Bug 970618 - [RFE] pac-type change must be effective immediately without kdc restart
Summary: [RFE] pac-type change must be effective immediately without kdc restart
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Duplicates: 970620
Depends On:
Blocks: 1168850
Reported: 2013-06-04 13:11 UTC by Dmitri Pal
Modified: 2015-09-23 14:44 UTC
CC List: 4 users

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Doc Text:
The following known issue description has been removed from the RHEL 7.0 Release Notes. The Identity Manager (IdM) Kerberos driver does not actively update default PAC types for Kerberos tickets issued by IdM Kerberos key distribution center (KDC). Consequently, if the default list of PAC types is changed in the IdM configuration, the IdM Kerberos KDC does not generate the configured PAC types for the issued tickets until the KDC is restarted. To change the default list, run the "ipa config-mod --pac-type <NEW-PAC-TYPES>" command. To work around this problem, restart the IdM Kerberos KDC service on all IdM servers. As a result, IdM Kerberos KDC generates the configured PAC types as set in the IdM server configuration.
Clone Of:
Environment:
Last Closed: 2015-03-05 10:09:24 UTC
Target Upstream Version:
Embargoed:


Attachments: none


Links
System: Red Hat Product Errata
ID: RHSA-2015:0442
Private: no
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: ipa security, bug fix, and enhancement update
Last Updated: 2015-03-05 14:50:39 UTC

Description Dmitri Pal 2013-06-04 13:11:45 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3626

A global change of the PAC type requires a KDC restart to take effect. Such a change must take effect immediately, without a KDC restart.
{{{
* When default pac-type is MS-PAC to start with

[root@gondola ~]# kinit admin
Password for admin: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:49:11  05/15/13 00:49:08  krbtgt/TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:49 /tmp/krb5cc_0

* Change PAC type to PAD

[root@gondola ~]# ipa config-mod --pac-type PAD
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: PAD

[root@gondola ~]# kinit admin
Password for admin:

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:51:47  05/15/13 00:51:44  krbtgt/TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:51 /tmp/krb5cc_0  # Size is same as when pac type was MS-PAC

* Restarted ipa

[root@gondola ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
ipa: INFO: The ipactl command was successful

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:53 /tmp/krb5cc_0

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:54:04  05/15/13 00:54:01  krbtgt/TESTRELM.COM
[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 707 May 14 00:54 /tmp/krb5cc_0 # Size is much less

* Changed back to MS-PAC

[root@gondola ~]# ipa config-mod --pac-type MS-PAC
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 707 May 14 00:55 /tmp/krb5cc_0  # no change in size

[root@gondola ~]# kvno host/gondola.testrelm.com
host/gondola.testrelm.com: kvno = 2

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1221 May 14 00:56 /tmp/krb5cc_0

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM
05/14/13 00:56:09  05/15/13 00:55:21  host/gondola.testrelm.com

* Restarted krb5kdc service

[root@gondola ~]# service krb5kdc restart
Redirecting to /bin/systemctl restart  krb5kdc.service

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM
05/14/13 00:56:09  05/15/13 00:55:21  host/gondola.testrelm.com

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:57:24  05/15/13 00:57:21  krbtgt/TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:57 /tmp/krb5cc_0
}}}

Comment 1 Dmitri Pal 2013-06-04 14:28:49 UTC
This is a release note BZ for 7.0.

Comment 2 Douglas Silas 2013-11-11 18:55:37 UTC
If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text.

For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see:

https://engineering.redhat.com/docs/en-US/Policy/70.ecs/html-single/Describing_Errata_Release_and_Technical_Notes_for_Engineers/index.html#bh-known_issue

If you have questions, please email rhel-notes.

Comment 3 Martin Kosek 2013-11-28 13:34:21 UTC
Filling Known Issue doc text for 7.0

Comment 4 Martin Kosek 2014-02-07 17:18:50 UTC
Upstream ticket:

https://fedorahosted.org/freeipa/ticket/4153

Comment 5 Martin Kosek 2014-02-07 17:19:45 UTC
*** Bug 970620 has been marked as a duplicate of this bug. ***

Comment 6 Martin Kosek 2014-06-19 12:53:36 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8b2f4443dcf61e1edf59ef0812ed05e1fa93f8fc

Comment 8 Steeve Goveas 2015-01-27 20:38:46 UTC
Verified in version

[root@vm-idm-019 ~]# rpm -q ipa-server 
ipa-server-4.1.0-16.el7.x86_64

[root@vm-idm-019 ~]# kdestroy 

[root@vm-idm-019 ~]# echo Secret123 | kinit admin
Password for admin: 

[root@vm-idm-019 ~]# ipa config-show | grep PAC
  Default PAC types: nfs:NONE, MS-PAC

[root@vm-idm-019 ~]# klist
Ticket cache: DIR::/tmp/krb5cc_0.d/tkt
Default principal: admin

Valid starting       Expires              Service principal
01/28/2015 02:01:00  01/29/2015 02:01:00  krbtgt/IPAVIEWS.TEST

[root@vm-idm-019 ~]# ll /tmp/krb5cc_0.d/tkt 
-rw-------. 1 root root 1453 Jan 28 02:01 /tmp/krb5cc_0.d/tkt

[root@vm-idm-019 ~]# ipa config-mod --pac-type PAD
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: ipaviews.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=IPAVIEWS.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default PAC types: PAD

[root@vm-idm-019 ~]# kdestroy 

[root@vm-idm-019 ~]# sleep 30

[root@vm-idm-019 ~]# echo Secret123 | kinit admin
Password for admin: 

[root@vm-idm-019 ~]# klist
Ticket cache: DIR::/tmp/krb5cc_0.d/tkt
Default principal: admin

Valid starting       Expires              Service principal
01/28/2015 02:02:30  01/29/2015 02:02:30  krbtgt/IPAVIEWS.TEST

[root@vm-idm-019 ~]# ll /tmp/krb5cc_0.d/tkt 
-rw-------. 1 root root 894 Jan 28 02:02 /tmp/krb5cc_0.d/tkt

[root@vm-idm-019 ~]# ipa config-mod --pac-type "nfs:NONE" --pac-type  "MS-PAC"
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: ipaviews.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=IPAVIEWS.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC

[root@vm-idm-019 ~]# kdestroy 

[root@vm-idm-019 ~]# sleep 30

[root@vm-idm-019 ~]# echo Secret123 | kinit admin
Password for admin: 

[root@vm-idm-019 ~]# klist
Ticket cache: DIR::/tmp/krb5cc_0.d/tkt
Default principal: admin

Valid starting       Expires              Service principal
01/28/2015 02:04:44  01/29/2015 02:04:44  krbtgt/IPAVIEWS.TEST

[root@vm-idm-019 ~]# ll /tmp/krb5cc_0.d/tkt 
-rw-------. 1 root root 1453 Jan 28 02:04 /tmp/krb5cc_0.d/tkt
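
Both the original reproducer (FILE:/tmp/krb5cc_0) and the verification above (DIR::/tmp/krb5cc_0.d/tkt) decide whether the KDC put an MS-PAC into the TGT by comparing the byte size of the whole credential cache before and after "ipa config-mod --pac-type". That works because the PAC sits in the ticket's encrypted part, which the client cannot decrypt (only the KDC and the target service hold that key), so the ticket blob's length is the only thing visible on the client side. The script below is an added example, not code from this bug report or from FreeIPA: it parses the MIT FILE credential cache format (version 4, the same layout the per-ticket files of a DIR: cache use) and reports the length of the krbtgt ticket blob itself, which is a tighter measurement than the size of the whole file (which also changes with the number of cached service tickets, as the "kvno host/..." step in the reproducer shows). The realm, principal names, key bytes and ticket lengths in build_sample_ccache are constructed so the parser can be exercised without a KDC; on a real IdM client, point it at the cache path klist prints.

```python
"""Added example (not from the bug report or FreeIPA): parse an MIT FILE
credential cache (format version 4; the per-ticket files of a DIR: cache such
as /tmp/krb5cc_0.d/tkt use the same format) and report the length of the
krbtgt ticket blob. Principals, key bytes and ticket lengths are constructed."""
import struct
import sys

FILE_CCACHE_V4 = b"\x05\x04"
NT_PRINCIPAL, NT_SRV_INST = 1, 2          # KRB5_NT_PRINCIPAL, KRB5_NT_SRV_INST


def _u16(v): return struct.pack(">H", v)
def _u32(v): return struct.pack(">I", v)
def _data(b): return _u32(len(b)) + b     # counted byte string

def _read_u16(buf, pos): return struct.unpack_from(">H", buf, pos)[0], pos + 2
def _read_u32(buf, pos): return struct.unpack_from(">I", buf, pos)[0], pos + 4

def _read_data(buf, pos):
    n, pos = _read_u32(buf, pos)
    return buf[pos:pos + n], pos + n

def _read_principal(buf, pos):
    # v4 layout: name_type, component count, realm, then each component
    _name_type, pos = _read_u32(buf, pos)
    ncomp, pos = _read_u32(buf, pos)
    realm, pos = _read_data(buf, pos)
    comps = []
    for _ in range(ncomp):
        c, pos = _read_data(buf, pos)
        comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode(), pos

def _read_credential(buf, pos):
    client, pos = _read_principal(buf, pos)
    server, pos = _read_principal(buf, pos)
    enctype, pos = _read_u16(buf, pos)
    _key, pos = _read_data(buf, pos)       # session key: not needed here
    endtime = struct.unpack_from(">IIII", buf, pos)[2]
    pos += 16 + 1                          # four timestamps plus the is_skey byte
    _flags, pos = _read_u32(buf, pos)
    for _ in range(2):                     # addresses, then authdata: (type, data) lists
        count, pos = _read_u32(buf, pos)
        for _ in range(count):
            _, pos = _read_u16(buf, pos)
            _, pos = _read_data(buf, pos)
    ticket, pos = _read_data(buf, pos)     # the encrypted Ticket; the PAC is inside it
    _second, pos = _read_data(buf, pos)
    return {"client": client, "server": server, "enctype": enctype,
            "endtime": endtime, "ticket_len": len(ticket)}, pos

def parse_ccache(buf):
    """Return (default principal, list of credential dicts)."""
    if buf[:2] != FILE_CCACHE_V4:
        raise ValueError("not a version 4 FILE credential cache")
    hdr_len, pos = _read_u16(buf, 2)
    pos += hdr_len                         # skip header tags (DeltaTime etc.)
    default, pos = _read_principal(buf, pos)
    creds = []
    while pos < len(buf):
        cred, pos = _read_credential(buf, pos)
        creds.append(cred)
    return default, creds

def tgt_ticket_length(buf):
    """Ticket blob length of the first krbtgt/ credential, or None if absent."""
    for cred in parse_ccache(buf)[1]:
        if cred["server"].startswith("krbtgt/"):
            return cred["ticket_len"]
    return None

def ticket_delta(before, after):
    """Growth of the TGT blob between two caches (e.g. PAD -> MS-PAC)."""
    return tgt_ticket_length(after) - tgt_ticket_length(before)

def _principal(name_type, realm, *comps):
    return (_u32(name_type) + _u32(len(comps)) + _data(realm.encode())
            + b"".join(_data(c.encode()) for c in comps))

def build_sample_ccache(ticket_len, realm="IPAVIEWS.TEST"):
    """Constructed cache holding one TGT whose ticket blob is ticket_len bytes."""
    client = _principal(NT_PRINCIPAL, realm, "admin")
    server = _principal(NT_SRV_INST, realm, "krbtgt", realm)
    header = _u16(1) + _u16(8) + b"\x00" * 8              # tag 1 = DeltaTime
    cred = (client + server
            + _u16(18) + _data(b"\x11" * 32)              # aes256-cts dummy session key
            + struct.pack(">IIII", 1422410460, 1422410460, 1422496860, 0)
            + b"\x00" + _u32(0x40E10000)                  # is_skey, ticket flags
            + _u32(0) + _u32(0)                           # no addresses, no authdata
            + _data(b"\xaa" * ticket_len)                 # stand-in for the encrypted ticket
            + _data(b""))                                 # no second ticket
    return FILE_CCACHE_V4 + _u16(len(header)) + header + client + cred

if __name__ == "__main__":
    # Usage: python3 ccache_tgt.py /tmp/krb5cc_0 [/tmp/krb5cc_0.d/tkt ...]
    for p in sys.argv[1:]:
        with open(p, "rb") as fh:
            print(p, "krbtgt ticket bytes:", tgt_ticket_length(fh.read()))
```

Run it against the cache after each "kdestroy; kinit admin" in the procedure above and compare the reported krbtgt ticket length rather than the file size; a TGT issued with "Default PAC types: PAD" should come back several hundred bytes shorter than one issued with MS-PAC, and, with the fix, without restarting krb5kdc in between. Confirming that the authorization data really is (or is not) an MS-PAC still has to be done on the service side, where the host keytab can decrypt the ticket; the client cache never exposes it.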

Comment 10 errata-xmlrpc 2015-03-05 10:09:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

