747443 – Certmonger fail to issue host certificate when IPA client is outside of the IPA domain.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 747443 - Certmonger fail to issue host certificate when IPA client is outside of the IPA domain.

Summary: Certmonger fail to issue host certificate when IPA client is outside of the I...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.2
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	750914
TreeView+	depends on / blocked

Reported:	2011-10-19 20:08 UTC by Lars Sjöström
Modified:	2011-12-06 18:43 UTC (History)
CC List:	7 users (show)
Fixed In Version:	ipa-2.1.3-3.el6
Doc Type:	Bug Fix
Doc Text:	Cause: Realm-Domain mapping is not specified in client Kerberos configuration when client is outside of the IPA domain Consequence: certmonger will fail to issue host certificate Fix: Realm-Domain mapping is properly configured when client is outside of the IPA domain Result: certmonger correctly issues the host certificate
Clone Of:
Environment:
Last Closed:	2011-12-06 18:43:20 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1533	0	normal	SHIPPED_LIVE	Moderate: ipa security and bug fix update	2011-12-06 01:23:31 UTC

Description Lars Sjöström 2011-10-19 20:08:13 UTC

Description of problem:
Certmonger will fail to issue host certificate when IPA client is outside of the IPA domain.

Version-Release number of selected component (if applicable):
IPA Server RHEL 6.2beta
ipa-server-2.1.1-4.el6.x86_64

IPA Client RHEL 6.1:
ipa-client-2.0.0-23.el6.x86_64

How reproducible:
Setup a IPA client outside the IPA domain. i.e:
IPA server (ix.example.com)
IPA Client (test.example.com)

Steps to Reproduce:
1. add "search ix.example.com" to clients resolv.conf.

2. # ipa-client-install
ipa-client-install will fail to find SRV records for test.example.com
and continue to look for search/domain in resolv.conf and prompt you to confirm
the findings. installation will successfully finish without errors.

3. # ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20111019195147':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for local "host" service using default keytab.
stuck: yes
...

Actual results:
host certificate will not be issued, but host will successfully be authenticated to the kerberos realm.

klist -kt /etc/krb5.keytab will show you the host tickets.

Expected results:

Host certificate should successfully be issued.

Additional info:

Workaround:

Manually mapping the IPA client domain to IPA domain in /etc/krb5.conf and restart of certmonger will solve the issue.

add this to krb5.conf under [domain_realm]
---
.test.example.com = IX.EXAMPLE.COM
test.example.com = IX.EXAMPLE.COM
----

ipa-client-install should be able to add this mapping by default.

Comment 2 RHEL Program Management 2011-10-19 20:28:38 UTC

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 3 Dmitri Pal 2011-10-19 20:50:09 UTC

This use case is not supported via configuration tools right now but we will evaluate what we can do for the next release.

Comment 4 Dmitri Pal 2011-10-19 20:51:53 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2006

Comment 5 Martin Kosek 2011-10-21 12:56:39 UTC

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/bb6e720393d9060bfcc0161853b94b0d5f15a2d5
ipa-2-1: https://fedorahosted.org/freeipa/changeset/a2d0ca279441c669ee0dbd6469c546c371a5c925

Comment 9 Jenny Severance 2011-10-26 15:30:45 UTC

Please add steps to verify/reproduce what was fixed?  Is this deployment with or without integrated DNS ?

Comment 10 Rob Crittenden 2011-10-26 15:42:29 UTC

This isn't dependent on the integrated DNS.

Prior to the fix you'd see this if the client is in a different sub-domain than than the IPA server.

With the fix additional mappings should be added to /etc/krb5.conf from the client subdomain to the IPA realm.

Comment 11 Martin Kosek 2011-10-31 16:00:58 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Realm-Domain mapping is not specified in client Kerberos configuration when client is outside of the IPA domain
Consequence: certmonger will fail to issue host certificate
Fix: Realm-Domain mapping is properly configured when client is outside of the IPA domain
Result: certmonger correctly issues the host certificate

Comment 12 Gowrishankar Rajaiyan 2011-11-07 06:21:19 UTC

Server: ipa-server.rhts.eng.bos.redhat.com

Client: 
[root@sideswipe ~]# hostname 
sideswipe.lab.eng.pnq.redhat.com
[root@sideswipe ~]#

1. ipa-client-install with all the required server details. 
2. client installation was successful. 

[root@sideswipe ~]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20111107061016':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - sideswipe.lab.eng.pnq.redhat.com',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - sideswipe.lab.eng.pnq.redhat.com',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=RHTS.ENG.BOS.REDHAT.COM
	subject: CN=sideswipe.lab.eng.pnq.redhat.com,O=RHTS.ENG.BOS.REDHAT.COM
	expires: 2013-11-07 06:10:21 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	track: yes
	auto-renew: yes
[root@sideswipe ~]# 



[root@sideswipe ~]# 
[root@sideswipe ~]# cat /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
  default_realm = RHTS.ENG.BOS.REDHAT.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  RHTS.ENG.BOS.REDHAT.COM = {
    kdc = hp-dl580g5-01.rhts.eng.bos.redhat.com:88
    admin_server = hp-dl580g5-01.rhts.eng.bos.redhat.com:749
    default_domain = rhts.eng.bos.redhat.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .rhts.eng.bos.redhat.com = RHTS.ENG.BOS.REDHAT.COM
  rhts.eng.bos.redhat.com = RHTS.ENG.BOS.REDHAT.COM
  .lab.eng.pnq.redhat.com = RHTS.ENG.BOS.REDHAT.COM
  lab.eng.pnq.redhat.com = RHTS.ENG.BOS.REDHAT.COM

[root@sideswipe ~]# 


[root@sideswipe ~]# kinit admin
Password for admin.BOS.REDHAT.COM: 
[root@sideswipe ~]# ipa user-add shanks
First name: shanks
Last name: r
-------------------
Added user "shanks"
-------------------
  User login: shanks
  First name: shanks
  Last name: r
  Full name: shanks r
  Display name: shanks r
  Initials: sr
  Home directory: /home/shanks
  GECOS field: shanks r
  Login shell: /bin/sh
  Kerberos principal: shanks.BOS.REDHAT.COM
  UID: 1478000003
  GID: 1478000003
  Keytab: False
  Password: False
[root@sideswipe ~]# ipa passwd shanks
New Password: 
Enter New Password again to verify: 
-----------------------------------------------------
Changed password for "shanks.BOS.REDHAT.COM"
-----------------------------------------------------
[root@sideswipe ~]# kinit shanks
Password for shanks.BOS.REDHAT.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@sideswipe ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: shanks.BOS.REDHAT.COM

Valid starting     Expires            Service principal
11/07/11 11:46:01  11/08/11 11:46:00  krbtgt/RHTS.ENG.BOS.REDHAT.COM.BOS.REDHAT.COM
[root@sideswipe ~]#


root@hp-dl580g5-01 ~]# rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Tue 01 Nov 2011 05:51:27 PM EDT
Install Date: Mon 07 Nov 2011 12:21:33 AM EST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server


[root@sideswipe ~]# rpm -qi ipa-client
Name        : ipa-client                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 04:36:12 PM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 227611                           License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : IPA authentication for use on clients

Comment 13 errata-xmlrpc 2011-12-06 18:43:20 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

Note You need to log in before you can comment on or make changes to this bug.