#6792 Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT
Closed: fixed 6 years ago Opened 6 years ago by mbabinsk.

When upgrading from FreeIPA 4.4.3 to FreeIPA 4.5.0, the RPM upgrade fails with the following message:

 Cleanup     : freeipa-client-common-4.4.3-2.fc25.noarch                                                     34/39 
  Cleanup     : freeipa-common-4.4.3-2.fc25.noarch                                                            35/39 
  Cleanup     : bind-pkcs11-libs-32:9.10.4-4.P6.fc25.x86_64                                                   36/39 
  Cleanup     : bind-libs-lite-32:9.10.4-4.P6.fc25.x86_64                                                     37/39 
  Cleanup     : bind-libs-32:9.10.4-4.P6.fc25.x86_64                                                          38/39 
  Cleanup     : bind-license-32:9.10.4-4.P6.fc25.noarch                                                       39/39 
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Failed to configure anonymous PKINIT
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

When inspecting /var/log/ipaupgrade.log we can see that the PKINIT keypair is issued but the anonymous principal is not created by upgrader code:

<SNIP>
2017-03-21T15:51:07Z DEBUG stderr=
2017-03-21T15:51:07Z DEBUG Starting external process
2017-03-21T15:51:07Z DEBUG args=/usr/bin/kinit -n -c /tmp/krbccMLh35h/ccache
2017-03-21T15:51:07Z DEBUG Process finished, return code=1
2017-03-21T15:51:07Z DEBUG stdout=
2017-03-21T15:51:07Z DEBUG stderr=kinit: Client 'WELLKNOWN/ANONYMOUS@IPA.TEST' not found in Kerberos database while getting initial credentials

2017-03-21T15:51:07Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-03-21T15:51:07Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run
    raise admintool.ScriptError(str(e))

2017-03-21T15:51:07Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: Failed to configure anonymous PKINIT
2017-03-21T15:51:07Z ERROR Failed to configure anonymous PKINIT

This causes the password auth to IPA server (via JSON-RPC API or WebUI) to fail after upgrade and thus breaks the core functionality.

Steps to reproduce:

1.) Install FreeIPA 4.4.3 or older
2.) Upgrade to FreeIPA 4.5.0

Actual results:

Upgrade fails and WebUI logins on updated master do not work

Expected results:

Upgrade finishes without errors and WebUI works.
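The ipaupgrade.log excerpt above carries a distinctive failure signature: a `kinit -n` invocation (anonymous PKINIT) that exits non-zero with `Client 'WELLKNOWN/ANONYMOUS@REALM' not found in Kerberos database`, followed by the `Failed to configure anonymous PKINIT` error. The following script is an added example, not code from the ticket or from the FreeIPA project; it scans an upgrade log for that signature so an administrator can tell from the log alone whether the anonymous principal was missing when PKINIT was configured. The log excerpt embedded below is constructed after the lines quoted in the ticket; the timestamp, ccache path and realm are the ticket's sample values, not a requirement of the check.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt modelled on the ipaupgrade.log lines quoted in the ticket.
SAMPLE_LOG = """\
2017-03-21T15:51:07Z DEBUG Starting external process
2017-03-21T15:51:07Z DEBUG args=/usr/bin/kinit -n -c /tmp/krbccMLh35h/ccache
2017-03-21T15:51:07Z DEBUG Process finished, return code=1
2017-03-21T15:51:07Z DEBUG stdout=
2017-03-21T15:51:07Z DEBUG stderr=kinit: Client 'WELLKNOWN/ANONYMOUS@IPA.TEST' not found in Kerberos database while getting initial credentials
2017-03-21T15:51:07Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-03-21T15:51:07Z ERROR Failed to configure anonymous PKINIT
"""

# ipaupgrade.log lines are "<ISO timestamp> <LEVEL> <message>"; traceback
# continuation lines have no such prefix and are skipped.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>[A-Z]+) (?P<msg>.*)$")
# "kinit -n" is the anonymous-PKINIT request the upgrader issues to test itself.
KINIT_ANON_RE = re.compile(r"/kinit\s+-n\b")
NOT_FOUND_RE = re.compile(r"Client '(?P<principal>[^']+)' not found in Kerberos database")


@dataclass
class AnonPkinitFailure:
    timestamp: str        # when the failing kinit -n ran
    principal: str        # the anonymous principal the KDC could not find
    realm: str            # realm part of that principal
    kinit_args: Optional[str]  # full command line of the failing kinit, if logged
    upgrade_failed: bool  # whether the upgrader also logged the PKINIT error


def find_anonymous_pkinit_failure(log_text: str) -> Optional[AnonPkinitFailure]:
    """Return details of a missing-anonymous-principal failure, or None.

    The signature is: a logged 'kinit -n' command, then a kinit stderr line
    saying WELLKNOWN/ANONYMOUS@<REALM> is not in the Kerberos database.
    """
    last_kinit_args: Optional[str] = None
    failure: Optional[AnonPkinitFailure] = None
    upgrade_failed = False

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, level, msg = m.group("ts"), m.group("level"), m.group("msg")

        if msg.startswith("args=") and KINIT_ANON_RE.search(msg):
            # Remember the command so the report can show exactly what ran.
            last_kinit_args = msg[len("args="):]
        elif msg.startswith("stderr=kinit:"):
            nf = NOT_FOUND_RE.search(msg)
            if nf and nf.group("principal").startswith("WELLKNOWN/ANONYMOUS@"):
                principal = nf.group("principal")
                failure = AnonPkinitFailure(
                    timestamp=ts,
                    principal=principal,
                    realm=principal.split("@", 1)[1],
                    kinit_args=last_kinit_args,
                    upgrade_failed=False,
                )
        elif level == "ERROR" and "Failed to configure anonymous PKINIT" in msg:
            upgrade_failed = True

    if failure is not None:
        failure.upgrade_failed = upgrade_failed
    return failure


if __name__ == "__main__":
    result = find_anonymous_pkinit_failure(SAMPLE_LOG)
    if result is None:
        print("no anonymous PKINIT failure found")
    else:
        print(f"{result.timestamp}: {result.principal} missing in realm "
              f"{result.realm}; upgrade error logged: {result.upgrade_failed}")
```

To run it against a real upgrade, read `/var/log/ipaupgrade.log` into `find_anonymous_pkinit_failure` instead of `SAMPLE_LOG`. A non-None result means the KDC was asked for anonymous PKINIT before the anonymous principal existed, which is exactly the ordering the fix commits below address; the ticket's own remedy is to run `ipa-server-upgrade` again once the fixed packages are installed.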


Metadata Update from @mbabinsk:
- Issue priority set to: 1

6 years ago

Metadata Update from @mbabinsk:
- Issue assigned to mbabinsk

6 years ago

Upgrade failed, marking as regression.

Metadata Update from @pvoborni:
- Issue tagged with: regression

6 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.5.1

6 years ago

master:

  • c2d95d3 Upgrade: configure PKINIT after adding anonymous principal
  • 1fc48cd Remove unused variable from failed anonymous PKINIT handling
  • 17aa51e Split out anonymous PKINIT test to a separate method
  • 5c22f90 Ensure KDC is properly configured after upgrade

ipa-4-5:

  • b9002bf Upgrade: configure PKINIT after adding anonymous principal
  • 4b2b1d3 Remove unused variable from failed anonymous PKINIT handling
  • c139302 Split out anonymous PKINIT test to a separate method
  • 89fc0a1 Ensure KDC is properly configured after upgrade

Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Needs https://github.com/freeipa/freeipa/pull/666

EDIT: I misread ticket, it can be closed

Metadata Update from @mbasti:
- Issue status updated to: Open (was: Closed)

6 years ago

Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1437946

6 years ago
