RHBA-2013:1334 - Bug Fix Advisory

Topic

Updated ipa-client packages that fix several bugs and add various enhancements
are now available for Red Hat Enterprise Linux 5.

Description

IPA (Identity, Policy, Audit) is an integrated solution to provide centrally
managed identity, that is, machine, user, virtual machines, groups, and
authentication credentials. The ipa-client package provides a tool to enroll a
machine to an IPA version 2 server.

This update fixes the following bugs:

• If the IPA CA (Certification Authority) could not be added to the shared NSS

database in the /etc/pki/nssdb/ directory, the client installer terminated
unexpectedly with a fatal error message. The location of the directory has been
fixed and the client installer no longer crashes. (BZ#821500)

• Due to a missing dependency on the pyOpenSSL package, installation of

the ipa-client package failed. The missing dependency has been added and
ipa-client can now be installed as expected. (BZ#907071)

• In some cases, a CA certificate was stored in the base64-encoded form (PEM)

instead of the binary form (DER). The wrong CA format caused ipa-client to act
as if no CA was available and the system enrollment to terminate unexpectedly.
The ipa-client-install utility has been fixed to make the client more flexible
and be able to handle the data stored in either format. As a result, the system
enrollment as an IPA client now succeeds. (BZ#915504)

• Due to a bug, if one of the IPA masters was unavailable during

enrollment, the ipa-client-install did not fail over to another master.
Consequently, the ipa-client installation terminated unexpectedly. This bug has
been fixed, and ipa-client-install now fails over to a functional replica as
expected. (BZ#949632)

• Previously, there was more than one code path where a cleanup routine

could be called. If the xmlrpc_env_clean() function preceded the initializing
xmlrpc_env_init() function, the unenrolling of a client could fail. The order of
the calls in xmlrpc-c has been edited and unenrolling a client no longer fails.
(BZ#961132)

• In some cases, if replication between two IPA masters was slow, there

was a short time period where the client was not known to one of the
masters. Consequently, the kinit utility failed. The installation process has
been reordered so that all operations are done against the same
master the enrollment is initiated with. (BZ#976372)

Users of ipa-client are advised to upgrade to these updated packages, which fix
these bugs.

Solution

Before applying this update, make sure all previously-released errata relevant
to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 907071 - ipa-client missing pyOpenSSL dependency on RHEL5
• BZ - 949632 - ipa-client-install is not able to fail over to functional server
• BZ - 961132 - [abrt] freeipa-client-3.0.0-3.fc18: xmlrpc_env_clean: Process /usr/sbin/ipa-join was killed by signal 11 (SIGSEGV)
• BZ - 976372 - ipa-client-install Failed to obtain host TGT

CVEs

(none)

References

(none)