The nightly test test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_otp is failing in rawhide, see PR #1745 with the following logs and report:
test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_otp
```
self = <ipatests.test_integration.test_krbtpolicy.TestPWPolicy object at 0x7f85cc2ac340>
reset_to_default_policy = <function reset_to_default_policy.<locals>._reset_to_default_policy at 0x7f85cb03cc10>

    def test_krbtpolicy_otp(self, reset_to_default_policy):
        """Test otp ticket policy"""
        master = self.master
        master.run_command(['ipa', 'user-mod', USER1, '--user-auth-type', 'otp'])
        master.run_command(['ipa', 'config-mod', '--user-auth-type', 'otp'])
        master.run_command(['ipa', 'krbtpolicy-mod', USER1,
                            '--otp-maxrenew=90', '--otp-maxlife=60'])
        armor = tasks.create_temp_file(self.master, create_file=False)
        otpuid, totp = add_otptoken(master, USER1, otptype="totp")
        otpvalue = totp.generate(int(time.time())).decode("ascii")
        reset_to_default_policy(master, USER1)
        try:
            tasks.kdestroy_all(master)
            # create armor for FAST
>           master.run_command(['kinit', '-n', '-c', armor])

test_integration/test_krbtpolicy.py:205:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

self = <ipatests.pytest_ipa.integration.host.Host master.ipa.test (master)>
argv = ['kinit', '-n', '-c', '/tmp/tmp.OZTQMbRjQm'], set_env = True
stdin_text = None, log_stdout = True, raiseonerr = True, cwd = None, bg = False
encoding = 'utf-8', ok_returncode = 0

    def run_command(self, argv, set_env=True, stdin_text=None,
                    log_stdout=True, raiseonerr=True, cwd=None, bg=False,
                    encoding='utf-8', ok_returncode=0):
        """Wrapper around run_command to log stderr on raiseonerr=True

        :param ok_returncode: return code considered to be correct,
                              you can pass an integer or sequence of integers
        """
        result = super().run_command(
            argv, set_env=set_env, stdin_text=stdin_text,
            log_stdout=log_stdout, raiseonerr=False, cwd=cwd, bg=bg,
            encoding=encoding
        )
        # in FIPS mode SSH may print noise to stderr, remove the string
        # "FIPS mode initialized" + optional newline.
        result.stderr_bytes = FIPS_NOISE_RE.sub(b'', result.stderr_bytes)
        try:
            result_ok = result.returncode in ok_returncode
        except TypeError:
            result_ok = result.returncode == ok_returncode
        if not result_ok and raiseonerr:
            result.log.error('stderr: %s', result.stderr_text)
>           raise subprocess.CalledProcessError(
                result.returncode, argv, result.stdout_text,
                result.stderr_text
            )
E           subprocess.CalledProcessError: Command '['kinit', '-n', '-c', '/tmp/tmp.OZTQMbRjQm']' returned non-zero exit status 1.

pytest_ipa/integration/host.py:202: CalledProcessError
------------------------------ Captured log setup ------------------------------
INFO     ipatests.pytest_ipa.integration.host.Host.master.IPAOpenSSHTransport:transport.py:391 RUN ['kinit', 'admin']
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd134:transport.py:513 RUN ['kinit', 'admin']
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd134:transport.py:557 Password for admin@IPA.TEST:
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd134:transport.py:217 Exit code: 0
----------------------------- Captured stderr call -----------------------------
ipa: ERROR: stderr: kinit: KDC policy rejects request while getting initial credentials
```
Test scenario:
- modify user authentication type to `otp` for `user1`
- modify default authentication type to `otp`
- modify krb ticket policy with maxrenew=90 and maxlife=60 for `user1`
- add an OTP token for `user1`
- perform anonymous kinit with `kinit -n -c /tmp/tmpfile`
The call fails with the following error message:
```
kinit: KDC policy rejects request while getting initial credentials
```
Packages:
- krb5-server-1.19.2-9.fc37.x86_64
- freeipa-server-4.10.0.dev-0.fc37.x86_64
List of packages updated between last week (successful run) and this week (failure): [pkgs.diff](/freeipa/issue/raw/files/747854d7c116ca0e41f49e92197f5261ebfa6f381d0aef1d5c5b9be7c1454f18-pkgs.diff)
It is a similar issue I'm investigating myself. Basically, we should be enforcing auth types on user accounts only, not all principals.
```
May 29 04:07:53 master.ipa.test krb5kdc[18209](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25)}) 192.168.122.93: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST, Additional pre-authentication required
May 29 04:07:53 master.ipa.test krb5kdc[18209](info): closing down fd 4
May 29 04:07:53 master.ipa.test krb5kdc[18209](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25)}) 192.168.122.93: Non-hardened password authentication not allowed for this user.: WELLKNOWN/ANONYMOUS@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST, KDC policy rejects request
```
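The policy decision the comment above describes, as an added illustration (this is not ipa-kdb or ipatests code, and not part of the ticket). The block pulls the refused client principal out of krb5kdc log lines like the ones quoted, then models the KDC verdict two ways: the global `--user-auth-type` applied to every principal, which is what the log shows happening to `WELLKNOWN/ANONYMOUS`, and applied to user accounts only, which is what the comment argues for. The `Principal` class, its `is_user` flag, the pre-auth method names and the host/keytab case are assumptions of this model, not ipa-kdb interfaces.

```python
"""Model of the KDC auth-type policy decision behind the failure above.

Added illustration, not ipa-kdb or ipatests code. The Principal class,
its is_user flag, the method names and the host/keytab case are
assumptions of this model.
"""
import re
from dataclasses import dataclass

# Constructed sample: the krb5kdc lines quoted in the ticket, with the
# etype list shortened to keep the lines readable.
KDC_LOG = """\
May 29 04:07:53 master.ipa.test krb5kdc[18209](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18)}) 192.168.122.93: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST, Additional pre-authentication required
May 29 04:07:53 master.ipa.test krb5kdc[18209](info): closing down fd 4
May 29 04:07:53 master.ipa.test krb5kdc[18209](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18)}) 192.168.122.93: Non-hardened password authentication not allowed for this user.: WELLKNOWN/ANONYMOUS@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST, KDC policy rejects request
"""

# krb5kdc AS_REQ line: "<etypes>) <src>: <status>: <client> for <server>, <detail>"
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\}\) (?P<src>\S+): (?P<status>.*?): "
    r"(?P<client>\S+) for (?P<server>\S+), (?P<detail>.*)$"
)

POLICY_REJECT = "Non-hardened password authentication not allowed for this user."


def parse_as_req(log):
    """One dict (src, status, client, server, detail) per AS_REQ line."""
    return [m.groupdict() for m in map(AS_REQ_RE.search, log.splitlines()) if m]


def rejected_principals(log):
    """(client, reason) for every AS_REQ the KDC refused on policy grounds."""
    return [(r["client"], r["status"]) for r in parse_as_req(log)
            if r["detail"] == "KDC policy rejects request"]


@dataclass(frozen=True)
class Principal:
    name: str
    is_user: bool                        # user account vs. service/well-known principal
    auth_types: frozenset = frozenset()  # per-entry ipaUserAuthType values; empty = inherit


def effective_auth_types(principal, global_auth_types, users_only):
    """Per-entry setting wins; otherwise the global default applies, and in
    the users_only variant only when the principal is a user account."""
    if principal.auth_types:
        return principal.auth_types
    if users_only and not principal.is_user:
        return frozenset()               # no restriction: any pre-auth is acceptable
    return global_auth_types


def kdc_policy(principal, method, global_auth_types, users_only):
    """Verdict for an AS-REQ whose pre-auth used `method` (one of the assumed
    names "password", "otp", "pkinit", "keytab"): "accepted" or the reject reason."""
    required = effective_auth_types(principal, global_auth_types, users_only)
    if not required or method in required:
        return "accepted"
    return POLICY_REJECT


# The ticket's scenario: user1 set to otp, and the global default set to otp.
GLOBAL_AUTH_TYPES = frozenset({"otp"})
ANONYMOUS = Principal("WELLKNOWN/ANONYMOUS@IPA.TEST", is_user=False)
USER1 = Principal("user1@IPA.TEST", is_user=True, auth_types=frozenset({"otp"}))
HOST = Principal("host/client.ipa.test@IPA.TEST", is_user=False)  # assumed service principal

REQUESTS = [
    (ANONYMOUS, "pkinit"),   # kinit -n: anonymous PKINIT to obtain the FAST armor ticket
    (USER1, "otp"),
    (USER1, "password"),
    (HOST, "keytab"),        # assumed: a service authenticating with its long-term key
]


def verdicts(users_only):
    """Map (principal name, method) -> verdict for the scenario above."""
    return {(p.name, m): kdc_policy(p, m, GLOBAL_AUTH_TYPES, users_only)
            for p, m in REQUESTS}


if __name__ == "__main__":
    print("rejected in log:", rejected_principals(KDC_LOG))
    for users_only in (False, True):
        scope = "users only" if users_only else "all principals"
        print(f"\nglobal auth type enforced on {scope}:")
        for (name, method), verdict in verdicts(users_only).items():
            print(f"  {name:36} {method:9} -> {verdict}")
```

Run as a script it prints the anonymous principal as the one refused in the log, then the verdict table for both enforcement scopes: with the global policy applied to every principal the anonymous PKINIT request (and the assumed keytab request) get the same rejection the log shows, while `user1` is still restricted to OTP in both variants because the restriction is set on the entry itself.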
PR: https://github.com/freeipa/freeipa/pull/6279
Metadata Update from @abbra: - Issue assigned to abbra
master:
ipa-4-9:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)