Sometimes after I install IPA, I get the following error on all remote CLI commands:
$ ipa user-find
ipa: ERROR: non-public: ValueError: keyctl padd failed: add_key: Key has been revoked
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 748, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 769, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 499, in forward
    response = command(*xml_wrap(params))
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1224, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1578, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1264, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1297, in single_request
    return self.parse_response(response)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 264, in parse_response
    kernel_keyring.update_key('ipa_session_cookie', session_cookie)
  File "/usr/lib/python2.7/site-packages/ipapython/kernel_keyring.py", line 83, in update_key
    add_key(key, value)
  File "/usr/lib/python2.7/site-packages/ipapython/kernel_keyring.py", line 93, in add_key
    raise ValueError('keyctl padd failed: %s' % stderr)
ValueError: keyctl padd failed: add_key: Key has been revoked
This happens every time I try to use an IPA command. Logging in as a different user (with su - username, but not plain su username) and kiniting again (as the original user) sometimes works but sometimes doesn't.
keyctl purge user doesn't solve the problem:
$ keyctl purge user
purged 0 keys
I'm not able to duplicate this. It might help to see what the keyring looks like when it gets into this state.
It is a bit confusing to have a revoked key when trying to add. We should only try to add a new key when it doesn't already exist, so how it could be revoked I'm not sure.
I got the same exception on a fresh install.
$ keyctl show
Session Keyring
 56014090 --alswrv    532  1030  keyring: _ses
995859403 --alswrv    532    -1   \_ keyring: _uid.532
509051956 --als-rv      0     0       \_ user: ipa_session_cookie
This time, though, keyctl purge solved the issue. I'll see if I can duplicate the original error fully.
I logged in to the machine again to find that I'm, again, locked out completely.
$ keyctl show
Session Keyring
Unable to dump key: Key has been revoked
$ keyctl purge user
purged 0 keys
$ keyctl show
Session Keyring
Unable to dump key: Key has been revoked
With ipa commands, I get the same exception as above.
Very strange. What does keyctl list @s show?
Are you getting any SELinux errors when this happens?
Wrapped the update_key() with a try/except so this isn't fatal.
I also added per-principal support so a different key is used for each principal used.
$ keyctl list @s
keyctl_read_alloc: Key has been revoked
I don't get any SELinux errors.
master: 429edcf
Metadata Update from @pviktori: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 3.0 Beta 2
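The two changes described in the thread (a non-fatal update_key() and one key per principal), sketched as an added example; this is not the code from commit 429edcf or from ipapython. The key naming scheme, the function names and the injectable `runner` parameter are assumptions made for illustration.

```python
import logging
import subprocess

KEY_TYPE = "user"
KEYRING = "@s"  # session keyring, the one `keyctl list @s` inspects in the thread

def key_name(principal):
    # Hypothetical naming scheme: one cookie key per Kerberos principal.
    return "ipa_session_cookie:%s" % principal

def run_keyctl(args, stdin=None):
    """Run keyctl and return (returncode, stdout, stderr)."""
    proc = subprocess.run(["keyctl"] + args, input=stdin,
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr

def store_cookie(principal, cookie, runner=run_keyctl):
    """Cache the cookie; return False instead of raising if the keyring is unusable."""
    try:
        rc, _, err = runner(["padd", KEY_TYPE, key_name(principal), KEYRING],
                            stdin=cookie)
        if rc != 0:
            raise ValueError("keyctl padd failed: %s" % err.strip())
        return True
    except (OSError, ValueError) as exc:
        # A revoked session keyring only costs the cached session; the RPC
        # response has already been received, so log and carry on.
        logging.getLogger(__name__).warning("session cookie not cached: %s", exc)
        return False

def read_cookie(principal, runner=run_keyctl):
    """Return the cached cookie, or None when it is missing or unreadable."""
    try:
        rc, key_id, _ = runner(["search", KEYRING, KEY_TYPE, key_name(principal)])
        if rc != 0:
            return None
        rc, value, _ = runner(["pipe", key_id.strip()])
        return value if rc == 0 else None
    except OSError:
        return None
```

With a revoked session keyring, `store_cookie()` returns False and the caller simply re-authenticates on the next request instead of failing with the traceback shown at the top of the ticket.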