Steps to reproduce:
  [9/22]: retrieving anonymous keytab
  [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/api/anon.keytab -p WELLKNOWN/ANONYMOUS -H ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL' returned non-zero exit status 9
2017-03-22T14:38:04Z DEBUG   [9/22]: retrieving anonymous keytab
2017-03-22T14:38:04Z DEBUG Backing up system configuration file '/var/lib/ipa/api/anon.keytab'
2017-03-22T14:38:04Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2017-03-22T14:38:04Z DEBUG Starting external process
2017-03-22T14:38:04Z DEBUG args=/usr/sbin/ipa-getkeytab -k /var/lib/ipa/api/anon.keytab -p WELLKNOWN/ANONYMOUS -H ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL
2017-03-22T14:38:04Z DEBUG Process finished, return code=9
2017-03-22T14:38:04Z DEBUG stdout=
2017-03-22T14:38:04Z DEBUG stderr=Failed to parse result: PrincipalName not found.
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: PrincipalName not found.
Failed to get keytab!
Failed to get keytab
It looks like the anonymous principal is created only during the first installation, not for replicas.
Metadata Update from @mbasti: - Issue priority set to: 1 - Issue set to the milestone: FreeIPA 4.5.1 - Issue tagged with: regression
Metadata Update from @mbabinsk: - Issue assigned to mbabinsk
The issue affects replica installs at both domain levels against a master version < 4.5, as these masters do not create anonymous principals and replicas do not bother to check/re-add them when needed.
DL0 should never try to use the anonymous principal because PKINIT does not exist for DL0. We had another bug about it a week or two ago.
Metadata Update from @stlaz: - Custom field blockedby adjusted to https://pagure.io/freeipa/issue/6801
But we can add the principal without actually using it, right?
Yes, we can (should).
master:
ipa-4-5:
Metadata Update from @mbasti: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1437555
Issue linked to bug 1437555