Bug 748110 - At times setting password fails with "Confidentiality required: Operation requires a secure connection." error.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Duplicates: 769545 (view as bug list)
Depends On:
Blocks: 756082
Reported: 2011-10-22 01:40 UTC by Gowrishankar Rajaiyan
Modified: 2018-11-30 20:07 UTC (History)

Fixed In Version: ipa-2.2.0-1.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2012-06-20 13:15:43 UTC
Target Upstream Version:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0819 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2012-06-19 20:34:17 UTC

Description Gowrishankar Rajaiyan 2011-10-22 01:40:01 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.1.3-2.el6.x86_64

How reproducible:
Not always

Steps to Reproduce:
1. Install ipa-server with DNS.
2. Use the following script to create DNS records, hosts, hostgroups and HBAC rules:
#!/bin/bash
# Bulk-populate the IPA server: for each j.i pair create a user, an A record,
# a host, a hostgroup containing that host, and an HBAC rule tying them together.

for j in {1..7}; do
	for i in {2..253}; do

		ipa user-add user$j$i --first=u --last=$j$i
		ipa dnsrecord-add lab.eng.pnq.redhat.com host$j$i --a-rec=1.1.$j.$i
		ipa host-add host$j$i.lab.eng.pnq.redhat.com
		ipa hostgroup-add hostgrp$j$i --desc="hostgrp$j$i"
		ipa hostgroup-add-member hostgrp$j$i --hosts=host$j$i.lab.eng.pnq.redhat.com
		ipa hbacrule-add hbacrulehost$j$i
		ipa hbacrule-add-user hbacrulehost$j$i --users=user$j$i
		ipa hbacrule-add-service hbacrulehost$j$i --hbacsvcs=sshd
		ipa hbacrule-add-sourcehost hbacrulehost$j$i --hostgroups=hostgrp$j$i
		ipa hbacrule-add-host hbacrulehost$j$i --hostgroups=hostgrp$j$i

	done
done

3. [root@bumblebee ~]# date
Fri Oct 21 18:49:34 EDT 2011
[root@bumblebee ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
10/21/11 18:46:16  10/22/11 18:46:14  krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM
10/21/11 18:46:28  10/22/11 18:46:14  HTTP/bumblebee.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
[root@bumblebee ~]# 

4. [root@bumblebee ~]# ipa user-add shanks
First name: s
Last name: r
-------------------
Added user "shanks"
-------------------
  User login: shanks
  First name: s
  Last name: r
  Full name: s r
  Display name: s r
  Initials: sr
  Home directory: /home/shanks
  GECOS field: s r
  Login shell: /bin/sh
  Kerberos principal: shanks.PNQ.REDHAT.COM
  UID: 2601283
  GID: 2601283
  Keytab: False
  Password: False
[root@bumblebee ~]# 

5. ipa  passwd shanks
New Password: Shanks1
Enter New Password again to verify: Shanks1
  
Actual results:
ipa: ERROR: Confidentiality required: Operation requires a secure connection.

Expected results:
password set successfully 

Additional info:

[root@bumblebee ~]# ipa -d  passwd shanks
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.9

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: INFO: trying https://bumblebee.lab.eng.pnq.redhat.com/ipa/xml
ipa: DEBUG: Created connection context.xmlclient
New Password: 
Enter New Password again to verify: 
ipa: DEBUG: raw: passwd(u'shanks', u'********', u'********')
ipa: DEBUG: passwd(u'shanks.PNQ.REDHAT.COM', u'********', u'********')
ipa: INFO: Forwarding 'passwd' to server u'https://bumblebee.lab.eng.pnq.redhat.com/ipa/xml'
ipa: DEBUG: NSSConnection init bumblebee.lab.eng.pnq.redhat.com
ipa: DEBUG: connect_socket_family: host=bumblebee.lab.eng.pnq.redhat.com port=443 family=PR_AF_INET
ipa: DEBUG: connecting: 10.65.201.64:443
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM
        Validity:
            Not Before: Thu Oct 20 14:33:01 2011 UTC
            Not After : Sun Oct 20 14:33:01 2013 UTC
        Subject: CN=bumblebee.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:
                    Modulus:
                        c1:f4:ac:9a:15:1e:c2:c2:df:f3:07:1e:aa:c4:a1:b7:
                        36:91:a7:da:da:b6:15:07:3a:b1:a7:fe:ac:fb:fd:7a:
                        55:74:50:4c:45:66:06:6a:87:b4:aa:b4:8f:63:17:77:
                        de:e3:43:f6:6b:24:dd:29:38:b3:17:5d:e5:2e:ae:e8:
                        da:ae:52:6b:8c:4b:94:27:44:d3:b4:25:68:f2:a6:a9:
                        de:35:f8:3a:b2:55:ce:0d:cb:d8:92:d4:af:ad:a4:76:
                        a3:4c:2f:41:7c:b9:8d:f9:d3:38:12:05:38:2d:13:2e:
                        3f:2b:f9:bf:fd:91:c2:67:6b:76:92:1f:d5:b4:21:1f:
                        d5:a8:bd:86:ef:eb:cd:3b:cf:07:17:fe:0c:dd:73:3f:
                        74:59:84:89:b2:30:89:7a:1a:34:11:b7:31:63:cf:0f:
                        c3:e6:ae:6a:ca:9b:4c:35:28:64:a1:4c:76:60:fc:79:
                        99:80:64:b1:fd:55:06:99:b5:1c:6c:3c:ba:6a:bc:c1:
                        73:1f:81:c5:60:7a:8f:a9:b0:e7:b8:7c:fe:3c:b3:4b:
                        46:55:6f:73:82:85:87:0a:41:b6:59:75:50:42:ad:95:
                        d1:3f:ca:bd:2a:54:bd:4e:e1:23:89:98:40:d2:b4:60:
                        99:51:71:99:ef:32:c5:b9:b9:f1:19:6c:6f:ca:d8:7b
                    Exponent: 65537 (0x10001)
    Signed Extensions: (4)
        Name: Certificate Authority Key Identifier
        Critical: False
        Key ID:
            f2:43:f4:33:75:4a:6c:d2:75:b2:91:0f:70:5a:31:59:
            23:09:22:96
        Serial Number: None
        General Names: [0 total]

        Name: Authority Information Access
        Critical: False

        Name: Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment

        Name: Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate

    Fingerprint (MD5):
        8d:b5:13:b8:0a:b9:c3:f9:a0:1c:b0:81:39:1f:0d:10
    Fingerprint (SHA1):
        e8:91:1c:b6:f9:31:42:b4:08:5c:73:45:30:97:37:8d:
        bf:cf:b3:5a
    Signature:
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Signature Data:
            65:d1:25:b6:e7:77:29:5d:2b:b5:76:b2:3f:85:18:3e:
            70:5d:f3:3e:dc:57:d7:8c:ca:97:f9:43:6d:0c:c7:bf:
            78:58:e6:47:9f:59:dd:45:7f:ab:c2:78:1d:42:91:a9:
            85:6d:e1:08:e0:61:d6:ee:66:90:00:2c:aa:56:98:b2:
            c6:c9:2c:87:22:61:d5:48:df:e8:df:d8:e5:44:17:2e:
            03:0f:06:64:15:fa:2c:62:20:02:bb:06:3a:f3:d4:a0:
            57:70:f2:32:fa:da:a8:06:75:35:7a:74:56:e4:3b:10:
            1b:93:5f:72:a3:75:2d:f9:a2:fd:8a:97:13:34:76:9b:
            dd:0f:81:62:db:8c:cb:ec:f2:07:90:50:3f:f1:17:cc:
            f5:8e:54:a3:78:31:f5:10:de:0a:0f:43:33:bd:83:a6:
            fd:7a:1d:9a:f9:b4:39:00:59:d1:63:83:df:83:79:c5:
            d4:4e:12:dc:09:d2:c6:07:cd:9c:a3:80:b0:fe:0d:37:
            3f:23:ad:6c:b3:5e:b1:d2:bf:a3:83:3c:8c:d3:32:2c:
            09:7b:52:26:7e:ee:31:4c:c9:f6:ac:1d:1b:40:5f:59:
            0f:85:d1:30:b5:bf:4c:90:56:68:f4:ea:4f:f4:97:aa:
            d5:d0:67:8b:3f:69:e6:b0:58:f8:af:22:4c:2d:35:ea
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=bumblebee.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM"
ipa: DEBUG: handshake complete, peer = 10.65.201.64:443
ipa: DEBUG: Caught fault 4203 from server https://bumblebee.lab.eng.pnq.redhat.com/ipa/xml: Confidentiality required: Operation requires a secure connection.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Confidentiality required: Operation requires a secure connection.

Comment 2 Dmitri Pal 2011-10-22 23:15:47 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2021

Comment 3 Dmitri Pal 2011-10-24 15:27:10 UTC
Can you please provide dirsrv logs to see what is going on?

Comment 5 Nathan Kinder 2011-10-24 18:08:56 UTC
The problem is that the openldap libs on the system have the SASL maxssf property configured to 0.  This makes the negotiated SSF 0.

# find . | xargs grep maxssf ./*
/etc/openldap/ldap.conf:sasl_secprops   minssf=0,maxssf=0

We should not be setting these secprops in /etc/openldap/ldap.conf.

Comment 6 Rob Crittenden 2011-10-25 12:51:59 UTC
I think we should probably set our own LDAP_OPT_X_SASL_SSF_MAX so we won't be affected by this bad configuration.
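
The root cause in Comment 5 (a system-wide sasl_secprops line with maxssf=0, which caps the negotiated SASL SSF at 0 so the directory server rejects the password change as unprotected) is easy to audit for. The following check is an added example, not code from the bug, FreeIPA or OpenLDAP; the two ldap.conf snippets are constructed samples, one mirroring the weak line quoted in Comment 5 and one showing a hardened setting.

```python
"""Audit sasl_secprops in an OpenLDAP client ldap.conf for settings that
force the negotiated SASL security strength factor (SSF) to 0.

Added example for bug 748110; not FreeIPA or OpenLDAP project code."""
import re

# Constructed sample, not the reporter's file. The sasl_secprops line is
# the one quoted in Comment 5: maxssf=0 caps SSF at 0, so a GSSAPI bind
# gets no integrity/confidentiality layer and the server refuses
# "confidentiality required" operations such as password changes.
WEAK_LDAP_CONF = """\
# /etc/openldap/ldap.conf (constructed sample)
URI ldap://ldap.example.test
BASE dc=example,dc=test
sasl_secprops   minssf=0,maxssf=0
"""

# Constructed hardened variant: demand at least 56-bit protection for
# SASL binds, refuse anonymous/plaintext mechanisms, leave no upper cap.
HARDENED_LDAP_CONF = """\
URI ldap://ldap.example.test
BASE dc=example,dc=test
sasl_secprops   minssf=56,noanonymous,noplain
"""


def parse_sasl_secprops(conf_text):
    """Return {prop: value} from the last sasl_secprops line (later lines win),
    or None if the keyword is absent. Numeric values become ints, bare flags
    such as 'noplain' map to True. The keyword is case-insensitive."""
    props = None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r'(?i)sasl_secprops\s+(\S+)', line)
        if not m:
            continue
        props = {}
        for item in m.group(1).split(','):
            if '=' in item:
                key, val = item.split('=', 1)
                props[key.lower()] = int(val) if val.isdigit() else val
            else:
                props[item.lower()] = True
    return props


def audit_sasl_secprops(conf_text):
    """Return a list of human-readable findings; empty means no SSF problem."""
    findings = []
    props = parse_sasl_secprops(conf_text)
    if props is None:
        return findings                       # no override: library defaults apply
    minssf = props.get('minssf', 0)
    maxssf = props.get('maxssf')
    if maxssf == 0:
        findings.append('maxssf=0 caps the negotiated SSF at 0: SASL (GSSAPI) '
                        'binds get no integrity or confidentiality layer')
    elif maxssf is not None and maxssf < minssf:
        findings.append('maxssf=%d is below minssf=%d: every SASL bind will fail'
                        % (maxssf, minssf))
    if minssf == 0:
        findings.append('minssf=0 lets the client accept an unprotected SASL session')
    return findings


if __name__ == '__main__':
    for label, text in (('weak', WEAK_LDAP_CONF), ('hardened', HARDENED_LDAP_CONF)):
        print(label, parse_sasl_secprops(text))
        for f in audit_sasl_secprops(text):
            print('  FINDING:', f)
```

Run against a real file with `audit_sasl_secprops(open('/etc/openldap/ldap.conf').read())`. The check only catches the system-wide file; as Comment 6 notes, an application that needs a protected bind should not rely on that file at all but set its own floor on the connection (`LDAP_OPT_X_SASL_SSF_MIN`/`LDAP_OPT_X_SASL_SSF_MAX` in the C API, exposed by python-ldap as `ldap.OPT_X_SASL_SSF_MIN` and `ldap.OPT_X_SASL_SSF_MAX`), so a stray `maxssf=0` elsewhere on the host cannot silently downgrade it.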

Comment 7 Rob Crittenden 2012-02-06 17:12:06 UTC
Fixed upstream.

master: e6cdcad8df8712a5f452a74a3f3186146ef1e04b

ipa-2-2: e1b20be71d00e55cf2a3188222e6d76741602599

See the upstream trac ticket for a suggestion on testing.

Comment 9 Jenny Severance 2012-04-02 14:18:09 UTC
Verified:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bug748110: At times setting password fails with Confidentiality required: Operation requires a secure connection. errro
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Verifies https://bugzilla.redhat.com/show_bug.cgi?id=748110
:: [   PASS   ] :: Backup /etc/openldap/ldap.conf
:: [   PASS   ] :: Running 'service httpd restart'
:: [   PASS   ] :: Running 'tcpdump -i lo -w /tmp/snoop &'
:: [   PASS   ] :: Running 'ipa user-show admin'
:: [   PASS   ] :: Running 'tcpdump -i lo -r /tmp/snoop -s 8192 -X > /tmp/bug748110-tcpdump.txt 2>&1'
:: [   PASS   ] :: File '/tmp/bug748110-tcpdump.txt' should not contain 'cn=users'
:: [   PASS   ] :: File '/tmp/bug748110-tcpdump.txt' should not contain 'cn=accounts'
:: [   PASS   ] :: Restoring /etc/openldap/ldap.conf
:: [   PASS   ] :: Running 'service httpd restart'
:: [   LOG    ] :: Duration: 6s
:: [   LOG    ] :: Assertions: 9 good, 0 bad
:: [   PASS   ] :: RESULT: bug748110: At times setting password fails with Confidentiality required: Operation requires a secure connection. errro

Version:
ipa-server-2.2.0-7.el6.x86_64

Comment 11 Martin Kosek 2012-04-18 20:52:43 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
No documentation needed.

Comment 12 Rob Crittenden 2012-05-08 17:13:23 UTC
*** Bug 769545 has been marked as a duplicate of this bug. ***

Comment 14 errata-xmlrpc 2012-06-20 13:15:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html