ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

Bug #1693154 reported by Martin Pitt on 2017-05-24
This bug affects 2 people
Affects: freeipa (Ubuntu), assigned to Timo Aaltonen; kerberos-configs (Debian)

Bug Description

ipa-client-install fails because it modifies /etc/krb5.conf to include /etc/krb5.conf.d which doesn't exist, so kinit fails.

The (temporary) fix is to add /etc/krb5.conf.d directory to freeipa-client.

[Test case]
Enroll an IPA client with ipa-client-install, it should pass.

[Regression potential]
None, this is a safe addition.

[original description]
Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt. joining a FreeIPA Kerberos server. I am running a server with a COCKPIT.LAN domain (from the "ipa-*" image on https://fedorapeople.org/groups/cockpit/images/), and realmd.service fails. Running ipa-client-install manually shows why:

$ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd sssd-tools packagekit
$ echo 'nameserver' | sudo tee -a /etc/resolv.conf

$ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd -w foobarfoo
Discovery was successful!
Client hostname: autopkgtest
DNS Domain: cockpit.lan
IPA Server: f0.cockpit.lan
BaseDN: dc=cockpit,dc=lan

Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

Installation failed. Rolling back changes.
IPA client is not configured on this system.

stracing shows that it tries to access /etc/krb5.conf.d/ which does not exist. mkdir'ing this is sufficient to fix it.

I'm not entirely sure if this is really in freeipa-client or krb5-user (kinit), but running "kinit -f <email address hidden>" directly succeeds.

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: freeipa-client 4.4.3-3ubuntu2
ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
Uname: Linux 4.10.0-21-generic x86_64
ApportVersion: 2.20.4-0ubuntu4.1
Architecture: amd64
Date: Wed May 24 09:30:57 2017
 PATH=(custom, no user)
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)

Martin Pitt (pitti) wrote :
Timo Aaltonen (tjaalton) wrote :

the client install creates /etc/krb5.conf with "includedir /etc/krb5.conf.d/"

while creating that directory should be done by krb5-config, it was fixed in sid/artful by freeipa-client 4.4.4-1. mit-krb5 will add the directory after stretch is released

SRU for zesty would be in order, though

Changed in freeipa (Ubuntu):
status: New → Fix Released
Changed in kerberos-configs (Debian):
status: Unknown → New
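The failure mode Timo describes (a krb5.conf that includes a directory no package ships) can be caught before kinit ever runs. The following shell check is an added example, not code from the bug report or the freeipa package; it assumes the MIT profile syntax `includedir <dir>` / `include <file>` and paths without whitespace, and the demo function builds its own scratch krb5.conf.

```shell
#!/bin/sh
# Added example, not from the bug report or the freeipa package: a pre-flight
# check that every "includedir"/"include" directive in a krb5.conf points at a
# readable directory/file. MIT Kerberos refuses to initialize its profile when an
# includedir target cannot be read, which is the kinit error seen in this bug.
# Assumes include paths contain no whitespace (the usual krb5.conf convention).
check_krb5_includes() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Normalize each directive to "dir PATH" or "file PATH"; other lines are dropped.
    entries=$(sed -n \
        -e 's/^[[:space:]]*includedir[[:space:]][[:space:]]*\([^[:space:]]*\).*/dir \1/p' \
        -e 's/^[[:space:]]*include[[:space:]][[:space:]]*\([^[:space:]]*\).*/file \1/p' \
        "$conf")
    missing=0
    while read -r kind path; do
        [ -n "$path" ] || continue
        if [ "$kind" = dir ] && [ -d "$path" ] && [ -r "$path" ]; then
            echo "ok: includedir $path"
        elif [ "$kind" = file ] && [ -f "$path" ] && [ -r "$path" ]; then
            echo "ok: include $path"
        else
            echo "MISSING: $kind $path (kinit would fail to initialize)"
            missing=$((missing + 1))
        fi
    done <<EOF
$entries
EOF
    [ "$missing" -eq 0 ]
}

# Constructed demo: recreate the bug in a scratch directory (krb5.conf includes
# a krb5.conf.d that does not exist), confirm the check flags it, then apply the
# fix the SRU shipped (create the directory) and confirm the check passes.
# Returns 0 only if both outcomes are as expected.
demo_missing_then_fixed() {
    tmp=$(mktemp -d) || return 2
    printf '[libdefaults]\n  default_realm = EXAMPLE.TEST\nincludedir %s/krb5.conf.d/\n' \
        "$tmp" > "$tmp/krb5.conf"
    if check_krb5_includes "$tmp/krb5.conf" >/dev/null; then
        rm -rf "$tmp"; return 1      # missing directory went undetected
    fi
    mkdir "$tmp/krb5.conf.d"         # the fix: ship the directory
    if check_krb5_includes "$tmp/krb5.conf" >/dev/null; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}
```

Running `check_krb5_includes /etc/krb5.conf` on a freshly enrolled client prints one line per include directive and exits non-zero if any target is missing, so it can sit in a provisioning pipeline ahead of ipa-client-install.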
Martin Pitt (pitti) wrote :

Splendid, thanks Timo!

Timo Aaltonen (tjaalton) wrote :

fixed package uploaded to the queue

description: updated
Changed in freeipa (Ubuntu Zesty):
assignee: nobody → Timo Aaltonen (tjaalton)
status: New → In Progress

Hello Martin, or anyone else affected,

Accepted freeipa into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/freeipa/4.4.3-3ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in freeipa (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-zesty
Martin Pitt (pitti) wrote :

Using the reproduction steps in the description, I re-confirmed that with the current zesty version joining the domain fails because of that missing directory. After installing freeipa-{client,common} from -proposed, joining the domain now succeeds.

tags: added: verification-done-zesty
removed: verification-needed-zesty
tags: removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freeipa - 4.4.3-3ubuntu2.1

freeipa (4.4.3-3ubuntu2.1) zesty; urgency=medium

  * client.dirs: Ship /etc/krb5.conf.d, because not having that breaks
    the installer when krb5.conf tries to include it. (LP: #1693154)

 -- Timo Aaltonen <email address hidden> Wed, 14 Jun 2017 13:56:03 +0300

Changed in freeipa (Ubuntu Zesty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for freeipa has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
