IPA Client enrollment failed with HTTP Error 500 on RHEL7

Solution Verified

Environment

Red Hat Enterprise Linux 7.2
Fix in Red Hat Enterprise Linux 7.3

Issue

The ipa-client-install command fails with the following error:

Hostname: ipa-client.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa-server.example.com
BaseDN: dc=ipa,dc=example,dc=com
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Tue Jun 16 23:42:02 2015 UTC
    Valid Until: Sat Jun 16 23:42:02 2035 UTC

Joining realm failed: HTTP response code is 500, not 200

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Resolution

A fix for this issue is available in RHEL 7.3 and later; updating the IPA server to 7.3 resolves it. If you apply the mod_auth_kerb workaround below on 7.2, revert it after the update (re-enable mod_auth_gssapi and restore the AuthType GSSAPI section) so the server runs the supported configuration again.

On RHEL 7.2, you can work around this issue by either:
- Ensuring that clients enroll serially: run one ipa-client-install at a time against the server rather than enrolling many hosts in parallel from an automation job, since the failure is a race between concurrent requests from the same principal.
- Rolling back to mod_auth_kerb for httpd authentication on the IPA server, as per the following process:

  1. Install mod_auth_kerb:
# yum install mod_auth_kerb
  2. Check that the module is enabled in /etc/httpd/conf.modules.d/10-auth_kerb.conf:
# cat /etc/httpd/conf.modules.d/10-auth_kerb.conf
LoadModule auth_kerb_module modules/mod_auth_kerb.so
  3. Disable mod_auth_gssapi in /etc/httpd/conf.modules.d/10-auth_gssapi.conf by commenting out its LoadModule line:
# cat /etc/httpd/conf.modules.d/10-auth_gssapi.conf
#LoadModule auth_gssapi_module modules/mod_auth_gssapi.so
  4. Reconfigure /etc/httpd/conf.d/ipa.conf to use mod_auth_kerb for authenticating access to the /ipa Location by commenting out the existing AuthType GSSAPI section and adding the new AuthType Kerberos section. Set KrbAuthRealms to your own realm (EXAMPLE.COM below). Note that httpd does not accept a comment on the same line as a directive, so keep any comment on a line of its own:
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
#<Location "/ipa">
#  AuthType GSSAPI
#  AuthName "Kerberos Login"
#  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
#  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
#  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
#  GssapiUseS4U2Proxy on
#  Require valid-user
#  ErrorDocument 401 /ipa/errors/unauthorized.html
#  WSGIProcessGroup ipa
#  WSGIApplicationGroup ipa
#</Location>

<Location "/ipa">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  # Replace EXAMPLE.COM with your own realm
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  KrbConstrainedDelegation on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
</Location>
  5. Restart the httpd service:
# systemctl restart httpd
  6. Test that httpd authentication works as expected: run kinit admin, then open the IPA web UI in Firefox.
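The following script is an added example and is not part of the Red Hat solution. It checks the three things the workaround changes (mod_auth_kerb loaded, mod_auth_gssapi disabled, the active /ipa Location using AuthType Kerberos) and catches the inline-comment mistake that makes httpd reject ipa.conf. The functions take file paths so they can be pointed at a copy of the configuration; the sample files it creates are constructed here to mirror the finished workaround and are not real server files.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: offline consistency checks
# for the mod_auth_kerb workaround on an IPA server.

# Print the modules that are really loaded: LoadModule lines in the given
# conf.modules.d directory that are not commented out.
loaded_modules() {
    grep -h '^[[:space:]]*LoadModule[[:space:]]' "$1"/*.conf 2>/dev/null | awk '{print $2}'
}

# Print the AuthType in effect inside the active (uncommented) <Location "/ipa"> block.
active_authtype() {
    awk '/^[[:space:]]*#/ { next }
         /<Location "\/ipa">/ { inblock = 1; next }
         inblock && /<\/Location>/ { inblock = 0 }
         inblock && $1 == "AuthType" { print $2 }' "$1"
}

# httpd does not allow a comment after a directive on the same line: a trailing
# "# ..." on KrbAuthRealms would be read as extra realm names. Print such lines;
# the exit status is 0 if any were found (grep semantics).
inline_comment_lines() {
    grep -n '^[[:space:]]*Krb[A-Za-z0-9]*[[:space:]].*#' "$1"
}

# Run all checks; print FAIL lines and return non-zero if anything is wrong.
verify_workaround() {
    moddir=$1; ipaconf=$2; rc=0
    mods=$(loaded_modules "$moddir")
    echo "$mods" | grep -qx auth_kerb_module   || { echo "FAIL: mod_auth_kerb is not loaded"; rc=1; }
    echo "$mods" | grep -qx auth_gssapi_module && { echo "FAIL: mod_auth_gssapi is still loaded"; rc=1; }
    [ "$(active_authtype "$ipaconf")" = "Kerberos" ] \
        || { echo "FAIL: the active /ipa Location does not use AuthType Kerberos"; rc=1; }
    if bad=$(inline_comment_lines "$ipaconf"); then
        echo "FAIL: inline comment on a directive, httpd will reject it:"; echo "$bad"; rc=1
    fi
    return $rc
}

# Constructed sample configuration reflecting the finished workaround (not real files).
demo=$(mktemp -d)
mkdir -p "$demo/conf.modules.d"
echo 'LoadModule auth_kerb_module modules/mod_auth_kerb.so'     > "$demo/conf.modules.d/10-auth_kerb.conf"
echo '#LoadModule auth_gssapi_module modules/mod_auth_gssapi.so' > "$demo/conf.modules.d/10-auth_gssapi.conf"
cat > "$demo/ipa.conf" <<'EOF'
#<Location "/ipa">
#  AuthType GSSAPI
#  Require valid-user
#</Location>

<Location "/ipa">
  AuthType Kerberos
  # Replace EXAMPLE.COM with your own realm
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  Require valid-user
</Location>
EOF

verify_workaround "$demo/conf.modules.d" "$demo/ipa.conf" && echo "workaround configuration looks consistent"
```

On the IPA server itself, call verify_workaround /etc/httpd/conf.modules.d /etc/httpd/conf.d/ipa.conf and then run httpd -t, which is the authoritative syntax check, before restarting the service.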

You can review the upstream bug report here:
https://fedorahosted.org/freeipa/ticket/5653

Root Cause

mod_auth_gssapi stores the delegated credential cache at /var/run/httpd/ipa/clientcaches/$USER@$REALM, so all requests from the same user share one ccache. This is usually fine, but the IPA session mechanism clears this file at the end of each request. One request can therefore clear the ccache that a concurrent request from the same principal (for example, admin enrolling several clients in parallel) is still using, which leads to the Krb5Error messages and the HTTP 500 described above.

This bug was introduced in ipa-server-4.2.0, when it migrated from mod_auth_kerb to mod_auth_gssapi for httpd authentication.

Diagnostic Steps

Check for the presence of the following in the httpd error log on the IPA server (/var/log/httpd/error_log):

# grep Krb5Error /var/log/httpd/error_log
[Mon Mar 07 10:18:08.133391 2016] [:error] [pid 31596] [remote <ip.addr:port>] Krb5Error: (-1765328185, 'Bad format in credentials cache')
[Mon Mar 07 10:18:09.838721 2016] [:error] [pid 31596] [remote <ip.addr:port>] Krb5Error: (-1765328189, 'No credentials cache found')
[Mon Mar 07 10:18:09.840420 2016] [:error] [pid 31596] [remote <ip.addr:port>] Krb5Error: (-1765328189, 'No credentials cache found')
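The following is an added example, not part of the Red Hat solution, that runs the diagnostic above over a log file: it tallies Krb5Error entries by error code and reports when the two credential-cache errors that characterise this race (-1765328185, "Bad format in credentials cache", and -1765328189, "No credentials cache found") both appear. The log lines it processes are constructed to match the format shown above; the pids and 192.0.2.x addresses are made up.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: summarise Krb5Error entries
# in an httpd error_log and flag the ccache error pair produced by this race.

# Print one line per error code: "<code> <count> <message>", sorted by code.
# An entry looks like: Krb5Error: (-1765328185, 'Bad format in credentials cache')
krb5_error_summary() {
    awk '/Krb5Error: \(/ {
        s = substr($0, index($0, "Krb5Error: (") + 12)   # text after the opening parenthesis
        code = s; sub(/,.*/, "", code)                    # numeric krb5 error code
        msg = s; sub(/^[^,]*, /, "", msg)                 # quoted message plus trailing )
        gsub(/[^A-Za-z ]/, "", msg)                       # strip quotes and parenthesis
        count[code]++; msg_of[code] = msg
    } END { for (c in count) print c, count[c], msg_of[c] }' "$1" | sort
}

# Return 0 and print a diagnosis when both ccache errors are present, else 1.
ccache_race_suspected() {
    summary=$(krb5_error_summary "$1")
    echo "$summary" | grep -q '^-1765328185 ' && echo "$summary" | grep -q '^-1765328189 ' || return 1
    echo "ccache race suspected: both 'Bad format in credentials cache' and 'No credentials cache found' seen (upstream ticket 5653)"
}

# Constructed sample log (not a real capture) in the error_log format shown above.
log=$(mktemp)
cat > "$log" <<'EOF'
[Mon Mar 07 10:18:08.133391 2016] [:error] [pid 31596] [remote 192.0.2.10:45122] Krb5Error: (-1765328185, 'Bad format in credentials cache')
[Mon Mar 07 10:18:09.838721 2016] [:error] [pid 31596] [remote 192.0.2.11:50210] Krb5Error: (-1765328189, 'No credentials cache found')
[Mon Mar 07 10:18:09.840420 2016] [:error] [pid 31596] [remote 192.0.2.11:50210] Krb5Error: (-1765328189, 'No credentials cache found')
[Mon Mar 07 10:18:10.000001 2016] [core:notice] [pid 31590] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
EOF

krb5_error_summary "$log"
ccache_race_suspected "$log"
```

On the server, run krb5_error_summary /var/log/httpd/error_log; a single "No credentials cache found" entry on its own is not conclusive, which is why the detector requires both codes.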
