Bug 986853 - ipa-client-install fails because pcsc-lite
Summary: ipa-client-install fails because pcsc-lite
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: krb5
Version: 5.9
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1049888
Reported: 2013-07-22 09:04 UTC by Eduardo Minguez
Modified: 2014-09-29 11:12 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-07 15:56:19 UTC
Target Upstream Version:
Embargoed:


Description Eduardo Minguez 2013-07-22 09:04:24 UTC
Description of problem:
Running ipa-client-install in RHEL5.1 + RHEL5.9 ipa-client packages fails with the following message:
...
2013-07-08 11:07:56,290 DEBUG args=kinit admin.GSNET.CORP
2013-07-08 11:07:56,290 DEBUG stdout=Password for admin.GSNET.CORP: 
2013-07-08 11:07:56,290 DEBUG stderr=winscard_clnt.c:320:SCardEstablishContextTH() Cannot open public shared file: /var/run/pcscd.pub
2013-07-08 11:07:56,291 DEBUG trying to retrieve CA cert via LDAP from ldap://vmlbcipal01.idm.lvtc.gsnet.corp
2013-07-08 11:07:56,433 DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 7)
2013-07-08 11:07:56,433 DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 7)', 'desc': 'Local error'}
2013-07-08 11:07:56,434 ERROR Cannot obtain CA certificate
'ldap://vmlbcipal01.idm.lvtc.gsnet.corp' doesn't have a certificate.
2013-07-08 11:07:56,446 DEBUG args=kdestroy
2013-07-08 11:07:56,447 DEBUG stdout=
2013-07-08 11:07:56,447 DEBUG stderr=
...

Version-Release number of selected component (if applicable):
ipa-client-2.1.3-5.el5_9.2.x86_64.rpm

How reproducible:
Try to enroll a RHEL5.1 client with RHEL5.9 ipa-client packages

Steps to Reproduce:
1. Install RHEL5.1
2. Install ipa-client packages from RHEL5.9
3. Run ipa-client-install

Actual results:
...
2013-07-08 11:07:56,290 DEBUG args=kinit admin.GSNET.CORP
2013-07-08 11:07:56,290 DEBUG stdout=Password for admin.GSNET.CORP: 
2013-07-08 11:07:56,290 DEBUG stderr=winscard_clnt.c:320:SCardEstablishContextTH() Cannot open public shared file: /var/run/pcscd.pub
2013-07-08 11:07:56,291 DEBUG trying to retrieve CA cert via LDAP from ldap://vmlbcipal01.idm.lvtc.gsnet.corp
2013-07-08 11:07:56,433 DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 7)
2013-07-08 11:07:56,433 DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 7)', 'desc': 'Local error'}
2013-07-08 11:07:56,434 ERROR Cannot obtain CA certificate
'ldap://vmlbcipal01.idm.lvtc.gsnet.corp' doesn't have a certificate.
2013-07-08 11:07:56,446 DEBUG args=kdestroy
2013-07-08 11:07:56,447 DEBUG stdout=
2013-07-08 11:07:56,447 DEBUG stderr=
...

Expected results:
ipa-client-install executes successfully

Additional info:
Removing pcsc-lite and re-running ipa-client-install works fine

Comment 1 Martin Kosek 2013-07-22 10:57:12 UTC
I tested with ipa-client-2.1.3-7.el5 and pcsc-lite-1.4.4-4.el5_5 and installation worked fine for me.

I think that the possible problem in your case may be the mixed RHEL-5.1 and RHEL-5.9 environment. Anyway, moving to the krb5 component as, according to the log, it's kinit that's failing.

Comment 3 Nalin Dahyabhai 2013-10-30 22:19:57 UTC
krb5 error 7 is KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, which is an error that comes from a KDC.  What error was logged in the KDC's krb5kdc.log at this time?
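
Added example, not part of the original report and not code from krb5 or ipa-client: a small triage helper that rejoins the hard-wrapped install-log records, decodes the "Unknown code krb5 N" minor code as in comment 3, and derives the string to look for in krb5kdc.log. The function names and the host ipa.example.test are made up for illustration, and the ldap/<host> service principal form is an assumption about what the SASL/GSSAPI bind requested.

```python
import re

# Subset of Kerberos error numbers (RFC 4120) under their MIT krb5 names.
KRB5_CODES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    37: "KRB5KRB_AP_ERR_SKEW",
}
ERROR_TABLE_BASE_KRB5 = -1765328384  # com_err base of MIT's "krb5" table

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
MINOR = re.compile(r"Unknown code krb5 (\d+)")
LDAP_URL = re.compile(r"ldap://([A-Za-z0-9.-]+)")

# Constructed sample: same shape as the log in the report, placeholder host.
SAMPLE = """\
2013-07-08 11:07:56,291 DEBUG trying to retrieve CA cert via LDAP from ldap://ipa.example.test
2013-07-08 11:07:56,433 DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: (Unknown co
de krb5 7)
2013-07-08 11:07:56,433 DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code
 may provide more information (Unknown code krb5 7)', 'desc': 'Local error'}
"""

def unwrap(text):
    """Rejoin records that a fixed-width paste split across lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # continuation: no characters were dropped
    return records

def triage(text):
    """Return one finding per distinct (minor code, LDAP host) pair."""
    seen, findings, host = set(), [], None
    for rec in unwrap(text):
        url = LDAP_URL.search(rec)
        if url:
            host = url.group(1)
        minor = MINOR.search(rec)
        if not minor or (int(minor.group(1)), host) in seen:
            continue
        code = int(minor.group(1))
        seen.add((code, host))
        findings.append({
            "code": code,
            "name": KRB5_CODES.get(code, "not in this subset"),
            "krb5_error_code": ERROR_TABLE_BASE_KRB5 + code,
            # Assumption: the LDAP bind asked the KDC for ldap/<host>.
            "kdc_log_search": f"ldap/{host}" if host else None,
        })
    return findings
```

Searching the KDC's krb5kdc.log for the `kdc_log_search` value around the logged timestamp is one way to find the request comment 3 asks about.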

Comment 5 Nalin Dahyabhai 2014-01-07 15:56:19 UTC
Marking as closed due to insufficient data.
