Bug 982291 - RHEL7 ipa-adtrust-install Outdated Kerberos credentials error

Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Nalin Dahyabhai
QA Contact: Patrik Kis
Keywords: TestBlocker
Reported: 2013-07-08 11:22 EDT by Scott Poore
Modified: 2014-06-13 05:40 EDT
Fixed In Version: krb5-1.11.3-4.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 05:40:55 EDT
Type: Bug

Attachments: None
Description Scott Poore 2013-07-08 11:22:47 EDT
Description of problem:

I'm seeing ipa-adtrust-install fail in RHEL7 unless I set KRB5CCNAME variable like in bug #904720 for Fedora 18.

[root@rhel7-1 ~]# klist
Ticket cache: DIR::/run/user/0/krb5cc/tktezfUZl
Default principal: admin@TESTRELM.COM

Valid starting       Expires              Service principal
07/03/2013 14:35:30  07/04/2013 14:35:30  krbtgt/TESTRELM.COM@TESTRELM.COM
[root@rhel7-1 ~]# echo $KRB5CCNAME

[root@rhel7-1 ~]# ipa-adtrust-install --netbios-name=NBEXAMPLE -a PASSWORD -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket

Version-Release number of selected component (if applicable):
ipa-server-3.2.1-1.el7.x86_64


How reproducible:
always


Steps to Reproduce:
1.  Setup IPA server
2.  ipa-adtrust-install --netbios-name=NBEXAMPLE -a PASSWORD -U
3.

Actual results:
Fails with outdated credentials error listed above.

Expected results:
Works without error.

Additional info:
Setting KRB5CCNAME as described in the similar bug works around the issue.

export KRB5CCNAME=/tmp/krb5cc_$(id -u)
Comment 2 Rob Crittenden 2013-07-08 11:50:25 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3769
Comment 3 Scott Poore 2013-07-09 11:43:12 EDT
FYI:  Just a note that this was after applying the following workaround to get ipa-server-install to work:

[root@rhel7-7 ~]# mkdir -p /run/user/0/krb5cc
[root@rhel7-7 ~]# chmod -R 700 /run/user/0

This was from this bug:  

https://bugzilla.redhat.com/show_bug.cgi?id=977972

So, when I see ipa-adtrust-install fail, that dir is in place:

[root@rhel7-7 ~]# echo $ADMINPW | kinit admin
Password for admin@TESTRELM.COM: 

[root@rhel7-7 ~]# ipa-adtrust-install --netbios-name=$(echo $IPA1_RELM|cut -f1 -d.) -a $ADMINPW -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket

[root@rhel7-7 ~]# 
[root@rhel7-7 ~]# ls -ld /run/user/0/krb5cc/
drwx------. 2 root root 80 Jul  9 11:37 /run/user/0/krb5cc/
Comment 4 Martin Kosek 2013-07-15 04:36:14 EDT
I tracked the problem down to a call to ldapsearch in ipa-adtrust-install where we pass a proper KRB5CCNAME and it fails:

# klist
Ticket cache: DIR::/run/user/0/krb5cc/tktB0zghY
Default principal: admin@IDM.LAB.BOS.REDHAT.COM

Valid starting       Expires              Service principal
07/15/2013 04:24:15  07/16/2013 04:24:15  krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM
07/15/2013 04:28:22  07/16/2013 04:24:15  ldap/vm-042.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM

This works:

# ldapsearch -h `hostname` -Y GSSAPI -b "" -s base
SASL/GSSAPI authentication started
SASL username: admin@IDM.LAB.BOS.REDHAT.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF

This does not:

# KRB5CCNAME="DIR::/run/user/0/krb5cc/tktB0zghY" ldapsearch -h `hostname` -Y GSSAPI -b "" -s base
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)


This looks like something that should work. Adding Nalin to CC to advise.
Comment 5 Alexander Bokovoy 2013-07-15 04:55:13 EDT
This behavior of the krb5 libs is a known problem. I've argued a few times that libkrb5 needs to properly detect the case when KRB5CCNAME points to a specific ccache in the collection, like it prints out by itself (DIR::/run/user/0/krb5cc is the ccache collection, DIR::/run/user/0/krb5cc/tktB0zghY is a specific ccache in the collection), and process it properly.
Comment 7 Martin Kosek 2013-07-18 12:30:10 EDT
(In reply to Alexander Bokovoy from comment #5)
> This behavior of the krb5 libs is a known problem. I've argued a few times
> that libkrb5 needs to properly detect the case when KRB5CCNAME points to a
> specific ccache in the collection, like it prints out by itself
> (DIR::/run/user/0/krb5cc is the ccache collection,
> DIR::/run/user/0/krb5cc/tktB0zghY is a specific ccache in the collection),
> and process it properly.

I tend to agree. Moving to krb5 component for consideration.
Comment 8 Patrik Kis 2013-11-07 11:03:42 EST
Hi Nalin,

While writing a test for this case (and also for other bugs) I observed the following behavior and wanted to check with you whether it is ok/expected.

When the ccache is in a dir, the path to the ccache location expects DIR:: (double colon), but if the whole collection is used, only DIR: (a single colon) is expected.

0 [root@rhel7 tmp.GETzcj41d6 ]# klist -A
Ticket cache: DIR::/run/user/0/krb5cc/tkt72dvAz
Default principal: bob@ZMRAZ.COM

Valid starting       Expires              Service principal
11/07/2013 16:29:23  11/08/2013 16:29:23  krbtgt/ZMRAZ.COM@ZMRAZ.COM
	renew until 11/07/2013 16:29:23

Ticket cache: DIR::/run/user/0/krb5cc/tkt
Default principal: alice@ZMRAZ.COM

Valid starting       Expires              Service principal
11/07/2013 16:29:20  11/08/2013 16:29:20  krbtgt/ZMRAZ.COM@ZMRAZ.COM
	renew until 11/07/2013 16:29:20
0 [root@rhel7 tmp.GETzcj41d6 ]# 
0 [root@rhel7 tmp.GETzcj41d6 ]# KRB5CCNAME=DIR::/run/user/0/krb5cc/tkt klist
Ticket cache: DIR::/run/user/0/krb5cc/tkt
Default principal: alice@ZMRAZ.COM

Valid starting       Expires              Service principal
11/07/2013 16:29:20  11/08/2013 16:29:20  krbtgt/ZMRAZ.COM@ZMRAZ.COM
	renew until 11/07/2013 16:29:20
0 [root@rhel7 tmp.GETzcj41d6 ]# KRB5CCNAME=DIR::/run/user/0/krb5cc/tkt72dvAz klist
Ticket cache: DIR::/run/user/0/krb5cc/tkt72dvAz
Default principal: bob@ZMRAZ.COM

Valid starting       Expires              Service principal
11/07/2013 16:29:23  11/08/2013 16:29:23  krbtgt/ZMRAZ.COM@ZMRAZ.COM
	renew until 11/07/2013 16:29:23
0 [root@rhel7 tmp.GETzcj41d6 ]# 
0 [root@rhel7 tmp.GETzcj41d6 ]# KRB5CCNAME=DIR:/run/user/0/krb5cc/tkt72dvAz klist
klist: Bad format in credentials cache while getting default ccache
1 [root@rhel7 tmp.GETzcj41d6 ]# 
1 [root@rhel7 tmp.GETzcj41d6 ]# KRB5CCNAME=DIR:/run/user/0/krb5cc klist
Ticket cache: DIR::/run/user/0/krb5cc/tkt72dvAz
Default principal: bob@ZMRAZ.COM

Valid starting       Expires              Service principal
11/07/2013 16:29:23  11/08/2013 16:29:23  krbtgt/ZMRAZ.COM@ZMRAZ.COM
	renew until 11/07/2013 16:29:23
0 [root@rhel7 tmp.GETzcj41d6 ]# KRB5CCNAME=DIR::/run/user/0/krb5cc klist
klist: Credential cache name malformed while getting default ccache
1 [root@rhel7 tmp.GETzcj41d6 ]#
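The outcomes in comment 8 (and the ldapsearch failure in comment 4) follow from how libkrb5 names DIR-type caches: `DIR:<dir>` is the collection and resolves to the primary subsidiary cache named in the directory's `primary` file, while `DIR::<dir>/tkt<xxx>` names one subsidiary FILE cache inside it. The Python below is an added example, not code from this bug report, FreeIPA or krb5. It models those naming rules (subsidiary files named `tkt*`, a `primary` file that defaults to `tkt` when absent, which is the layout of libkrb5's cc_dir.c) against a constructed cache directory, reproduces the five klist outcomes from comment 8, and adds a helper that flags the `DIR::` subsidiary form comment 4 shows failing when passed through KRB5CCNAME. The exception classes are this example's stand-ins for the KRB5_CC_BADNAME and KRB5_CC_FORMAT errors whose messages appear on the page; all function names are this example's own.

```python
"""Model of how libkrb5 resolves DIR-type credential-cache names.

Added example, not code from this bug, FreeIPA or krb5. Assumed layout
(that of libkrb5's cc_dir.c): DIR:<dir> is a collection whose "primary"
file names the primary subsidiary cache (default "tkt" if absent), and
DIR::<dir>/tkt<xxx> is one subsidiary FILE cache, always named tkt*.
"""
import os
import tempfile


class CcacheNameError(ValueError):
    """Stand-in for KRB5_CC_BADNAME: 'Credential cache name malformed'."""


class CcacheFormatError(ValueError):
    """Stand-in for KRB5_CC_FORMAT: 'Bad format in credentials cache'."""


def resolve_dir_ccache(name: str) -> str:
    """Return the FILE cache path a DIR: or DIR:: name resolves to."""
    if not name.startswith("DIR:"):
        raise CcacheNameError(f"not a DIR cache name: {name}")
    residual = name[len("DIR:"):]

    if residual.startswith(":"):
        # DIR::<path>: one subsidiary cache inside a collection.
        path = residual[1:]
        directory, filename = os.path.split(path)
        if not filename.startswith("tkt"):
            # Only tkt* files are caches, so DIR::/run/user/0/krb5cc is malformed.
            raise CcacheNameError(f"subsidiary cache must be named tkt*: {name}")
        if not os.path.isdir(directory):
            raise CcacheFormatError(f"collection directory missing: {directory}")
        return path

    # DIR:<dir>: the whole collection, which resolves to its primary cache.
    directory = residual
    if not os.path.isdir(directory):
        # e.g. DIR:/run/user/0/krb5cc/tkt72dvAz names a file, not a directory.
        raise CcacheFormatError(f"not a directory: {directory}")
    try:
        with open(os.path.join(directory, "primary")) as fp:
            primary = fp.read().strip()
    except FileNotFoundError:
        primary = "tkt"  # no primary file yet: libkrb5 falls back to "tkt"
    if not primary.startswith("tkt") or "/" in primary:
        raise CcacheFormatError(f"bad primary cache name {primary!r} in {directory}")
    return os.path.join(directory, primary)


def default_cache_from_klist(klist_output: str) -> str:
    """Extract the default cache name from klist's 'Ticket cache:' line."""
    for line in klist_output.splitlines():
        if line.startswith("Ticket cache:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Ticket cache:' line in klist output")


def is_subsidiary_reference(name: str) -> bool:
    """True for DIR::<path>, the form comment 4 shows failing via KRB5CCNAME."""
    return name.startswith("DIR::")


def reproduce_comment_8() -> dict:
    """Resolve the five KRB5CCNAME forms from comment 8 against a constructed
    collection (<dir> stands in for /run/user/0/krb5cc); map form -> outcome."""
    forms = ("DIR::<dir>/tkt", "DIR::<dir>/tkt72dvAz", "DIR:<dir>/tkt72dvAz",
             "DIR:<dir>", "DIR::<dir>")
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        collection = os.path.join(tmp, "krb5cc")
        os.mkdir(collection)
        # Constructed layout: bob's cache (tkt72dvAz) is primary, alice's is "tkt".
        for sub in ("tkt72dvAz", "tkt"):
            open(os.path.join(collection, sub), "wb").close()
        with open(os.path.join(collection, "primary"), "w") as fp:
            fp.write("tkt72dvAz\n")
        for form in forms:
            try:
                path = resolve_dir_ccache(form.replace("<dir>", collection))
                results[form] = os.path.basename(path)
            except CcacheNameError:
                results[form] = "Credential cache name malformed"
            except CcacheFormatError:
                results[form] = "Bad format in credentials cache"
    return results


if __name__ == "__main__":
    for form, outcome in reproduce_comment_8().items():
        print(f"{form:22} -> {outcome}")
```

Running the block prints the same mapping comment 8 observed with real klist: the two `DIR::<dir>/tkt*` forms select alice's and bob's caches, `DIR:<dir>` selects the primary (bob's), `DIR:<dir>/tkt72dvAz` fails as a bad format because a file was given where a directory is expected, and `DIR::<dir>` fails as a malformed name because `krb5cc` is not a `tkt*` subsidiary. Feeding the `Ticket cache:` line from the description into `default_cache_from_klist` and `is_subsidiary_reference` shows that klist reports the default cache in the `DIR::` subsidiary form, which is the value ipa-adtrust-install was handing to ldapsearch.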
Comment 9 Nalin Dahyabhai 2013-11-07 13:04:15 EST
The root cause for this was sorted in bug #965574 - DIR: cache collections didn't work quite right, and we should have pulled the fix in around krb5-1.11.2-7 or so (the fixed-in is currently krb5-1.11.3-4.el7, which was the first build we had after that).  New-style KEYRING: cache collections shouldn't have this problem, either.
Comment 11 Ludek Smid 2014-06-13 05:40:55 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.