Bug 1512972 - ipa-client-install should warn about existing krb5.keytab
Summary: ipa-client-install should warn about existing krb5.keytab
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-14 14:28 UTC by Luc de Louw
Modified: 2019-03-25 17:12 UTC
CC List: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug



Description Luc de Louw 2017-11-14 14:28:22 UTC
Description of problem:

When enrolling a client with an existing /etc/krb5.keytab, ipa-client-install appends the new keys to the keytab file without a warning.

Version-Release number of selected component (if applicable):
4.5.0-21

How reproducible:
Always

Steps to Reproduce:
1. Find a system with an existing keytab file
2. Enroll the system with ipa-client-install into an IPA environment
3. Use ktutil -> rkt -> l and find the keys appended

Actual results:
See reproducer

Expected results:
ipa-client-install should warn the user about an existing keytab file and let the user choose to either overwrite the keytab or append the new keys


Additional info:

Comment 3 Rob Crittenden 2017-11-14 15:03:09 UTC
Need more information on what problem(s) this causes. Are they trying to re-use the same realm name? What errors are being seen?

Comment 8 Alexander Bokovoy 2017-11-20 13:37:13 UTC
I guess we can add logic that would check the content of the krb5.keytab and decide to warn if it contains keys from a different realm than IPA. I doubt we should be erroring on them because it actually might be useful in some complex cases to allow keys from multiple realms in the same keytab (with a tuned sssd.conf to pick up proper keys by name).
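
The check sketched in comment 8, as an added example that is not FreeIPA code and not part of this bug's discussion: a POSIX sh pre-enrollment script that reads `klist -k` output for the existing keytab, collects the realms of the principals in it, and exits with a distinct status when keys from a realm other than the one being joined are present. The IPA realm name, the keytab path, the function names and the sample `klist -k` output are all assumptions made for the example; the sample is constructed, not taken from the report.

```shell
#!/bin/sh
# Added example, not FreeIPA code: inspect an existing /etc/krb5.keytab before
# running ipa-client-install and report whether it already holds keys, and
# whether any of them belong to a realm other than the IPA realm being joined.
# Assumes MIT Kerberos `klist -k` output (a "KVNO Principal" table); the IPA
# realm and keytab path are supplied by the caller.

# Print the distinct realms of all principals in `klist -k` output read on stdin.
# Data rows start with a numeric KVNO and end with a principal containing '@';
# the "Keytab name:" line, header and separator fail that test and are skipped.
keytab_realms() {
    awk '$1 ~ /^[0-9]+$/ && $NF ~ /@/ { p = $NF; sub(/.*@/, "", p); seen[p] = 1 }
         END { for (r in seen) print r }' | sort
}

# classify_keytab IPA_REALM   (reads `klist -k` output on stdin)
# Exit status: 0 = no keys at all
#              1 = keys present, all in IPA_REALM
#              2 = keys present from at least one other realm (warn, do not error:
#                  comment 8 notes multi-realm keytabs can be legitimate)
classify_keytab() {
    ipa_realm=$1
    realms=$(keytab_realms)
    [ -n "$realms" ] || return 0
    for r in $realms; do
        [ "$r" = "$ipa_realm" ] || return 2
    done
    return 1
}

# check_keytab IPA_REALM [KEYTAB]: same exit codes, reading the real file.
# A missing or empty keytab is the "nothing to warn about" case.
check_keytab() {
    keytab=${2:-/etc/krb5.keytab}
    [ -s "$keytab" ] || return 0
    klist -k "$keytab" | classify_keytab "$1"
}

# Constructed sample of `klist -k` output: a host that already holds keys for
# a non-IPA realm (CORP.EXAMPLE), the situation the report describes.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/client.corp.example@CORP.EXAMPLE
   3 host/client.corp.example@CORP.EXAMPLE'

# Classify the constructed sample against the realm to be joined (IPA.EXAMPLE,
# an assumed name) and print the message an operator would want before enrolling.
demo() {
    rc=0
    printf '%s\n' "$SAMPLE_KLIST" | classify_keytab IPA.EXAMPLE || rc=$?
    case $rc in
        0) echo "No existing keys in keytab; safe to run ipa-client-install." ;;
        1) echo "Keytab already holds IPA.EXAMPLE keys; this looks like a re-enrolment." ;;
        2) echo "WARNING: keytab holds keys from other realm(s):" \
                "$(printf '%s\n' "$SAMPLE_KLIST" | keytab_realms | tr '\n' ' ')" ;;
    esac
    return $rc
}
```

In use, `check_keytab EXAMPLE.COM` would run before `ipa-client-install`; on status 2 the operator can either move the old keytab aside first (so enrollment starts from an empty file) or deliberately keep it and let the new keys be appended, which is exactly the choice the report asks the installer to offer. The script only reads the keytab and never modifies it.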

Comment 9 Florence Blanc-Renaud 2017-11-20 16:46:06 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7269

