#7944 Unattended ipa-client-install with expired password yields Kerberos red herring
Closed: wontfix 3 months ago by pcech. Opened 5 months ago by johnkeates.

Issue

Unattended ipa-client-install with an expired enrolment user password yields errors pointing to Kerberos rather than to the expired password. Somehow, this seems to hit a condition where you get an LDAP error (as in #7945) instead of a Kerberos error. Perhaps a race condition in the client, or a race condition in the server where the first call succeeds but follow-up calls fail because the password has just expired during the install.

Steps to Reproduce

  1. Expire the password on the unattended install IPA user
  2. Issue an unattended install
  3. Install fails with "kinit: Cannot read password while getting initial credentials"

Actual behavior

ipa-client-install fails with a Kerberos error

Expected behavior

ipa-client-install fails with a "password expired" message

Version/Release/Distribution

ipa-client-4.6.4-10.el7.centos.3.x86_64

Logs:

2019-05-07T11:34:25Z DEBUG args=/usr/bin/kinit host_enrollment_user@ipa-server-domain.com -c /tmp/krbccnwzCrI/ccache
2019-05-07T11:34:25Z DEBUG Process finished, return code=1
2019-05-07T11:34:25Z DEBUG stdout=Password for host_enrollment_user@ipa-server-domain.com: 
Password expired.  You must change it now.
Enter new password: 

2019-05-07T11:34:25Z DEBUG stderr=kinit: Cannot read password while getting initial credentials

2019-05-07T11:34:25Z INFO Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
2019-05-07T11:34:25Z ERROR Installation failed. Rolling back changes.
2019-05-07T11:34:27Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
    return cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run
    return self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 389, in execute
    for rval in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 3632, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2353, in install
    _install(options)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2507, in _install
    rval=CLIENT_INSTALL_ERROR)

2019-05-07T11:34:27Z DEBUG The ipa-client-install command failed, exception: ScriptError: Kerberos authentication failed: kinit: Cannot read password while getting initial credentials

2019-05-07T11:34:27Z ERROR Kerberos authentication failed: kinit: Cannot read password while getting initial credentials

2019-05-07T11:34:27Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
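The log above shows where the real cause is hidden: kinit's stdout carries "Password expired. You must change it now." followed by a second prompt that nothing answers, while only the generic stderr line "Cannot read password while getting initial credentials" is surfaced as the installer's error. The following is an added example, not FreeIPA code and not part of the reporter's setup: a pre-flight check that performs the same non-interactive kinit an unattended enrolment does and classifies the combined output, so the specific reason (expired, wrong password, locked principal) is reported before ipa-client-install is even started. The function names are hypothetical, and the sample output is constructed from the log excerpt above.

```shell
#!/bin/sh
# Added example, not part of FreeIPA: pre-flight check for unattended enrolment.
# It reads kinit's stdout (where "Password expired" appears) as well as its
# stderr (where the generic "Cannot read password" appears). Function names
# (classify_kinit_output, preflight_kinit) are hypothetical.

# Constructed sample: the stdout and stderr kinit produced in the log above.
SAMPLE_KINIT_OUTPUT='Password for host_enrollment_user@ipa-server-domain.com: 
Password expired.  You must change it now.
Enter new password: 
kinit: Cannot read password while getting initial credentials'

# classify_kinit_output OUTPUT
# Map kinit's combined stdout+stderr to a short reason. Order matters: an
# expired password also produces "Cannot read password" once the new-password
# prompt gets no input, so the more specific pattern is tested first.
classify_kinit_output() {
    case $1 in
        *"Password expired"*)                  echo expired ;;
        *"Password incorrect"*)                echo wrong-password ;;
        *"credentials have been revoked"*)     echo locked ;;
        *"not found in Kerberos database"*)    echo no-such-principal ;;
        *"Cannot read password"*)              echo cannot-read-password ;;
        *)                                     echo unknown ;;
    esac
}

# preflight_kinit PRINCIPAL PASSWORD
# Feed the password on stdin exactly as an unattended install would (kinit
# prompts on stdout and reads stdin when no tty is present), using a throwaway
# credential cache, and print the classified reason. Returns 0 only when kinit
# succeeded. Requires MIT Kerberos kinit/kdestroy on PATH.
preflight_kinit() {
    principal=$1
    password=$2
    cc=$(mktemp) || return 2
    if out=$(printf '%s\n' "$password" | kinit -c "$cc" "$principal" 2>&1); then
        reason=ok
        rc=0
    else
        reason=$(classify_kinit_output "$out")
        rc=1
    fi
    kdestroy -c "$cc" 2>/dev/null || true
    rm -f "$cc"
    echo "$reason"
    return $rc
}

# Stand-alone demonstration on the constructed sample: prints "expired".
classify_kinit_output "$SAMPLE_KINIT_OUTPUT"

# With a principal and password given, run the real check first, e.g.
#   preflight_kinit "$PRINCIPAL" "$ENROLL_PW" \
#     && ipa-client-install --unattended --principal "$PRINCIPAL" --password "$ENROLL_PW"
if [ $# -eq 2 ]; then
    preflight_kinit "$1" "$2"
fi
```

The check only reproduces the failing step in isolation; it does not change the password or touch the host's enrolment state, so it is safe to run from provisioning tooling before every unattended install and to fail the job with the classified reason instead of the kinit stderr line.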

I'm not sure I follow. Because it is unattended there is no user to enter the new password so it fails. Are you suggesting the port information be suppressed? I'm not sure IPA is/can be aware when prompting for the password that it is expired.

Metadata Update from @pcech:
- Custom field affects_doc adjusted to on
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

3 months ago

The issue is that regardless of unattended or attended install an unusable account will cause the install command to fail with a red herring. On the API side of things it makes sense that it can't ask for a new password to be entered, but that doesn't help a user or admin to diagnose failing installs. What does help is a message at the end of the log stating why the install failed.

"Cannot read password while getting initial credentials" is technically correct, but functionally unhelpful.

Right, but just before that in the log is a very clear explanation of what happened. When forking out to call other programs, it isn't always possible or useful to display both stderr and stdout, but both are logged so it is possible to discover the fuller error.
