#9082 ipa-client-install fails to update DNS entries
Opened 2 years ago by ricardoalonso. Modified 2 years ago

Issue

ipa-client-install fails to update the DNS entry for a server that was reinstalled from CentOS 7 -> 8 (it was previously registered)

Steps to Reproduce

  1. create and register a server using CentOS/RHEL 7 on FreeIPA as a client
  2. reinstall the client for CentOS/RHEL 8
  3. re-register it using "ipa-client-install --force-join"

Actual behavior

nsupdate fails with the message:
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = KDC returned error string: NO PREAUTH.

Expected behavior

all DNS entries updated (especially the SSHFP values)

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
Client:

rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

package freeipa-server is not installed
package freeipa-client is not installed
package ipa-server is not installed
ipa-client-4.9.6-6.module+el8.5.0+674+69615a50.x86_64
package 389-ds-base is not installed
package pki-ca is not installed
package krb5-server is not installed

Server:

rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
krb5-server-1.18.2-14.el8.x86_64

Additional info:

journalctl -fu named-pkcs11 (from the server)

Jan 12 15:49:54 ipa named-pkcs11[3283]: client @0x7f3d2efa02c0 192.168.8.24#51837: update '168.192.in-addr.arpa/IN' denied
Jan 12 16:35:45 ipa named-pkcs11[3283]: client @0x7f3d2e93e650 192.168.8.110#45391: received notify for zone 'o2pos.com.br'
Jan 12 16:35:45 ipa named-pkcs11[3283]: zone o2pos.com.br/IN: sending notifies (serial 1642016145)
Jan 12 16:36:18 ipa named-pkcs11[3283]: client @0x7f3d2405da00 192.168.8.116#46955: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa named-pkcs11[3283]: client @0x7f3d268dbfb0 192.168.8.116#46955: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa.o2pos.com.br named-pkcs11[3283]: client @0x7f3d2405da00 192.168.8.116#46955: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa.o2pos.com.br named-pkcs11[3283]: client @0x7f3d32afd7c0 192.168.8.116#46955: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa.o2pos.com.br named-pkcs11[3283]: client @0x7f3d32afd7c0 192.168.8.116#46955: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa.o2pos.com.br named-pkcs11[3283]: client @0x7f3d2405da00 192.168.8.116#46955: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa.o2pos.com.br named-pkcs11[3283]: client @0x7f3d2405da00 192.168.8.116#44190: update 'o2pos.com.br/IN' denied
Jan 12 16:36:18 ipa.o2pos.com.br named-pkcs11[3283]: client @0x7f3d32afd7c0 192.168.8.116#44190: update 'o2pos.com.br/IN' denied

Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting

ipaclient-install.log


What do you mean re-installed? As in a whole new installation? If so the Kerberos master key changed and the client needs to be re-enrolled completely.

I mean, the whole operating system is reinstalled (due to a crash or upgrade) and you need to enroll it again with the "ipa-client-install --force" command

A re-install generates a new Kerberos master key and CA. The client must be re-installed from scratch to pick this up.

Metadata Update from @rcritten:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @ricardoalonso:
- Issue status updated to: Open (was: Closed)

2 years ago

It's the client reinstall, not the server. The server hasn't changed. I updated the description.

What's the use-case here? The client went away somehow so you're installing it as a client again. Why use --force? That will not cause the installation to fail if the enrollment does but it also won't get a new keytab, hence the GSS errors you report.

Are you trying to retain the original host and service entries for some reason? Those services, if they have keytabs, will need to be re-generated as well. And any certificates re-issued.

I suspect what you want is to run ipa host-disable <host> first which, if memory serves, will drop the keytab and allow for more graceful re-enrollment.
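The thread turns on two points: the GSS-TSIG update (nsupdate -g) can only succeed if the host keytab is still accepted by the KDC, and the records the reporter cares about are the SSHFP entries ipa-client-install normally publishes. The script below is an added example, not code from this ticket or from the FreeIPA project: it checks the keytab with a throwaway kinit before attempting any update, and rebuilds the SSHFP records from ssh-keygen -r output into an nsupdate batch. The keytab path /etc/krb5.keytab, the TTL of 1200, the zone master ipa.example.test and the sample fingerprints are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the FreeIPA ticket or project. Demonstrates:
# (1) verifying that the host keytab is still accepted by the KDC, the precondition
#     for "nsupdate -g" (GSS-TSIG) to negotiate a TKEY at all, and
# (2) regenerating the SSHFP records that ipa-client-install would publish and
#     turning them into an nsupdate batch.
# Hypothetical values: /etc/krb5.keytab as the keytab, TTL 1200, and the zone
# master passed as the argument after "run".

KEYTAB=${KEYTAB:-/etc/krb5.keytab}
TTL=${TTL:-1200}

# check_keytab HOST: obtain a TGT for host/HOST from the keytab into a throwaway
# in-memory ccache. A failure here (preauthentication errors included) means the
# keytab no longer matches what the KDC holds, which is the state a --force
# re-enrollment leaves behind; nsupdate -g cannot succeed until the host is
# properly re-enrolled.
check_keytab() {
  KRB5CCNAME=MEMORY:keytab_check kinit -k -t "$KEYTAB" "host/$1" >/dev/null 2>&1
}

# sshfp_update_script HOST SERVER SSHFP_RECORDS: turn "ssh-keygen -r HOST" output
# ("HOST IN SSHFP alg type hex" lines) into an nsupdate batch that replaces every
# SSHFP record for HOST. Written to stdout; pipe it into "nsupdate -g".
sshfp_update_script() {
  host=$1
  server=$2
  records=$3
  host=${host%.}   # normalise to a fully-qualified name with exactly one trailing dot
  printf 'server %s\n' "$server"
  printf 'update delete %s. IN SSHFP\n' "$host"
  printf '%s\n' "$records" | awk -v ttl="$TTL" '
    $2 == "IN" && $3 == "SSHFP" {
      name = $1; sub(/\.$/, "", name)
      printf "update add %s. %s IN SSHFP %s %s %s\n", name, ttl, $4, $5, $6
    }'
  printf 'send\n'
}

# Constructed sample in the shape ssh-keygen -r produces (the fingerprints are dummies).
SAMPLE_SSHFP='client.example.test IN SSHFP 1 1 0123456789abcdef0123456789abcdef01234567
client.example.test IN SSHFP 4 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

main() {
  host=$(hostname -f)
  if ! check_keytab "$host"; then
    echo "KDC rejected host/$host from $KEYTAB; re-enroll the client (without --force) first" >&2
    exit 1
  fi
  sshfp_update_script "$host" "$1" "$(ssh-keygen -r "$host")" | nsupdate -g
}

# Only touch the KDC and DNS when explicitly asked: ./sshfp-refresh.sh run ipa.example.test
if [ "${1:-}" = "run" ]; then main "$2"; fi
```

If check_keytab fails, the fix is the one the thread points at: re-enroll the host rather than retrying nsupdate, since the "update ... denied" lines in the named log are the server-side view of a client that could not authenticate its update.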

