#3381 ipa-adtrust-install fails unexpectedly
Closed: Fixed. Opened 11 years ago by mkosek.

https://bugzilla.redhat.com/show_bug.cgi?id=904720 (Fedora)

-> Description of problem:
ipa-adtrust-install fails unexpectedly

-> Version-Release number of selected component (if applicable):
Fedora 18
system packages were updated with yum 26.01.13

# rpm -qa | grep freeipa
freeipa-server-trust-ad-3.1.0-2.fc18.x86_64
freeipa-python-3.1.0-2.fc18.x86_64
freeipa-server-selinux-3.1.0-2.fc18.x86_64
freeipa-admintools-3.1.0-2.fc18.x86_64
freeipa-server-3.1.0-2.fc18.x86_64
freeipa-client-3.1.0-2.fc18.x86_64

-> How reproducible:
always, tried it multiple times in a vm

-> Steps to Reproduce:
1. Install a fresh Fedora 18 vm
2. # yum update -y
3. # echo "$IPADDRESS$    ipa-server.matrix.local ipa-server" >> /etc/hosts
4. # reboot
5. # yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap
6. # ipa-server-install -a mypassword1 -p mypassword2 --domain=matrix.local --realm=MATRIX.LOCAL
7. # kinit admin
8. # ipa-adtrust-install --netbios-name=MATRIX -a mypassword1

tried to follow the official wiki guide here:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain

-> Actual results:
"Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket"
However, issuing a kdestroy and a subsequent kinit does not solve the problem.

-> Expected results:
Successful completion of "ipa-adtrust-install", so I can continue
creating an actual AD forest trust.

-> Additional info:
* The Kerberos ticket is valid during the issuing of the ipa-adtrust-install command:

[root@linux user]# kinit admin
Password for admin@MATRIX.LOCAL:
[root@linux user]# klist
Ticket cache: DIR::/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU
Default principal: admin@MATRIX.LOCAL

Valid starting     Expires            Service principal
01/19/13 12:19:06  01/20/13 12:19:02  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
[root@linux user]# id admin
uid=1396400000(admin) gid=1396400000(admins) groups=1396400000(admins)
[root@linux user]# getent passwd admin
admin:*:1396400000:1396400000:Administrator:/home/admin:/bin/bash
[root@linux user]# ipa-adtrust-install --netbios-name=MATRIX -a mypassword1
...
Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket

* ipaserver-install.log shows:
2013-01-19T17:19:56Z DEBUG Starting external process
2013-01-19T17:19:56Z DEBUG args=kinit admin
2013-01-19T17:19:57Z DEBUG Process finished, return code=0
2013-01-19T17:19:57Z DEBUG stdout=Password for admin@MATRIX.LOCAL:

2013-01-19T17:19:57Z DEBUG stderr=
2013-01-19T17:19:57Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 617, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-adtrust-install", line 304, in main
    sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")

2013-01-19T17:19:57Z INFO The ipa-adtrust-install command failed, exception: SystemExit: Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket

* ldapsearch works fine (as long as I have a valid ticket):
snip_______________________________________
Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
[root@ipa-server user]# klist
Ticket cache: DIR::/run/user/1000/krb5cc_508afa59f766b611435821eb50fee5d0/tktALmOIY
Default principal: admin@MATRIX.LOCAL

Valid starting     Expires            Service principal
01/22/13 20:20:56  01/23/13 20:20:56  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
[root@ipa-server user]# ldapsearch -H ldap://ipa-server.matrix.local -Y GSSAPI -b \
>   'dc=matrix,dc=local' -s base
SASL/GSSAPI authentication started
SASL username: admin@MATRIX.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=matrix,dc=local> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# matrix.local
dn: dc=matrix,dc=local
objectClass: top
objectClass: domain
objectClass: pilotObject
objectClass: domainRelatedObject
objectClass: nisDomainObject
dc: matrix
info: IPA V2.0
nisDomain: matrix.local
associatedDomain: matrix.local

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
_______________________________________snip

Due to the introduction of the DIR schema for the credentials cache in Fedora 18 with libkrb5 1.11, there is a behaviour change that affects FreeIPA framework code in ipaserver/plugins/ldap2.py, where in create_connection() we export the KRB5CCNAME environment variable with the name of the ccache we get from the krbV.CCache() instance.

krbV.CCache() internally calls krb5_cc_get_name(), which returns DIR::/path/tkt, where tkt is the exact ccache file from the directory collection. The Python binding in krbV then splits the schema and the path into two parts, and later the ldap2 code exports the path as KRB5CCNAME.

That path makes no sense without the schema part; it would break not only DIR schema ccaches but also MEMORY ccaches. Therefore, we need to ensure we always pass ccache.type+":"+ccache.name around and treat the passed ccache name as a full name everywhere.

Note that the bug has always been in our code.
The current code would fail also for the MEMORY:xxxxx scheme, as we would drop the 'MEMORY' part and pretend xxxxxx is the path for the FILE: schema.
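The following is an added example, not FreeIPA's own code and not the patch from this ticket: it models libkrb5's rule for parsing a credentials cache name (the text before the first ':' is the cache type, a name with no ':' is a FILE path, an empty or unregistered prefix is an unknown type) and shows what libkrb5 would make of KRB5CCNAME when only the residual is exported versus when the fully qualified type:name is exported. The set of known cache types, the function names and the sample cache names are this example's own assumptions.

```python
# Added example (not FreeIPA code): why exporting only the ccache residual as
# KRB5CCNAME breaks DIR and MEMORY caches, and what the type:name fix changes.

# Cache types assumed registered in libkrb5 for this demonstration; the real
# list depends on the build.
KNOWN_CCACHE_TYPES = {"FILE", "DIR", "MEMORY", "KEYRING", "KCM"}


def split_ccache(full_name):
    """Split a full ccache name into (type, residual).

    libkrb5 takes everything before the first ':' as the cache type and
    treats a name without any ':' as a FILE path. This is the split the
    krbV binding performs when it exposes CCache.type and CCache.name.
    For "DIR::/dir/tkt" the residual keeps its leading ':', which is how
    DIR names one specific file inside a collection.
    """
    if ":" not in full_name:
        return "FILE", full_name
    cc_type, residual = full_name.split(":", 1)
    return cc_type, residual


def join_ccache(cc_type, residual):
    """The fix described in the comment above: carry type + ':' + name."""
    return cc_type + ":" + residual


def buggy_krb5ccname(full_name):
    """Pre-fix behaviour: only the residual (CCache.name) is exported."""
    return split_ccache(full_name)[1]


def fixed_krb5ccname(full_name):
    """Post-fix behaviour: the fully qualified name is exported."""
    cc_type, residual = split_ccache(full_name)
    return join_ccache(cc_type, residual)


def resolve_ccache_type(krb5ccname):
    """What libkrb5 would make of an exported KRB5CCNAME value.

    Returns the cache type it would use, or None where krb5_cc_resolve()
    would fail with an unknown-type error (empty or unregistered prefix).
    """
    cc_type, _ = split_ccache(krb5ccname)
    if cc_type in KNOWN_CCACHE_TYPES:
        return cc_type
    return None


def compare(full_name):
    """Return (intended type, type seen with buggy export, type seen with fix)."""
    intended = split_ccache(full_name)[0]
    return (intended,
            resolve_ccache_type(buggy_krb5ccname(full_name)),
            resolve_ccache_type(fixed_krb5ccname(full_name)))


# Constructed sample names, one per cache type discussed in the ticket.
SAMPLES = [
    "FILE:/tmp/krb5cc_0",
    "DIR::/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU",
    "MEMORY:ipa_example_cache",
]

if __name__ == "__main__":
    for name in SAMPLES:
        intended, buggy, fixed = compare(name)
        print("%-7s buggy export -> %s, fixed export -> %s"
              % (intended, buggy or "unknown type (resolve fails)", fixed))
```

Run stand-alone it prints one line per sample: the FILE cache survives either way, the MEMORY cache is silently reinterpreted as a FILE path named after the residual, and the DIR cache cannot be resolved at all because its residual starts with ':', which leaves an empty type prefix. That last case is exactly the situation on a Fedora 18 host with a DIR: default ccache, where the installer then reports the credentials as outdated.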

Patch freeipa-mkosek-357-use-fully-qualified-ccache-names.patch sent for review

master:
3ad8d7c
893064f

ipa-3-1:
6728e0c
706c8ad

no clone - ipa-adtrust-install covered as new feature

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2 - 2013/01

7 years ago

