#4225 AD user accessing IPA invalid credentials exception is not propagated to the CLI
Closed: Invalid. Opened 10 years ago by abbra.

When using AD credentials to connect to the IPA server via the CLI, I'm getting the following:

[root@masteripa ~]# klist
Ticket cache: FILE:/tmp/krbccname2
Default principal: Administrator@AD12Y.AD12X.WEALD.VDA.LI

Valid starting       Expires              Service principal
06.03.2014 10:25:01  06.03.2014 20:25:01  krbtgt/AD12Y.AD12X.WEALD.VDA.LI@AD12Y.AD12X.WEALD.VDA.LI
    renew until 07.03.2014 10:24:56
06.03.2014 10:25:03  06.03.2014 20:25:01  krbtgt/AD12X.WEALD.VDA.LI@AD12Y.AD12X.WEALD.VDA.LI
    renew until 07.03.2014 10:24:56
06.03.2014 10:25:03  06.03.2014 20:25:01  krbtgt/IPA.WEALD.VDA.LI@AD12X.WEALD.VDA.LI
    renew until 07.03.2014 10:24:56
06.03.2014 10:25:13  06.03.2014 20:25:01  host/masteripa.ipa.weald.vda.li@IPA.WEALD.VDA.LI
    renew until 07.03.2014 10:24:56
06.03.2014 10:53:47  06.03.2014 20:25:01  HTTP/masteripa.ipa.weald.vda.li@IPA.WEALD.VDA.LI
    renew until 07.03.2014 10:24:56
[root@masteripa ~]# ipa -v user-show  --all --raw admin
ipa: ERROR: cannot connect to 'https://masteripa.ipa.weald.vda.li/ipa/json': Internal Server Error

and in the error_log:

[Thu Mar 06 10:53:47.693081 2014] [:error] [pid 7750] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Thu Mar 06 10:53:47.693278 2014] [:error] [pid 7750] ipa: DEBUG: WSGI jsonserver_kerb.__call__:
[Thu Mar 06 10:53:48.715985 2014] [:error] [pid 7750] [remote 192.168.100.179:188] mod_wsgi (pid=7750): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Thu Mar 06 10:53:48.768140 2014] [:error] [pid 7750] [remote 192.168.100.179:188] Traceback (most recent call last):
[Thu Mar 06 10:53:48.768275 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/share/ipa/wsgi.py", line 49, in application
[Thu Mar 06 10:53:48.768869 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     return api.Backend.wsgi_dispatch(environ, start_response)
[Thu Mar 06 10:53:48.768895 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 249, in __call__
[Thu Mar 06 10:53:48.780353 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     return self.route(environ, start_response)
[Thu Mar 06 10:53:48.780431 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 261, in route
[Thu Mar 06 10:53:48.780496 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     return app(environ, start_response)
[Thu Mar 06 10:53:48.780517 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 794, in __call__
[Thu Mar 06 10:53:48.780555 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     self.create_context(ccache=user_ccache)
[Thu Mar 06 10:53:48.780585 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 114, in create_context
[Thu Mar 06 10:53:48.787426 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     self.Backend.ldap2.connect(ccache=ccache)
[Thu Mar 06 10:53:48.787496 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 63, in connect
[Thu Mar 06 10:53:48.787573 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     conn = self.create_connection(*args, **kw)
[Thu Mar 06 10:53:48.787612 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 164, in create_connection
[Thu Mar 06 10:53:48.792717 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     conn.simple_bind_s(bind_dn, bind_pw)
[Thu Mar 06 10:53:48.792768 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
[Thu Mar 06 10:53:48.805522 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     self.gen.throw(type, value, traceback)
[Thu Mar 06 10:53:48.805555 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1165, in error_handler
[Thu Mar 06 10:53:48.823923 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     raise errors.ACIError(info="%s %s" % (info, desc))
[Thu Mar 06 10:53:48.824170 2014] [:error] [pid 7750] [remote 192.168.100.179:188] ACIError: Insufficient access: SASL(-14): authorization failure: Invalid credentials

Isn't this an expected error until #3242 is fixed? Isn't the error caused by the DS SASL plugin, which cannot bind AD users to any LDAP object?

Related ticket: #3330 (SASL Fallback plugin configuration).

The behavior is expected, but a server crash (instead of returning a proper exception) is not what we want.

Ok. Note that this does not affect FreeIPA 3.3.x versions, as the CLI still uses XMLRPC and not JSONRPC to communicate with the FreeIPA server:

# klist
Ticket cache: FILE:/tmp/foo
Default principal: Administrator@TBAD.EXAMPLE.COM

Valid starting       Expires              Service principal
03/06/2014 07:28:52  03/06/2014 17:28:52  krbtgt/TBAD.EXAMPLE.COM@TBAD.EXAMPLE.COM
    renew until 03/07/2014 07:28:47
03/06/2014 07:31:25  03/06/2014 17:28:52  krbtgt/EXAMPLE.COM@TBAD.EXAMPLE.COM
    renew until 03/07/2014 07:28:47
03/06/2014 07:31:49  03/06/2014 17:28:52  HTTP/vm-067.example.com@EXAMPLE.COM
    renew until 03/07/2014 07:28:47

# ipa user-show admin
ipa: ERROR: Insufficient access: SASL(-14): authorization failure: Invalid credentials
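The difference between the two outputs above (an HTTP 500 from the JSON endpoint versus the propagated ACIError on the XMLRPC path) comes down to whether the server-side dispatcher catches the backend error and serialises it. The following is an added illustration, not FreeIPA's own code: the error classes, error codes and the `create_context` bind stub are constructed stand-ins, and the WSGI environ is built inline.

```python
"""Added example (not FreeIPA code): a minimal JSON-RPC WSGI handler that
turns a backend error into a JSON-RPC error object instead of letting it
escape to mod_wsgi as an Internal Server Error."""
import io
import json


class PublicError(Exception):
    """Stand-in for an error that is safe to report to the client."""
    errno = 900  # constructed code, not FreeIPA's real error table

    def __init__(self, info=""):
        super().__init__(info)
        self.info = info


class ACIError(PublicError):
    """Stand-in for the ACIError raised by the LDAP bind in the traceback."""
    errno = 901  # constructed code

    def __str__(self):
        return "Insufficient access: %s" % self.info


def create_context(ccache):
    """Simulated LDAP bind: an AD-user ccache fails SASL authorization."""
    if ccache.startswith("AD:"):
        raise ACIError(info="SASL(-14): authorization failure: Invalid credentials")


def jsonserver_crashing(environ, start_response):
    # Buggy shape: nothing catches the error, so it reaches mod_wsgi and the
    # CLI only sees "cannot connect to ...: Internal Server Error".
    create_context(environ["KRB5CCNAME"])
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"result": {}, "error": null, "id": 0}']


def jsonserver_propagating(environ, start_response):
    # Fixed shape: a PublicError becomes a JSON-RPC error the CLI can print.
    request = json.loads(environ["wsgi.input"].read())
    try:
        create_context(environ["KRB5CCNAME"])
        reply = {"result": {"uid": ["admin"]}, "error": None}
    except PublicError as err:
        reply = {"result": None, "error": {"code": err.errno, "message": str(err)}}
    reply["id"] = request.get("id")
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(reply).encode()]


def call(app, ccache):
    """Run an app against a constructed environ; return (status, decoded body)."""
    status, req = [], b'{"method": "user_show", "params": [["admin"], {}], "id": 0}'
    environ = {"KRB5CCNAME": ccache, "wsgi.input": io.BytesIO(req)}
    try:
        body = b"".join(app(environ, lambda s, headers: status.append(s)))
    except Exception as exc:  # what mod_wsgi does with an escaped exception
        return "500 Internal Server Error", {"exception": type(exc).__name__}
    return status[0], json.loads(body)
```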

Alexander, please switch the on-review flag when a patch is ready. Otherwise people do not see this patch in the appropriate views.

This ticket is not complete yet, moving to next month milestone.

I re-tested this issue with the latest master and I could not reproduce it:

# kinit -C Administrator@tbad.idm.lab.eng.brq.redhat.com
Password for Administrator@tbad.idm.lab.eng.brq.redhat.com:

# klist
Ticket cache: FILE:/tmp/foo
Default principal: Administrator@TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM

Valid starting       Expires              Service principal
04/08/2014 16:32:36  04/09/2014 02:32:36  krbtgt/TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM@TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM
    renew until 04/09/2014 16:32:33

# ipa -v user-show  --all --raw admin
ipa: INFO: trying https://ipa.mkosek-fedora20.test/ipa/json
ipa: INFO: Forwarding 'user_show' to json server 'https://ipa.mkosek-fedora20.test/ipa/json'
ipa: ERROR: Insufficient access: SASL(-14): authorization failure: Invalid credentials

No crash, error is propagated.

Closing as worksforme.

Metadata Update from @abbra:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.0 - 2014/04

7 years ago
