#6799 ipa-replica-install with DL0 fails to get anonymous keytab
Closed: fixed 7 years ago Opened 7 years ago by mbasti.

Steps to reproduce:

  • RHEL6.8 master
  • do ipa-replica-prepare
  • install IPA4.5 on a new machine, ipa-replica-install <replicafile>
  • see error
  [9/22]: retrieving anonymous keytab
  [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/api/anon.keytab -p WELLKNOWN/ANONYMOUS -H ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL' returned non-zero exit status 9
  2017-03-22T14:38:04Z DEBUG   [9/22]: retrieving anonymous keytab
  2017-03-22T14:38:04Z DEBUG Backing up system configuration file '/var/lib/ipa/api/anon.keytab'
  2017-03-22T14:38:04Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
  2017-03-22T14:38:04Z DEBUG Starting external process
  2017-03-22T14:38:04Z DEBUG args=/usr/sbin/ipa-getkeytab -k /var/lib/ipa/api/anon.keytab -p WELLKNOWN/ANONYMOUS -H ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL
  2017-03-22T14:38:04Z DEBUG Process finished, return code=9
  2017-03-22T14:38:04Z DEBUG stdout=
  2017-03-22T14:38:04Z DEBUG stderr=Failed to parse result: PrincipalName not found.

  Retrying with pre-4.0 keytab retrieval method...
  Failed to parse result: PrincipalName not found.

  Failed to get keytab!
  Failed to get keytab

It looks like the anonymous principal is created only during the first installation, not for replicas.
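An added example, not part of the ticket or of FreeIPA's own code: a small Python triage helper that walks the installer debug log shown above, pairs each `args=` line with its return code and captured output (including the untimestamped continuation lines of a multi-line stderr), and flags `ipa-getkeytab` runs that failed because the requested principal does not exist. The sample log is constructed from the lines in this report plus one added successful command; the line layout (`<timestamp> <LEVEL> <message>`) is assumed from those lines.

```python
import re
import shlex

# Constructed sample log: the ipa-getkeytab lines are taken from the report
# above, the trailing systemctl command is an added success case.
SAMPLE_LOG = """\
2017-03-22T14:38:04Z DEBUG   [9/22]: retrieving anonymous keytab
2017-03-22T14:38:04Z DEBUG Starting external process
2017-03-22T14:38:04Z DEBUG args=/usr/sbin/ipa-getkeytab -k /var/lib/ipa/api/anon.keytab -p WELLKNOWN/ANONYMOUS -H ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL
2017-03-22T14:38:04Z DEBUG Process finished, return code=9
2017-03-22T14:38:04Z DEBUG stdout=
2017-03-22T14:38:04Z DEBUG stderr=Failed to parse result: PrincipalName not found.

Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: PrincipalName not found.

Failed to get keytab!
Failed to get keytab
2017-03-22T14:38:05Z DEBUG Starting external process
2017-03-22T14:38:05Z DEBUG args=/bin/systemctl is-active dirsrv.target
2017-03-22T14:38:05Z DEBUG Process finished, return code=0
2017-03-22T14:38:05Z DEBUG stdout=active
2017-03-22T14:38:05Z DEBUG stderr=
"""

# Assumed line layout: "<timestamp> <LEVEL> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>[A-Z]+) (?P<msg>.*)$")
RC_RE = re.compile(r"Process finished, return code=(?P<rc>-?\d+)")


def parse_external_processes(log_text):
    """Pair each 'args=' line with its return code, stdout and stderr.

    Returns a list of dicts in log order with keys ts, args (argv list),
    rc, stdout, stderr.  Lines without a timestamp are treated as
    continuation lines of the most recent stdout= or stderr= field.
    """
    records = []
    current = None
    last_field = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            # Untimestamped line: continuation of multi-line command output
            if current is not None and last_field in ("stdout", "stderr"):
                current[last_field] += "\n" + raw
            continue
        msg = m.group("msg")
        if msg.startswith("args="):
            current = {
                "ts": m.group("ts"),
                "args": shlex.split(msg[len("args="):]),
                "rc": None,
                "stdout": "",
                "stderr": "",
            }
            records.append(current)
            last_field = None
            continue
        if current is None:
            continue
        rc = RC_RE.match(msg)
        if rc:
            current["rc"] = int(rc.group("rc"))
            last_field = None
        elif msg.startswith("stdout="):
            current["stdout"] = msg[len("stdout="):]
            last_field = "stdout"
        elif msg.startswith("stderr="):
            current["stderr"] = msg[len("stderr="):]
            last_field = "stderr"
        else:
            last_field = None
    return records


def failed_commands(log_text):
    """External processes that finished with a non-zero return code."""
    return [r for r in parse_external_processes(log_text) if r["rc"] not in (None, 0)]


def missing_principal_failures(log_text):
    """(principal, rc) for ipa-getkeytab runs that failed with 'PrincipalName not found'."""
    out = []
    for r in failed_commands(log_text):
        args = r["args"]
        if not args or not args[0].endswith("ipa-getkeytab"):
            continue
        if "PrincipalName not found" not in r["stderr"]:
            continue
        principal = None
        for i, a in enumerate(args):
            if a == "-p" and i + 1 < len(args):
                principal = args[i + 1]
        out.append((principal, r["rc"]))
    return out


if __name__ == "__main__":
    for principal, rc in missing_principal_failures(SAMPLE_LOG):
        print(f"keytab retrieval failed (rc={rc}): principal {principal!r} does not exist on the master")
```

Run against a real `ipa-replica-install` log the helper reports which principal the installer tried to fetch a keytab for and did not find, which is the quickest way to tell this failure (principal absent on an older master) apart from a permission or LDAPI connectivity problem with the same non-zero exit.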


Metadata Update from @mbasti:
- Issue priority set to: 1
- Issue set to the milestone: FreeIPA 4.5.1
- Issue tagged with: regression

7 years ago

Metadata Update from @mbabinsk:
- Issue assigned to mbabinsk

7 years ago

The issue affects replica install of both domain levels against master version < 4.5 as these masters do not create anonymous principals and replicas do not bother to check/re-add them when needed.

DL0 should never try to use the anonymous principal because PKINIT does not exist for DL0. We had another bug about it a week or two ago.

Metadata Update from @stlaz:
- Custom field blockedby adjusted to https://pagure.io/freeipa/issue/6801

7 years ago

But we can add the principal without actually using it, right?

Yes, we can (should).

master:

  • 191668e Always check and create anonymous principal during KDC install
  • 2eabb0d Remove duplicate functionality in upgrade

ipa-4-5:

  • ce94f7f Always check and create anonymous principal during KDC install
  • 0fcd565 Remove duplicate functionality in upgrade

Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1437555

7 years ago

