#5528 Client reenrollment using keytab fails during authentication
Closed: Fixed. Opened 8 years ago by mbabinsk.

After unenrolling an IPA client, it should be possible to reenroll the client using a previously backed-up keytab. This, however, doesn't work in the current IPA master branch; see the error when trying to reenroll the client:

ipa-client-install -k /etc/krb5.keytab
Discovery was successful!
Client hostname: client1.ipa.test
Realm: IPA.TEST
DNS Domain: ipa.test
IPA Server: master1.ipa.test
BaseDN: dc=ipa,dc=test

Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639111): Bad format in credentials cache (filename: /tmp/tmpz8h8jH)
Installation failed. Rolling back changes.
IPA client is not configured on this system.

This can also be seen in the 'test_forced_client_reenrollment' CI test suite run with the current master:

Exception:

=================================== FAILURES ===================================
____________ TestForcedClientReenrollment.test_reenroll_with_keytab ____________

self = <ipatests.test_integration.test_forced_client_reenrollment.TestForcedClientReenrollment object at 0x7f0bade26a10>
client = None

    def test_reenroll_with_keytab(self, client):
        """
            Client re-enrollment using keytab
            """
        self.backup_keytab()
        sshfp_record_pre = self.get_sshfp_record()
        self.restore_client()
        self.check_client_host_entry()
        self.restore_keytab()
>       self.reenroll_client(keytab=self.BACKUP_KEYTAB)

test_integration/test_forced_client_reenrollment.py:68: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
test_integration/test_forced_client_reenrollment.py:196: in reenroll_client
    raiseonerr=not expect_fail
../pytest_multihost/host.py:222: in run_command
    command.wait(raiseonerr=raiseonerr)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

self = <pytest_multihost.transport.SSHCommand object at 0x7f0bade26350>
raiseonerr = True

    def wait(self, raiseonerr=True):
        """Wait for the remote process to exit

            Raises an excption if the exit code is not 0, unless raiseonerr is
            true.
            """
        if self._done:
            return self.returncode

        self._end_process()

        self._done = True

        if raiseonerr and self.returncode:
            self.log.error('Exit code: %s', self.returncode)
>           raise subprocess.CalledProcessError(self.returncode, self.argv)
E           CalledProcessError: Command '['ipa-client-install', '-U', '--server', 'master.ipa.test', '--domain', 'ipa.test', '--keytab', '/root/ipatests/krb5.keytab']' returned non-zero exit status 1

../pytest_multihost/transport.py:147: CalledProcessError

stderr output:

<DEBUG>: RUN ['ipa-client-install', '-U', '--server', 'master.ipa.test', '--domain', 'ipa.test', '--keytab', '/root/ipatests/krb5.keytab']
[2015-12-07T17:09:33Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Client hostname: client1.ipa.test
[2015-12-07T17:09:33Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Realm: IPA.TEST
[2015-12-07T17:09:33Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: DNS Domain: ipa.test
[2015-12-07T17:09:33Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: IPA Server: master.ipa.test
[2015-12-07T17:09:33Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: BaseDN: dc=ipa,dc=test
[2015-12-07T17:09:33Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Synchronizing time with KDC...
[2015-12-07T17:09:33Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Attempting to sync time using ntpd.  Will timeout after 15 seconds
[2015-12-07T17:09:44Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Attempting to sync time using ntpd.  Will timeout after 15 seconds
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Please make sure the following ports are opened in the firewall settings:
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>:      TCP: 80, 88, 389
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>:      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Also note that following ports are necessary for ipa-client working properly after enrollment:
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>:      TCP: 464
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>:      UDP: 464, 123 (if NTP enabled)
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Kerberos authentication failed: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639111): Bad format in credentials cache
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: Installation failed. Rolling back changes.
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: IPA client is not configured on this system.
[2015-12-07T17:09:55Z ipa.ipatests.test_integration.host.Host.client1.cmd51] <DEBUG>: 
ipa: ERROR: Exit code: 1

The same procedure works when using the IPA 4.2 branch client/master, and the corresponding CI tests pass normally (#5511 affects negative tests only). This is a regression, most likely caused by the migration from python-krbV to python-gssapi (python-gssapi-1.1.3-1.fc23.x86_64 was used during testing).
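The ccache path in the failing log, /tmp/tmpz8h8jH, has the shape of a pre-created temporary file, and the fix commit listed below is titled "create a temporary directory for ccache files". The example that follows is added here and is not FreeIPA or MIT krb5 code; it models the difference between the two patterns on the assumption (not stated in the ticket) that a zero-byte file at KRB5CCNAME is rejected as a malformed FILE: cache while a not-yet-existing path under a private directory is simply an empty cache the library can initialize. The cache layout it checks is the MIT krb5 FILE ccache format version 4 (magic 0x05 0x04, a tagged header, then the default principal); the sample caches are constructed inline, not captured from a real system, and the host principal host/client1.ipa.test@IPA.TEST is taken from the log above only as illustrative input.

```python
"""Added example (not FreeIPA/krb5 code): an empty temp file vs. a fresh path
in a private temp directory as the target of KRB5CCNAME=FILE:<path>.

Assumed layout (MIT krb5 FILE ccache v4): bytes 0x05 0x04, 16-bit header
length, tagged header fields (tag 1 = 8-byte time offset), then the default
principal as name type, component count, realm, components (32-bit
big-endian length-prefixed strings).  Sample data is constructed here.
"""
import os
import struct
import tempfile

CC_MAGIC = 0x05
CC_FVNO_4 = 0x04
TAG_DELTATIME = 0x0001
NT_PRINCIPAL = 1


def _take(blob, off, n):
    """Slice n bytes at off, refusing to run past the end of the blob."""
    if off + n > len(blob):
        raise ValueError("truncated credentials cache")
    return blob[off:off + n], off + n


def _counted(blob, off):
    """Read one 32-bit big-endian length-prefixed byte string."""
    raw, off = _take(blob, off, 4)
    (n,) = struct.unpack(">I", raw)
    return _take(blob, off, n)


def parse_ccache_v4(blob):
    """Return (time_offset, default_principal) from a v4 FILE ccache blob.

    Raises ValueError for anything that is not a well-formed v4 header,
    i.e. the condition a Kerberos library reports as a bad cache format.
    """
    if not blob:
        raise ValueError("zero-byte file: no ccache magic")
    magic, off = _take(blob, 0, 2)
    if magic[0] != CC_MAGIC or magic[1] != CC_FVNO_4:
        raise ValueError("bad magic/version %r" % magic)
    raw, off = _take(blob, off, 2)
    (hlen,) = struct.unpack(">H", raw)
    fields, off = _take(blob, off, hlen)
    time_offset, pos = None, 0
    while pos < len(fields):
        (tag, tlen), pos = struct.unpack(">HH", _take(fields, pos, 4)[0]), pos + 4
        data, pos = _take(fields, pos, tlen)
        if tag == TAG_DELTATIME and tlen == 8:
            time_offset = struct.unpack(">ii", data)[0]
    raw, off = _take(blob, off, 8)
    _name_type, ncomp = struct.unpack(">II", raw)
    realm, off = _counted(blob, off)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(blob, off)
        comps.append(comp.decode())
    return time_offset, "/".join(comps) + "@" + realm.decode()


def build_ccache_v4(components, realm, time_offset=0):
    """Construct a minimal v4 cache holding only a default principal."""
    header = struct.pack(">HHii", TAG_DELTATIME, 8, time_offset, 0)
    out = bytes([CC_MAGIC, CC_FVNO_4]) + struct.pack(">H", len(header)) + header
    out += struct.pack(">II", NT_PRINCIPAL, len(components))
    for s in [realm] + list(components):
        out += struct.pack(">I", len(s.encode())) + s.encode()
    return out


def classify_ccache(path):
    """'absent' (no file yet, library may initialize it), 'ok', or 'bad_format'."""
    if not os.path.exists(path):
        return "absent"
    with open(path, "rb") as f:
        blob = f.read()
    try:
        parse_ccache_v4(blob)
    except ValueError:
        return "bad_format"
    return "ok"


def ccache_path_via_tempfile():
    """Weak pattern: mkstemp creates a zero-byte file, so the cache path
    already exists but holds no valid cache."""
    fd, path = tempfile.mkstemp(prefix="krb5cc_")
    os.close(fd)
    return path


def ccache_path_via_tempdir():
    """Pattern named by the fix commit: a private (mode 0700) temporary
    directory and a cache path inside it that does not exist yet."""
    return os.path.join(tempfile.mkdtemp(prefix="krb5cc_"), "ccache")


def demo():
    """Compare both patterns; returns {pattern: classification}."""
    weak, good = ccache_path_via_tempfile(), ccache_path_via_tempdir()
    result = {"tempfile": classify_ccache(weak), "tempdir": classify_ccache(good)}
    # Simulate the library initializing the cache in the private directory.
    with open(good, "wb") as f:
        f.write(build_ccache_v4(["host", "client1.ipa.test"], "IPA.TEST"))
    result["tempdir_initialized"] = classify_ccache(good)
    os.unlink(weak)
    os.unlink(good)
    os.rmdir(os.path.dirname(good))
    return result


if __name__ == "__main__":
    print(demo())
```

The private directory also removes the predictable-name problem of a cache dropped straight into /tmp: mkdtemp creates the directory with mode 0700, so another local user cannot pre-create or symlink the cache file that the installer is about to write.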


master:

  • 5886f87 ipa-client-install: create a temporary directory for ccache files

Metadata Update from @mbabinsk:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.3

7 years ago
