1134389 – ipa-server-install crashes as httpd cannot read Kerberos keys

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1134389 - ipa-server-install crashes as httpd cannot read Kerberos keys

Summary: ipa-server-install crashes as httpd cannot read Kerberos keys

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	21
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	F21BetaBlocker
TreeView+	depends on / blocked

Reported:	2014-08-27 12:47 UTC by Varun Mylaraiah
Modified:	2014-09-27 10:10 UTC (History)
CC List:	15 users (show)
Fixed In Version:	selinux-policy-3.13.1-82.fc21
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-09-27 10:10:00 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
AVC log (96.04 KB, text/plain) 2014-08-27 12:47 UTC, Varun Mylaraiah	no flags	Details
apache error log (23.60 KB, text/plain) 2014-08-27 12:52 UTC, Varun Mylaraiah	no flags	Details
View All

Description Varun Mylaraiah 2014-08-27 12:47:59 UTC

Created attachment 931441 [details]
AVC log

Version-Release number of selected component (if applicable):

freeipa-server-4.0.1-1.fc21.x86_64

Steps to Reproduce:
[root@masterf17 ~]# ipa-server-install  -a Secret123 -p Secret123 --domain=testrelm.com --realm=TESTRELM.COM --hostname masterf17.testrelm.com --setup-dns --forwarder=10.14.63.12

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y
Warning: skipping DNS resolution of host masterf17.testrelm.com
Do you want to configure the reverse zone? [yes]: 
Please specify the reverse zone name [35.70.10.in-addr.arpa.]: 
Using reverse zone 35.70.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      masterf17.testrelm.com
IP address:    10.70.35.45
Domain name:   testrelm.com
Realm name:    TESTRELM.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.14.63.12
Reverse zone:  35.70.10.in-addr.arpa.

Continue to configure the system with these values? [no]: y

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/39]: creating directory server user
  [2/39]: creating directory server instance
  [3/39]: adding default schema
  [4/39]: enabling memberof plugin
  [5/39]: enabling winsync plugin
  [6/39]: configuring replication version plugin
  [7/39]: enabling IPA enrollment plugin
  [8/39]: enabling ldapi
  [9/39]: configuring uniqueness plugin
  [10/39]: configuring uuid plugin
  [11/39]: configuring modrdn plugin
  [12/39]: configuring DNS plugin
  [13/39]: enabling entryUSN plugin
  [14/39]: configuring lockout plugin
  [15/39]: configuring OTP last token plugin
  [16/39]: creating indices
  [17/39]: enabling referential integrity plugin
  [18/39]: configuring certmap.conf
  [19/39]: configure autobind for root
  [20/39]: configure new location for managed entries
  [21/39]: configure dirsrv ccache
  [22/39]: enable SASL mapping fallback
  [23/39]: restarting directory server
  [24/39]: adding default layout
  [25/39]: adding delegation layout
  [26/39]: creating container for managed entries
  [27/39]: configuring user private groups
  [28/39]: configuring netgroups from hostgroups
  [29/39]: creating default Sudo bind user
  [30/39]: creating default Auto Member layout
  [31/39]: adding range check plugin
  [32/39]: creating default HBAC rule allow_all
  [33/39]: initializing group membership
  [34/39]: adding master entry
  [35/39]: configuring Posix uid/gid generation
  [36/39]: adding replication acis
  [37/39]: enabling compatibility plugin
  [38/39]: tuning directory server
  [39/39]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/25]: creating certificate server user
  [2/25]: configuring certificate server instance
  [3/25]: stopping certificate server instance to update CS.cfg
  [4/25]: disabling nonces
  [5/25]: set up CRL publishing
  [6/25]: starting certificate server instance
  [7/25]: creating RA agent certificate database
  [8/25]: importing CA chain to RA certificate database
  [9/25]: fixing RA database permissions
  [10/25]: setting up signing cert profile
  [11/25]: set certificate subject base
  [12/25]: enabling Subject Key Identifier
  [13/25]: enabling Subject Alternative Name
  [14/25]: enabling CRL and OCSP extensions for certificates
  [15/25]: setting audit signing renewal to 2 years
  [16/25]: configuring certificate server to start on boot
  [17/25]: restarting certificate server
  [18/25]: requesting RA certificate from CA
  [19/25]: issuing RA agent certificate
  [20/25]: adding RA agent as a trusted user
  [21/25]: configure certmonger for renewals
  [22/25]: configure certificate renewals
  [23/25]: configure RA certificate renewal
  [24/25]: configure Server-Cert certificate renewal
  [25/25]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/13]: setting mod_nss port to 443
  [2/13]: setting mod_nss password file
  [3/13]: enabling mod_nss renegotiate
  [4/13]: adding URL rewriting rules
  [5/13]: configuring httpd
  [6/13]: setting up ssl
  [7/13]: setting up browser autoconfig
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server is unwilling to perform: Unknown attribute nsslapd-allow-hashed-passwords will be ignored
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: setting up CA record
  [8/12]: setting up kerberos principal
  [9/12]: setting up named.conf
  [10/12]: restarting named
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'testrelm.com' '--server' 'masterf17.testrelm.com' '--realm' 'TESTRELM.COM' '--hostname' 'masterf17.testrelm.com'' returned non-zero exit status 1

Additional info:
I have attached apache error log and AVC log

Comment 1 Varun Mylaraiah 2014-08-27 12:52:00 UTC

Created attachment 931453 [details]
apache error log

Comment 2 Rob Crittenden 2014-08-27 12:55:05 UTC

What version of 389-ds-base?

