#7200 ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not.
Closed: fixed a year ago Opened 2 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1493541

Description of problem:
When you switch from local pkinit to full pkinit with an IPA CA signed CA
certificate, the tool ipa-pkinit-manage says it was successful, even though no
IPA CA signed KDC cert has been requested:

# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful

# ipa-pkinit-manage --verbose enable
ipa.ipaserver.install.ipa_pkinit_manage.PKINITManage: DEBUG: Not logging to a
file
ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
ipa: DEBUG: importing plugin module ipaserver.plugins.aci
ipa: DEBUG: importing plugin module ipaserver.plugins.automember
ipa: DEBUG: importing plugin module ipaserver.plugins.automount
ipa: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipa: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipa: DEBUG: importing plugin module ipaserver.plugins.batch
ipa: DEBUG: importing plugin module ipaserver.plugins.ca
ipa: DEBUG: importing plugin module ipaserver.plugins.caacl
ipa: DEBUG: importing plugin module ipaserver.plugins.cert
ipa: DEBUG: importing plugin module ipaserver.plugins.certmap
ipa: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipa: DEBUG: importing plugin module ipaserver.plugins.config
ipa: DEBUG: importing plugin module ipaserver.plugins.delegation
ipa: DEBUG: importing plugin module ipaserver.plugins.dns
ipa: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipa: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipa: DEBUG: importing plugin module ipaserver.plugins.group
ipa: DEBUG: importing plugin module ipaserver.plugins.hbac
ipa: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipa: DEBUG: importing plugin module ipaserver.plugins.host
ipa: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.idrange
ipa: DEBUG: importing plugin module ipaserver.plugins.idviews
ipa: DEBUG: importing plugin module ipaserver.plugins.internal
ipa: DEBUG: importing plugin module ipaserver.plugins.join
ipa: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipa: DEBUG: importing plugin module ipaserver.plugins.location
ipa: DEBUG: importing plugin module ipaserver.plugins.migration
ipa: DEBUG: importing plugin module ipaserver.plugins.misc
ipa: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.otp
ipa: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipa: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipa: DEBUG: importing plugin module ipaserver.plugins.passwd
ipa: DEBUG: importing plugin module ipaserver.plugins.permission
ipa: DEBUG: importing plugin module ipaserver.plugins.ping
ipa: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipa: DEBUG: importing plugin module ipaserver.plugins.privilege
ipa: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
ipa: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipa: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipa: DEBUG: importing plugin module ipaserver.plugins.role
ipa: DEBUG: importing plugin module ipaserver.plugins.schema
ipa: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipa: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipa: DEBUG: importing plugin module ipaserver.plugins.server
ipa: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipa: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipa: DEBUG: importing plugin module ipaserver.plugins.service
ipa: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipa: DEBUG: importing plugin module ipaserver.plugins.session
ipa: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipa: DEBUG: importing plugin module ipaserver.plugins.sudo
ipa: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipa: DEBUG: importing plugin module ipaserver.plugins.topology
ipa: DEBUG: importing plugin module ipaserver.plugins.trust
ipa: DEBUG: importing plugin module ipaserver.plugins.user
ipa: DEBUG: importing plugin module ipaserver.plugins.vault
ipa: DEBUG: importing plugin module ipaserver.plugins.virtual
ipa: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.whoami
ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
context.ldap2_56421648
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: raw:
ca_is_enabled(version=u'2.228')
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG:
ca_is_enabled(version=u'2.228')
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x53d9b00>
ipa.ipaserver.plugins.config.config_show: DEBUG: raw:
config_show(version=u'2.228')
ipa.ipaserver.plugins.config.config_show: DEBUG: config_show(rights=False,
all=False, raw=False, version=u'2.228')
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: raw:
ca_is_enabled(version=u'2.228')
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG:
ca_is_enabled(version=u'2.228')
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Configuring Kerberos KDC (krb5kdc)
Configuring Kerberos KDC (krb5kdc)
ipa: DEBUG:   [1/1]: installing X509 Certificate for PKINIT
  [1/1]: installing X509 Certificate for PKINIT
ipa: DEBUG: certmonger request is in state
dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
ipa: DEBUG: certmonger request is in state dbus.String(u'MONITORING',
variant_level=1)
ipa: DEBUG: service KDC has all config values set
ipa: DEBUG:   duration: 5 seconds
ipa: DEBUG: Done configuring Kerberos KDC (krb5kdc).
Done configuring Kerberos KDC (krb5kdc).
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl restart krb5kdc.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active krb5kdc.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: service KDC: config string pkinitEnabled already set
ipa: DEBUG: service KDC has already enabled config values ['pkinitEnabled']
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection
context.ldap2_56421648
ipa.ipaserver.install.ipa_pkinit_manage.PKINITManage: INFO: The
ipa-pkinit-manage command was successful


Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7_4.1.2.x86_64

Actual results:
No new certificate signed by the IPA CA has been requested.

Expected results:
Either the tool should report an error that requesting an IPA CA signed
certificate failed or is not possible, or a new CSR should be generated to
request an IPA CA signed certificate for the IPA KDC.

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1493541

2 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.6)

2 years ago

Metadata Update from @pvoborni:
- Issue priority set to: normal

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Metadata Update from @frenaud:
- Issue assigned to frenaud

2 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2630

2 years ago

I just ended up hitting this with our FreeIPA v4.5.4 clusters that we migrated to from v3. My understanding is that PKINIT was disabled as we were on Domain Level 0 w/ a few v3 nodes left in the cluster. After decomming all of our v3 nodes and then upgrading to Domain Level 1 I went to enable PKINIT across all of the instances.

The /var/kerberos/krb5kdc/kdc.crt certificates already existed and were self-signed. As noted here, they weren't re-issued and signed by the FreeIPA CA.

A workaround if other folks hit this appears to be just running getcert resubmit -vwf /var/kerberos/krb5kdc/kdc.crt as root on your FreeIPA servers that have PKINIT enabled. The new certificate is now signed by the FreeIPA CA and is no longer self-signed. After which, kinit -n works without issue.

Hope this helps someone!

@jaredl you can also delete the key/cert at /var/kerberos/krb5kdc/kdc.{key,crt} and re-run ipa-pkinit-manage. This is what pull request https://github.com/freeipa/freeipa/pull/2630 is doing.
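Both workarounds above (getcert resubmit, or deleting kdc.{key,crt} and re-running ipa-pkinit-manage) only help if you first notice that the KDC certificate is still self-signed, which the tool's "successful" message hides. The following shell function is an added example, not part of this ticket or of FreeIPA, that classifies the PKINIT certificate by comparing issuer with subject and then verifying it against the IPA CA chain; the kdc.crt path comes from the thread, while /etc/ipa/ca.crt as the CA chain location is an assumption.

```shell
#!/bin/sh
# Classify the KDC PKINIT certificate so the gap this ticket describes
# (ipa-pkinit-manage reporting success while kdc.crt stays self-signed)
# is visible before relying on "kinit -n".
# Usage: kdc_cert_state [kdc.crt] [ca.crt]
# Prints one of: self-signed | ipa-ca-signed | other-issuer | missing
kdc_cert_state() {
    crt="${1:-/var/kerberos/krb5kdc/kdc.crt}"
    ca="${2:-/etc/ipa/ca.crt}"   # assumed location of the IPA CA chain

    if [ ! -r "$crt" ]; then
        echo missing
        return 1
    fi

    subject=$(openssl x509 -in "$crt" -noout -subject)
    issuer=$(openssl x509 -in "$crt" -noout -issuer)

    # Strip the "subject=" / "issuer=" prefixes so the DNs compare cleanly.
    subject=${subject#subject=}
    issuer=${issuer#issuer=}

    if [ "$subject" = "$issuer" ]; then
        # Issuer equals subject: the certificate the workarounds replace.
        echo self-signed
        return 2
    fi

    # Chains to the IPA CA: the state ipa-pkinit-manage should have produced.
    if [ -r "$ca" ] && openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo ipa-ca-signed
        return 0
    fi

    echo other-issuer
    return 3
}
```

Run it on every server that has PKINIT enabled; only `ipa-ca-signed` means the enable step actually did what `ipa-pkinit-manage status` claims.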

Change to FreeIPA 4.6.5 milestone as 4.6 is also affected. We don't have 4.5 in support anymore as RHEL 7.6 packages FreeIPA 4.6.4 effectively, Fedora is at FreeIPA 4.7.1, CentOS already has FreeIPA 4.6.4 in CentOS CR, and Debian doesn't package the server well yet.

Metadata Update from @abbra:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.7.1)

a year ago

master:

  • 52c3c90 ipatest: add test for ipa-pkinit-manage enable|disable
  • a230153 PKINIT: fix ipa-pkinit-manage enable|disable

ipa-4-7:

  • 940755e ipatest: add test for ipa-pkinit-manage enable|disable
  • ffa04a1 PKINIT: fix ipa-pkinit-manage enable|disable

ipa-4-6:

  • c5b0874 ipatest: add test for ipa-pkinit-manage enable|disable
  • 7f653a0 PKINIT: fix ipa-pkinit-manage enable|disable

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
