#8639 Login fails with exception in kinit_armor
Opened 2 years ago by carbenium. Modified 2 years ago

Issue

When kinit_armor fails due to deactivated PKINIT or misconfiguration, the calling code expects a RuntimeError to be raised. Instead a CalledProcessError is raised, the login fails and the following stack trace is logged:

[Wed Dec 30 23:50:30.027114 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854] Traceback (most recent call last):
[Wed Dec 30 23:50:30.027140 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854]   File "/usr/share/ipa/wsgi.py", line 59, in application
[Wed Dec 30 23:50:30.027154 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854]     return api.Backend.wsgi_dispatch(environ, start_response)
[Wed Dec 30 23:50:30.027163 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854]   File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 293, in __call__
[Wed Dec 30 23:50:30.027165 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854]     return self.route(environ, start_response)
[Wed Dec 30 23:50:30.027169 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854]   File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 305, in route
[Wed Dec 30 23:50:30.027175 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854]     return app(environ, start_response)
[Wed Dec 30 23:50:30.027179 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854]   File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 1015, in __call__
[Wed Dec 30 23:50:30.027181 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854]     self.kinit(user_principal, password, ipa_ccache_name)
[Wed Dec 30 23:50:30.027184 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854]   File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 1049, in kinit
[Wed Dec 30 23:50:30.027186 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854]     kinit_armor(
[Wed Dec 30 23:50:30.027190 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854]   File "/usr/lib/python3.9/site-packages/ipalib/install/kinit.py", line 127, in kinit_armor
[Wed Dec 30 23:50:30.027191 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854]     run(args, env=env, raiseonerr=True, capture_error=True)
[Wed Dec 30 23:50:30.027195 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854]   File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 594, in run
[Wed Dec 30 23:50:30.027196 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854]     raise CalledProcessError(
[Wed Dec 30 23:50:30.027211 2020] [wsgi:error] [pid 418587:tid 418945] [remote 212.51.129.88:35854] ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_418587', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\\n')

Steps to Reproduce

  1. Disable PKINIT or introduce some misconfiguration such that kinit -n -X ... fails
  2. Try to log in on the web UI

Actual behavior

Login fails with an unspecified error message.

Expected behavior

Login should succeed if the armor cache is not needed.

Version/Release/Distribution

4.8.10


Actually I might have been hitting https://pagure.io/freeipa/issue/8632 . Anyway I think the fix on IPA side is still justified.
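
The exception mismatch reported in this ticket, as an added example that is not FreeIPA code and not part of the ticket: `subprocess.CalledProcessError` stands in for `ipapython.ipautil.CalledProcessError`, and the function names, the constructed failing command and the caller's fall-back to a login without armor are assumptions made for illustration.

```python
import subprocess
import sys

# Constructed stand-in for a failing `kinit -n`: exits 1 and writes the
# message from the report to stderr, so the example runs offline.
FAILING_KINIT = [
    sys.executable, "-c",
    "import sys; sys.stderr.write('kinit: Cannot read password while "
    "getting initial credentials\\n'); sys.exit(1)",
]

def kinit_armor_leaky(args):
    """Reported behaviour: the process error reaches the caller unchanged."""
    subprocess.run(args, check=True, capture_output=True)

def kinit_armor_translated(args):
    """Translate the process failure into the RuntimeError the caller handles."""
    try:
        subprocess.run(args, check=True, capture_output=True)
    except subprocess.CalledProcessError as e:
        stderr = e.stderr.decode(errors="replace").strip()
        raise RuntimeError(f"armor kinit failed: {stderr}") from e

def login(kinit_armor, args):
    """Hypothetical caller that only handles RuntimeError from the armor step."""
    try:
        kinit_armor(args)
    except RuntimeError as e:
        # Assumption: the login continues without an armor cache.
        return ("no-armor", str(e))
    return ("armor", "")

def demo():
    # CalledProcessError is not a RuntimeError subclass, so the leaky
    # variant escapes the caller's handler and aborts the login.
    try:
        leaky = login(kinit_armor_leaky, FAILING_KINIT)
    except subprocess.CalledProcessError as e:
        leaky = ("unhandled", type(e).__name__)
    return leaky, login(kinit_armor_translated, FAILING_KINIT)

if __name__ == "__main__":
    print(demo())
```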