Comment 3 Martin Kosek 2014-08-27 13:13:17 UTC

We discussed this issue with Varun he hits the same issue is freeipa-users member - see description of the problem here:

http://www.redhat.com/archives/freeipa-users/2014-August/msg00341.html

TLDR: this is a benign error as long as you do not try to migrate users from other DS. It will disappear with next release of 389-ds-base.

What concerns me are the AVCs, they are THE problem that makes ipa-client-install part crash - it cannot contact httpd as httpd cannot work with it's own keytab/ccache.

Moving to SELinux policy.

Comment 4 Miroslav Grepl 2014-08-28 14:21:13 UTC

Well it allows httpd to read/write users keys.

Comment 5 Martin Kosek 2014-08-28 14:30:48 UTC

httpd should just use default CCACHE type for storing it's own Kerberos credentials after authenticating with it's keytab:

# ls -laZ /etc/httpd/conf/ipa.keytab 
-rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab

The default CCACHE type is keyring, so this is what httpd uses. Maybe this is a problem that some resource not having the right SELinux context?

BTW, I do not see this AVC on F20 (selinux-policy-3.12.1-179.fc20.noarch) despite I am testing with the same FreeIPA code base.

Comment 6 Miroslav Grepl 2014-08-28 14:54:50 UTC

Yes, we have "fixes" for this in F20/RHEL7.0. Just realized still the same issue with keys.

Comment 7 Martin Kosek 2014-08-29 06:20:33 UTC

Is there a risk in allowing this operation for httpd? Still, it should be only allowed to read it's own keys, i.e. keys of "apache" user, right? Also CCing Simo to advise.

Comment 8 Miroslav Grepl 2014-08-29 09:42:01 UTC

Martin,
I overlooked. We see key rings labeled with the user type (unconfined_t) from AVCs.

Comment 9 Simo Sorce 2014-08-29 16:18:49 UTC

(In reply to Martin Kosek from comment #7)
> Is there a risk in allowing this operation for httpd? Still, it should be
> only allowed to read it's own keys, i.e. keys of "apache" user, right? Also
> CCing Simo to advise.

When Miroslav says they allow http reading users' keys he means from a SELinux perspective, DAC still applies so apache will not, in fact, be able to read other users keys.

It is not clear to me how it happens that the apache user's keys are marked unconfined_t though, as the ccache should be generated by apache itself ...

Comment 10 Miroslav Grepl 2014-08-29 16:34:49 UTC

(In reply to Simo Sorce from comment #9)
> (In reply to Martin Kosek from comment #7)
> > Is there a risk in allowing this operation for httpd? Still, it should be
> > only allowed to read it's own keys, i.e. keys of "apache" user, right? Also
> > CCing Simo to advise.
> 
> When Miroslav says they allow http reading users' keys he means from a
> SELinux perspective, DAC still applies so apache will not, in fact, be able
> to read other users keys.
> 
> It is not clear to me how it happens that the apache user's keys are marked
> unconfined_t though, as the ccache should be generated by apache itself ...

Martin,
any idea?

Comment 11 Martin Kosek 2014-09-01 08:50:47 UTC

The actual kinit should happen by httpd running in the apache process itself, this is the code to create the keytab - the installer running by root does not do the kinit, it just prepares the keytab:

    def __create_http_keytab(self):
        installutils.kadmin_addprinc(self.principal)
        installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
        self.move_service(self.principal)
        self.add_cert_to_service()

        pent = pwd.getpwnam("apache")
        os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)

I showed the keytab context in Comment 5 (though this was tested on F20) - should we try to run restorecon on the context? Does keytab file context affect the keyring ccache context?

Comment 12 Rob Crittenden 2014-09-02 15:27:43 UTC

The ccache is created by mod_auth_kerb using direct Kerberos calls. A basic overview of the calls looks something like:

   krb5_cc_default(kcontext, &ccache)

   krb5_kt_default(kcontext, &keytab)

   krb5_get_init_creds_opt_init(&gicopts);
   krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);

   krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab,
        0, tgs_princ_name, &gicopts))

Comment 13 Adam Williamson 2014-09-09 23:24:52 UTC

I'm throwing a tentative BetaBlocker nomination at this, to focus minds, on the basis that we'll probably require Server roles to pass a smoke test at Beta, and this causes the primary Server role for F21 (domain controller) to fail deployment. I'm seeing it too, with F21 Alpha TC6.

Comment 14 Miroslav Grepl 2014-09-10 09:59:41 UTC

commit a35b57f685bb3b9a76832688cac0c517e34dcdd5
Author: Miroslav Grepl <mgrepl>
Date:   Wed Sep 10 11:58:54 2014 +0200

    Back port workaround for #1134389 from F20. It needs to remove removed from rawhide once we ship F21.

Comment 15 Fedora Update System 2014-09-18 13:19:55 UTC

selinux-policy-3.13.1-82.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-82.fc21

Comment 16 Fedora Update System 2014-09-19 17:45:06 UTC

Package selinux-policy-3.13.1-82.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-82.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-11120/selinux-policy-3.13.1-82.fc21
then log in and leave karma (feedback).

Comment 17 Fedora Update System 2014-09-27 10:10:00 UTC

selinux-policy-3.13.1-82.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.