RHEL 6.1 IPA2b1's ipa-client-install unable to join an IPA domain

Environment

  • Red Hat Enterprise Linux 6.1
  • libcurl-7.19.7-26.el6_1.1
  • ipa-client-2.0.0-23.el6_1.1.x86_64
  • ipa-python-2.0.0-23.el6_1.1.x86_64
  • ipa-admintools-2.0.0-23.el6_1.1.x86_64

Issue

With the RHEL 6.1 tech preview of IPA 2, an IPA client cannot join an IPA domain using the default configuration: the ipa-client-install script fails with the error:

Joining realm failed because of failing XML-RPC request.
  This error may be caused by incompatible server/client major versions.

Resolution

If the client is running libcurl-7.19.7-26.el6_1.1, upgrade to libcurl-7.19.7-26.el6_1.2 and ipa-client-2.0.0-23.el6_1.2:

# yum update libcurl ipa-client

# rpm -qa | grep -E 'libcurl|ipa-*'
ipa-admintools-2.0.0-23.el6_1.2
ipa-python-2.0.0-23.el6_1.2
libcurl-7.19.7-26.el6_1.2
ipa-client-2.0.0-23.el6_1.2

Root Cause

As the fix for CVE-2011-2192, libcurl disabled GSSAPI credential delegation by default.

However, some xmlrpc-c clients had been relying on that delegation and were broken by the change.

The IPA project needs to delegate tickets over XML-RPC via xmlrpc-c, which in turn uses libcurl.

This issue also affects certmonger, which uses similar xmlrpc-c/libcurl calls to communicate with IPA.

Diagnostic Steps

Testing environment:

Red Hat Enterprise Linux Server release 6.1 (Santiago)
Linux ipaclient1.example.com 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

yum install -y ipa-client ipa-admintools bind-utils bind-dyndb-ldap

ipa-client-2.0.0-23.el6_1.1.x86_64
ipa-python-2.0.0-23.el6_1.1.x86_64
ipa-admintools-2.0.0-23.el6_1.1.x86_64

vi /etc/resolv.conf
search example.com
nameserver ip-of-ipa-server

/etc/init.d/messagebus start

/usr/sbin/ipa-client-install
Discovery was successful!
Hostname: ipaclient1.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipaserver1.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]: yes
Enrollment principal: admin@EXAMPLE.COM
Password for admin@EXAMPLE.COM:
Joining realm failed because of failing XML-RPC request.
  This error may be caused by incompatible server/client major versions.

Review logs on IPA client system:

tail /var/log/httpd/error_log
[Fri Aug 05 17:39:41 2011] [error] ipa: ERROR: xmlserver.__call__():
[Fri Aug 05 17:39:41 2011] [error] Traceback (most recent call last):
[Fri Aug 05 17:39:41 2011] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 245, in __call__
[Fri Aug 05 17:39:41 2011] [error]     response = self.wsgi_execute(environ)
[Fri Aug 05 17:39:41 2011] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 229, in wsgi_execute
[Fri Aug 05 17:39:41 2011] [error]     self.info('%s: %s(%s): %s', context.principal, name, ', '.join(self.Command[name]._repr_iter(**params)), e.__class__.__name__)
[Fri Aug 05 17:39:41 2011] [error] AttributeError: 'thread._local' object has no attribute 'principal'

tail /var/log/krb5kdc.log
Aug 05 17:39:41 ipaserver2.example.com krb5kdc[6950](info): AS_REQ (4 etypes {18 17 16 23}) 10.14.5.12: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Aug 05 17:39:41 ipaserver2.example.com krb5kdc[6950](info): TGS_REQ (4 etypes {18 17 16 23}) 10.14.5.12: ISSUE: authtime 1312591180, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for HTTP/ipaserver2.example.com@EXAMPLE.COM

tail /var/log/httpd/access_log
10.14.5.12 - - [05/Aug/2011:17:39:38 -0700] "GET /ipa/config/ca.crt HTTP/1.0" 200 1321 "-" "Wget/1.12 (linux-gnu)"
10.14.5.12 - - [05/Aug/2011:17:39:41 -0700] "POST /ipa/xml HTTP/1.1" 401 1502
10.14.5.12 - admin@EXAMPLE.COM [05/Aug/2011:17:39:41 -0700] "POST /ipa/xml HTTP/1.1" 500 25
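The two checks that matter on a system showing this failure are the installed libcurl release (compare with the fixed release named in the Resolution) and the server-side Apache log signature seen above: an authenticated POST to /ipa/xml answered with HTTP 500, together with the "'thread._local' object has no attribute 'principal'" traceback in error_log. The following shell helper is an added example for this article, not Red Hat's or IPA's code. It embeds the access_log and error_log lines quoted above as its sample input so it runs offline, takes the libcurl name-version-release as an argument (the rpm query in the comment shows how to feed it the live value), and relies on GNU sort -V for release ordering.

```shell
#!/bin/sh
# Added triage helper for this article (not Red Hat's or IPA's code).
# 1) libcurl_needs_update: is the installed libcurl older than the fixed release?
# 2) count_failed_xmlrpc_posts / has_principal_traceback: do the Apache logs on
#    the IPA server show the failure signature from the Diagnostic Steps?

# Fixed release named in the Resolution section.
FIXED_LIBCURL="libcurl-7.19.7-26.el6_1.2"

# Sample log lines, copied from the Diagnostic Steps above, so the checks can be
# exercised offline. On a real server read /var/log/httpd/access_log and error_log.
SAMPLE_ACCESS_LOG=$(cat <<'EOF'
10.14.5.12 - - [05/Aug/2011:17:39:38 -0700] "GET /ipa/config/ca.crt HTTP/1.0" 200 1321 "-" "Wget/1.12 (linux-gnu)"
10.14.5.12 - - [05/Aug/2011:17:39:41 -0700] "POST /ipa/xml HTTP/1.1" 401 1502
10.14.5.12 - admin@EXAMPLE.COM [05/Aug/2011:17:39:41 -0700] "POST /ipa/xml HTTP/1.1" 500 25
EOF
)
SAMPLE_ERROR_LOG="[Fri Aug 05 17:39:41 2011] [error] AttributeError: 'thread._local' object has no attribute 'principal'"

# Returns 0 (true) when the given name-version-release is older than
# FIXED_LIBCURL. The argument form keeps it testable offline; on a client run:
#   libcurl_needs_update "$(rpm -q libcurl --qf '%{NAME}-%{VERSION}-%{RELEASE}\n')"
# Release ordering relies on GNU sort -V.
libcurl_needs_update() {
    have="$1"
    [ "$have" = "$FIXED_LIBCURL" ] && return 1
    oldest=$(printf '%s\n%s\n' "$have" "$FIXED_LIBCURL" | sort -V | head -n 1)
    [ "$oldest" = "$have" ]
}

# Reads access_log lines on stdin and prints how many POSTs to /ipa/xml were
# made by an authenticated user ($3 is the principal, "-" when anonymous) yet
# ended in HTTP 500: the "Negotiate succeeded, server still failed" pattern.
count_failed_xmlrpc_posts() {
    awk '$3 != "-" && $7 == "/ipa/xml" && $9 == "500" { n++ } END { print n + 0 }'
}

# Reads error_log lines on stdin; returns 0 when the traceback that IPA logs for
# a request arriving without delegated credentials is present.
has_principal_traceback() {
    grep -q "AttributeError: 'thread._local' object has no attribute 'principal'"
}

# Stand-alone run against the embedded samples.
if libcurl_needs_update "libcurl-7.19.7-26.el6_1.1"; then
    echo "libcurl-7.19.7-26.el6_1.1 is older than $FIXED_LIBCURL: update libcurl and ipa-client"
fi
echo "authenticated POST /ipa/xml -> 500: $(printf '%s\n' "$SAMPLE_ACCESS_LOG" | count_failed_xmlrpc_posts)"
if printf '%s\n' "$SAMPLE_ERROR_LOG" | has_principal_traceback; then
    echo "error_log shows the missing-principal traceback"
fi
```

The 401 followed by 500 is the useful distinction: Kerberos authentication itself succeeded (the KDC log shows the HTTP/ service ticket being issued and access_log records the principal), and the request only failed once IPA tried to act with credentials the client never forwarded. Upstream curl's fix for CVE-2011-2192 made delegation opt-in through CURLOPT_GSSAPI_DELEGATION rather than on by default, which is why the Resolution updates ipa-client together with libcurl; the downgrade shown next is a diagnostic step that confirms the cause but also reinstates the vulnerability, so it is not a fix.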

To confirm the cause, downgrade libcurl using yum:

yum downgrade libcurl curl
Loaded plugins: product-id, refresh-packagekit, rhnplugin, subscription-manager
Updating Red Hat repositories.
Setting up Downgrade Process
Resolving Dependencies
--> Running transaction check
---> Package curl.x86_64 0:7.19.7-26.el6 will be a downgrade
---> Package curl.x86_64 0:7.19.7-26.el6_1.1 will be erased
---> Package libcurl.x86_64 0:7.19.7-26.el6 will be a downgrade
---> Package libcurl.x86_64 0:7.19.7-26.el6_1.1 will be erased
...
Removed:
  curl.x86_64 0:7.19.7-26.el6_1.1     libcurl.x86_64 0:7.19.7-26.el6_1.1
Installed:
  curl.x86_64 0:7.19.7-26.el6    libcurl.x86_64 0:7.19.7-26.el6
Complete!

Then retry the IPA client installation and enrollment:

/usr/sbin/ipa-client-install
Discovery was successful!
Hostname: ipaclient1.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipaserver2.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Enrollment principal: admin
Password for admin@EXAMPLE.COM:

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.

Comments

Another possible workaround:

ipaserver1: ipa host-add ipaclient1.example.com --ip-address=10.14.5.12
ipaclient1: kinit admin
ipaclient1: ipa-getkeytab -s ipaserver1.example.com -p host/ipaclient1.example.com@EXAMPLE.COM -k /etc/krb5.keytab
ipaclient1: service sssd restart

Running ipa-client-install with --debug shows where the join fails:

/usr/sbin/ipa-client-install --debug
...
root        : DEBUG    args=/usr/sbin/ipa-join -s ipaserver2.example.com -d
root        : DEBUG    stdout=
root        : DEBUG    stderr=XML-RPC CALL:
...snip...
HTTP response code is 500, not 200

Joining realm failed because of failing XML-RPC request.
  This error may be caused by incompatible server/client major versions.
root        : DEBUG    args=kdestroy
root        : DEBUG    stdout=
root        : DEBUG    stderr=
[root@ipaclient1 ~]#

Bugzilla report 711454 - (CVE-2011-2192) CVE-2011-2192 curl: Improper delegation of client credentials during GSS negotiation
Bugzilla report 719938 - Add support for Kerberos ticket delegation

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.