Bug 1868207 - krb5-libs-1.18.2-19.fc32.x86_64 breaks FreeIPA replication
Summary: krb5-libs-1.18.2-19.fc32.x86_64 breaks FreeIPA replication
Keywords:
Status: CLOSED DUPLICATE of bug 1868482
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: 32
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Robbie Harwood
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-08-12 02:09 UTC by Anthony Messina
Modified: 2020-08-13 16:20 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-08-13 16:20:24 UTC
Type: Bug
Embargoed:



Description Anthony Messina 2020-08-12 02:09:00 UTC
After upgrading to krb5-libs-1.18.2-19.fc32.x86_64 on my Fedora 32 FreeIPA instances, replication between masters breaks and the ns-slapd server is missing the REALM in credential selection.

ns-slapd[3778]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Matching credential not found)

[11/Aug/2020:20:07:42.841467368 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.example.com@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))

Adding the following from /etc/krb5.conf.rpmnew to /etc/krb5.conf does not work:

qualify_shortname = ""
dns_canonicalize_hostname = fallback

but adding the following works:

dns_canonicalize_hostname = false

and then we get the proper credential selection (the "cannot find KDC" error resolves after the system is fully up and running).

[09/Aug/2020:09:31:11.271124536 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.example.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

Comment 1 Robbie Harwood 2020-08-12 16:48:01 UTC
Hi Anthony, can you do the following for me:

klist -ekt /etc/dirsrv/ds.keytab
KRB5_TRACE=/dev/stderr kinit -kt /etc/dirsrv/ds.keytab ldap/ipa.example.com
klist -e # unless the previous failed, at which point don't bother

(kinit some other user)
kvno ldap/ipa.example.com

Comment 2 Anthony Messina 2020-08-12 18:13:57 UTC
Sure.  The following works (with or without the upgrade).  The errors with the missing REALM above are from ns-slapd's error log.

[root@ipa ~]# klist -ekt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/18/20 10:59:16 ldap/ipa.example.com (aes256-cts-hmac-sha1-96) 
   1 01/18/20 10:59:16 ldap/ipa.example.com (aes128-cts-hmac-sha1-96) 

[root@ipa ~]# KRB5_TRACE=/dev/stderr kinit -kt /etc/dirsrv/ds.keytab ldap/ipa.example.com
[1035] 1597255303.196623: Getting initial credentials for ldap/ipa.example.com
[1035] 1597255303.196624: Found entries for ldap/ipa.example.com in keytab: aes256-cts, aes128-cts
[1035] 1597255303.196626: Sending unauthenticated request
[1035] 1597255303.196627: Sending request (200 bytes) to EXAMPLE.COM
[1035] 1597255303.196628: Initiating TCP connection to stream 10.1.1.85:88
[1035] 1597255303.196629: Sending TCP request to stream 10.1.1.85:88
[1035] 1597255303.196630: Received answer (526 bytes) from stream 10.1.1.85:88
[1035] 1597255303.196631: Terminating TCP connection to stream 10.1.1.85:88
[1035] 1597255303.196632: Response was from master KDC
[1035] 1597255303.196633: Received error from KDC: -1765328359/Additional pre-authentication required
[1035] 1597255303.196636: Preauthenticating using KDC method data
[1035] 1597255303.196637: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1035] 1597255303.196638: Selected etype info: etype aes256-cts, salt "q9K>C2V\xE17O[m4", params ""
[1035] 1597255303.196639: Received cookie: MIT1\x00\x00\x00\x01`\xf8\xf4\x03^\xd4x&[\x9c\xfe\x9bLJ\xbe\xff\xd3\xea`\x85\xf4\xf3>u\xbb\xb6\xba(\x1d\x10\xa4\x12\xfb\x8e\xabv\x05\x1a\xf3\x19\xb8R\xae\xab4\x95\xc1\xca\x94 \xf6\xbe&\xb3\x10\x82\x1e{\x85\xa5IIX\x1d\x84\x97:\xe6*q\x1e\xf9b\x15B\x80T\xea/z\xd4\xb2WV7\x97\x9e\x8e\xb8a-\xc08)\xd6\x0bg\xd6\x9dg\xaf>\x0d\x99\xb0\x04\xd9\x0c\xceN\x98a\x93Z\x0fMN\x7ft\xcf\xc2*\xc7\xa90\xd0\x94\x9d\xc8*
[1035] 1597255303.196640: PKINIT client has no configured identity; giving up
[1035] 1597255303.196641: Preauth module pkinit (147) (info) returned: 0/Success
[1035] 1597255303.196642: PKINIT client received freshness token from KDC
[1035] 1597255303.196643: Preauth module pkinit (150) (info) returned: 0/Success
[1035] 1597255303.196644: PKINIT client has no configured identity; giving up
[1035] 1597255303.196645: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[1035] 1597255303.196646: SPAKE challenge received with group 1, pubkey 1A12A8D30A893F126B279968D6F79146A2FF052EC75B57D4E4F28127FA80A743
[1035] 1597255303.196647: Retrieving ldap/ipa.example.com from FILE:/etc/dirsrv/ds.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[1035] 1597255303.196648: SPAKE key generated with pubkey 867D0A72B9E85672EF17C68B85019719A8B5154DB5248565948D74515A4C189B
[1035] 1597255303.196649: SPAKE algorithm result: B044C515A0580719782FD0DDA4FD9A135586ABC33AAC83140D81FF4466800FAC
[1035] 1597255303.196650: SPAKE final transcript hash: 6A1D7067F5B9273FDB2733BAEADDF8A90EF00350E75DA7B9B5182C2D41B004A1
[1035] 1597255303.196651: Sending SPAKE response
[1035] 1597255303.196652: Preauth module spake (151) (real) returned: 0/Success
[1035] 1597255303.196653: Produced preauth for next request: PA-FX-COOKIE (133), PA-SPAKE (151)
[1035] 1597255303.196654: Sending request (459 bytes) to EXAMPLE.COM
[1035] 1597255303.196655: Initiating TCP connection to stream 10.1.1.85:88
[1035] 1597255303.196656: Sending TCP request to stream 10.1.1.85:88
[1035] 1597255303.196657: Received answer (833 bytes) from stream 10.1.1.85:88
[1035] 1597255303.196658: Terminating TCP connection to stream 10.1.1.85:88
[1035] 1597255303.196659: Response was from master KDC
[1035] 1597255303.196660: AS key determined by preauth: aes256-cts/93E8
[1035] 1597255303.196661: Decrypted AS reply; session key is: aes256-cts/4F27
[1035] 1597255303.196662: FAST negotiation: available
[1035] 1597255303.196663: Initializing FILE:/tmp/krb5cc_0 with default princ ldap/ipa.example.com
[1035] 1597255303.196664: Storing ldap/ipa.example.com -> krbtgt/EXAMPLE.COM in FILE:/tmp/krb5cc_0
[1035] 1597255303.196665: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/EXAMPLE.COM: fast_avail: yes
[1035] 1597255303.196666: Storing ldap/ipa.example.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF: in FILE:/tmp/krb5cc_0
[1035] 1597255303.196667: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/EXAMPLE.COM: pa_type: 151
[1035] 1597255303.196668: Storing ldap/ipa.example.com -> krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF: in FILE:/tmp/krb5cc_0

[root@ipa ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldap/ipa.example.com

Valid starting     Expires            Service principal
08/12/20 13:01:43  08/13/20 13:01:43  krbtgt/EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
        

[root@ipa ~]# kinit admin
Password for admin: 

[root@ipa ~]# kvno ldap/ipa.messinet.com
ldap/ipa.messinet.com: kvno = 1

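The two symptoms in this report, a principal logged with an empty realm (`ldap/ipa.example.com@`) and a `dns_canonicalize_hostname` setting in `[libdefaults]` that does or does not trigger it, can be checked without touching the KDC. The helper below is an added example for this page, not code from the reporter, the krb5 package or FreeIPA: it parses a `set_krb5_creds` error line for the principal and classifies its realm part, and it reads the effective `dns_canonicalize_hostname` value out of a krb5.conf fed on stdin. The sample log line is copied from the description; the `true` default it assumes when the key is absent is MIT krb5's documented default for that option.

```shell
#!/bin/sh
# Offline check for the empty-realm condition seen in ns-slapd's error log
# and for the krb5.conf setting the report toggled. Added example; it does
# not run kinit/klist, it only inspects text.

# Constructed sample: the ns-slapd line quoted in the description.
SAMPLE_DS_LOG='[11/Aug/2020:20:07:42.841467368 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.example.com@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))'

# classify_principal_realm LOGLINE
# Extracts "[principal]" after "for principal" and prints one of:
#   ok          principal carries a realm, e.g. ldap/host@EXAMPLE.COM
#   empty-realm principal ends in "@" (the failure mode in this bug)
#   no-realm    short form, resolution depends on default_realm
#   unknown     no principal found in the line
# Exit status is 0 only for "ok".
classify_principal_realm() {
    princ=$(printf '%s\n' "$1" | sed -n 's/.*for principal \[\([^]]*\)\].*/\1/p')
    if [ -z "$princ" ]; then
        echo unknown
        return 1
    fi
    case "$princ" in
        *@)  echo empty-realm; return 1 ;;
        *@*) echo ok;          return 0 ;;
        *)   echo no-realm;    return 1 ;;
    esac
}

# libdefaults_canon < krb5.conf
# Prints the dns_canonicalize_hostname value from [libdefaults]; prints
# "true" when the key is absent (MIT krb5's default, assumed here).
libdefaults_canon() {
    awk '
        /^[[:space:]]*\[/ {
            in_ld = ($0 ~ /^[[:space:]]*\[libdefaults\]/)
            next
        }
        in_ld && /^[[:space:]]*dns_canonicalize_hostname[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
            found = 1
            exit
        }
        END { if (!found) print "true" }
    '
}

# Stand-alone run over the constructed sample and the two settings from the
# report (the "fallback" value is the one that did not work for the reporter).
classify_principal_realm "$SAMPLE_DS_LOG"
printf '[libdefaults]\n dns_canonicalize_hostname = fallback\n[realms]\n' | libdefaults_canon
printf '[libdefaults]\n dns_canonicalize_hostname = false\n' | libdefaults_canon
```

Run it against the real files with something like `grep set_krb5_creds /var/log/dirsrv/slapd-*/errors | while read -r l; do classify_principal_realm "$l"; done` and `libdefaults_canon < /etc/krb5.conf`; an `empty-realm` result together with a `fallback` or `true` setting matches the state described in this report.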
Comment 3 Robbie Harwood 2020-08-13 16:20:24 UTC
Thanks.  For triage reasons I'm merging this with the other one.

*** This bug has been marked as a duplicate of bug 1868482 ***

