After unenrolling an IPA client, it should be possible to re-enroll it using a previously backed-up keytab. This does not work in the current IPA master branch; this is the error when trying to re-enroll the client:

ipa-client-install -k /etc/krb5.keytab
Discovery was successful!
Client hostname: client1.ipa.test
Realm: IPA.TEST
DNS Domain: ipa.test
IPA Server: master1.ipa.test
BaseDN: dc=ipa,dc=test

Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639111): Bad format in credentials cache (filename: /tmp/tmpz8h8jH)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
This can also be seen in the 'test_forced_client_reenrollment' CI test suite run against current master:
Exception:
=================================== FAILURES ===================================
____________ TestForcedClientReenrollment.test_reenroll_with_keytab ____________

self = <ipatests.test_integration.test_forced_client_reenrollment.TestForcedClientReenrollment object at 0x7f0bade26a10>
client = None

    def test_reenroll_with_keytab(self, client):
        """
        Client re-enrollment using keytab
        """
        self.backup_keytab()
        sshfp_record_pre = self.get_sshfp_record()
        self.restore_client()
        self.check_client_host_entry()
        self.restore_keytab()
>       self.reenroll_client(keytab=self.BACKUP_KEYTAB)

test_integration/test_forced_client_reenrollment.py:68:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
test_integration/test_forced_client_reenrollment.py:196: in reenroll_client
    raiseonerr=not expect_fail
../pytest_multihost/host.py:222: in run_command
    command.wait(raiseonerr=raiseonerr)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

self = <pytest_multihost.transport.SSHCommand object at 0x7f0bade26350>
raiseonerr = True

    def wait(self, raiseonerr=True):
        """Wait for the remote process to exit

        Raises an excption if the exit code is not 0, unless raiseonerr is
        true.
        """
        if self._done:
            return self.returncode
        self._end_process()
        self._done = True
        if raiseonerr and self.returncode:
            self.log.error('Exit code: %s', self.returncode)
>           raise subprocess.CalledProcessError(self.returncode, self.argv)
E           CalledProcessError: Command '['ipa-client-install', '-U', '--server', 'master.ipa.test', '--domain', 'ipa.test', '--keytab', '/root/ipatests/krb5.keytab']' returned non-zero exit status 1

../pytest_multihost/transport.py:147: CalledProcessError
stderr output:
<DEBUG>: RUN ['ipa-client-install', '-U', '--server', 'master.ipa.test', '--domain', 'ipa.test', '--keytab', '/root/ipatests/krb5.keytab']
[2015-12-07T17:09:33Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Client hostname: client1.ipa.test
[2015-12-07T17:09:33Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Realm: IPA.TEST
[2015-12-07T17:09:33Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: DNS Domain: ipa.test
[2015-12-07T17:09:33Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: IPA Server: master.ipa.test
[2015-12-07T17:09:33Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: BaseDN: dc=ipa,dc=test
[2015-12-07T17:09:33Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Synchronizing time with KDC...
[2015-12-07T17:09:33Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Attempting to sync time using ntpd.  Will timeout after 15 seconds
[2015-12-07T17:09:44Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Attempting to sync time using ntpd.  Will timeout after 15 seconds
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Please make sure the following ports are opened in the firewall settings:
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: TCP: 80, 88, 389
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Also note that following ports are necessary for ipa-client working properly after enrollment:
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: TCP: 464
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: UDP: 464, 123 (if NTP enabled)
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Kerberos authentication failed: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639111): Bad format in credentials cache
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Installation failed. Rolling back changes.
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: IPA client is not configured on this system.
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: ipa: ERROR: Exit code: 1
The same procedure works when using IPA 4.2 branch client/master and the corresponding CI tests pass normally (#5511 affects negative tests only). This is a regression most likely caused by migration from python-krbV to python-gssapi (python-gssapi-1.1.3-1.fc23.x86_64 used during testing).
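Before attempting `ipa-client-install -k <keytab>` with a restored backup, it is worth confirming that the file really contains host keys for the client's principal in the expected realm, so that a stale or truncated backup is caught before the enrollment itself fails. The following is an added example, not code from this ticket or from FreeIPA: a minimal reader for the MIT keytab v2 file format (big-endian, length-prefixed entries; a 32-bit name type; an 8-bit kvno followed by an optional 32-bit one; a negative length marking a deleted slot), plus a check that the expected host principal is present. The sample entries, key bytes, kvno values and timestamp are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

KEYTAB_MAGIC_V2 = b"\x05\x02"   # MIT keytab file format version 2 (big-endian)


@dataclass
class KeytabEntry:
    principal: str   # "primary/instance@REALM"
    name_type: int   # 1 == KRB5_NT_PRINCIPAL
    timestamp: int   # seconds since the epoch, when the key was written
    kvno: int
    enctype: int     # RFC 3961 number, e.g. 17/18 for aes128/aes256-cts-hmac-sha1-96
    key: bytes


def _counted(buf: bytes) -> bytes:
    """Keytab strings are 16-bit length-prefixed."""
    return struct.pack(">H", len(buf)) + buf


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in MIT keytab v2 layout (used here to construct sample input)."""
    out = bytearray(KEYTAB_MAGIC_V2)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)            # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body   # positive length = live entry
    return bytes(out)


def make_hole(size: int) -> bytes:
    """A deleted entry slot: negative length prefix followed by `size` unused bytes."""
    return struct.pack(">i", -size) + bytes(size)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode a v2 keytab, skipping deleted slots and honouring the 32-bit kvno."""
    if data[:2] != KEYTAB_MAGIC_V2:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # hole left by a removed entry
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):        # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        realm, comps = strings[0], strings[1:]
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                # extension present: it wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def check_host_keytab(data: bytes, hostname: str, realm: str) -> Dict[str, object]:
    """Confirm the keytab holds host/<hostname>@<REALM> keys; report kvno and enctypes."""
    wanted = "host/%s@%s" % (hostname, realm)
    matches = [e for e in parse_keytab(data) if e.principal == wanted]
    if not matches:
        raise ValueError("keytab has no entry for %s" % wanted)
    return {"principal": wanted,
            "kvno": max(e.kvno for e in matches),
            "enctypes": sorted({e.enctype for e in matches})}


# Constructed sample: two AES keys for the host principal named in the ticket plus an
# unrelated service key. Key bytes are dummies; the timestamp (2015-12-07) is made up.
SAMPLE_ENTRIES = [
    KeytabEntry("host/client1.ipa.test@IPA.TEST", 1, 1449507000, 3, 18, bytes(range(32))),
    KeytabEntry("host/client1.ipa.test@IPA.TEST", 1, 1449507000, 3, 17, bytes(range(16))),
    KeytabEntry("nfs/client1.ipa.test@IPA.TEST", 1, 1449507000, 1, 18, bytes(32)),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)
# The same content with a deleted slot in the middle, as an in-place removal leaves it.
SAMPLE_KEYTAB_WITH_HOLE = (build_keytab(SAMPLE_ENTRIES[:2]) + make_hole(40)
                           + build_keytab(SAMPLE_ENTRIES[2:])[2:])

if __name__ == "__main__":
    print(check_host_keytab(SAMPLE_KEYTAB, "client1.ipa.test", "IPA.TEST"))
```

Run against a real backup with `check_host_keytab(open(path, "rb").read(), hostname, realm)`; a realm or hostname mismatch raises before any network step, and the reported kvno can be compared with what `ipa host-show` reports for the host entry.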
master:
Metadata Update from @mbabinsk: - Issue assigned to mbabinsk - Issue set to the milestone: FreeIPA 4.3