IPA Client enrollment failed with HTTP Error 500 on RHEL7
Environment
Red Hat Enterprise Linux 7.2
Fix in Red Hat Enterprise Linux 7.3
Issue
The ipa-client-install command fails with the following error:
Hostname: ipa-client.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa-server.example.com
BaseDN: dc=ipa,dc=example,dc=com
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Tue Jun 16 23:42:02 2015 UTC
Valid Until: Sat Jun 16 23:42:02 2035 UTC
Joining realm failed: HTTP response code is 500, not 200
Installation failed. Rolling back changes.
IPA client is not configured on this system.
Resolution
A fix for this issue is available in RHEL 7.3 and later.
On RHEL 7.2, you can work around this issue by either:
- Ensuring that clients enroll serially.
- Rolling back to mod_auth_kerb for httpd authentication, following this process:
  - Install mod_auth_kerb:
    # yum install mod_auth_kerb
  - Check that the module is enabled in /etc/httpd/conf.modules.d/10-auth_kerb.conf:
    # cat /etc/httpd/conf.modules.d/10-auth_kerb.conf
    LoadModule auth_kerb_module modules/mod_auth_kerb.so
  - Disable mod_auth_gssapi in /etc/httpd/conf.modules.d/10-auth_gssapi.conf:
    # cat /etc/httpd/conf.modules.d/10-auth_gssapi.conf
    #LoadModule auth_gssapi_module modules/mod_auth_gssapi.so
  - Reconfigure /etc/httpd/conf.d/ipa.conf to use mod_auth_kerb for authenticating access to the /ipa Location by commenting out the existing AuthType GSSAPI section and adding the new AuthType Kerberos section:
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
#<Location "/ipa">
# AuthType GSSAPI
# AuthName "Kerberos Login"
# GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
# GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
# GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
# GssapiUseS4U2Proxy on
# Require valid-user
# ErrorDocument 401 /ipa/errors/unauthorized.html
# WSGIProcessGroup ipa
# WSGIApplicationGroup ipa
#</Location>
<Location "/ipa">
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms IPA.EXAMPLE.COM # <--- Add your own realm here.
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
KrbConstrainedDelegation on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
</Location>
  - Restart the httpd service:
    # systemctl restart httpd
  - Test that httpd authentication works as expected:
    kinit admin and access the IPA console with Firefox.
You can review the upstream bug report here:
https://fedorahosted.org/freeipa/ticket/5653
Root Cause
mod_auth_gssapi supplies a ccache at /var/run/httpd/ipa/clientcaches/$USER@$REALM so that all requests of the same user use the same ccache. This is usually fine, but the IPA session mechanism clears this file at the end of each request. Therefore one request can clear the ccache of a different, concurrent request, which leads to the errors described in this article.
This bug was introduced in ipa-server-4.2.0, when it migrated from mod_auth_kerb to mod_auth_gssapi for httpd authentication.
Diagnostic Steps
Check for the presence of the following in the httpd error log on the IPA server:
$ grep Krb5Error error_log
[Mon Mar 07 10:18:08.133391 2016] [:error] [pid 31596] [remote <ip.addr:port>] Krb5Error: (-1765328185, 'Bad format in credentials cache')
[Mon Mar 07 10:18:09.838721 2016] [:error] [pid 31596] [remote <ip.addr:port>] Krb5Error: (-1765328189, 'No credentials cache found')
[Mon Mar 07 10:18:09.840420 2016] [:error] [pid 31596] [remote <ip.addr:port>] Krb5Error: (-1765328189, 'No credentials cache found')
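The log check above can be scripted. The following is an added example, not code from the article or from the FreeIPA project: it parses error_log lines in the format shown, extracts the krb5 error code, and flags when several ccache errors land within a few seconds of each other, which is what concurrent enrollments sharing the per-user ccache produce. The sample log lines (with documentation-range addresses) and the five-second window are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the httpd error_log excerpt above.
SAMPLE_ERROR_LOG = """\
[Mon Mar 07 10:18:08.133391 2016] [:error] [pid 31596] [remote 192.0.2.10:51234] Krb5Error: (-1765328185, 'Bad format in credentials cache')
[Mon Mar 07 10:18:09.838721 2016] [:error] [pid 31596] [remote 192.0.2.10:51234] Krb5Error: (-1765328189, 'No credentials cache found')
[Mon Mar 07 10:18:09.840420 2016] [:error] [pid 31596] [remote 192.0.2.11:44100] Krb5Error: (-1765328189, 'No credentials cache found')
[Mon Mar 07 10:20:00.000000 2016] [:error] [pid 31597] [remote 192.0.2.12:40000] mod_wsgi (pid=31597): unrelated error
"""

# Apache 2.4 error_log prefix followed by the Krb5Error tuple the IPA code logs.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{6} \d{4})\] "
    r"\[(?P<module>[^\]]*)\] \[pid (?P<pid>\d+)\] \[remote (?P<remote>[^\]]*)\] "
    r"Krb5Error: \((?P<code>-?\d+), '(?P<msg>[^']*)'\)$"
)

# The two krb5 error codes quoted in the article's Diagnostic Steps.
CCACHE_RACE_CODES = {-1765328185, -1765328189}

def parse_krb5_errors(text):
    """Return parsed Krb5Error entries; non-Krb5Error lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"),
            "pid": int(m["pid"]),
            "remote": m["remote"].rsplit(":", 1)[0],
            "code": int(m["code"]),
            "msg": m["msg"],
        })
    return entries

def ccache_race_suspected(entries, window_seconds=5):
    """True when two or more ccache errors fall within one window (assumed
    five seconds): the signature of parallel requests clearing each other's
    ccache under /var/run/httpd/ipa/clientcaches/."""
    hits = sorted((e["ts"] for e in entries if e["code"] in CCACHE_RACE_CODES))
    for first, later in zip(hits, hits[1:]):
        if (later - first).total_seconds() <= window_seconds:
            return True
    return False
```

A single isolated ccache error is not flagged, since it can have other causes; repeated errors in a burst are what point at overlapping enrollments.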