Bug 732468 - ipa-client-install should set LDAPSASL_NOCANON when calling ipa-getkeytab
Summary: ipa-client-install should set LDAPSASL_NOCANON when calling ipa-getkeytab
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 732935 748866
Blocks:
Reported: 2011-08-22 14:51 UTC by Marko Myllynen
Modified: 2015-01-04 23:50 UTC (History)

Fixed In Version: ipa-2.1.1-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: When an IPA client's A and PTR DNS records do not match, /usr/sbin/ipa-getkeytab and /usr/sbin/ipa-join refuse to operate.
Consequence: If the client's A/PTR records do not match, the client cannot be enrolled in the IPA server and installation always fails. This is too strict a requirement for a client machine.
Fix: Do not require an A/PTR match in /usr/sbin/ipa-getkeytab and /usr/sbin/ipa-join.
Result: An IPA client can be enrolled in the IPA server and ipa-client-install should succeed even when its A/PTR DNS records do not match.
Clone Of:
Environment:
Last Closed: 2011-12-06 18:30:14 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Marko Myllynen 2011-08-22 14:51:02 UTC
Description of problem:
ipa-client-install fails when A/PTR names do not match. It turned out that the fix is easy, just set an environment variable to disable reverse lookup when calling ipa-getkeytab. From bug 719060:

"When testing IPA on a network where A/PTR names do not match it turned out that
OpenLDAP/cyrus-sasl fail when using GSSAPI.

Reverse lookup can be disabled by enabling SASL_NOCANON in ldap.conf or by
setting LDAPSASL_NOCANON environmental variable."

Version-Release number of selected component (if applicable):
RHEL 6.1

Comment 2 Simo Sorce 2011-08-22 14:53:57 UTC
We better change our binaries to set LDAP_OPT_X_SASL_NOCANON with ldap_set_option()

Comment 3 Rob Crittenden 2011-08-22 15:02:23 UTC
With a flag, right? This is probably not a good default is it?

Comment 4 Dmitri Pal 2011-08-22 17:58:43 UTC
(In reply to comment #3)
> With a flag, right? This is probably not a good default is it?

makes sense to do it with a flag.

Comment 5 Dmitri Pal 2011-08-22 20:08:40 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1693

Comment 6 Rob Crittenden 2011-08-23 22:08:52 UTC
Was this failing in ipa-join or just ipa-getkeytab?

Comment 7 Dmitri Pal 2011-08-23 22:50:58 UTC
I think it was the ipa-getkeytab based on the mail thread but it might make sense to check both.

Comment 8 Marko Myllynen 2011-08-24 07:42:34 UTC
> Was this failing in ipa-join or just ipa-getkeytab?

Yes, there was an issue also with ipa-join, I can check the details later when connected to my test network.

However, if this is to be fixed with a flag as suggested in comment 4, then the flag should be used for the SSSD configuration as well, see https://fedorahosted.org/sssd/ticket/978, otherwise this won't be very helpful.

Thanks.

Comment 9 Rob Crittenden 2011-08-24 11:37:25 UTC
The SSSD changes are independent of our setting an environment variable during the installer. Or in other words, we are going to need to modify the SSSD configuration regardless of how we fix this in IPA.

Comment 10 Marko Myllynen 2011-08-25 22:28:45 UTC
> Yes, there was an issue also with ipa-join, I can check the details later when
> connected to my test network.

This was caused by an issue in current xmlrpc-c packages. With latest packages from Brew ipa-join works all ok.

Comment 11 Rob Crittenden 2011-08-26 17:53:53 UTC
Fixed upstream.

master: a750ccb5a2c525e9c117f6139583a710ec4fb656

ipa-2-1: aad2aecb34b723cd322f46ea4aa7c349e9f5f465

To test:

Set the IPA server's reverse DNS to a different host, then try to enroll a client. Make sure the client doesn't have a host entry for the server in /etc/hosts. If the enrollment is successful then the bug is fixed.
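
As an added example (not code from this bug, FreeIPA or OpenLDAP), the following Python models the hostname canonicalisation that the description and comment 2 are about, and the A/PTR pre-flight check behind the test procedure above. The DNS table, KDC principal set, realm and host names are constructed for the example; the real behaviour lives in libldap's SASL bind path (which reverse-resolves the connected peer unless LDAP_OPT_X_SASL_NOCANON is set) and in cyrus-sasl, which this only imitates.

```python
"""Why a mismatched PTR record breaks a GSSAPI LDAP bind, and what NOCANON changes.

Constructed data only: the hosts, addresses, realm and KDC contents below are
made up for this example and are not from the bug report.
"""

# Constructed forward (A) records: two names share one address.
DNS_A = {
    "ipa.example.test": "192.0.2.10",
    "mail.example.test": "192.0.2.10",
    "client.example.test": "192.0.2.20",
}

# Constructed reverse (PTR) records: 192.0.2.10 reverses to the *other* name,
# which is exactly the A/PTR mismatch the bug describes.
DNS_PTR = {
    "192.0.2.10": "mail.example.test",
    "192.0.2.20": "client.example.test",
}

# Constructed KDC database: IPA only ever registers the ldap/ principal for the
# server's real name.
KDC_PRINCIPALS = {"ldap/ipa.example.test@EXAMPLE.TEST"}


def ldap_target_host(uri_host, nocanon, dns_a=DNS_A, dns_ptr=DNS_PTR):
    """Hostname libldap hands to SASL/GSSAPI when asking for an ldap/<host> ticket.

    Default (canonicalise): resolve the URI host, connect, reverse-resolve the
    peer address, and use the PTR name as the SASL target.
    NOCANON (LDAP_OPT_X_SASL_NOCANON, LDAPSASL_NOCANON=on in the environment,
    or SASL_NOCANON on in ldap.conf): use the URI host verbatim.
    """
    if nocanon:
        return uri_host
    addr = dns_a[uri_host]
    # No PTR at all: libldap falls back to the name it was given.
    return dns_ptr.get(addr, uri_host)


def gssapi_bind(uri_host, realm, nocanon):
    """Return (ok, principal): can the client obtain a service ticket for the
    principal it ends up asking the KDC for?"""
    principal = "ldap/%s@%s" % (ldap_target_host(uri_host, nocanon), realm)
    return principal in KDC_PRINCIPALS, principal


def a_ptr_mismatch(host, dns_a=DNS_A, dns_ptr=DNS_PTR):
    """Pre-flight check for the test scenario: None if A and PTR agree (or the
    host has no A record), otherwise (address, ptr_name) describing the mismatch."""
    addr = dns_a.get(host)
    if addr is None:
        return None
    ptr = dns_ptr.get(addr)
    return None if ptr == host else (addr, ptr)


if __name__ == "__main__":
    for nocanon in (False, True):
        ok, principal = gssapi_bind("ipa.example.test", "EXAMPLE.TEST", nocanon)
        print("nocanon=%-5s -> asks KDC for %s: %s"
              % (nocanon, principal, "ok" if ok else "no such principal"))
    print("A/PTR mismatch for ipa.example.test:", a_ptr_mismatch("ipa.example.test"))
```

With canonicalisation on, the client asks the KDC for ldap/mail.example.test@EXAMPLE.TEST, a principal that does not exist, so the bind fails exactly as in the description; with NOCANON it asks for the name it was configured with and succeeds. Note that canonicalisation also means whoever controls the reverse zone decides which service principal the client will request, so disabling it is not a weakening of the client's check but removes a DNS-controlled input from it.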

Comment 14 Namita Soman 2011-10-10 15:39:39 UTC
When starting:
Server IP: 10.16.18.99
Client IP: 10.16.18.91

server has reverse zone:
Zone name: 18.16.10.in-addr.arpa.

Based on instructions above, tested following steps below:
deleted - Zone name: 18.16.10.in-addr.arpa.
added - Zone name: 19.16.10.in-addr.arpa.
client doesn't have a host entry for the server in /etc/hosts
Install was successful, was able to kinit.
Verified forward record for this host is present


To continue on:
deleted - Zone name: 19.16.10.in-addr.arpa.
added - Zone name: 18.16.10.in-addr.arpa.
..to come back to original install.
Changed Client IP to be - 10.16.19.91
...to put client in a different zone than ipa server.
Install was successful, was able to kinit.
But forward record for this host is not present in server.
Unable to ssh client from ipa server.

NeedInfo - 
is the behaviour in second scenario correct? 
are the first and second tests valid to verify this bug?

Comment 15 Rob Crittenden 2011-10-10 15:50:00 UTC
Not sure I understand what you're testing here. The problem is when the A and PTR records do not match. The zone doesn't really matter.

Comment 16 Namita Soman 2011-10-10 18:13:02 UTC
Verified using:
ipa-server-2.1.2-2.el6.x86_64

Added a host with mismatched A/PTR records. Installed ipa-client, and it was successful.

Comment 17 Martin Kosek 2011-11-01 14:00:30 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: When an IPA client's A and PTR DNS records do not match, /usr/sbin/ipa-getkeytab and /usr/sbin/ipa-join refuse to operate.
Consequence: If the client's A/PTR records do not match, the client cannot be enrolled in the IPA server and installation always fails. This is too strict a requirement for a client machine.
Fix: Do not require an A/PTR match in /usr/sbin/ipa-getkeytab and /usr/sbin/ipa-join.
Result: An IPA client can be enrolled in the IPA server and ipa-client-install should succeed even when its A/PTR DNS records do not match.

Comment 18 errata-xmlrpc 2011-12-06 18:30:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

