Bug 1868207
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | krb5-libs-1.18.2-19.fc32.x86_64 breaks FreeIPA replication | | |
| Product | [Fedora] Fedora | Reporter | Anthony Messina <amessina> |
| Component | krb5 | Assignee | Robbie Harwood <rharwood> |
| Status | CLOSED DUPLICATE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | urgent | Docs Contact | |
| Priority | unspecified | | |
| Version | 32 | CC | abokovoy, j, npmccallum, rharwood, sbose, ssorce |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2020-08-13 16:20:24 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Anthony Messina
2020-08-12 02:09:00 UTC
Hi Anthony, can you do the following for me:

```
klist -ekt /etc/dirsrv/ds.keytab
KRB5_TRACE=/dev/stderr kinit -kt /etc/dirsrv/ds.keytab ldap/ipa.example.com
klist -e   # unless the previous failed, at which point don't bother
(kinit some other user)
kvno ldap/ipa.example.com
```

Sure. The following works (with or without the upgrade). The errors with the missing REALM above are from ns-slapd's error log.

```
[root@ipa ~]# klist -ekt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/18/20 10:59:16 ldap/ipa.example.com (aes256-cts-hmac-sha1-96)
   1 01/18/20 10:59:16 ldap/ipa.example.com (aes128-cts-hmac-sha1-96)

[root@ipa ~]# KRB5_TRACE=/dev/stderr kinit -kt /etc/dirsrv/ds.keytab ldap/ipa.example.com
[1035] 1597255303.196623: Getting initial credentials for ldap/ipa.example.com
[1035] 1597255303.196624: Found entries for ldap/ipa.example.com in keytab: aes256-cts, aes128-cts
[1035] 1597255303.196626: Sending unauthenticated request
[1035] 1597255303.196627: Sending request (200 bytes) to EXAMPLE.COM
[1035] 1597255303.196628: Initiating TCP connection to stream 10.1.1.85:88
[1035] 1597255303.196629: Sending TCP request to stream 10.1.1.85:88
[1035] 1597255303.196630: Received answer (526 bytes) from stream 10.1.1.85:88
[1035] 1597255303.196631: Terminating TCP connection to stream 10.1.1.85:88
[1035] 1597255303.196632: Response was from master KDC
[1035] 1597255303.196633: Received error from KDC: -1765328359/Additional pre-authentication required
[1035] 1597255303.196636: Preauthenticating using KDC method data
[1035] 1597255303.196637: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1035] 1597255303.196638: Selected etype info: etype aes256-cts, salt "q9K>C2V\xE17O[m4", params ""
[1035] 1597255303.196639: Received cookie: MIT1\x00\x00\x00\x01`\xf8\xf4\x03^\xd4x&[\x9c\xfe\x9bLJ\xbe\xff\xd3\xea`\x85\xf4\xf3>u\xbb\xb6\xba(\x1d\x10\xa4\x12\xfb\x8e\xabv\x05\x1a\xf3\x19\xb8R\xae\xab4\x95\xc1\xca\x94 \xf6\xbe&\xb3\x10\x82\x1e{\x85\xa5IIX\x1d\x84\x97:\xe6*q\x1e\xf9b\x15B\x80T\xea/z\xd4\xb2WV7\x97\x9e\x8e\xb8a-\xc08)\xd6\x0bg\xd6\x9dg\xaf>\x0d\x99\xb0\x04\xd9\x0c\xceN\x98a\x93Z\x0fMN\x7ft\xcf\xc2*\xc7\xa90\xd0\x94\x9d\xc8*
[1035] 1597255303.196640: PKINIT client has no configured identity; giving up
[1035] 1597255303.196641: Preauth module pkinit (147) (info) returned: 0/Success
[1035] 1597255303.196642: PKINIT client received freshness token from KDC
[1035] 1597255303.196643: Preauth module pkinit (150) (info) returned: 0/Success
[1035] 1597255303.196644: PKINIT client has no configured identity; giving up
[1035] 1597255303.196645: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[1035] 1597255303.196646: SPAKE challenge received with group 1, pubkey 1A12A8D30A893F126B279968D6F79146A2FF052EC75B57D4E4F28127FA80A743
[1035] 1597255303.196647: Retrieving ldap/ipa.example.com from FILE:/etc/dirsrv/ds.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[1035] 1597255303.196648: SPAKE key generated with pubkey 867D0A72B9E85672EF17C68B85019719A8B5154DB5248565948D74515A4C189B
[1035] 1597255303.196649: SPAKE algorithm result: B044C515A0580719782FD0DDA4FD9A135586ABC33AAC83140D81FF4466800FAC
[1035] 1597255303.196650: SPAKE final transcript hash: 6A1D7067F5B9273FDB2733BAEADDF8A90EF00350E75DA7B9B5182C2D41B004A1
[1035] 1597255303.196651: Sending SPAKE response
[1035] 1597255303.196652: Preauth module spake (151) (real) returned: 0/Success
[1035] 1597255303.196653: Produced preauth for next request: PA-FX-COOKIE (133), PA-SPAKE (151)
[1035] 1597255303.196654: Sending request (459 bytes) to EXAMPLE.COM
[1035] 1597255303.196655: Initiating TCP connection to stream 10.1.1.85:88
[1035] 1597255303.196656: Sending TCP request to stream 10.1.1.85:88
[1035] 1597255303.196657: Received answer (833 bytes) from stream 10.1.1.85:88
[1035] 1597255303.196658: Terminating TCP connection to stream 10.1.1.85:88
[1035] 1597255303.196659: Response was from master KDC
[1035] 1597255303.196660: AS key determined by preauth: aes256-cts/93E8
[1035] 1597255303.196661: Decrypted AS reply; session key is: aes256-cts/4F27
[1035] 1597255303.196662: FAST negotiation: available
[1035] 1597255303.196663: Initializing FILE:/tmp/krb5cc_0 with default princ ldap/ipa.example.com
[1035] 1597255303.196664: Storing ldap/ipa.example.com -> krbtgt/EXAMPLE.COM in FILE:/tmp/krb5cc_0
[1035] 1597255303.196665: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/EXAMPLE.COM: fast_avail: yes
[1035] 1597255303.196666: Storing ldap/ipa.example.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF: in FILE:/tmp/krb5cc_0
[1035] 1597255303.196667: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/EXAMPLE.COM: pa_type: 151
[1035] 1597255303.196668: Storing ldap/ipa.example.com -> krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF: in FILE:/tmp/krb5cc_0

[root@ipa ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldap/ipa.example.com

Valid starting     Expires            Service principal
08/12/20 13:01:43  08/13/20 13:01:43  krbtgt/EXAMPLE.COM
	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

[root@ipa ~]# kinit admin
Password for admin:

[root@ipa ~]# kvno ldap/ipa.messinet.com
ldap/ipa.messinet.com: kvno = 1
```

Thanks. For triage reasons I'm merging this with the other one.

*** This bug has been marked as a duplicate of bug 1868482 ***
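The four commands requested in the thread (`klist -ekt`, a traced `kinit -kt`, `klist -e`, `kvno`) establish whether a service keytab still holds the key version and enctype that the KDC uses when it issues tickets for that service. The script below is an added example, not part of the bug report and not code from the krb5 or FreeIPA projects: it parses `klist -ekt` and `kvno` output and compares the key version numbers and enctypes, so the last step of the check can be repeated on any replica. The command outputs embedded in it are constructed to match the layout shown in the report; the principal name, the keytab path, the realm and the stale `kvno = 2` case are assumptions for illustration, and the script says nothing about the replication failure itself.

```shell
#!/bin/sh
# Added example (not from the bug report): compare the KVNO and enctypes held in a
# service keytab (as printed by `klist -ekt`) against the key version the KDC
# actually issues for that service (as printed by `kvno`) and the enctype of the
# resulting ticket (the "tkt" half of `klist -e`'s "Etype (skey, tkt)" line).
# A keytab whose KVNO no longer matches what the KDC issues is a classic reason a
# service such as ns-slapd rejects incoming tickets. All sample outputs below are
# constructed; principal, path and realm are assumptions.

# Constructed sample of `klist -ekt /etc/dirsrv/ds.keytab`
KEYTAB_LISTING='Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/18/20 10:59:16 ldap/ipa.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 01/18/20 10:59:16 ldap/ipa.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# Constructed samples of `kvno ldap/ipa.example.com`: one matching the keytab, one
# as it would look after the service key was re-issued without updating the keytab.
KVNO_CURRENT='ldap/ipa.example.com@EXAMPLE.COM: kvno = 1'
KVNO_STALE='ldap/ipa.example.com@EXAMPLE.COM: kvno = 2'

# strip_realm NAME -> NAME without a trailing @REALM, so both spellings compare equal
strip_realm() { printf '%s\n' "${1%%@*}"; }

# keytab_kvnos LISTING PRINCIPAL -> distinct KVNOs the keytab holds for PRINCIPAL
keytab_kvnos() {
  printf '%s\n' "$1" | awk -v p="$(strip_realm "$2")" '
    $1 ~ /^[0-9]+$/ { n = $4; sub(/@.*/, "", n); if (n == p) print $1 }' | sort -un
}

# keytab_enctypes LISTING PRINCIPAL -> distinct enctypes the keytab holds for PRINCIPAL
keytab_enctypes() {
  printf '%s\n' "$1" | awk -v p="$(strip_realm "$2")" '
    $1 ~ /^[0-9]+$/ { n = $4; sub(/@.*/, "", n)
                      if (n == p) { e = $5; gsub(/[()]/, "", e); print e } }' | sort -u
}

# kdc_kvno KVNO_OUTPUT PRINCIPAL -> the key version the KDC used for the service ticket
kdc_kvno() {
  printf '%s\n' "$1" | awk -v p="$(strip_realm "$2")" '
    $2 == "kvno" && $3 == "=" { n = $1; sub(/:$/, "", n); sub(/@.*/, "", n); if (n == p) print $4 }'
}

# check_service_keytab LISTING KVNO_OUTPUT TICKET_ENCTYPE PRINCIPAL
# Prints a one-line verdict. Exit status: 0 = keytab can decrypt such tickets,
# 1 = KVNO or enctype mismatch, 2 = the kvno output did not mention the principal.
check_service_keytab() {
  listing=$1 kvno_out=$2 tkt_etype=$3 princ=$4
  want=$(kdc_kvno "$kvno_out" "$princ")
  if [ -z "$want" ]; then
    echo "UNKNOWN: kvno output does not mention $princ"
    return 2
  fi
  have=$(keytab_kvnos "$listing" "$princ" | tr '\n' ' ')
  if ! keytab_kvnos "$listing" "$princ" | grep -qx "$want"; then
    echo "MISMATCH: KDC issues kvno $want for $princ but keytab has kvno(s): $have"
    return 1
  fi
  if ! keytab_enctypes "$listing" "$princ" | grep -qx "$tkt_etype"; then
    echo "MISMATCH: ticket enctype $tkt_etype not present in keytab for $princ"
    return 1
  fi
  echo "OK: keytab has kvno $want and enctype $tkt_etype for $princ"
  return 0
}

# Stand-alone run over the constructed samples. Against a live replica, feed in the
# real command output instead, e.g.
#   check_service_keytab "$(klist -ekt /etc/dirsrv/ds.keytab)" \
#     "$(kvno ldap/ipa.example.com)" aes256-cts-hmac-sha1-96 ldap/ipa.example.com
check_service_keytab "$KEYTAB_LISTING" "$KVNO_CURRENT" aes256-cts-hmac-sha1-96 ldap/ipa.example.com
check_service_keytab "$KEYTAB_LISTING" "$KVNO_STALE"   aes256-cts-hmac-sha1-96 ldap/ipa.example.com || true
```

The `kvno` step must be run with a ticket for some other principal (the thread's `kinit admin`), since the point is to see which key version the KDC encrypts a service ticket with; `kinit -kt` succeeding only shows that the keytab can complete its own AS exchange. The realm suffix is stripped on both sides because `klist -ekt` prints principals with `@REALM` while operators often pass the bare service name to `kvno`.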