's password:
Warning: Your password will expire in less than one hour.
...
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user shanks.
Current Password:
New UNIX password:
Retype new UNIX password:
Warning: Your password will expire in less than one hour.
passwd: all authentication tokens updated successfully.
Connection to localhost closed.
[root@ibm-squad7-lp1 ~]#
[root@ibm-squad7-lp1 ~]# ssh -l shanks localhost
shanks@localhost's password:
Last login: Wed Dec 14 06:15:48 2011 from localhost.localdomain
-sh-3.2$ klist
Ticket cache: FILE:/tmp/krb5cc_715400003_GawCqg
Default principal: shanks.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
12/14/11 06:17:29  12/15/11 06:17:28  krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM

Kerberos 4 ticket cache: /tmp/tkt715400003
klist: You have no tickets cached
-sh-3.2$
[root@ibm-z10-36 ~]# arch
s390x
[root@ibm-z10-36 ~]#

Installed:
  ipa-client.s390 0:2.1.3-1.el5

Dependency Installed:
  c-ares.s390x 0:1.6.0-5.el5
  certmonger.s390x 0:0.50-3.el5
  cyrus-sasl-gssapi.s390 0:2.1.22-5.el5_4.3
  libcollection.s390x 0:0.6.0-10.el5
  libdhash.s390x 0:0.4.2-10.el5
  libini_config.s390x 0:0.6.1-10.el5
  libipa_hbac.s390x 0:1.5.1-46.el5
  libldb.s390x 0:0.9.10-33.el5
  libpath_utils.s390x 0:0.2.1-10.el5
  libref_array.s390x 0:0.1.1-10.el5
  libtalloc.s390x 0:2.0.1-11.el5
  libtdb.s390x 0:1.2.1-6.el5
  libtevent.s390x 0:0.9.8-10.el5
  openldap24-libs.s390x 0:2.4.23-5.el5
  sssd.s390x 0:1.5.1-46.el5
  sssd-client.s390x 0:1.5.1-46.el5
  xmlrpc-c.s390 0:1.16.24-1206.1840.4.el5
  xmlrpc-c.s390x 0:1.16.24-1206.1840.4.el5
  xmlrpc-c-client.s390 0:1.16.24-1206.1840.4.el5
  xmlrpc-c-client.s390x 0:1.16.24-1206.1840.4.el5

[root@ibm-z10-36 ~]#
[root@ibm-z10-36 ~]# ipa-client-install
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): lab.eng.pnq.redhat.com
DNS discovery failed to find the IPA Server
Provide your IPA server name (ex: ipa.example.com): bumblebee.lab.eng.pnq.redhat.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operation and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: ibm-z10-36.rhts.eng.bos.redhat.com
Realm: LAB.ENG.PNQ.REDHAT.COM
DNS Domain: lab.eng.pnq.redhat.com
IPA Server: bumblebee.lab.eng.pnq.redhat.com
BaseDN: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admin.PNQ.REDHAT.COM:
Enrolled in IPA realm LAB.ENG.PNQ.REDHAT.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm LAB.ENG.PNQ.REDHAT.COM
Failed to stop the nscd daemon
SSSD enabled
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
Changed configuration of /etc/ldap.conf to use hardcoded server name: bumblebee.lab.eng.pnq.redhat.com
NTP enabled
Client configuration complete.
[root@ibm-z10-36 ~]#
[root@ibm-z10-36 ~]# kinit admin
Password for admin.PNQ.REDHAT.COM:
[root@ibm-z10-36 ~]#
[root@ibm-z10-36 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
12/15/11 00:58:29  12/16/11 00:58:17  krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@ibm-z10-36 ~]#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0190.html