#2414 Improve error message when s4u2proxy delegation fails
Closed: Fixed None Opened 12 years ago by mkosek.

When the s4u2 proxy delegation fails, we return an Internal Error, which does not really help in investigating the root cause. The error message should be improved.

Error message:

# ipa user-find
ipa: ERROR: cannot connect to u'http://vm-068.idm.lab.bos.redhat.com/ipa/xml': Internal Server Error

/var/log/httpd/error_log:

[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68] mod_wsgi (pid=29694): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68] Traceback (most recent call last):
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/share/ipa/wsgi.py", line 48, in application
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     return api.Backend.session(environ, start_response)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 148, in __call__
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     return self.route(environ, start_response)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 160, in route
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     return app(environ, start_response)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 320, in __call__
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     self.create_context(ccache=environ.get('KRB5CCNAME'))
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 110, in create_context
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     self.Backend.ldap2.connect(ccache=ccache)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 62, in connect
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     conn = self.create_connection(*args, **kw)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 190, in new_f
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     return f(*new_args, **kwargs)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 478, in create_connection
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     _handle_errors(e)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 243, in _handle_errors
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68]     raise errors.DatabaseError(desc=desc, info=info)
[Mon Feb 20 04:40:44 2012] [error] [client 10.16.78.68] DatabaseError: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)

How to test:

An easy way of reproducing the issue is for example to modify ipaAllowedTarget in cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX to point to a non-existent ACL container or remove a memberPrincipal for the tested machine.

The call to create_connection in the backend was outside a try/except so we would miss public ACI errors. This will catch them.

To test this you can delete the S4U2Proxy delegation:

$ ldapmodify -x -D 'cn=directory manager' -W
LDAP Password:
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
changetype: modify
delete: memberPrincipal

$ kinit admin
$ user-show admin
ipa: ERROR: Insufficient access: KDC returned NOT_ALLOWED_TO_DELEGATE

To fix your instance run:

# ipa-ldap-updater --ldapi /usr/share/ipa/updates/30-s4u2proxy.update
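An added illustration of the error-handling change described in the comment above (not FreeIPA's own code): the bind failure from the traceback is caught around the connection attempt, the KDC error string is pulled out of the GSSAPI message, and a delegation refusal is re-raised as the "Insufficient access" error the comment shows. The DatabaseError and ACIError classes here are stand-ins for the ipalib error types, and the sample message is constructed from the page's log line.

```python
import re

# Constructed sample: the info string from the page's traceback, produced by the
# LDAP SASL/GSSAPI bind when the KDC refuses S4U2Proxy delegation.
SAMPLE_INFO = ("SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  "
               "Minor code may provide more information "
               "(KDC returned error string: NOT_ALLOWED_TO_DELEGATE)")


class DatabaseError(Exception):
    """Stand-in for the generic ipalib DatabaseError (hypothetical)."""
    def __init__(self, desc, info):
        super().__init__(f"{desc}: {info}")
        self.desc, self.info = desc, info


class ACIError(Exception):
    """Stand-in for an 'Insufficient access' style error (hypothetical)."""


_KDC_ERR = re.compile(r"KDC returned error string:\s*([A-Z0-9_]+)")


def kdc_error_from_info(info):
    """Return the KDC error string embedded in a GSSAPI failure, or None."""
    m = _KDC_ERR.search(info or "")
    return m.group(1) if m else None


def create_connection_wrapped(bind):
    """Run the bind inside try/except and translate a delegation refusal.

    Any other DatabaseError is re-raised unchanged so real LDAP faults are
    not masked by the delegation check.
    """
    try:
        return bind()
    except DatabaseError as e:
        kdc = kdc_error_from_info(e.info)
        if kdc == "NOT_ALLOWED_TO_DELEGATE":
            raise ACIError(f"Insufficient access: KDC returned {kdc}") from e
        raise


def failing_bind():
    """Constructed bind that fails the way the page's traceback shows."""
    raise DatabaseError(desc="Local error", info=SAMPLE_INFO)


def classify(bind):
    """Return (exception type name, message) a caller would now see."""
    try:
        create_connection_wrapped(bind)
    except Exception as e:
        return type(e).__name__, str(e)
    return None
```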

Metadata Update from @mkosek:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03

7 years ago