Bug 970618 - [RFE] pac-type change must be effective immediately without kdc restart
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Martin Kosek
QA Contact: Namita Soman
Keywords: FutureFeature
Duplicates: 970620
Depends On:
Blocks: 1168850
Reported: 2013-06-04 09:11 EDT by Dmitri Pal
Modified: 2015-09-23 10:44 EDT (History)

See Also:
Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Doc Text:
The following known issue description has been removed from the RHEL 7.0 Release Notes. The Identity Manager (IdM) Kerberos driver does not actively update default PAC types for Kerberos tickets issued by IdM Kerberos key distribution center (KDC). Consequently, if the default list of PAC types is changed in the IdM configuration, the IdM Kerberos KDC does not generate the configured PAC types for the issued tickets until the KDC is restarted. To change the default list, run the "ipa config-mod --pac-type <NEW-PAC-TYPES>" command. To work around this problem, restart the IdM Kerberos KDC service on all IdM servers. As a result, IdM Kerberos KDC generates the configured PAC types as set in the IdM server configuration.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 05:09:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Dmitri Pal 2013-06-04 09:11:45 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3626

Global change in pac type requires kdc restart to be effective. Such change must be effective immediately without kdc restart.
{{{
* When default pac-type is MS-PAC to start with

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:49:11  05/15/13 00:49:08  krbtgt/TESTRELM.COM@TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:49 /tmp/krb5cc_0

* Change PAC type to PAD

[root@gondola ~]# ipa config-mod --pac-type PAD
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: PAD

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM:

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:51:47  05/15/13 00:51:44  krbtgt/TESTRELM.COM@TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:51 /tmp/krb5cc_0  # Size is same as when pac type was MS-PAC

* Restarted ipa

[root@gondola ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
ipa: INFO: The ipactl command was successful

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:53 /tmp/krb5cc_0

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:54:04  05/15/13 00:54:01  krbtgt/TESTRELM.COM@TESTRELM.COM
[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 707 May 14 00:54 /tmp/krb5cc_0 # Size is much less

* Changed back to MS-PAC

[root@gondola ~]# ipa config-mod --pac-type MS-PAC
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM@TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 707 May 14 00:55 /tmp/krb5cc_0  # no change in size

[root@gondola ~]# kvno host/gondola.testrelm.com@TESTRELM.COM
host/gondola.testrelm.com@TESTRELM.COM: kvno = 2

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1221 May 14 00:56 /tmp/krb5cc_0

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM@TESTRELM.COM
05/14/13 00:56:09  05/15/13 00:55:21  host/gondola.testrelm.com@TESTRELM.COM

* Restarted krb5kdc service

[root@gondola ~]# service krb5kdc restart
Redirecting to /bin/systemctl restart  krb5kdc.service

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM@TESTRELM.COM
05/14/13 00:56:09  05/15/13 00:55:21  host/gondola.testrelm.com@TESTRELM.COM

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:57:24  05/15/13 00:57:21  krbtgt/TESTRELM.COM@TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:57 /tmp/krb5cc_0
}}}
Comment 1 Dmitri Pal 2013-06-04 10:28:49 EDT
This is a release note BZ for 7.0.
Comment 2 Douglas Silas 2013-11-11 13:55:37 EST
If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text.

For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see:

https://engineering.redhat.com/docs/en-US/Policy/70.ecs/html-single/Describing_Errata_Release_and_Technical_Notes_for_Engineers/index.html#bh-known_issue

If you have questions, please email rhel-notes@redhat.com.
Comment 3 Martin Kosek 2013-11-28 08:34:21 EST
Filling Known Issue doc text for 7.0
Comment 4 Martin Kosek 2014-02-07 12:18:50 EST
Upstream ticket:

https://fedorahosted.org/freeipa/ticket/4153
Comment 5 Martin Kosek 2014-02-07 12:19:45 EST
*** Bug 970620 has been marked as a duplicate of this bug. ***
Comment 6 Martin Kosek 2014-06-19 08:53:36 EDT
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8b2f4443dcf61e1edf59ef0812ed05e1fa93f8fc
Comment 8 Steeve Goveas 2015-01-27 15:38:46 EST
Verified in version

[root@vm-idm-019 ~]# rpm -q ipa-server 
ipa-server-4.1.0-16.el7.x86_64

[root@vm-idm-019 ~]# kdestroy 

[root@vm-idm-019 ~]# echo Secret123 | kinit admin
Password for admin@IPAVIEWS.TEST: 

[root@vm-idm-019 ~]# ipa config-show | grep PAC
  Default PAC types: nfs:NONE, MS-PAC

[root@vm-idm-019 ~]# klist
Ticket cache: DIR::/tmp/krb5cc_0.d/tkt
Default principal: admin@IPAVIEWS.TEST

Valid starting       Expires              Service principal
01/28/2015 02:01:00  01/29/2015 02:01:00  krbtgt/IPAVIEWS.TEST@IPAVIEWS.TEST

[root@vm-idm-019 ~]# ll /tmp/krb5cc_0.d/tkt 
-rw-------. 1 root root 1453 Jan 28 02:01 /tmp/krb5cc_0.d/tkt

[root@vm-idm-019 ~]# ipa config-mod --pac-type PAD
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: ipaviews.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=IPAVIEWS.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default PAC types: PAD

[root@vm-idm-019 ~]# kdestroy 

[root@vm-idm-019 ~]# sleep 30

[root@vm-idm-019 ~]# echo Secret123 | kinit admin
Password for admin@IPAVIEWS.TEST: 

[root@vm-idm-019 ~]# klist
Ticket cache: DIR::/tmp/krb5cc_0.d/tkt
Default principal: admin@IPAVIEWS.TEST

Valid starting       Expires              Service principal
01/28/2015 02:02:30  01/29/2015 02:02:30  krbtgt/IPAVIEWS.TEST@IPAVIEWS.TEST

[root@vm-idm-019 ~]# ll /tmp/krb5cc_0.d/tkt 
-rw-------. 1 root root 894 Jan 28 02:02 /tmp/krb5cc_0.d/tkt

[root@vm-idm-019 ~]# ipa config-mod --pac-type "nfs:NONE" --pac-type  "MS-PAC"
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: ipaviews.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=IPAVIEWS.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC

[root@vm-idm-019 ~]# kdestroy 

[root@vm-idm-019 ~]# sleep 30

[root@vm-idm-019 ~]# echo Secret123 | kinit admin
Password for admin@IPAVIEWS.TEST: 

[root@vm-idm-019 ~]# klist
Ticket cache: DIR::/tmp/krb5cc_0.d/tkt
Default principal: admin@IPAVIEWS.TEST

Valid starting       Expires              Service principal
01/28/2015 02:04:44  01/29/2015 02:04:44  krbtgt/IPAVIEWS.TEST@IPAVIEWS.TEST

[root@vm-idm-019 ~]# ll /tmp/krb5cc_0.d/tkt 
-rw-------. 1 root root 1453 Jan 28 02:04 /tmp/krb5cc_0.d/tkt
Comment 10 errata-xmlrpc 2015-03-05 05:09:24 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html