Description of problem:
Certmonger will fail to issue the host certificate when the IPA client is outside of the IPA domain.

Version-Release number of selected component (if applicable):
IPA Server RHEL 6.2beta: ipa-server-2.1.1-4.el6.x86_64
IPA Client RHEL 6.1: ipa-client-2.0.0-23.el6.x86_64

How reproducible:
Set up an IPA client outside the IPA domain, i.e.:
IPA server (ix.example.com)
IPA client (test.example.com)

Steps to Reproduce:
1. Add "search ix.example.com" to the client's resolv.conf.
2. # ipa-client-install
   ipa-client-install will fail to find SRV records for test.example.com, continue to look for search/domain in resolv.conf and prompt you to confirm the findings. Installation will successfully finish without errors.
3. # ipa-getcert list
   Number of certificates and requests being tracked: 1.
   Request ID '20111019195147':
           status: CA_UNCONFIGURED
           ca-error: Error setting up ccache for local "host" service using default keytab.
           stuck: yes
   ...

Actual results:
The host certificate will not be issued, but the host will successfully be authenticated to the Kerberos realm. klist -kt /etc/krb5.keytab will show you the host tickets.

Expected results:
The host certificate should successfully be issued.

Additional info:
Workaround: Manually mapping the IPA client domain to the IPA domain in /etc/krb5.conf and restarting certmonger will solve the issue.
Add this to krb5.conf under [domain_realm]:
---
.test.example.com = IX.EXAMPLE.COM
test.example.com = IX.EXAMPLE.COM
----
ipa-client-install should be able to add this mapping by default.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.
This use case is not supported via configuration tools right now but we will evaluate what we can do for the next release.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2006
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/bb6e720393d9060bfcc0161853b94b0d5f15a2d5
ipa-2-1: https://fedorahosted.org/freeipa/changeset/a2d0ca279441c669ee0dbd6469c546c371a5c925
Please add steps to verify/reproduce what was fixed. Is this deployment with or without integrated DNS?
This isn't dependent on the integrated DNS. Prior to the fix you'd see this if the client is in a different sub-domain than the IPA server. With the fix additional mappings should be added to /etc/krb5.conf from the client subdomain to the IPA realm.
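As an added illustration (not code from FreeIPA or ipa-client-install), the following Python script models the check behind the workaround in the description and the fix described in this comment: it reads the [domain_realm] section of a krb5.conf, resolves a client hostname to a realm the way that section is consulted (simplified model: an exact host entry first, then the most specific leading-dot parent-domain entry), reports the two mapping lines a client domain outside the IPA domain is missing, and appends them. The sample krb5.conf, the hostnames and the "probe-host" label are constructed for the example.

```python
"""Check and repair the [domain_realm] mapping for an IPA client outside the IPA domain.

Added example, not FreeIPA code. Models the situation from the bug: the client
host test.example.com is enrolled into the realm IX.EXAMPLE.COM, but krb5.conf
only maps the IPA server's own domain to the realm.
"""
import re

# Constructed sample: a client-side krb5.conf as written before the fix.
SAMPLE_KRB5_CONF = """\
#File modified by ipa-client-install

[libdefaults]
  default_realm = IX.EXAMPLE.COM
  dns_lookup_realm = false

[realms]
  IX.EXAMPLE.COM = {
    kdc = ipa.ix.example.com:88
  }

[domain_realm]
  .ix.example.com = IX.EXAMPLE.COM
  ix.example.com = IX.EXAMPLE.COM
"""


def parse_domain_realm(conf_text):
    """Return {domain-or-host: REALM} from the [domain_realm] section.

    Minimal krb5.conf reader: it only understands flat "key = value" lines
    inside [domain_realm]; other sections and '#' comments are ignored.
    """
    mapping = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([A-Za-z_]+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def lookup_realm(hostname, mapping):
    """Simplified model of the [domain_realm] lookup: an exact entry for the
    hostname wins, otherwise the most specific '.parent.domain' entry that is
    a suffix of the hostname. None means no mapping, which is what leaves the
    host principal without a realm in the bug."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def required_domain_realm_entries(client_domain, realm, conf_text):
    """Return the [domain_realm] lines needed so that hosts in client_domain
    and the bare domain name itself map to realm; [] if already covered."""
    mapping = parse_domain_realm(conf_text)
    domain = client_domain.lower().rstrip(".")
    needed = []
    # "probe-host" is a constructed label standing in for any host in the domain.
    if lookup_realm("probe-host." + domain, mapping) != realm:
        needed.append(".%s = %s" % (domain, realm))
    if lookup_realm(domain, mapping) != realm:
        needed.append("%s = %s" % (domain, realm))
    return needed


def add_domain_realm_entries(conf_text, entries):
    """Return conf_text with entries appended to the end of [domain_realm]
    (the section is created if absent), as in the workaround from the report."""
    if not entries:
        return conf_text
    lines = conf_text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == "[domain_realm]")
    except StopIteration:
        lines += ["", "[domain_realm]"]
        start = len(lines) - 1
    end = start + 1
    while end < len(lines) and not lines[end].strip().startswith("["):
        end += 1
    # Keep the new entries together with the existing ones, before any blank lines.
    while end > start + 1 and not lines[end - 1].strip():
        end -= 1
    lines[end:end] = ["  " + e for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    needed = required_domain_realm_entries("test.example.com", "IX.EXAMPLE.COM", SAMPLE_KRB5_CONF)
    print("missing [domain_realm] entries:", needed)
    print(add_domain_realm_entries(SAMPLE_KRB5_CONF, needed))
```

Run against a real /etc/krb5.conf, the same check tells you whether a client in another sub-domain would hit the CA_UNCONFIGURED state from the report before certmonger does.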
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Realm-Domain mapping is not specified in client Kerberos configuration when client is outside of the IPA domain
Consequence: certmonger will fail to issue host certificate
Fix: Realm-Domain mapping is properly configured when client is outside of the IPA domain
Result: certmonger correctly issues the host certificate
Server: ipa-server.rhts.eng.bos.redhat.com

Client:
[root@sideswipe ~]# hostname
sideswipe.lab.eng.pnq.redhat.com
[root@sideswipe ~]#

1. ipa-client-install with all the required server details.
2. Client installation was successful.

[root@sideswipe ~]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20111107061016':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - sideswipe.lab.eng.pnq.redhat.com',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - sideswipe.lab.eng.pnq.redhat.com',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=RHTS.ENG.BOS.REDHAT.COM
        subject: CN=sideswipe.lab.eng.pnq.redhat.com,O=RHTS.ENG.BOS.REDHAT.COM
        expires: 2013-11-07 06:10:21 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        track: yes
        auto-renew: yes
[root@sideswipe ~]#

[root@sideswipe ~]# cat /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
  default_realm = RHTS.ENG.BOS.REDHAT.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  RHTS.ENG.BOS.REDHAT.COM = {
    kdc = hp-dl580g5-01.rhts.eng.bos.redhat.com:88
    admin_server = hp-dl580g5-01.rhts.eng.bos.redhat.com:749
    default_domain = rhts.eng.bos.redhat.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .rhts.eng.bos.redhat.com = RHTS.ENG.BOS.REDHAT.COM
  rhts.eng.bos.redhat.com = RHTS.ENG.BOS.REDHAT.COM
  .lab.eng.pnq.redhat.com = RHTS.ENG.BOS.REDHAT.COM
  lab.eng.pnq.redhat.com = RHTS.ENG.BOS.REDHAT.COM
[root@sideswipe ~]#

[root@sideswipe ~]# kinit admin
Password for admin@RHTS.ENG.BOS.REDHAT.COM:
[root@sideswipe ~]# ipa user-add shanks
First name: shanks
Last name: r
-------------------
Added user "shanks"
-------------------
  User login: shanks
  First name: shanks
  Last name: r
  Full name: shanks r
  Display name: shanks r
  Initials: sr
  Home directory: /home/shanks
  GECOS field: shanks r
  Login shell: /bin/sh
  Kerberos principal: shanks@RHTS.ENG.BOS.REDHAT.COM
  UID: 1478000003
  GID: 1478000003
  Keytab: False
  Password: False
[root@sideswipe ~]# ipa passwd shanks
New Password:
Enter New Password again to verify:
-----------------------------------------------------
Changed password for "shanks@RHTS.ENG.BOS.REDHAT.COM"
-----------------------------------------------------
[root@sideswipe ~]# kinit shanks
Password for shanks@RHTS.ENG.BOS.REDHAT.COM:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@sideswipe ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: shanks@RHTS.ENG.BOS.REDHAT.COM

Valid starting     Expires            Service principal
11/07/11 11:46:01  11/08/11 11:46:00  krbtgt/RHTS.ENG.BOS.REDHAT.COM@RHTS.ENG.BOS.REDHAT.COM
[root@sideswipe ~]#

[root@hp-dl580g5-01 ~]# rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Tue 01 Nov 2011 05:51:27 PM EDT
Install Date: Mon 07 Nov 2011 12:21:33 AM EST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

[root@sideswipe ~]# rpm -qi ipa-client
Name        : ipa-client                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 04:36:12 PM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 227611                           License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : IPA authentication for use on clients
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html