Bug 1165674 - getkeytab control implementation uses incorrect asn1 encoding
Summary: getkeytab control implementation uses incorrect asn1 encoding
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
Whiteboard: AcceptedFreezeException
Depends On:
Blocks: F21FinalFreezeException
Reported: 2014-11-19 13:23 UTC by Martin Kosek
Modified: 2014-11-25 03:06 UTC (History)

Fixed In Version: freeipa-4.1.1-2.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-11-25 03:06:53 UTC
Type: Bug


Description Martin Kosek 2014-11-19 13:23:30 UTC
Description of problem:
Both in the client and in the server the getkeytab control implementation uses an incorrect sequence number for the service principal name tag.

Given errors already exist in the same code and the fact that clients can safely fallback to the old setkeytab for common operations, this mistake should be fixed in newer clients/servers.

Also, even when des-cbc-crc is allowed in krbsupportedencsalttypes and in krb5.conf/kdc.conf, one cannot generate keytab using this encryption type. In fact, specifying '-e' option to 'ipa-getkeytab' does not limit encryption types at all, even for strong cryptography.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. [root@cc21 ~]# ipa service-del afs/afs-host.ipacloud.test
Deleted service "afs/afs-host.ipacloud.test"

2. [root@cc21 ~]# ipa service-add afs/afs-host.ipacloud.test --force
Added service "afs/afs-host.ipacloud.test"
  Principal: afs/afs-host.ipacloud.test
  Managed by: afs-host.ipacloud.test

3. [root@cc21 ~]# ipa-getkeytab -s `hostname` -p afs/afs-host.ipacloud.test -P  -k /tmp/afs.keytab -e des-cbc-crc:v4
New Principal Password: 
Verify Principal Password: 
Keytab successfully retrieved and stored in: /tmp/afs.keytab

4. [root@cc21 ~]# klist -k /tmp/afs.keytab -Kte
Keytab name: FILE:/tmp/afs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (aes256-cts-hmac-sha1-96)  (0xe2142f9365ef689b130ad4b8b51fa3467380a869d5367f04f12242e4769e3a0c)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (aes128-cts-hmac-sha1-96)  (0xaf6964c2084719218b64d95e5ba7e850)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (des3-cbc-sha1)  (0x38049202542c4a3e6bd525a8452f15a185c12cec7ad6136b)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test (arcfour-hmac)  (0xf8e4df028cd34224ff0d0195cd3b5669)

Actual results:
Keytab with specified enctype is not retrieved.

Expected results:
Keytab with specified enctype is retrieved.

Additional info:
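The encoding mismatch described above, as an added example that is not part of this bug report and not FreeIPA's own code: a minimal DER model of a getkeytab-style request. The Request structure, the field names and the tag numbers below are assumptions chosen for illustration (the real GetKeytab control ASN.1 is not shown on this page). Encoding the principal-name field under the wrong context tag number produces bytes a strict decoder on the other side must reject, which is why old and new clients/servers stop interoperating; the last function models a server honouring the client's requested enctype list instead of ignoring it, the second defect the report describes. The enctype numbers are the standard Kerberos registry values.

```python
# Added example, not FreeIPA's code. ASSUMED structure for illustration only:
#
#   Request ::= SEQUENCE {
#       principal [0] OCTET STRING,        -- service principal name
#       enctypes  [1] SEQUENCE OF INTEGER  -- requested Kerberos enctypes
#   }
from typing import List, Tuple

TAG_SEQUENCE = 0x30        # universal, constructed
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04

# Kerberos enctype numbers from the RFC 3961 registry
ENCTYPE_DES_CBC_CRC, ENCTYPE_DES3, ENCTYPE_AES128, ENCTYPE_AES256, ENCTYPE_RC4 = 1, 16, 17, 18, 23


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _ctx(num: int, body: bytes) -> bytes:
    """Explicit context-specific constructed tag [num], i.e. 0xA0 | num."""
    return _tlv(0xA0 | num, body)


def _der_int(value: int) -> bytes:
    """Minimal two's-complement INTEGER encoding."""
    return _tlv(TAG_INTEGER, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def encode_request(principal: str, enctypes: List[int], principal_tag: int = 0) -> bytes:
    """principal_tag=0 is the assumed-correct tag; principal_tag=1 models an
    implementation that puts the principal under the wrong tag number."""
    name = _ctx(principal_tag, _tlv(TAG_OCTET_STRING, principal.encode()))
    etypes = _ctx(1, _tlv(TAG_SEQUENCE, b"".join(_der_int(e) for e in enctypes)))
    return _tlv(TAG_SEQUENCE, name + etypes)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one TLV at pos; returns (tag, body, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _expect(buf: bytes, pos: int, tag: int, what: str) -> Tuple[bytes, int]:
    got, body, pos = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"{what}: expected tag 0x{tag:02x}, got 0x{got:02x}")
    return body, pos


def decode_request(buf: bytes) -> Tuple[str, List[int]]:
    """Strict decoder: any field under the wrong context tag is rejected."""
    outer, end = _expect(buf, 0, TAG_SEQUENCE, "request")
    if end != len(buf):
        raise ValueError("trailing bytes after request")
    ctx0, pos = _expect(outer, 0, 0xA0 | 0, "principal field")
    name, _ = _expect(ctx0, 0, TAG_OCTET_STRING, "principal")
    ctx1, _ = _expect(outer, pos, 0xA0 | 1, "enctypes field")
    seq, _ = _expect(ctx1, 0, TAG_SEQUENCE, "enctypes")
    enctypes, p = [], 0
    while p < len(seq):
        raw, p = _expect(seq, p, TAG_INTEGER, "enctype")
        enctypes.append(int.from_bytes(raw, "big", signed=True))
    return name.decode(), enctypes


def is_interoperable(buf: bytes) -> bool:
    """True if a strict peer accepts this encoding, False if it would reject it."""
    try:
        decode_request(buf)
        return True
    except ValueError:
        return False


def select_enctypes(requested: List[int], allowed: List[int]) -> List[int]:
    """Server side: honour the client's requested list by intersecting it with
    the enctypes the server permits; an empty request means 'all permitted'."""
    if not requested:
        return list(allowed)
    return [e for e in requested if e in allowed]


if __name__ == "__main__":
    spn = "afs/afs-host.ipacloud.test"
    good = encode_request(spn, [ENCTYPE_DES_CBC_CRC])
    bad = encode_request(spn, [ENCTYPE_DES_CBC_CRC], principal_tag=1)
    print("correct tag accepted:", is_interoperable(good))  # True
    print("wrong tag accepted:  ", is_interoperable(bad))   # False
    print(select_enctypes([ENCTYPE_DES_CBC_CRC], [ENCTYPE_AES256, ENCTYPE_AES128, ENCTYPE_DES3, ENCTYPE_RC4, ENCTYPE_DES_CBC_CRC]))
```

Running the block shows the two outcomes side by side: the request encoded with the assumed-correct tag decodes, the one with the shifted tag number fails at the principal field, and a requested des-cbc-crc key is only issued when the server's allowed list contains that enctype.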

Comment 1 Martin Kosek 2014-11-19 13:24:16 UTC
Upstream ticket:

Comment 2 Martin Kosek 2014-11-19 13:24:38 UTC
Upstream ticket:

Comment 3 Simo Sorce 2014-11-19 14:00:13 UTC
Note that additional encoding issues were found during investigation of this bug that warrant a change _before_ a release hits any stable distribution, so as not to cause issues for people.

Comment 4 Fedora Blocker Bugs Application 2014-11-19 14:01:51 UTC
Proposed as a Freeze Exception for 21-final by Fedora user simo using the blocker tracking app because:

The current code will not be interoperable with the new code. This is not a blocker bug because it does not prevent basic blocker criteria, as the client can recover for common operations; however, we (the freeipa team) would prefer not to release incompatible code in a stable distribution.

Comment 5 Mike Ruckman 2014-11-19 18:02:32 UTC
Discussed in 2014-11-19 blocker review meeting. We will consider a fix for this if the updated package is available by Monday 2014-11-24. If not, we can revisit at the next meeting.

Comment 6 Petr Vobornik 2014-11-21 11:57:49 UTC
Fixed upstream

* b170851058d6712442d553ef3d11ecd21b282443
* c6afc489a1c9d86fd593bd47c4a8dae6d9a008d2
* b1a30bff04fe9763b8b270590ec37084fd19b4e0

* f065cec8a58bf4fee0334afdfb63db02f76c1ff7
* 45ceef14f9ffa5f3abf19088e991f427b7c5bd92
* dd3e91639bc3e87b5a95e344b7d190136ad30de0

* 55578e9cb33924085969102186250ee60c0a9d85
* 598b54716c6e177a6b5bfdbccf483d28bf40e0b8
* aa988311d1b5eefe16eb60c04227900814468e9f

Comment 7 Fedora Update System 2014-11-21 13:55:44 UTC
freeipa-4.1.1-2.fc21 has been submitted as an update for Fedora 21.

Comment 8 Fedora Update System 2014-11-22 20:21:30 UTC
Package freeipa-4.1.1-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-4.1.1-2.fc21'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2014-11-25 03:06:53 UTC
freeipa-4.1.1-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
