atomic-penguin / cookbook-krb5

Chef cookbook for Kerberos 5 authentication
Apache License 2.0

kadm5_init_with_password: Incorrect password #51

Open JaBurd opened 5 years ago

JaBurd commented 5 years ago

Issue creating principals via host_keytab recipe.

We're setting the passwords via databag:

node.default['krb5']['master_password'] = passwords['kdcadmin'].to_s

# admin user
node.default['krb5']['admin_principal'] = 'kdcadmin/admin'
node.default['krb5']['admin_password'] = passwords['kdcadmin'].to_s

and it appears they should be getting passed via the init:

https://github.com/atomic-penguin/cookbook-krb5/blob/master/resources/principal.rb#L30

Recipe: krb5::host_keytab
  * krb5_principal[host/kerberos.master.com] action create
  Recipe: build-essential::default
    * build_essential[install_packages] action install
      * yum_package[autoconf, bison, flex, gcc, gcc-c++, gettext, kernel-devel, make, m4, ncurses-devel, patch] action install (up to date)
       (up to date)
  Recipe: krb5::rkerberos_gem
    * yum_package[krb5-devel] action install (up to date)
    * chef_gem[rkerberos] action install (up to date)

    ================================================================================
    Error executing action `create` on resource 'krb5_principal[host/kerberos.master.com]'
    ================================================================================

    Kerberos::Kadm5::Exception
    --------------------------
    kadm5_init_with_password: Incorrect password

    Cookbook Trace:
    ---------------
    /var/chef/cache/cookbooks/krb5/libraries/helpers.rb:28:in `initialize'
    /var/chef/cache/cookbooks/krb5/libraries/helpers.rb:28:in `new'
    /var/chef/cache/cookbooks/krb5/libraries/helpers.rb:28:in `kadm5_init'
    /var/chef/cache/cookbooks/krb5/resources/principal.rb:30:in `block in class_from_file'

    Resource Declaration:
    ---------------------
    # In /var/chef/cache/cookbooks/krb5/recipes/host_keytab.rb

     21:   krb5_principal princ do
     22:     action :create
     23:   end
     24: end

    Compiled Resource:
    ------------------
    # Declared in /var/chef/cache/cookbooks/krb5/recipes/host_keytab.rb:21:in `block in from_file'

    krb5_principal("host/kerberos.master.com") do
      action [:create]
      default_guard_interpreter :default
      declared_type :krb5_principal
      cookbook_name "krb5"
      recipe_name "host_keytab"
    end

    System Info:
    ------------
    chef_version=14.5.33
    platform=centos
    platform_version=7.5.1804
    ruby=ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
    program_name=/usr/bin/chef-client
    executable=/opt/chef/bin/chef-client

Still trying to debug, looking for additional options to try as well.

JaBurd commented 5 years ago

This appears to be working in my local environment. I need to double check my passwords and usernames in the dev environment where it's failing.

JaBurd commented 5 years ago

Leveraging the rkerberos gem on my dev environment master server, it appears to be functioning as expected when passing the proper credentials:

irb(main):001:0> require 'rkerberos'
=> true
irb(main):002:0> krb5 = Kerberos::Krb5.new
=> #<Kerberos::Krb5:0x0000000001441b68>
irb(main):003:0> puts krb5.default_realm
KERBEROS.MASTER.COM
=> nil
irb(main):004:0> krb5.close
=> true
irb(main):005:0> kadm5 = Kerberos::Kadm5.new(:principal => 'kdcadmin/admin', :password => 'xxxpasswordxxx')
=> #<Kerberos::Kadm5:0x0000000001294ea0>
irb(main):006:0> kadm5.get_principal('host/kerberos.master.com')
=> #<Kerberos::Krb5::Principal attributes=0 aux_attributes=0 expire_time=nil fail_auth_count=0 kvno=2 last_failed=nil last_password_change=nil last_success=nil max_life=86400 max_renewable_life=0 mod_date=2019-04-15 15:16:01 -0400 mod_name="hdfs-dev/admin@KERBEROS.MASTER.COM" password_expiration=nil policy=nil principal="host/kerberos.master.com" >

JaBurd commented 5 years ago

Local environment still working. Though if un/pw aren't getting set & used properly, I could see how it would work locally, as it's just using blank values.
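An added example (not code from the cookbook or from the reporter) showing the failure mode raised in the last comment: `passwords['kdcadmin'].to_s` turns a missing data bag key into an empty string, so kadm5 is handed a blank password and the misconfiguration only surfaces as "Incorrect password". The `passwords` hash, its misspelled `'kdc_admin'` key and the `strict_credentials` helper are constructed for this example; the `node['krb5']` attribute names are the ones the issue shows.

```ruby
# Constructed stand-in for the data bag item; the key is deliberately
# misspelled ('kdc_admin' instead of 'kdcadmin') to model a lookup miss.
PASSWORDS = { 'kdc_admin' => 's3cret' }.freeze

# Mirrors the attribute assignment from the issue: a nil lookup becomes ''
# via .to_s, and the empty password travels silently into Kadm5.new.
def lenient_node_attributes(passwords)
  {
    'krb5' => {
      'admin_principal' => 'kdcadmin/admin',
      'admin_password'  => passwords['kdcadmin'].to_s,
    },
  }
end

# Checked lookup (hypothetical helper, not part of the cookbook): fail at
# compile time with the key name instead of handing kadm5 a blank secret.
def strict_credentials(passwords, key = 'kdcadmin')
  password = passwords.fetch(key) do
    raise KeyError, "data bag item has no '#{key}' key"
  end
  if password.to_s.strip.empty?
    raise ArgumentError, "password for '#{key}' is empty"
  end
  { principal: 'kdcadmin/admin', password: password.to_s }
end

# Builds the options hash in the shape the irb session on this page passes
# to Kerberos::Kadm5.new, rejecting a blank password before any KDC call.
def kadm5_options(node)
  principal = node['krb5']['admin_principal']
  password  = node['krb5']['admin_password']
  raise ArgumentError, 'admin_password is blank' if password.to_s.empty?
  { principal: principal, password: password }
end

if __FILE__ == $PROGRAM_NAME
  node = lenient_node_attributes(PASSWORDS)
  puts "lenient password: #{node['krb5']['admin_password'].inspect}"  # ""
  begin
    kadm5_options(node)
  rescue ArgumentError => e
    puts "kadm5_options rejected it: #{e.message}"
  end
  begin
    strict_credentials(PASSWORDS)
  rescue KeyError => e
    puts "strict lookup failed early: #{e.message}"
  end
end
```
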