Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1452763
Description of problem:
While testing Smart Cards on an IPA client with PKINIT enabled in IPA, I noticed intermittent failures. The certificate maps properly to the user but the KDC on IPA would sometimes seem to try to match to the previous rule.

Version-Release number of selected component (if applicable):
krb5-server-1.15.1-8.el7.x86_64

How reproducible:
unknown.

Steps to Reproduce:
1. IPA Server installed with PKINIT support
2. IPA Client setup with Smart Card
3. Cert generated on IPA server and added to card
4. created one certmaprule and tested client
5. deleted rule and added new rule
6. tested authentication which should use the new rule

Actual results:
authentication would fail at times, work at others.

Expected results:
always work.

Additional info:
FYI, rules used when I saw the error:

ipa certmaprule-add ipaadcs12r2_defaultrule --maprule='(|(userCertificate;binary={cert!bin})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))' --matchrule='<ISSUER>CN=Certificate Authority,O=TESTRELM.TEST' --domain=ipaadcs12r2.test --domain=testrelm.test

ipa certmaprule-del ipaadcs12r2_ipacertrule

ipa certmaprule-add testrealm_defaultrule --maprule='(|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))' --matchrule='<ISSUER>CN=Certificate Authority,O=TESTRELM.TEST' --domain=testrelm.test

This rule change seems to have happened between when the kdc workers loaded the rule.
[Wed May 17 17:06:43.623274 2017] [:error] [pid 8318] ipa: INFO: [jsonserver_session] admin@TESTRELM.TEST: certmaprule_add/1(u'ipaadcs12r2_defaultrule', ipacertmapmaprule=u'(|(userCertificate;binary={cert!bin})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))', ipacertmapmatchrule=u'<ISSUER>CN=Certificate Authority,O=TESTRELM.TEST', associateddomain=(<DNS name ipaadcs12r2.test>, <DNS name testrelm.test>), version=u'2.224'): SUCCESS
[Thu May 18 14:43:51.148965 2017] [:error] [pid 8319] ipa: INFO: [jsonserver_session] admin@TESTRELM.TEST: certmaprule_del/1([u'ipaadcs12r2_defaultrule'], version=u'2.224'): SUCCESS
[Thu May 18 14:44:30.060976 2017] [:error] [pid 8318] ipa: INFO: [jsonserver_session] admin@TESTRELM.TEST: certmaprule_add/1(u'testrealm_defaultrule', ipacertmapmaprule=u'(|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))', ipacertmapmatchrule=u'<ISSUER>CN=Certificate Authority,O=TESTRELM.TEST', associateddomain=(<DNS name testrelm.test>,), version=u'2.224'): SUCCESS

######## Example krb5kdc.log entries showing failure and success

May 18 17:26:08 auto-hv-02-guest08.testrelm.test krb5kdc[8259](info): Got cert filter [(|(userCertificate;binary=\30\82\04\0d...
May 18 17:26:08 auto-hv-02-guest08.testrelm.test krb5kdc[8259](info): No matching entry found
May 18 17:41:02 auto-hv-02-guest08.testrelm.test krb5kdc[8260](info): Got cert filter [(|(userCertificate;binary=\30\82\04\0d...
May 18 17:41:02 auto-hv-02-guest08.testrelm.test krb5kdc[8260](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) <CLIENT_IP>: ISSUE: authtime 1495143662, etypes {rep=18 tkt=18 ses=18}, demosc1@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST
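The krb5kdc.log excerpt above shows the tell-tale pattern of the bug: the same certificate filter is rejected by one KDC worker (pid 8259, "No matching entry found") and accepted by another (pid 8260, "ISSUE:"), which is what you expect when the workers loaded the certmap rules at different times. The following script is an added example for triaging this from a log file, not code from the ticket or from FreeIPA: it pairs each worker's "Got cert filter" line with the outcome that worker logs next and reports filters that some workers resolved and others rejected. The log lines embedded in it are constructed to match the shape of the excerpt (hostname kdc.testrelm.test and client 192.0.2.10 are placeholders), and the regexes assume the syslog-style krb5kdc.log layout shown in the ticket.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the krb5kdc.log excerpt in the ticket
# (not real log data). Two workers handle the same certificate: 8259 fails
# twice, 8260 issues a TGT.
SAMPLE_LOG = """\
May 18 17:26:08 kdc.testrelm.test krb5kdc[8259](info): Got cert filter [(|(userCertificate;binary=\\30\\82\\04\\0d...
May 18 17:26:08 kdc.testrelm.test krb5kdc[8259](info): No matching entry found
May 18 17:41:02 kdc.testrelm.test krb5kdc[8260](info): Got cert filter [(|(userCertificate;binary=\\30\\82\\04\\0d...
May 18 17:41:02 kdc.testrelm.test krb5kdc[8260](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1495143662, etypes {rep=18 tkt=18 ses=18}, demosc1@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST
May 18 17:52:30 kdc.testrelm.test krb5kdc[8259](info): Got cert filter [(|(userCertificate;binary=\\30\\82\\04\\0d...
May 18 17:52:30 kdc.testrelm.test krb5kdc[8259](info): No matching entry found
"""

# syslog-style prefix: "<Mon DD HH:MM:SS> <host> krb5kdc[<pid>](<level>): <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$"
)
# The KDC truncates the filter in the log, so the captured text is only a
# prefix; two different certificates could in principle share it.
FILTER_RE = re.compile(r"^Got cert filter \[(?P<filter>.*)$")
ISSUE_RE = re.compile(r"ISSUE: .*, (?P<princ>\S+) for (?P<service>\S+)$")


def parse_line(line):
    """Split one krb5kdc.log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def correlate(lines):
    """Pair each worker's 'Got cert filter' line with the outcome it logs next.

    Workers are separate processes, so the pairing is keyed by pid.
    Returns {filter_text: {"ok": set(pids), "fail": set(pids)}}.
    """
    pending = {}  # pid -> filter text of that worker's in-flight lookup
    summary = defaultdict(lambda: {"ok": set(), "fail": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pid, msg = rec["pid"], rec["msg"]
        fm = FILTER_RE.match(msg)
        if fm:
            pending[pid] = fm.group("filter")
            continue
        if pid not in pending:
            continue  # outcome line with no filter lookup in flight on this worker
        if msg.startswith("No matching entry found"):
            summary[pending.pop(pid)]["fail"].add(pid)
        elif ISSUE_RE.search(msg):
            summary[pending.pop(pid)]["ok"].add(pid)
    return dict(summary)


def inconsistent_filters(summary):
    """Filters that one worker resolved and another rejected: the signature of
    workers holding different certmap rule sets."""
    return sorted(f for f, r in summary.items() if r["ok"] and r["fail"])


def report(lines):
    """Human-readable summary, one entry per inconsistent filter."""
    summary = correlate(lines)
    out = []
    for f in inconsistent_filters(summary):
        r = summary[f]
        out.append("filter %s: ok on pids %s, failed on pids %s"
                   % (f[:40], sorted(r["ok"]), sorted(r["fail"])))
    return out


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG.splitlines()):
        print(entry)
```

Run it against a real log with `python3 script.py < /var/log/krb5kdc.log` after replacing `SAMPLE_LOG.splitlines()` with `sys.stdin`; an empty report on a log that still contains "No matching entry found" lines means every worker agrees and the cause is elsewhere (the certificate really does not map under the current rules), while a non-empty report points at stale rule state in specific worker pids.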
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1452763
Metadata Update from @sbose: - Issue assigned to sbose
Metadata Update from @pvoborni: - Issue priority set to: critical - Issue set to the milestone: FreeIPA 4.5.2
https://github.com/freeipa/freeipa/pull/823
master:
ipa-4-5:
Metadata Update from @mbasti: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)