Red Hat Bugzilla – Bug 817869
Clean keytabs before installing new keys into them
Last modified: 2013-06-20 13:19:52 EDT
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/2698

In ipa-client-install and perhaps the server/replica installation we should consider running ipa-rmkeytab -k <keytab> -r $REALM to be sure that there aren't any remnants from a previous install of IPA or another KDC altogether.
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/3e3ac0ebabb5db25f9179b16ca8b4967e98a82a6

ipa-client-install now removes any keys that belong to the same realm.
Please add steps to verify that keys are removed.
klist -kt /etc/krb5.keytab
Should contain only current keys for the realm.
To test this, you can:
1) Copy /etc/krb5.keytab from master to client (it contains key for principal host/$MASTER_HOSTNAME@$REALM)
2) Run ipa-client-install (realm is $REALM)
3) When the install is complete, "klist -kt /etc/krb5.keytab" should contain only keys for principal host/$CLIENT_HOSTNAME@$REALM
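As an added example (not code from FreeIPA or from this bug's tests), the shell check below implements step 3 over a saved "klist -kt" listing: it flags any key of the joined realm that is not the client's own host principal and ignores keys of other realms, which the fix also leaves in place. The two listings embedded in it are constructed, modelled on the before/after output in this bug.

```shell
# Added example: verify that /etc/krb5.keytab holds no keys of the joined
# realm other than the client's own host principal. Not FreeIPA's code.
#
# check_keytab_realm LISTING REALM FQDN
#   LISTING is a file with the output of "klist -kt /etc/krb5.keytab".
#   Returns 0 when every key for REALM is host/FQDN@REALM; otherwise prints
#   the leftover principals and returns 1. Keys of other realms are ignored.
check_keytab_realm() {
    local listing="$1" realm="$2" fqdn="$3"
    local want="host/${fqdn}@${realm}" stale
    # Key rows start with a numeric KVNO; the timestamp takes two fields, so
    # the principal is field 4. The realm suffix is compared literally.
    stale=$(awk -v realm="$realm" -v want="$want" '
        $1 ~ /^[0-9]+$/ &&
        substr($4, length($4) - length(realm)) == "@" realm &&
        $4 != want { print $4 }' "$listing" | sort -u)
    if [ -n "$stale" ]; then
        printf 'keys left for realm %s:\n%s\n' "$realm" "$stale"
        return 1
    fi
    return 0
}

# Constructed listings standing in for the "before" and "after" klist output.
BEFORE_LISTING=$(mktemp)
AFTER_LISTING=$(mktemp)
cat > "$BEFORE_LISTING" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 11/27/12 03:48:21 host/rhel64master.testrelm.com@TESTRELM.COM
   2 11/27/12 03:48:21 host/rhel64master.testrelm.com@TESTRELM.COM
   5 10/01/12 09:12:00 host/rhel64client1.testrelm.com@OLD.EXAMPLE
EOF
cat > "$AFTER_LISTING" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 11/27/12 04:50:09 host/rhel64client1.testrelm.com@TESTRELM.COM
   1 11/27/12 04:50:09 host/rhel64client1.testrelm.com@TESTRELM.COM
   5 10/01/12 09:12:00 host/rhel64client1.testrelm.com@OLD.EXAMPLE
EOF

# The copied master keytab is reported; the post-install keytab passes.
check_keytab_realm "$BEFORE_LISTING" TESTRELM.COM rhel64client1.testrelm.com \
    || echo "before: stale keys present, as the bug describes"
check_keytab_realm "$AFTER_LISTING" TESTRELM.COM rhel64client1.testrelm.com \
    && echo "after: only the client's own keys remain for TESTRELM.COM"
```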
Verified.

ipa-client version:
===================
[root@rhel64client1 ~]# rpm -q ipa-client
ipa-client-3.0.0-8.el6.x86_64
[root@rhel64client1 ~]#

Steps used to verify:
====================
(1) Copied MASTER's keytab which contains master's keys only
[root@rhel64client1 ~]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 11/27/12 03:48:21 host/rhel64master.testrelm.com@TESTRELM.COM
   2 11/27/12 03:48:21 host/rhel64master.testrelm.com@TESTRELM.COM
   2 11/27/12 03:48:21 host/rhel64master.testrelm.com@TESTRELM.COM
   2 11/27/12 03:48:21 host/rhel64master.testrelm.com@TESTRELM.COM
[root@rhel64client1 ~]#

(2) Performed ipa-client-install
[root@rhel64client1 ~]# ipa-client-install -p admin -w Secret123 --server=rhel64master.testrelm.com --domain=testrelm.com -U
Hostname: rhel64client1.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: rhel64master.testrelm.com
BaseDN: dc=testrelm,dc=com

Removed old keys for realm TESTRELM.COM from /etc/krb5.keytab
Synchronizing time with KDC...
Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
trying https://rhel64master.testrelm.com/ipa/xml
Hostname (rhel64client1.testrelm.com) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'http://rhel64master.testrelm.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@rhel64client1 ~]#

The following message was shown during installation:
"Removed old keys for realm TESTRELM.COM from /etc/krb5.keytab"

(3) Checked content of keytab file after ipa-client-install
[root@rhel64client1 ~]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 11/27/12 04:50:09 host/rhel64client1.testrelm.com@TESTRELM.COM
   1 11/27/12 04:50:09 host/rhel64client1.testrelm.com@TESTRELM.COM
   1 11/27/12 04:50:08 host/rhel64client1.testrelm.com@TESTRELM.COM
   1 11/27/12 04:50:09 host/rhel64client1.testrelm.com@TESTRELM.COM
[root@rhel64client1 ~]#

Keytab file does not contain keys other than the client's.
verified with +############################################################################################### +# Bug 817869 - Clean keytabs before installing new keys into them +############################################################################################### +ipaclientinstall_dirty_keytab() +{ + rlPhaseStartTest "ipa-client-install-02- " + uninstall_fornexttest + #rlLog "EXECUTING: ipa-client-install --domain=$DOMAIN --realm=$RELM --ntp-server=$NTPSERVER -p $ADMINID -w $ADMINPW --unattended --server=$MASTER" + #rlRun "ipa-client-install --domain=$DOMAIN --realm=$RELM --ntp-server=$NTPSERVER -p $ADMINID -w $ADMINPW --unattended --server=$MASTER" 0 "Installing ipa client and configuring - with all params" + rlLog "EXECUTING: ipa-client-install --domain=$DOMAIN --realm=$RELM -p $ADMINID -w $ADMINPW --unattended --server=$MASTER" + rlRun "ipa-client-install --domain=$DOMAIN --realm=$RELM -p $ADMINID -w $ADMINPW --unattended --server=$MASTER" 0 "Installing ipa client and configuring - with all params" + verify_install true + # Backup keytab + bkup="/dev/shm/ipa-client-backup-keytab" + ktab="/etc/krb5.keytab" + rm -f $bkup + cp -a $ktab $bkup + command="ipa-client-install --uninstall -U" + rlRun "$command" 0 "Uninstalling ipa client - after a force install" + if [ ! -f $ktab ]; then + cp -a $kbup $ktab + fi + klist -kt /etc/krb5.keytab + rlRun "ipa-client-install --domain=$DOMAIN --realm=$RELM -p $ADMINID -w $ADMINPW --unattended --server=$MASTER" 0 "Installing ipa client and configuring - with all params" + verify_install true + + klist -kt /etc/krb5.keytab + diff $bkup $ktab + + rlPhaseEnd +} +
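Review bot: the restore branch in ipaclientinstall_dirty_keytab reads `cp -a $kbup $ktab`, but the backup variable is named `bkup`, so `$kbup` is empty, the command expands to `cp -a /etc/krb5.keytab` and fails, and the second install never sees a dirty keytab; it should be `cp -a $bkup $ktab`. The two `klist -kt /etc/krb5.keytab` calls and the closing `diff $bkup $ktab` also run outside rlRun/rlAssert, so their results only land in the log and the phase cannot fail when the old keys survive; since a reinstall always writes new client keys, a whole-file diff would differ anyway, so assert on the listing instead, e.g. wrap a `klist -kt $ktab | grep` for the old principal in rlRun with an expected non-zero status.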
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html