View Issue Details

ID: 0000470
Project: AlmaLinux-8
Category: ipa
View Status: public
Last Update: 2024-09-05 19:59
Reporter: adelton
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Summary: 0000470: ipa-server-install fails with [error] RuntimeError: Failed to initialize kerberos container
Description: When running ipa-server-install in an AlmaLinux 8-based container, the process stops at

  [43/43]: restarting directory server
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [error] RuntimeError: Failed to initialize kerberos container
Failed to initialize kerberos container
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The /var/log/ipaserver-install.log then ends with

2024-07-04T03:41:08Z DEBUG [3/10]: initialize kerberos container
2024-07-04T03:41:08Z DEBUG Starting external process
2024-07-04T03:41:08Z DEBUG args=['kdb5_util', 'create', '-s', '-r', 'EXAMPLE.TEST', '-x', 'ipa-setup-override-restrictions']
2024-07-04T03:41:08Z DEBUG Process finished, return code=1
2024-07-04T03:41:08Z DEBUG stdout=Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.TEST',
master key name 'K/M@EXAMPLE.TEST'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

2024-07-04T03:41:08Z DEBUG stderr=kdb5_util: Invalid argument while adding entries to the database

2024-07-04T03:41:08Z DEBUG kdb5_util failed with CalledProcessError(Command ['kdb5_util', 'create', '-s', '-r', 'EXAMPLE.TEST', '-x', 'ipa-setup-override-restrictions'] returned non-zero exit status 1: 'kdb5_util: Invalid argument while adding entries to the database\n')
2024-07-04T03:41:08Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/krbinstance.py", line 358, in __init_ipa_kdb
    ipautil.run(args, nolog=(self.master_password,), stdin=''.join(dialogue))
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['kdb5_util', 'create', '-s', '-r', 'EXAMPLE.TEST', '-x', 'ipa-setup-override-restrictions'] returned non-zero exit status 1: 'kdb5_util: Invalid argument while adding entries to the database\n')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/krbinstance.py", line 361, in __init_ipa_kdb
    raise RuntimeError("Failed to initialize kerberos container")
RuntimeError: Failed to initialize kerberos container

2024-07-04T03:41:08Z DEBUG [error] RuntimeError: Failed to initialize kerberos container
2024-07-04T03:41:08Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 344, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 566, in main
    master_install(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 278, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 893, in install
    subject_base=options.subject_base)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/krbinstance.py", line 215, in create_instance
    self.start_creation()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/krbinstance.py", line 361, in __init_ipa_kdb
    raise RuntimeError("Failed to initialize kerberos container")

2024-07-04T03:41:08Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Failed to initialize kerberos container
2024-07-04T03:41:08Z ERROR Failed to initialize kerberos container
2024-07-04T03:41:08Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

This is with

# rpm -qf /usr/lib64/krb5/plugins/kdb/ipadb.so
ipa-server-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64
Steps To Reproduce: I believe that even on a non-container installation, merely running

ipa-server-install -U -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123

should trigger the issue.

Alternatively, in a checkout directory of https://github.com/freeipa/freeipa-container, run

docker=podman tests/run-partial-tests.sh Dockerfile.almalinux-8
Additional Information: First reported in https://github.com/freeipa/freeipa-container/actions/runs/9476735094/job/26118187109.

The previous run https://github.com/freeipa/freeipa-container/actions/runs/5571782333/jobs/10177165151 which used ipa-server-4.9.13-9.module_el8.10.0+3844+20e075e5 worked fine.
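The installer log excerpt above has a regular shape: a `[n/m]: step` line, then `args=[...]`, `Process finished, return code=N`, `stderr=...`, and finally an `[error]` line. The following is an added example (not part of this bug report or of the FreeIPA project) that parses that shape to pull out the failing step, the external command, its return code and its stderr; the embedded log excerpt is constructed from the lines in this report.

```python
"""Locate the failing ipa-server-install step in an ipaserver-install.log excerpt.

Added example for this bug report, not FreeIPA code. It relies only on the
DEBUG line formats visible in the report: '[n/m]: step', 'args=[...]',
'Process finished, return code=N', 'stderr=...' and '[error] ...'.
"""
import ast
import re
import sys

# Constructed excerpt mirroring the report's log (same realm and timestamps).
SAMPLE_LOG = """\
2024-07-04T03:41:08Z DEBUG [2/10]: configuring KDC
2024-07-04T03:41:08Z DEBUG [3/10]: initialize kerberos container
2024-07-04T03:41:08Z DEBUG Starting external process
2024-07-04T03:41:08Z DEBUG args=['kdb5_util', 'create', '-s', '-r', 'EXAMPLE.TEST', '-x', 'ipa-setup-override-restrictions']
2024-07-04T03:41:08Z DEBUG Process finished, return code=1
2024-07-04T03:41:08Z DEBUG stdout=Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.TEST',
2024-07-04T03:41:08Z DEBUG stderr=kdb5_util: Invalid argument while adding entries to the database
2024-07-04T03:41:08Z DEBUG [error] RuntimeError: Failed to initialize kerberos container
"""

LINE_RE = re.compile(r"^(\S+) (DEBUG|INFO|ERROR) (.*)$")   # timestamp, level, message
STEP_RE = re.compile(r"^\[(\d+)/(\d+)\]: (.*)$")            # '[3/10]: initialize ...'


def find_failing_step(log_text):
    """Return details of the step active at the first '[error]' line, or None."""
    step, proc = None, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation line of a multi-line stdout/stderr dump
        msg = m.group(3)
        s = STEP_RE.match(msg)
        if s:
            step = {"index": int(s.group(1)), "total": int(s.group(2)), "name": s.group(3)}
            proc = {}  # a new step starts; forget the previous external process
        elif msg.startswith("args="):
            proc["args"] = ast.literal_eval(msg[len("args="):])  # Python list literal
        elif msg.startswith("Process finished, return code="):
            proc["returncode"] = int(msg.rsplit("=", 1)[1])
        elif msg.startswith("stderr="):
            proc["stderr"] = msg[len("stderr="):].strip()
        elif msg.startswith("[error]"):
            return {"step": step, "error": msg[len("[error]"):].strip(), **proc}
    return None


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(find_failing_step(text))
```

Run it with the path to a real /var/log/ipaserver-install.log as the first argument; without one it parses the embedded excerpt.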
Tags: No tags attached.

Activities

frank-bergmann

2024-07-10 14:30

reporter   ~0001051

I can confirm that the current release doesn't work on a host (non-container) installation and throws exactly the error shown above.
I can also confirm that the release before (4.9.13-9.module_el8.10.0+3844+20e075e5) does work fine.

It seems that one of the two security fixes is broken:
- 0027-kdb-fix-vulnerability-in-GCD-rules-handling.patch
- 0028-kdb-apply-combinatorial-logic-for-ticket-flags.patch

Taking a quick look I think it is related to patch 0027.

The changelog entry:
* Tue Apr 30 2024 Julien Rische <jrische@redhat.com> - 4.9.13-10
- kdb: apply combinatorial logic for ticket flags (CVE-2024-3183)
  Resolves: RHEL-29927
- kdb: fix vulnerability in GCD rules handling (CVE-2024-2698)
  Resolves: RHEL-29692

frank-bergmann

2024-07-12 12:29

reporter   ~0001052

Update: The issue is caused by 0028-kdb-apply-combinatorial-logic-for-ticket-flags.patch

frank-bergmann

2024-07-15 14:32

reporter   ~0001053

The call of kdb5_util was NOT modified. With the older/working version and the new/broken version it is always

```
kdb5_util create -s -r REALM.TLD -x ipa-setup-override-restrictions
```

Hence the "Invalid argument while adding entries to the database" is just a follow-up error.

frank-bergmann

2024-07-16 17:00

reporter   ~0001055

A fresh RHEL 8 installation does not have this issue.

The kdb5_util issue:
kdb5_util: MS-PAC generator: Local domain NT attributes not configured

archaicx

2024-09-05 19:59

reporter   ~0001062

I also can confirm that versionlocking to ipa-server-4.9.13-9.module_el8.10.0+3844+20e075e5 allows this to install.

Issue History

Date Modified Username Field Change
2024-07-04 03:52 adelton New Issue
2024-07-10 14:30 frank-bergmann Note Added: 0001051
2024-07-12 12:29 frank-bergmann Note Added: 0001052
2024-07-15 14:32 frank-bergmann Note Added: 0001053
2024-07-16 17:00 frank-bergmann Note Added: 0001055
2024-09-05 19:59 archaicx Note Added: 0001062