#6973 after upgrade login from web ui breaks
Closed: fixed 7 years ago Opened 7 years ago by simo.

Apparently kdc.crt is readable only by root now. However, the form-based auth code uses it for anchors when users authenticate locally.
So after updating my test VMs to latest master I see this when I try to auth:
[Mon May 22 14:36:37.274858 2017] [wsgi:error] [pid 26269] [remote 192.168.123.1:45548] ipa: DEBUG: args=/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_26269 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[Mon May 22 14:36:37.287311 2017] [wsgi:error] [pid 26269] [remote 192.168.123.1:45548] ipa: DEBUG: Process finished, return code=1
[Mon May 22 14:36:37.287379 2017] [wsgi:error] [pid 26269] [remote 192.168.123.1:45548] ipa: DEBUG: stdout=Password for WELLKNOWN/ANONYMOUS@IPA.TEST:
[Mon May 22 14:36:37.287383 2017] [wsgi:error] [pid 26269] [remote 192.168.123.1:45548]
[Mon May 22 14:36:37.287420 2017] [wsgi:error] [pid 26269] [remote 192.168.123.1:45548] ipa: DEBUG: stderr=kinit: Pre-authentication failed: Cannot open file '/var/kerberos/krb5kdc/kdc.crt': Permission denied while getting initial credentials
[Mon May 22 14:36:37.287423 2017] [wsgi:error] [pid 26269] [remote 192.168.123.1:45548]


Metadata Update from @simo:
- Issue tagged with: bug, regression

7 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.5.2

7 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455541

7 years ago

master:

  • 9c3fad9 krb5: make sure KDC certificate is readable

ipa-4-5:

  • db79670 krb5: make sure KDC certificate is readable

Metadata Update from @mbabinsk:
- Issue close_status updated to: fixed
- Issue set to the milestone: None (was: FreeIPA 4.5.2)
- Issue status updated to: Closed (was: Open)

7 years ago

Changing milestone back to FreeIPA 4.5.2 as it was accidentally removed while closing the ticket.

Metadata Update from @pvomacka:
- Issue set to the milestone: FreeIPA 4.5.2

7 years ago

Metadata Update from @stlaz:
- Issue status updated to: Open (was: Closed)

7 years ago

The fix reveals the private key to the world.

master:

  • 3b68927 kdc.key should not be visible to all

ipa-4-5:

  • 37be8e9 kdc.key should not be visible to all
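
The two fixes in this ticket pull in opposite directions: kdc.crt has to be readable by the non-root web UI process, while kdc.key must stay private. The following permission audit is an added example, not FreeIPA code; it assumes kdc.key sits in the same directory as kdc.crt and that read access for the web UI is granted through the "other" read bit.

```python
import os
import stat
import sys

# Directory and file names come from the ticket. That kdc.key lives beside
# kdc.crt is an assumption of this example.
KDC_DIR = "/var/kerberos/krb5kdc"
PUBLIC_FILES = ("kdc.crt",)   # PKINIT anchor passed to kinit by the web UI
PRIVATE_FILES = ("kdc.key",)  # KDC private key


def audit_kdc_pki(directory=KDC_DIR):
    """Return a list of (path, mode, problem) tuples; empty means OK."""
    findings = []
    for name in PUBLIC_FILES + PRIVATE_FILES:
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)  # lstat: do not follow a planted symlink
        except FileNotFoundError:
            findings.append((path, None, "missing"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, None, "not a regular file"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if name in PUBLIC_FILES:
            # The regression: a root-only certificate makes kinit fail
            # with "Permission denied" when run by the web UI process.
            if not mode & stat.S_IROTH:
                findings.append((path, mode, "certificate not readable"))
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, mode, "certificate writable by non-owner"))
        else:
            # The overcorrection: any group/other bit exposes the key.
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, mode, "private key exposed beyond owner"))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else KDC_DIR
    problems = audit_kdc_pki(target)
    for path, mode, problem in problems:
        shown = "----" if mode is None else format(mode, "04o")
        print(f"{path} [{shown}]: {problem}")
    sys.exit(1 if problems else 0)
```

Running it after an upgrade catches both states seen in this ticket: a root-only certificate and a world-readable key.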

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)

7 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)

7 years ago

Closing. Seems to be fixed in 4.5.2 and the pusher forgot to close it.

Metadata Update from @pvoborni:
- Issue close_status updated to: fixed
- Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.4)
- Issue status updated to: Closed (was: Open)

7 years ago
