Bug 986853 - ipa-client-install fails because pcsc-lite
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: krb5
Version: 5.9
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
Blocks: 1049888
Reported: 2013-07-22 05:04 EDT by Eduardo Minguez
Modified: 2014-09-29 07:12 EDT

Doc Type: Bug Fix
Last Closed: 2014-01-07 10:56:19 EST
Type: Bug
Description Eduardo Minguez 2013-07-22 05:04:24 EDT
Description of problem:
Running ipa-client-install in RHEL5.1 + RHEL5.9 ipa-client packages fails with the following message:
...
2013-07-08 11:07:56,290 DEBUG args=kinit admin@IDM.LVTC.GSNET.CORP
2013-07-08 11:07:56,290 DEBUG stdout=Password for admin@IDM.LVTC.GSNET.CORP: 
2013-07-08 11:07:56,290 DEBUG stderr=winscard_clnt.c:320:SCardEstablishContextTH() Cannot open public shared file: /var/run/pcscd.pub
2013-07-08 11:07:56,291 DEBUG trying to retrieve CA cert via LDAP from ldap://vmlbcipal01.idm.lvtc.gsnet.corp
2013-07-08 11:07:56,433 DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 7)
2013-07-08 11:07:56,433 DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 7)', 'desc': 'Local error'}
2013-07-08 11:07:56,434 ERROR Cannot obtain CA certificate
'ldap://vmlbcipal01.idm.lvtc.gsnet.corp' doesn't have a certificate.
2013-07-08 11:07:56,446 DEBUG args=kdestroy
2013-07-08 11:07:56,447 DEBUG stdout=
2013-07-08 11:07:56,447 DEBUG stderr=
...

Version-Release number of selected component (if applicable):
ipa-client-2.1.3-5.el5_9.2.x86_64.rpm

How reproducible:
Try to enroll a RHEL5.1 client with RHEL5.9 ipa-client packages

Steps to Reproduce:
1. Install RHEL5.1
2. Install ipa-client packages from RHEL5.9
3. Run ipa-client-install

Actual results:
...
2013-07-08 11:07:56,290 DEBUG args=kinit admin@IDM.LVTC.GSNET.CORP
2013-07-08 11:07:56,290 DEBUG stdout=Password for admin@IDM.LVTC.GSNET.CORP: 
2013-07-08 11:07:56,290 DEBUG stderr=winscard_clnt.c:320:SCardEstablishContextTH() Cannot open public shared file: /var/run/pcscd.pub
2013-07-08 11:07:56,291 DEBUG trying to retrieve CA cert via LDAP from ldap://vmlbcipal01.idm.lvtc.gsnet.corp
2013-07-08 11:07:56,433 DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 7)
2013-07-08 11:07:56,433 DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 7)', 'desc': 'Local error'}
2013-07-08 11:07:56,434 ERROR Cannot obtain CA certificate
'ldap://vmlbcipal01.idm.lvtc.gsnet.corp' doesn't have a certificate.
2013-07-08 11:07:56,446 DEBUG args=kdestroy
2013-07-08 11:07:56,447 DEBUG stdout=
2013-07-08 11:07:56,447 DEBUG stderr=
...

Expected results:
ipa-client-install executes successfully

Additional info:
Removing pcsc-lite and re-running ipa-client-install works fine
Comment 1 Martin Kosek 2013-07-22 06:57:12 EDT
I tested with ipa-client-2.1.3-7.el5 and pcsc-lite-1.4.4-4.el5_5 and installation worked fine for me.

I think that the possible problem in your case may be the mixed RHEL-5.1 and RHEL-5.9 environment. Anyway, moving to the krb5 component as, according to the log, it's kinit that's failing.
Comment 3 Nalin Dahyabhai 2013-10-30 18:19:57 EDT
krb5 error 7 is KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, which is an error that comes from a KDC.  What error was logged in the KDC's krb5kdc.log at this time?
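Added example, not part of the original comment and not ipa-client or krb5 code: a small triage helper that rejoins the hard-wrapped client log records, decodes the "Unknown code krb5 N" offset (7 is the name given in Comment 3) and lists the service principal to search for in krb5kdc.log. The code table is a subset, the ldap/<host>@<realm> principal is an assumption about what the GSSAPI bind requested, and `rejoin` and `triage` are hypothetical names.

```python
import re

# Subset of MIT krb5 error-table offsets (RFC 4120 protocol error codes).
KRB5_CODES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    32: "KRB5KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB5KRB_AP_ERR_SKEW",
}
TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")

def rejoin(lines):
    """Merge hard-wrapped continuation lines onto their timestamped record."""
    records = []
    for line in lines:
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def triage(lines):
    """Return (decoded krb5 errors, principals to search for in krb5kdc.log)."""
    errors, realm, host = [], None, None
    for rec in rejoin(lines):
        m = re.search(r"args=kinit \S+@(\S+)", rec)
        if m:
            realm = m.group(1)
        m = re.search(r"from ldap://([\w.-]+)", rec)
        if m:
            host = m.group(1)
        m = re.search(r"get_ca_cert_from_ldap\(\) error:.*Unknown code krb5 (\d+)", rec)
        if m:
            code = int(m.group(1))
            errors.append((code, KRB5_CODES.get(code, "not in this subset")))
    # Assumption: the SASL/GSSAPI bind requested a ticket for ldap/<host>@<realm>.
    wanted = ["ldap/%s@%s" % (host, realm)] if errors and host and realm else []
    return errors, wanted

# Log records copied from the report, hard-wrapped as they appear there.
SAMPLE = [
    "2013-07-08 11:07:56,290 DEBUG args=kinit admin@IDM.LVTC.GSNET.CORP",
    "2013-07-08 11:07:56,291 DEBUG trying to retrieve CA cert via LDAP from ldap://vmlbcipal01.idm.lvtc.gsnet.corp",
    "2013-07-08 11:07:56,433 DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Uns",
    "pecified GSS failure.  Minor code may provide more information (Unknown code krb5 7)",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The principal it returns is only a search term for the KDC log; hostname canonicalization on the client can change the name actually requested.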
Comment 5 Nalin Dahyabhai 2014-01-07 10:56:19 EST
Marking as closed due to insufficient data.
