  1. RHEL
  2. RHEL-129224

Fix ipatests for kdcproxy after CVE-2025-59088 fix


    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • rhel-9.8
    • rhel-9.4.z
    • ipa
    • None
    • Low
    • ZStream
    • rhel-idm-ipa
    • 0
    • False
    • False
    • No
    • None
    • Regression Exception
    • Unspecified Release Note Type - Unknown
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      Fix provided in this upstream PR:
      https://github.com/freeipa/freeipa/pull/8026

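      This fix should be applied in all maintained RHEL minor versions to keep the gating tests from failing.

      The failure is shown in the traceback below: in test_ad_user_login_on_client_with_kdcproxy, the client's kinit for the AD-trust user, which the test sends through the KDC proxy, exits with "Cannot contact any KDC for realm 'AD-8Y5Q.TEST'". The cause is presumably that the test's proxy setup no longer matches kdcproxy's behaviour after the CVE fix; see the linked PR for the actual change.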

      self = <ipatests.test_integration.test_http_kdc_proxy.TestHttpKdcProxy object at 0x7f944f2de9d0>
      users = {'ad': {'domain': <ipatests.pytest_ipa.integration.config.Domain object at 0x7f9450365580>, 'name': 'testuser@AD-8Y5Q...., 'name': 'ipa_test_user', 'password': 'SecretIpaTestUser', 'test_service': 'HTTP/master.testrelm.test@TESTRELM.TEST'}}
      use_tcp = False
      
          @pytest.mark.usefixtures('restrict_network_for_client',
                                   'client_use_kdcproxy')
          @pytest.mark.parametrize('use_tcp', [True, False])
          def test_ad_user_login_on_client_with_kdcproxy(self, users, use_tcp):
              with self.configure_kdc_proxy_for_ad_trust(use_tcp):
      >           self.check_kerberos_requests(users['ad'], skip_kpasswd_check=True)
      
      self       = <ipatests.test_integration.test_http_kdc_proxy.TestHttpKdcProxy object at 0x7f944f2de9d0>
      use_tcp    = False
      users      = {'ad': {'domain': <ipatests.pytest_ipa.integration.config.Domain object at 0x7f9450365580>, 'name': 'testuser@AD-8Y5Q...., 'name': 'ipa_test_user', 'password': 'SecretIpaTestUser', 'test_service': 'HTTP/master.testrelm.test@TESTRELM.TEST'}}
      
      test_integration/test_http_kdc_proxy.py:211: 
      _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
      test_integration/test_http_kdc_proxy.py:149: in check_kerberos_requests
          tasks.kinit_as_user(self.client, user['name'], user['password'])
              self       = <ipatests.test_integration.test_http_kdc_proxy.TestHttpKdcProxy object at 0x7f944f2de9d0>
              skip_kpasswd_check = True
              user       = {'domain': <ipatests.pytest_ipa.integration.config.Domain object at 0x7f9450365580>, 'name': 'testuser@AD-8Y5Q.TEST', 'password': 'Secret123', 'test_service': 'HTTP/root-dc-8y5q.ad-8y5q.test@AD-8Y5Q.TEST'}
      pytest_ipa/integration/tasks.py:2252: in kinit_as_user
          return host.run_command(
              host       = <ipatests.pytest_ipa.integration.host.Host client.testrelm.test (client)>
              krb5_trace = False
              password   = 'Secret123'
              raiseonerr = True
              user       = 'testuser@AD-8Y5Q.TEST'
      _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
      
      self = <ipatests.pytest_ipa.integration.host.Host client.testrelm.test (client)>
      argv = ['kinit', 'testuser@AD-8Y5Q.TEST'], set_env = True
      stdin_text = 'Secret123\n', log_stdout = True, raiseonerr = True, cwd = None
      bg = False, encoding = 'utf-8', ok_returncode = 0
      
          def run_command(self, argv, set_env=True, stdin_text=None,
                          log_stdout=True, raiseonerr=True,
                          cwd=None, bg=False, encoding='utf-8', ok_returncode=0):
              """Wrapper around run_command to log stderr on raiseonerr=True
          
              :param ok_returncode: return code considered to be correct,
                                    you can pass an integer or sequence of integers
              """
              result = super().run_command(
                  argv, set_env=set_env, stdin_text=stdin_text,
                  log_stdout=log_stdout, raiseonerr=False, cwd=cwd, bg=bg,
                  encoding=encoding
              )
              # in FIPS mode SSH may print noise to stderr, remove the string
              # "FIPS mode initialized" + optional newline.
              result.stderr_bytes = FIPS_NOISE_RE.sub(b'', result.stderr_bytes)
              try:
                  result_ok = result.returncode in ok_returncode
              except TypeError:
                  result_ok = result.returncode == ok_returncode
              if not result_ok and raiseonerr:
                  result.log.error('stderr: %s', result.stderr_text)
      >           raise subprocess.CalledProcessError(
                      result.returncode, argv,
                      result.stdout_text, result.stderr_text
                  )
      E           subprocess.CalledProcessError: Command '['kinit', 'testuser@AD-8Y5Q.TEST']' returned non-zero exit status 1.
      
      __class__  = <class 'ipatests.pytest_ipa.integration.host.Host'>
      argv       = ['kinit', 'testuser@AD-8Y5Q.TEST']
      bg         = False
      cwd        = None
      encoding   = 'utf-8'
      log_stdout = True
      ok_returncode = 0
      raiseonerr = True
      result     = <pytest_multihost.transport.SSHCommand object at 0x7f944f251280>
      result_ok  = False
      self       = <ipatests.pytest_ipa.integration.host.Host client.testrelm.test (client)>
      set_env    = True
      stdin_text = 'Secret123\n'
      
      pytest_ipa/integration/host.py:202: CalledProcessError
       -------------------------------Captured log setup------------------------------- 
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['kdestroy', '-A']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd247:transport.py:513 RUN ['kdestroy', '-A']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd247:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:415 STAT /bin/systemctl
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd248:transport.py:513 RUN ['ls', '/bin/systemctl']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd248:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['systemctl', 'stop', 'sssd']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd249:transport.py:513 RUN ['systemctl', 'stop', 'sssd']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd249:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd250:transport.py:513 RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd250:transport.py:557 removed '/var/lib/sss/db/config.ldb'
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd250:transport.py:557 removed '/var/lib/sss/db/sssd.ldb'
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd250:transport.py:557 removed '/var/lib/sss/db/cache_testrelm.test.ldb'
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd250:transport.py:557 removed '/var/lib/sss/db/timestamps_testrelm.test.ldb'
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd250:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['rm', '-fv', '/var/lib/sss/mc/group']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd251:transport.py:513 RUN ['rm', '-fv', '/var/lib/sss/mc/group']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd251:transport.py:557 removed '/var/lib/sss/mc/group'
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd251:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['rm', '-fv', '/var/lib/sss/mc/passwd']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd252:transport.py:513 RUN ['rm', '-fv', '/var/lib/sss/mc/passwd']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd252:transport.py:557 removed '/var/lib/sss/mc/passwd'
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd252:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['rm', '-fv', '/var/lib/sss/mc/initgroups']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd253:transport.py:513 RUN ['rm', '-fv', '/var/lib/sss/mc/initgroups']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd253:transport.py:557 removed '/var/lib/sss/mc/initgroups'
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd253:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['systemctl', 'start', 'sssd']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd254:transport.py:513 RUN ['systemctl', 'start', 'sssd']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd254:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['python3', '-c', 'from ipaplatform.osinfo import OSInfo; print(OSInfo().platform)']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd255:transport.py:513 RUN ['python3', '-c', 'from ipaplatform.osinfo import OSInfo; print(OSInfo().platform)']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd255:transport.py:557 rhel
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd255:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['systemctl', 'unmask', 'firewalld']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd256:transport.py:513 RUN ['systemctl', 'unmask', 'firewalld']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd256:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['systemctl', 'enable', 'firewalld']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd257:transport.py:513 RUN ['systemctl', 'enable', 'firewalld']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd257:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['systemctl', 'start', 'firewalld']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd258:transport.py:513 RUN ['systemctl', 'start', 'firewalld']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd258:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv4', '-I', 'OUTPUT', '1', '-p', 'udp', '--dport', '53', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd259:transport.py:513 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv4', '-I', 'OUTPUT', '1', '-p', 'udp', '--dport', '53', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd259:transport.py:557 success
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd259:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv6', '-I', 'OUTPUT', '1', '-p', 'udp', '--dport', '53', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd260:transport.py:513 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv6', '-I', 'OUTPUT', '1', '-p', 'udp', '--dport', '53', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd260:transport.py:557 success
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd260:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv4', '-I', 'OUTPUT', '2', '-p', 'tcp', '--dport', '80', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd261:transport.py:513 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv4', '-I', 'OUTPUT', '2', '-p', 'tcp', '--dport', '80', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd261:transport.py:557 success
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd261:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv6', '-I', 'OUTPUT', '2', '-p', 'tcp', '--dport', '80', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd262:transport.py:513 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv6', '-I', 'OUTPUT', '2', '-p', 'tcp', '--dport', '80', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd262:transport.py:557 success
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd262:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv4', '-I', 'OUTPUT', '3', '-p', 'tcp', '--dport', '443', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd263:transport.py:513 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv4', '-I', 'OUTPUT', '3', '-p', 'tcp', '--dport', '443', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd263:transport.py:557 success
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd263:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv6', '-I', 'OUTPUT', '3', '-p', 'tcp', '--dport', '443', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd264:transport.py:513 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv6', '-I', 'OUTPUT', '3', '-p', 'tcp', '--dport', '443', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd264:transport.py:557 success
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd264:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv4', '-I', 'OUTPUT', '4', '-p', 'tcp', '--sport', '22', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd265:transport.py:513 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv4', '-I', 'OUTPUT', '4', '-p', 'tcp', '--sport', '22', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd265:transport.py:557 success
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd265:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv6', '-I', 'OUTPUT', '4', '-p', 'tcp', '--sport', '22', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd266:transport.py:513 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv6', '-I', 'OUTPUT', '4', '-p', 'tcp', '--sport', '22', '-j', 'ACCEPT']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd266:transport.py:557 success
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd266:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv4', '-P', 'OUTPUT', 'DROP']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd267:transport.py:513 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv4', '-P', 'OUTPUT', 'DROP']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd267:transport.py:557 success
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd267:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv6', '-P', 'OUTPUT', 'DROP']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd268:transport.py:513 RUN ['firewall-cmd', '--direct', '--passthrough', 'ipv6', '-P', 'OUTPUT', 'DROP']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd268:transport.py:557 success
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd268:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['mktemp']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd269:transport.py:513 RUN ['mktemp']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd269:transport.py:557 /tmp/tmp.Z2BbEMAoTN
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd269:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['cp', '--preserve=all', '/etc/krb5.conf', '/tmp/tmp.Z2BbEMAoTN']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd270:transport.py:513 RUN ['cp', '--preserve=all', '/etc/krb5.conf', '/tmp/tmp.Z2BbEMAoTN']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd270:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:436 GET /etc/krb5.conf
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd271:transport.py:513 RUN ['cat', '/etc/krb5.conf']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd271:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:427 PUT /etc/krb5.conf
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd272:transport.py:513 RUN ['tee', '/etc/krb5.conf']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd272:transport.py:217 Exit code: 0
      INFO     ipatests.pytest_ipa.integration.host.Host.client.IPAOpenSSHTransport:transport.py:391 RUN ['systemctl', 'restart', 'sssd.service']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd273:transport.py:513 RUN ['systemctl', 'restart', 'sssd.service']
      DEBUG    ipatests.pytest_ipa.integration.host.Host.client.cmd273:transport.py:217 Exit code: 0
       ------------------------------Captured stderr call------------------------------ 
      ipa: ERROR: stderr: kinit: Cannot contact any KDC for realm 'AD-8Y5Q.TEST' while getting initial credentials
      

              jrische@redhat.com Julien Rische
              jrische@redhat.com Julien Rische
              Julien Rische Julien Rische
              Sudhir Menon Sudhir Menon