ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

Bug #1693154 reported by Martin Pitt on 2017-05-24
This bug affects 1 person
Affects                     Status  Importance  Assigned to     Milestone
freeipa (Ubuntu)                    Undecided   Unassigned
  Zesty                             Undecided   Timo Aaltonen
kerberos-configs (Debian)   New     Unknown

Bug Description

[Impact]
ipa-client-install fails because it modifies /etc/krb5.conf to include /etc/krb5.conf.d which doesn't exist, so kinit fails.

The (temporary) fix is to add /etc/krb5.conf.d directory to freeipa-client.

[Test case]
Enroll an IPA client with ipa-client-install; it should pass.

[Regression potential]
None, this is a safe addition.

[original description]
Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt. joining a FreeIPA kerberos server. I am running a server on 10.111.112.100 with a COCKPIT.LAN domain (from the "ipa-*" image on https://fedorapeople.org/groups/cockpit/images/), and realmd.service fails. Running ipa-client-install manually shows why:

$ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd sssd-tools packagekit
$ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

$ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd -w foobarfoo
Discovery was successful!
Client hostname: autopkgtest
Realm: COCKPIT.LAN
DNS Domain: cockpit.lan
IPA Server: f0.cockpit.lan
BaseDN: dc=cockpit,dc=lan

Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

Installation failed. Rolling back changes.
IPA client is not configured on this system.

stracing shows that it tries to access /etc/krb5.conf.d/ which does not exist. mkdir'ing this is sufficient to fix it.

I'm not entirely sure if this is really in freeipa-client or krb5-user (kinit), but running "kinit -f <email address hidden>" directly succeeds.

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: freeipa-client 4.4.3-3ubuntu2
ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
Uname: Linux 4.10.0-21-generic x86_64
ApportVersion: 2.20.4-0ubuntu4.1
Architecture: amd64
Date: Wed May 24 09:30:57 2017
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)

Timo Aaltonen (tjaalton) wrote :

the client install creates /etc/krb5.conf with "includedir /etc/krb5.conf.d/"

while creating that directory should be done by krb5-config, it was fixed in sid/artful by freeipa-client 4.4.4-1. mit-krb5 will add the directory after stretch is released

SRU for zesty would be in order, though
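
A pre-flight check for the condition discussed above, as an added example that is not part of the original report or of the freeipa packaging: it lists every includedir target in a krb5.conf that is missing or unreadable, the state in which kinit aborts. The function names and the temp-dir sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or the freeipa package.

# missing_includedirs CONF
# Print every "includedir DIRNAME" target in CONF that is missing or not
# usable as a directory. Returns 0 if all are usable, 1 if any is not,
# 2 if CONF itself cannot be read.
missing_includedirs() {
    conf=$1
    [ -r "$conf" ] || return 2
    # Directive is matched at the start of a line; trailing blanks are dropped.
    dirs=$(sed -n 's/^includedir[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf")
    rc=0
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        if [ ! -d "$dir" ] || [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
            printf '%s\n' "$dir"
            rc=1
        fi
    done <<EOF
$dirs
EOF
    return "$rc"
}

# demo: constructed krb5.conf in a temp dir, checked before and after the
# mkdir workaround from the report. Prints "<rc before> <rc after>".
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'includedir %s/krb5.conf.d/\n\n[libdefaults]\n  default_realm = COCKPIT.LAN\n' \
        "$tmp" > "$tmp/krb5.conf"
    missing_includedirs "$tmp/krb5.conf" >/dev/null && before=0 || before=$?
    mkdir "$tmp/krb5.conf.d"
    missing_includedirs "$tmp/krb5.conf" >/dev/null && after=0 || after=$?
    rm -rf "$tmp"
    echo "$before $after"
}

# Stand-alone use: sh check.sh /etc/krb5.conf
if [ -n "${1:-}" ]; then
    missing_includedirs "$1"
fi
```

Run against /etc/krb5.conf after any tool rewrites it; a non-empty result means Kerberos clients on that host will fail at library initialization until the listed directory exists.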

Changed in freeipa (Ubuntu):
status: New → Fix Released
Changed in kerberos-configs (Debian):
status: Unknown → New
Martin Pitt (pitti) wrote :

Splendid, thanks Timo!

Timo Aaltonen (tjaalton) wrote :

fixed package uploaded to the queue

description: updated
Changed in freeipa (Ubuntu Zesty):
assignee: nobody → Timo Aaltonen (tjaalton)
status: New → In Progress

Hello Martin, or anyone else affected,

Accepted freeipa into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/freeipa/4.4.3-3ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in freeipa (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-zesty