#2880 keyctl padd failed: key has been revoked
Closed: Fixed. Opened 11 years ago by pviktori.

Sometimes after I install IPA, I get the following error on all remote CLI commands:

$ ipa user-find
ipa: ERROR: non-public: ValueError: keyctl padd failed: add_key: Key has been revoked
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 748, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 769, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 499, in forward
    response = command(*xml_wrap(params))
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1224, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1578, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1264, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1297, in single_request
    return self.parse_response(response)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 264, in parse_response
    kernel_keyring.update_key('ipa_session_cookie', session_cookie)
  File "/usr/lib/python2.7/site-packages/ipapython/kernel_keyring.py", line 83, in update_key
    add_key(key, value)
  File "/usr/lib/python2.7/site-packages/ipapython/kernel_keyring.py", line 93, in add_key
    raise ValueError('keyctl padd failed: %s' % stderr)
ValueError: keyctl padd failed: add_key: Key has been revoked

This happens every time I try to use an IPA command. Logging in as a different user (with su - username, but not plain su username) and kiniting again (as the original user) sometimes works but sometimes doesn't.

keyctl purge user doesn't solve the problem:

$ keyctl purge user
purged 0 keys

I'm not able to duplicate this. It might help to see what the keyring looks like when it gets into this state.

It is a bit confusing to have a revoked key when trying to add. We should only try to add a new key when it doesn't already exist, so how it could be revoked I'm not sure.

I got the same exception on a fresh install.

$ keyctl show
Session Keyring
  56014090 --alswrv    532  1030  keyring: _ses
 995859403 --alswrv    532    -1   \_ keyring: _uid.532
 509051956 --als-rv      0     0   \_ user: ipa_session_cookie

This time, though, keyctl purge solved the issue. I'll see if I can duplicate the original error fully.

I logged in to the machine again to find that I'm, again, locked out completely.

$ keyctl show
Session Keyring
Unable to dump key: Key has been revoked

$ keyctl purge user
purged 0 keys

$ keyctl show
Session Keyring
Unable to dump key: Key has been revoked

With ipa commands, I get the same exception as above.

Very strange. What does keyctl list @s show?

Are you getting any SELinux errors when this happens?

Wrapped the update_key() with a try/except so this isn't fatal.

I also added per-principal support so a different key is used for each principal used.
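
The shape of the fix described in the comment above, as an added example rather than FreeIPA's own ipapython.kernel_keyring code: the key name is derived per principal, and a keyctl failure such as "Key has been revoked" is logged and reported as "no cached cookie" instead of aborting the command. The `ipa_session_cookie:<principal>` naming, the `run` parameter, and the `fake_keyctl` stand-in are assumptions made so the block runs without a real keyring.

```python
import logging
import subprocess

# Added example, not FreeIPA's ipapython.kernel_keyring. It mirrors the fix
# described above: one key per Kerberos principal, and a keyctl failure such
# as "Key has been revoked" degrades to "no cached cookie" instead of aborting
# the whole CLI command. `run` defaults to subprocess.run (the real keyctl).

KEY_PREFIX = 'ipa_session_cookie'

def key_name(principal):
    """Per-principal key name (assumed format), so principals never share a key."""
    return '%s:%s' % (KEY_PREFIX, principal)

def _keyctl(run, args, payload=None):
    # keyctl padd/pupdate read the key payload from stdin.
    return run(['keyctl'] + args, input=payload, capture_output=True,
               text=True, check=True)

def update_key(principal, value, run=subprocess.run):
    """Store value under the principal's key in the session keyring (@s).

    Returns True on success, False when the keyring is unusable; it never
    raises for keyctl errors, matching the try/except added in the fix.
    """
    name = key_name(principal)
    try:
        found = run(['keyctl', 'search', '@s', 'user', name],
                    capture_output=True, text=True)
        if found.returncode == 0:
            _keyctl(run, ['pupdate', found.stdout.strip()], value)
        else:
            _keyctl(run, ['padd', 'user', name, '@s'], value)
        return True
    except (subprocess.CalledProcessError, OSError) as exc:
        # Revoked or inaccessible keyring (or no keyctl binary): warn, carry on.
        detail = getattr(exc, 'stderr', None) or str(exc)
        logging.warning('keyctl failed for %s: %s', name, detail.strip())
        return False

def fake_keyctl(revoked):
    """Constructed stand-in for keyctl so the example runs without a keyring."""
    def run(cmd, **kw):
        if cmd[1] == 'search':   # no existing key: take the padd path
            return subprocess.CompletedProcess(cmd, 1, '', 'Required key not available\n')
        if revoked:
            raise subprocess.CalledProcessError(1, cmd, '', 'add_key: Key has been revoked\n')
        return subprocess.CompletedProcess(cmd, 0, '', '')
    return run
```

With the real `subprocess.run` the same function drives the actual `keyctl` binary; the fake only replaces the process call.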

$ keyctl list @s
keyctl_read_alloc: Key has been revoked

I don't get any SELinux errors.

Metadata Update from @pviktori (7 years ago):
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0 Beta 2
