Bug 904720 - ipa-adtrust-install fails unexpectedly
Summary: ipa-adtrust-install fails unexpectedly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 18
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-01-27 09:49 UTC by Marco
Modified: 2013-04-11 10:05 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-04-11 10:05:32 UTC
Type: Bug
Embargoed:



Description Marco 2013-01-27 09:49:21 UTC
-> Description of problem:
ipa-adtrust-install fails unexpectedly

-> Version-Release number of selected component (if applicable):
Fedora 18
system packages were updated with yum 26.01.13

# rpm -qa | grep freeipa
freeipa-server-trust-ad-3.1.0-2.fc18.x86_64
freeipa-python-3.1.0-2.fc18.x86_64
freeipa-server-selinux-3.1.0-2.fc18.x86_64
freeipa-admintools-3.1.0-2.fc18.x86_64
freeipa-server-3.1.0-2.fc18.x86_64
freeipa-client-3.1.0-2.fc18.x86_64

-> How reproducible:
always, tried it multiple times in a vm

-> Steps to Reproduce:
1. Install a fresh Fedora 18 vm
2. # yum update -y
3. # echo "$IPADDRESS$    ipa-server.matrix.local ipa-server" >> /etc/hosts
4. # reboot
5. # yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap
6. # ipa-server-install -a mypassword1 -p mypassword2 --domain=matrix.local --realm=MATRIX.LOCAL
7. # kinit admin
8. # ipa-adtrust-install --netbios-name=MATRIX -a mypassword1
  
tried to follow the official wiki guide here:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain

-> Actual results:
"Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket"
However issuing a kdestroy and a subsequent kinit does not solve the problem.

-> Expected results:
Successful completion of the "ipa-adtrust-install", so I can continue creating an actual AD forest trust.

-> Additional info:
* The Kerberos ticket is valid during the issuing of the ipa-adtrust-install command:

[root@linux user]# kinit admin
Password for admin@MATRIX.LOCAL:
[root@linux user]# klist
Ticket cache: DIR::/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU
Default principal: admin@MATRIX.LOCAL

Valid starting     Expires            Service principal
01/19/13 12:19:06  01/20/13 12:19:02  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
[root@linux user]# id admin
uid=1396400000(admin) gid=1396400000(admins) groups=1396400000(admins)
[root@linux user]# getent passwd admin
admin:*:1396400000:1396400000:Administrator:/home/admin:/bin/bash
[root@linux user]# ipa-adtrust-install --netbios-name=MATRIX -a mypassword1
...
Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket

* ipaserver-install.log shows:
2013-01-19T17:19:56Z DEBUG Starting external process
2013-01-19T17:19:56Z DEBUG args=kinit admin
2013-01-19T17:19:57Z DEBUG Process finished, return code=0
2013-01-19T17:19:57Z DEBUG stdout=Password for admin@MATRIX.LOCAL:

2013-01-19T17:19:57Z DEBUG stderr=
2013-01-19T17:19:57Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 617, in
run_script
    return_value = main_function()

  File "/usr/sbin/ipa-adtrust-install", line 304, in main
    sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")

2013-01-19T17:19:57Z INFO The ipa-adtrust-install command failed, exception: SystemExit: Outdated Kerberos credentials.
Use kdestroy and kinit to update your ticket

* ldapsearch works fine (as long as I have a valid ticket):
snip_______________________________________
Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
[root@ipa-server user]# klist
Ticket cache: DIR::/run/user/1000/krb5cc_508afa59f766b611435821eb50fee5d0/tktALmOIY
Default principal: admin@MATRIX.LOCAL

Valid starting     Expires            Service principal
01/22/13 20:20:56  01/23/13 20:20:56  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
[root@ipa-server user]# ldapsearch -H ldap://ipa-server.matrix.local -Y GSSAPI -b \
>   'dc=matrix,dc=local' -s base
SASL/GSSAPI authentication started
SASL username: admin@MATRIX.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=matrix,dc=local> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# matrix.local
dn: dc=matrix,dc=local
objectClass: top
objectClass: domain
objectClass: pilotObject
objectClass: domainRelatedObject
objectClass: nisDomainObject
dc: matrix
info: IPA V2.0
nisDomain: matrix.local
associatedDomain: matrix.local

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
_______________________________________snip

Comment 1 Martin Kosek 2013-01-28 12:54:30 UTC
Hello Marco,

thanks for the report! I investigated the issue and found out that it is caused by the new Kerberos V5 DirCache support (credentials cache is stored in /run/user/$UID/...) - https://fedoraproject.org/wiki/Features/KRB5DirCache. The problem here is that when we try to use these credentials in ipa-adtrust-install to communicate with Directory Server, Kerberos API returns an unexpected CCACHE file path format and the installer then crashes with the error you described:

$ python
Python 2.7.3 (default, Aug  9 2012, 17:23:57) 
[GCC 4.7.1 20120720 (Red Hat 4.7.1-5)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import krbV
>>> from ipalib import api
...
>>> ctx = krbV.default_context()
>>> ccache.name
':/run/user/1020800000/krb5cc/tktGQ5hS5'
>>> api.Backend.ldap2.connect(ccache.name)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 839, in create_connection
    self.handle_errors(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 731, in handle_errors
    raise errors.ACIError(info=info)
ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown credential cache type)

Note the preceding ":" in the ccache.name we use in ipa-adtrust-install - it is the root cause of this issue as we did not expect this format in ipa-adtrust-install. It is definitely a bug in ipa-adtrust-install, I will create an upstream ticket to fix it.

In the meantime, Marco, can you please try the following workaround?

# export KRB5CCNAME=/tmp/krb5cc_$(id -u)
# kinit admin
# ipa-adtrust-install
...
# export KRB5CCNAME=

It will force krb5 libraries to use the old file based CCACHE and then return to standard format.
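The root cause and the workaround in comment 1 both come down to how libkrb5 resolves a credential cache name of the form TYPE:residual. The Python model below is an added example, not FreeIPA's code and not part of this bug thread: it does not call krbV or libkrb5, the list of cache types is a constructed subset, and the attribute names ccache.type and ccache.name mentioned in the comments are assumed from the krbV API. It shows why the bare residual ':/run/user/.../tktGQ5hS5' is rejected as an unknown type (the text before the first ':' is empty), why joining the type back on yields the 'DIR::/run/user/...' name that klist prints, and why the KRB5CCNAME=/tmp/krb5cc_$UID workaround parses as a plain FILE cache.

```python
# Added example (not FreeIPA's or krb5's code): model krb5's TYPE:residual
# credential cache naming to illustrate the ipa-adtrust-install failure
# in comment 1.  Pure Python; nothing here talks to a KDC or a ccache.

# Cache types known to this model (constructed subset of what krb5 ships).
KNOWN_CCACHE_TYPES = ("FILE", "DIR", "KEYRING", "MEMORY")
DEFAULT_CCACHE_TYPE = "FILE"   # krb5 default when a name has no TYPE: prefix


class UnknownCcacheType(ValueError):
    """Raised where libkrb5 would report 'Unknown credential cache type'."""


def parse_ccache_name(name):
    """Split a full ccache name into (type, residual), as krb5_cc_resolve does.

    A name without ':' is a plain FILE path.  Otherwise everything before the
    first ':' is the type and must be a known one, so a name that starts with
    ':' (an empty type) is exactly the error seen in the bug report.
    """
    if ":" not in name:
        return DEFAULT_CCACHE_TYPE, name
    cctype, residual = name.split(":", 1)
    if cctype.upper() not in KNOWN_CCACHE_TYPES:
        raise UnknownCcacheType("Unknown credential cache type: %r" % cctype)
    return cctype.upper(), residual


def full_ccache_name(cctype, residual):
    """Rebuild the full name from the two parts a krbV.CCache object exposes
    separately (assumed attribute names: ccache.type and ccache.name)."""
    return "%s:%s" % (cctype, residual)


def describe(name):
    """Classify a ccache name; for DIR caches a residual that starts with ':'
    names one subsidiary cache inside the collection directory."""
    cctype, residual = parse_ccache_name(name)
    if cctype == "DIR" and residual.startswith(":"):
        return "DIR subsidiary cache %s" % residual[1:]
    if cctype == "DIR":
        return "DIR collection %s" % residual
    return "%s cache %s" % (cctype, residual)


if __name__ == "__main__":
    # Constructed after the krbV session in comment 1.
    cc_type = "DIR"
    cc_residual = ":/run/user/1020800000/krb5cc/tktGQ5hS5"

    # What the installer handed to the LDAP layer: the residual alone.
    try:
        parse_ccache_name(cc_residual)
    except UnknownCcacheType as err:
        print("residual alone is rejected:", err)

    # The corrected form: type and residual joined back together.
    print(describe(full_ccache_name(cc_type, cc_residual)))

    # The workaround from comment 1: a FILE cache selected via KRB5CCNAME.
    print(describe("/tmp/krb5cc_0"))
```

Running the block prints the rejection for the bare residual, then "DIR subsidiary cache /run/user/1020800000/krb5cc/tktGQ5hS5" for the rebuilt name and "FILE cache /tmp/krb5cc_0" for the workaround path; the practical lesson for any code that forwards a ccache to another library is to pass the full TYPE:residual string rather than the residual on its own.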

Comment 2 Martin Kosek 2013-01-28 12:58:33 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3381

Comment 3 Marco 2013-01-29 20:55:12 UTC
(In reply to comment #1)
> In the meantime, Marco, can you please try the following workaround?
> 
> # export KRB5CCNAME=/tmp/krb5cc_$(id -u)
> # kinit admin
> # ipa-adtrust-install
> ...
> # export KRB5CCNAME=
> 
> It will force krb5 libraries to use the old file based CCACHE and then
> return to standard format.

Sure thing - have the vm still around.

This workaround does the trick for me. "ipa-adtrust-install" goes through without an error when you first change the KRB5CCNAME like you suggest.

Thanks, now I can do my testing.
Hope this will go upstream soon.

Best Regards,
Marco

Comment 5 Fedora Update System 2013-03-26 16:08:02 UTC
freeipa-3.1.3-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/freeipa-3.1.3-1.fc18

Comment 6 Fedora Update System 2013-03-27 00:47:12 UTC
Package freeipa-3.1.3-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.1.3-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4460/freeipa-3.1.3-1.fc18
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2013-03-29 01:34:10 UTC
Package freeipa-3.1.3-2.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.1.3-2.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4460/freeipa-3.1.3-2.fc18
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2013-04-03 04:46:07 UTC
Package freeipa-3.1.3-4.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.1.3-4.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4460/freeipa-3.1.3-4.fc18
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2013-04-11 10:05:34 UTC
freeipa-3.1.3-4.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

