[RHEL-23627] Pagure #9465: IPA stops working if HTTP/... service principal was created before FreeIPA 4.4.0 and never modified

    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • rhel-9.4
    • ipa
    • ipa-4.11.0-6.el9
    • ZStream
    • rhel-sst-idm-ipa
    • ssg_idm
    • QE ack, Dev ack
    • 2024-Q1-Alpha-S3, 2024-Q1-Alpha-S4
    • Approved Blocker
    • Unspecified Release Note Type - Unknown

      Cloned from: https://pagure.io/freeipa/issue/9465

      Since commit 3e20a96c3091f9216cd2bcb1c5853593ed5de88c (FreeIPA 4.9.0, ~2020, issue https://pagure.io/freeipa/issue/8319) we allow issuing tickets with MS-PAC to Kerberos services. This in turn requires the presence of the `krbCanonicalName` attribute, which forces canonicalization.

      Services created before commit e6ff83e3610d553f6ff98e3adbfbe3c6984b2f17 (FreeIPA 4.4.0, ~2016) had no normalization to set `krbCanonicalName`; services created after the upgrade to that version do have `krbCanonicalName`.

      This bug only affects 'old' services: if they lack `krbCanonicalName`, a TGT cannot be issued for them. If such a service is the `HTTP/...` principal of an IPA master, users cannot connect to IPA services through the IPA API (including provisioning of new hosts).

      This is seen as:

      ```
      # ipa ping
      ipa: ERROR: No valid Negotiate header in server response
      ```

      The Kerberos KDC log shows:
      ```
      Oct 13 14:38:10 master.ipa.test krb5kdc[2743](info): AS_REQ : handle_authdata (2)
      Oct 13 14:38:10 master.ipa.test krb5kdc[2743](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 192.168.7.1: HANDLE_AUTHDATA: HTTP/master.ipa.test@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST, No such file or directory
      ```
      The `No such file or directory` is the text of ENOENT, which the attribute lookup returns when the entry has no `krbCanonicalName`; it comes from the `else if (is_service)` branch below in `ipadb_fill_info3()`, so PAC generation fails and the KDC does not issue the ticket:
      ```c
      if (is_host) {
          ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
          if (ret) {
              /* fqdn is mandatory for hosts */
              return ret;
          }
      } else if (is_service) {
          ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
                                       "krbCanonicalName", &strres);
          if (ret) {
              /* krbCanonicalName is mandatory for services; for an old
               * entry without the attribute the lookup returns ENOENT,
               * the "No such file or directory" seen in the KDC log */
              return ret;
          }
      }
      ```
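The two checks a practitioner wants after reading the description above are "which principal is the KDC failing on?" and "does that service entry really lack `krbCanonicalName`?". The script below is an added example for this page, not FreeIPA code: it scans krb5kdc log lines for `HANDLE_AUTHDATA` failures that end in `No such file or directory`, parses an LDIF dump of `cn=services,cn=accounts` (the dump and the log lines here are constructed sample data modelled on the report), reports service entries without `krbCanonicalName`, and emits an ldapmodify LDIF that adds `krbCanonicalName` equal to the single `krbPrincipalName`. That last step is an assumption about what the 4.4.0 normalization produces and is meant for review, not blind application; entries with several principal names (aliases) are deliberately left for a human. The LDIF parser is general (it unfolds continuation lines), so it goes beyond the two-entry sample.

```python
"""Triage for the "No valid Negotiate header" failure caused by a service
entry without krbCanonicalName.  Added example; not FreeIPA code.  The log
lines and LDIF below are constructed sample data modelled on the report."""
import re
from typing import Dict, List, Optional

# Constructed KDC log lines in the format quoted in the issue description.
SAMPLE_KDC_LOG = [
    "Oct 13 14:38:10 master.ipa.test krb5kdc[2743](info): AS_REQ : handle_authdata (2)",
    "Oct 13 14:38:10 master.ipa.test krb5kdc[2743](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18)}) "
    "192.168.7.1: HANDLE_AUTHDATA: HTTP/master.ipa.test@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST, No such file or directory",
    "Oct 13 14:38:12 master.ipa.test krb5kdc[2743](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18)}) "
    "192.168.7.1: ISSUE: authtime 1697200692, etypes {rep=18, tkt=18, ses=18}, admin@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST",
]

# Constructed LDIF dump: an old HTTP service without krbCanonicalName (first
# dn is folded across two lines, as ldapsearch output often is) and a healthy
# ldap service that has the attribute.
SAMPLE_SERVICES_LDIF = """\
dn: krbprincipalname=HTTP/master.ipa.test@IPA.TEST,cn=services,cn=accounts,
 dc=ipa,dc=test
objectClass: ipaService
objectClass: krbPrincipalAux
krbPrincipalName: HTTP/master.ipa.test@IPA.TEST

dn: krbprincipalname=ldap/master.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test
objectClass: ipaService
objectClass: krbPrincipalAux
krbPrincipalName: ldap/master.ipa.test@IPA.TEST
krbCanonicalName: ldap/master.ipa.test@IPA.TEST
"""

# Client principal, requested server principal and trailing errno text of a
# HANDLE_AUTHDATA failure line.
HANDLE_AUTHDATA_RE = re.compile(
    r"HANDLE_AUTHDATA: (?P<client>\S+) for (?P<server>\S+), (?P<error>.+)$"
)
ENOENT_TEXT = "No such file or directory"  # strerror(ENOENT)


def failing_principals(log_lines: List[str]) -> List[str]:
    """Client principals whose PAC generation failed with ENOENT."""
    hits = []
    for line in log_lines:
        m = HANDLE_AUTHDATA_RE.search(line)
        if m and m.group("error").strip() == ENOENT_TEXT:
            hits.append(m.group("client"))
    return hits


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfold continuation lines, split entries on blank
    lines, lower-case attribute names (LDAP attribute names are case-
    insensitive).  Base64 (::) and URL (:<) values are not handled, which is
    fine for the attributes inspected here."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def services_missing_canonical_name(entries: List[Dict[str, List[str]]]) -> List[Dict[str, List[str]]]:
    """Entries that carry a krbPrincipalName but no krbCanonicalName."""
    return [e for e in entries if "krbprincipalname" in e and "krbcanonicalname" not in e]


def remediation_ldif(entry: Dict[str, List[str]]) -> Optional[str]:
    """ldapmodify input adding krbCanonicalName = krbPrincipalName.
    Assumption: for a service with exactly one principal name this is the
    value the 4.4.0 normalization would have set.  With several
    krbPrincipalName values (aliases) the canonical one is a human decision,
    so None is returned."""
    names = entry.get("krbprincipalname", [])
    if len(names) != 1:
        return None
    return "\n".join([
        f"dn: {entry['dn'][0]}",
        "changetype: modify",
        "add: krbCanonicalName",
        f"krbCanonicalName: {names[0]}",
        "",
    ])


def triage(log_lines: List[str], ldif_text: str) -> Dict[str, str]:
    """Map each principal that failed in the KDC log to what the dump says."""
    by_name: Dict[str, Dict[str, List[str]]] = {}
    for e in parse_ldif(ldif_text):
        for n in e.get("krbprincipalname", []):
            by_name[n] = e
    verdict: Dict[str, str] = {}
    for p in failing_principals(log_lines):
        e = by_name.get(p)
        if e is None:
            verdict[p] = "not in dump"
        elif "krbcanonicalname" in e:
            verdict[p] = "has krbCanonicalName (look elsewhere)"
        else:
            verdict[p] = "missing krbCanonicalName"
    return verdict


if __name__ == "__main__":
    for principal, result in triage(SAMPLE_KDC_LOG, SAMPLE_SERVICES_LDIF).items():
        print(f"{principal}: {result}")
    for e in services_missing_canonical_name(parse_ldif(SAMPLE_SERVICES_LDIF)):
        print(remediation_ldif(e) or f"# {e['dn'][0]}: several principal names, review manually")
```

On a real master the dump would come from something like `ldapsearch -Y GSSAPI -b cn=services,cn=accounts,dc=ipa,dc=test '(&(krbPrincipalName=*)(!(krbCanonicalName=*)))' krbPrincipalName` (base DN is an example for the IPA.TEST realm). The durable fix is the updated package, since the patched kdb no longer fails when the canonical name is missing; adding the attribute is only a way to confirm the diagnosis or to unblock a master that cannot yet be updated.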
      


            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Moderate: ipa security update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2024:2147


            Sudhir Menon added a comment -

            Automation not required after discussing with DEV.

            gitlab-bot added a comment -

            Florence Blanc-Renaud mentioned this issue in a merge request of Red Hat / centos-stream / rpms / ipa on branch dtm24:

            ipa-4.11.0-6


            Florence Renaud added a comment -

            There are 2 ways to reproduce the issue:

            • either install IPA with an old version (before 4.4.0) and upgrade/migrate. This will result in the service HTTP/server.ipa.test@ipa.test missing the krbcanonicalname attribute
            • or on a new installation, use ldapmodify to edit the entry krbprincipalname=HTTP/server.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test and remove krbcanonicalname, restart IPA, try kinit admin + one ipa * command.

            Before the fix:

            ```
            # ipa user-find
            ipa: ERROR: No valid Negotiate header in server response
            ```

            After the fix: works well

            Florence Renaud added a comment -

            Fixed upstream
            master:

            • ed977a6 kdb: PAC generator: do not fail if canonical principal is missing

            ipa-4-9:

            • dcb9d6e kdb: PAC generator: do not fail if canonical principal is missing

            ipa-4-10:

            • 196d631 kdb: PAC generator: do not fail if canonical principal is missing

            ipa-4-11:

            • d09acb5 kdb: PAC generator: do not fail if canonical principal is missing
