https://bugzilla.redhat.com/show_bug.cgi?id=904720 (Fedora)
Description of problem:
ipa-adtrust-install fails unexpectedly

Version-Release number of selected component (if applicable):
Fedora 18 system packages were updated with yum 26.01.13

    # rpm -qa | grep freeipa
    freeipa-server-trust-ad-3.1.0-2.fc18.x86_64
    freeipa-python-3.1.0-2.fc18.x86_64
    freeipa-server-selinux-3.1.0-2.fc18.x86_64
    freeipa-admintools-3.1.0-2.fc18.x86_64
    freeipa-server-3.1.0-2.fc18.x86_64
    freeipa-client-3.1.0-2.fc18.x86_64

How reproducible:
Always, tried it multiple times in a VM.

Steps to Reproduce:
1. Install a fresh Fedora 18 VM
2. # yum update -y
3. # echo "$IPADDRESS$ ipa-server.matrix.local ipa-server" >> /etc/hosts
4. # reboot
5. # yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap
6. # ipa-server-install -a mypassword1 -p mypassword2 --domain=matrix.local --realm=MATRIX.LOCAL
7. # kinit admin
8. # ipa-adtrust-install --netbios-name=MATRIX -a mypassword1

Tried to follow the official wiki guide here: http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain

Actual results:
"Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket"
However, issuing a kdestroy and a subsequent kinit does not solve the problem.

Expected results:
Successful completion of "ipa-adtrust-install", so I can continue creating an actual AD forest trust.

Additional info:

* The Kerberos ticket is valid during the issuing of the ipa-adtrust-install command:

    [root@linux user]# kinit admin
    Password for admin@MATRIX.LOCAL:
    [root@linux user]# klist
    Ticket cache: DIR::/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU
    Default principal: admin@MATRIX.LOCAL

    Valid starting     Expires            Service principal
    01/19/13 12:19:06  01/20/13 12:19:02  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
    [root@linux user]# id admin
    uid=1396400000(admin) gid=1396400000(admins) groups=1396400000(admins)
    [root@linux user]# getent passwd admin
    admin:*:1396400000:1396400000:Administrator:/home/admin:/bin/bash
    [root@linux user]# ipa-adtrust-install --netbios-name=MATRIX -a mypassword1
    ...
    Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket

* ipaserver-install.log shows:

    2013-01-19T17:19:56Z DEBUG Starting external process
    2013-01-19T17:19:56Z DEBUG args=kinit admin
    2013-01-19T17:19:57Z DEBUG Process finished, return code=0
    2013-01-19T17:19:57Z DEBUG stdout=Password for admin@MATRIX.LOCAL:
    2013-01-19T17:19:57Z DEBUG stderr=
    2013-01-19T17:19:57Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 617, in run_script
        return_value = main_function()
      File "/usr/sbin/ipa-adtrust-install", line 304, in main
        sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
    2013-01-19T17:19:57Z INFO The ipa-adtrust-install command failed, exception: SystemExit: Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket

* ldapsearch works fine (as long as I have a valid ticket):

    snip_______________________________________
    Outdated Kerberos credentials.
    Use kdestroy and kinit to update your ticket
    [root@ipa-server user]# klist
    Ticket cache: DIR::/run/user/1000/krb5cc_508afa59f766b611435821eb50fee5d0/tktALmOIY
    Default principal: admin@MATRIX.LOCAL

    Valid starting     Expires            Service principal
    01/22/13 20:20:56  01/23/13 20:20:56  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
    [root@ipa-server user]# ldapsearch -H ldap://ipa-server.matrix.local -Y GSSAPI -b \
    > 'dc=matrix,dc=local' -s base
    SASL/GSSAPI authentication started
    SASL username: admin@MATRIX.LOCAL
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base <dc=matrix,dc=local> with scope baseObject
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # matrix.local
    dn: dc=matrix,dc=local
    objectClass: top
    objectClass: domain
    objectClass: pilotObject
    objectClass: domainRelatedObject
    objectClass: nisDomainObject
    dc: matrix
    info: IPA V2.0
    nisDomain: matrix.local
    associatedDomain: matrix.local

    # search result
    search: 4
    result: 0 Success

    # numResponses: 2
    # numEntries: 1
    _______________________________________snip
Due to the introduction of the DIR schema for the credentials cache in Fedora 18 with libkrb5 1.11, there is a behaviour change that affects FreeIPA framework code in ipaserver/plugins/ldap2.py, where in create_connection() we export the KRB5CCNAME environment variable with the name of the ccache we get from the krbV.CCache() instance.

krbV.CCache() internally calls krb5_cc_get_name(), which returns DIR::/path/tkt where tkt is the exact ccache file from the directory collection. The Python binding in krbV then splits the schema and path into two parts, and later the ldap2 code exports the path as KRB5CCNAME.

That path makes no sense with the schema part stripped off; it would break not only DIR schema ccaches but also MEMORY ccaches. Therefore, we need to ensure we always pass ccache.type+":"+ccache.name around and treat the passed ccache name as a full name everywhere.

Note that the bug has always been in our code. The current code would fail also for the MEMORY:xxxxx scheme, as we would drop the 'MEMORY' part and pretend xxxxxx is the path for the FILE: schema.
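The ccache-name handling analysed above, as an added example that is not FreeIPA's or krbV's own code: CCache and resolve() are a small model of the two krbV.CCache attributes and of how libkrb5 interprets a KRB5CCNAME value (an assumption, not the real bindings), so the pre-fix export of the bare name can be compared with the fixed type:name export for FILE, DIR and MEMORY caches.

```python
from typing import Callable, NamedTuple

# Only the ccache types this ticket talks about; a model, not libkrb5's registry.
KNOWN_TYPES = {"FILE", "DIR", "MEMORY"}


class CCache(NamedTuple):
    """Stand-in for the two krbV.CCache attributes the ticket discusses: `type`
    is the schema (FILE, DIR, MEMORY); `name` is what the python binding leaves
    after splitting the schema off krb5_cc_get_name()'s result."""
    type: str
    name: str


def resolve(krb5ccname: str) -> CCache:
    """Model of how libkrb5 reads a KRB5CCNAME value: text before the first ':'
    selects the type, the rest is the residual; no ':' means the default FILE
    type; an unknown prefix is a bad name (libkrb5 reports KRB5_CC_BADNAME)."""
    schema, sep, residual = krb5ccname.partition(":")
    if not sep:
        return CCache("FILE", krb5ccname)
    if schema not in KNOWN_TYPES:
        raise ValueError("unknown ccache type %r in %r" % (schema, krb5ccname))
    return CCache(schema, residual)


def buggy_krb5ccname(cc: CCache) -> str:
    """What ldap2.create_connection() exported before the fix: the bare name."""
    return cc.name


def fixed_krb5ccname(cc: CCache) -> str:
    """What the fix passes around instead: the fully qualified type:name."""
    return cc.type + ":" + cc.name


def export_roundtrips(cc: CCache, exporter: Callable[[CCache], str]) -> bool:
    """True if whoever reads KRB5CCNAME lands on the ccache it was meant to."""
    try:
        return resolve(exporter(cc)) == cc
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples; the DIR one mirrors the klist output in the report.
    for cc in (CCache("FILE", "/tmp/krb5cc_0"), CCache("MEMORY", "xxxxxx"),
               CCache("DIR", ":/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU")):
        print("%-6s buggy=%-5s fixed=%s" % (cc.type, export_roundtrips(cc, buggy_krb5ccname),
                                             export_roundtrips(cc, fixed_krb5ccname)))
```

Only the FILE cache survives the bare-name export, which is why the defect went unnoticed until DIR became the default on Fedora 18.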
Patch freeipa-mkosek-357-use-fully-qualified-ccache-names.patch sent for review.
master: 3ad8d7c, 893064f
ipa-3-1: 6728e0c, 706c8ad
no clone - ipa-adtrust-install covered as new feature
Metadata Update from @mkosek: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 3.2 - 2013/01