Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1493541
Description of problem:
When you switch from local pkinit to full pkinit with an IPA CA signed CA certificate, the tool ipa-pkinit-manage says it was successful, even though no IPA CA signed KDC cert has been requested:

# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful

# ipa-pkinit-manage --verbose enable
ipa.ipaserver.install.ipa_pkinit_manage.PKINITManage: DEBUG: Not logging to a file
ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
ipa: DEBUG: importing plugin module ipaserver.plugins.aci
ipa: DEBUG: importing plugin module ipaserver.plugins.automember
ipa: DEBUG: importing plugin module ipaserver.plugins.automount
ipa: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipa: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipa: DEBUG: importing plugin module ipaserver.plugins.batch
ipa: DEBUG: importing plugin module ipaserver.plugins.ca
ipa: DEBUG: importing plugin module ipaserver.plugins.caacl
ipa: DEBUG: importing plugin module ipaserver.plugins.cert
ipa: DEBUG: importing plugin module ipaserver.plugins.certmap
ipa: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipa: DEBUG: importing plugin module ipaserver.plugins.config
ipa: DEBUG: importing plugin module ipaserver.plugins.delegation
ipa: DEBUG: importing plugin module ipaserver.plugins.dns
ipa: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipa: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipa: DEBUG: importing plugin module ipaserver.plugins.group
ipa: DEBUG: importing plugin module ipaserver.plugins.hbac
ipa: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipa: DEBUG: importing plugin module ipaserver.plugins.host
ipa: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.idrange
ipa: DEBUG: importing plugin module ipaserver.plugins.idviews
ipa: DEBUG: importing plugin module ipaserver.plugins.internal
ipa: DEBUG: importing plugin module ipaserver.plugins.join
ipa: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipa: DEBUG: importing plugin module ipaserver.plugins.location
ipa: DEBUG: importing plugin module ipaserver.plugins.migration
ipa: DEBUG: importing plugin module ipaserver.plugins.misc
ipa: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.otp
ipa: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipa: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipa: DEBUG: importing plugin module ipaserver.plugins.passwd
ipa: DEBUG: importing plugin module ipaserver.plugins.permission
ipa: DEBUG: importing plugin module ipaserver.plugins.ping
ipa: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipa: DEBUG: importing plugin module ipaserver.plugins.privilege
ipa: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
ipa: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipa: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipa: DEBUG: importing plugin module ipaserver.plugins.role
ipa: DEBUG: importing plugin module ipaserver.plugins.schema
ipa: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipa: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipa: DEBUG: importing plugin module ipaserver.plugins.server
ipa: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipa: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipa: DEBUG: importing plugin module ipaserver.plugins.service
ipa: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipa: DEBUG: importing plugin module ipaserver.plugins.session
ipa: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipa: DEBUG: importing plugin module ipaserver.plugins.sudo
ipa: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipa: DEBUG: importing plugin module ipaserver.plugins.topology
ipa: DEBUG: importing plugin module ipaserver.plugins.trust
ipa: DEBUG: importing plugin module ipaserver.plugins.user
ipa: DEBUG: importing plugin module ipaserver.plugins.vault
ipa: DEBUG: importing plugin module ipaserver.plugins.virtual
ipa: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.whoami
ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection context.ldap2_56421648
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: raw: ca_is_enabled(version=u'2.228')
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: ca_is_enabled(version=u'2.228')
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x53d9b00>
ipa.ipaserver.plugins.config.config_show: DEBUG: raw: config_show(version=u'2.228')
ipa.ipaserver.plugins.config.config_show: DEBUG: config_show(rights=False, all=False, raw=False, version=u'2.228')
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: raw: ca_is_enabled(version=u'2.228')
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: ca_is_enabled(version=u'2.228')
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Configuring Kerberos KDC (krb5kdc)
Configuring Kerberos KDC (krb5kdc)
ipa: DEBUG: [1/1]: installing X509 Certificate for PKINIT
[1/1]: installing X509 Certificate for PKINIT
ipa: DEBUG: certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
ipa: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipa: DEBUG: service KDC has all config values set
ipa: DEBUG: duration: 5 seconds
ipa: DEBUG: Done configuring Kerberos KDC (krb5kdc).
Done configuring Kerberos KDC (krb5kdc).
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl restart krb5kdc.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active krb5kdc.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: service KDC: config string pkinitEnabled already set
ipa: DEBUG: service KDC has already enabled config values ['pkinitEnabled']
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_56421648
ipa.ipaserver.install.ipa_pkinit_manage.PKINITManage: INFO: The ipa-pkinit-manage command was successful

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7_4.1.2.x86_64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
No new certificate signed by the IPA CA has been requested.

Expected results:
Either the tool should report an error that requesting an IPA CA signed certificate failed or is not possible, or a new CSR should be generated to request an IPA CA signed certificate for the IPA KDC.

Additional info:
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1493541
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.6)
Metadata Update from @pvoborni: - Issue priority set to: normal
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2630
I just ended up hitting this with our FreeIPA v4.5.4 clusters that we migrated to from v3. My understanding is that PKINIT was disabled as we were on Domain Level 0 w/ a few v3 nodes left in the cluster. After decomming all of our v3 nodes and then upgrading to Domain Level 1 I went to enable PKINIT across all of the instances.
The /var/kerberos/krb5kdc/kdc.crt certificates already existed and were self-signed. As noted here, they weren't re-issued and signed by the FreeIPA CA.
A workaround if other folks hit this appears to be just running getcert resubmit -vwf /var/kerberos/krb5kdc/kdc.crt as root on your FreeIPA servers that have PKINIT enabled. The new certificate is now signed by the FreeIPA CA and is no longer self-signed. After which, kinit -n works without issue.
Hope this helps someone!
@jaredl you can also delete the key/cert at /var/kerberos/krb5kdc/kdc.{key,crt} and re-run ipa-pkinit-manage. This is what pull request https://github.com/freeipa/freeipa/pull/2630 is doing.
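A check for the state described in the ticket and in the two comments above (a kdc.crt that certmonger tracks and reports as MONITORING, yet is still self-signed rather than issued by the IPA CA), written as an added example that is not part of this ticket or of FreeIPA. It parses `getcert list` output and flags a KDC PKINIT request whose CA is not IPA or whose issuer equals its subject; the sample output is constructed, and the field layout is assumed to follow certmonger's `getcert list` format.

```python
import re

# Path of the KDC PKINIT certificate discussed in this ticket.
KDC_CERT = "/var/kerberos/krb5kdc/kdc.crt"

# Constructed `getcert list` output, not captured from a real server; field names
# follow certmonger's layout (assumed), request IDs and names are made up. The first
# request shows the ticket's symptom: kdc.crt tracked and MONITORING, but self-signed.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20170919120000':
\tstatus: MONITORING
\tkey pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
\tcertificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
\tCA: SelfSign
\tissuer: CN=ipa.example.com,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
Request ID '20170919120100':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
"""


def parse_getcert_list(text):
    """Return one dict of 'field: value' pairs per 'Request ID' block."""
    requests = []
    for line in text.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            requests.append({"id": match.group(1)})
        elif requests and line.startswith("\t") and ": " in line:
            key, value = line.strip().split(": ", 1)
            requests[-1][key] = value
    return requests


def kdc_cert_findings(text, kdc_cert=KDC_CERT):
    """List (request id, problem) pairs for the tracked KDC PKINIT certificate."""
    tracked = [r for r in parse_getcert_list(text)
               if f"location='{kdc_cert}'" in r.get("certificate", "")]
    if not tracked:
        return [("-", f"{kdc_cert} is not tracked by certmonger")]
    findings = []
    for req in tracked:
        if req.get("CA") != "IPA":
            findings.append((req["id"], f"CA is {req.get('CA')}, not IPA"))
        if req.get("issuer") == req.get("subject"):
            findings.append((req["id"], "certificate is self-signed"))
    return findings
```

On a live server, feed it the real output (`getcert list`) instead of the constructed sample; an empty result means the KDC certificate is IPA-issued, while a SelfSign or self-signed finding is the state the workarounds above (getcert resubmit, or deleting the key/cert and re-running ipa-pkinit-manage) correct.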
Change to FreeIPA 4.6.5 milestone as 4.6 also affected. We don't have 4.5 in support anymore as RHEL 7.6 packages FreeIPA 4.6.4 effectively, Fedora is at FreeIPA 4.7.1, CentOS already has FreeIPA 4.6.4 in CentOS CR, and Debian doesn't package server well yet.
Metadata Update from @abbra: - Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.7.1)
master:
ipa-4-7:
ipa-4-6:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)