Apparently kdc.crt is readable only by root now. However, the form based auth code uses it for anchors when users authenticate locally. So after updating my test VMs to latest master I see this when I try to auth:

[Mon May 22 14:36:37.274858 2017] [wsgi:error] [pid 26269] [remote 192.168.123.1:45548] ipa: DEBUG: args=/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_26269 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[Mon May 22 14:36:37.287311 2017] [wsgi:error] [pid 26269] [remote 192.168.123.1:45548] ipa: DEBUG: Process finished, return code=1
[Mon May 22 14:36:37.287379 2017] [wsgi:error] [pid 26269] [remote 192.168.123.1:45548] ipa: DEBUG: stdout=Password for WELLKNOWN/ANONYMOUS@IPA.TEST:
[Mon May 22 14:36:37.287383 2017] [wsgi:error] [pid 26269] [remote 192.168.123.1:45548]
[Mon May 22 14:36:37.287420 2017] [wsgi:error] [pid 26269] [remote 192.168.123.1:45548] ipa: DEBUG: stderr=kinit: Pre-authentication failed: Cannot open file '/var/kerberos/krb5kdc/kdc.crt': Permission denied while getting initial credentials
[Mon May 22 14:36:37.287423 2017] [wsgi:error] [pid 26269] [remote 192.168.123.1:45548]
Metadata Update from @simo: - Issue tagged with: bug, regression
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.5.2
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455541
Issue linked to bug 1455541
master:
9c3fad9 krb5: make sure KDC certificate is readable
ipa-4-5:
db79670 krb5: make sure KDC certificate is readable
Metadata Update from @mbabinsk: - Issue close_status updated to: fixed - Issue set to the milestone: None (was: FreeIPA 4.5.2) - Issue status updated to: Closed (was: Open)
Changing milestone back to FreeIPA 4.5.2 as it was accidentally removed during closing ticket.
Metadata Update from @pvomacka: - Issue set to the milestone: FreeIPA 4.5.2
Metadata Update from @stlaz: - Issue status updated to: Open (was: Closed)
The fix reveals the private key to the world.
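The kinit failure in the original report and the comment above that the fix exposed the private key are two sides of one precondition: a file passed as -X X509_anchors=FILE: must be readable by the non-root process running kinit (here the web server's WSGI worker), and any file whose permissions are loosened for that purpose must contain certificates only. The script below is an added example, not FreeIPA's own code or part of the fix; check_anchor_file is a hypothetical helper name, and the PEM bodies it tests are constructed placeholders written to a temporary directory, not real certificates or keys. It relies on POSIX find -perm -004 to test the other-read bit.

```shell
#!/bin/sh
# Added example; not FreeIPA code. Sanity-checks a PEM file before it is used as
# a kinit X509_anchors source by a non-root process:
#   - it must be world-readable, or kinit running as the web server user fails
#     with "Cannot open file ... Permission denied" as in the report;
#   - it must not carry a PRIVATE KEY block, because loosening permissions on a
#     file that also holds the key publishes that key.
# All PEM bodies below are constructed placeholders, not real key material.

# check_anchor_file FILE
# exit status: 0 ok, 1 private key present, 2 not world-readable,
#              3 unreadable by the caller or no certificate block
check_anchor_file() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "$f: cannot be read by $(id -un)"
        return 3
    fi
    # Key material is checked first: this must fail regardless of permissions.
    if grep -q -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f"; then
        echo "$f: contains a private key block; must not be readable beyond the KDC"
        return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "$f: no certificate block found, useless as an anchor set"
        return 3
    fi
    # POSIX find: -perm -004 matches files with the other-read bit set.
    if ! find "$f" -perm -004 | grep -q .; then
        echo "$f: not world-readable; kinit -X X509_anchors=FILE:$f fails for non-root callers"
        return 2
    fi
    echo "$f: certificate-only and world-readable, safe as an anchor set"
    return 0
}

# Constructed sample files in a scratch directory, removed when the script exits.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
GOOD_ANCHOR=$SAMPLE_DIR/kdc-ca-bundle.pem      # certificate only, mode 0644
BAD_ANCHOR=$SAMPLE_DIR/kdc.crt                 # certificate plus key, mode 0644
PRIVATE_ANCHOR=$SAMPLE_DIR/kdc-root-only.crt   # certificate only, mode 0600

printf '%s\n' '-----BEGIN CERTIFICATE-----' \
              'MIIBplaceholderCertificateBody' \
              '-----END CERTIFICATE-----' > "$GOOD_ANCHOR"
chmod 0644 "$GOOD_ANCHOR"
cp "$GOOD_ANCHOR" "$PRIVATE_ANCHOR"
chmod 0600 "$PRIVATE_ANCHOR"
{
    cat "$GOOD_ANCHOR"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
                  'MIIEplaceholderKeyBody' \
                  '-----END RSA PRIVATE KEY-----'
} > "$BAD_ANCHOR"
chmod 0644 "$BAD_ANCHOR"

# Walk the three samples; the status is captured so a rejection does not abort the script.
for f in "$GOOD_ANCHOR" "$BAD_ANCHOR" "$PRIVATE_ANCHOR"; do
    rc=0
    check_anchor_file "$f" || rc=$?
    echo "  -> exit status $rc"
done
```

Run it against the real files once the fix is in place, e.g. check_anchor_file /var/kerberos/krb5kdc/kdc.crt as the web server user; a status of 1 means the file must be split into a certificate-only bundle before its permissions are relaxed, and a status of 2 reproduces the Permission denied failure from the report.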
ipa-4-5:
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)
Closing; it seems to be fixed in 4.5.2 and the pusher forgot to close it.
Metadata Update from @pvoborni: - Issue close_status updated to: fixed - Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.4) - Issue status updated to: Closed (was: Open)