- Issued:
- 2012-02-20
- Updated:
- 2012-02-20
RHBA-2012:0190 - ipa-client bug fix update
Synopsis
ipa-client bug fix update
Type/Severity
Bug Fix Advisory (none)
Topic
An updated ipa-client package that fixes various bugs and adds several enhancements is now available for Red Hat Enterprise Linux 5.
Description
The ipa-client package provides a tool to enroll a machine to an IPA version 2 server. IPA (Identity, Policy, Audit) is an integrated solution to provide centrally managed identity, that is, machine, user, virtual machines, groups, and authentication credentials.
The ipa-client package has been upgraded to upstream version 2.1.3, which provides a number of bug fixes and enhancements over the previous version. (BZ#753936)
This update also fixes the following bugs:
-
Prior to this update, GSSAPI credential delegation was disabled in the curl utility due to a security issue. As a result, applications that rely on the delegation did not work properly. This update utilizes a new constructor argument in the xmlrpc-c client API to set the new CURLOPT_GSSAPI_DELEGATION curl option. This option enables credential delegation. (BZ#723667)
-
A previous change to the Referer server required that a caller to the IPA server API include the Referer header in its request. Previously, requests from the certmonger and ipa administrative tools did not provide the header, and the tool requests could fail with the error "Missing or invalid HTTP Referer". However, the requests are transferred using curl and curl does not allow setting of arbitrary headers. To resolve this problem, the code has been changed so that the curl version is stored in the HTTP request field X-Original-User-Agent and the rest of the header is overridden. As a result, the correct header is used for the requests and the problem no longer occurs. (BZ#752226)
-
If the user ran the ipa-client-install command with the password defined (for example, "ipa-client-install --principal=admin --password=SecretPsswd"), the /var/log/ipaclient-install.log file contained the password in plain text. With this update, the underlying code is modified and the provided password is no longer saved in the logs in this scenario. (BZ#739068)
-
Previously, KDC (Key Distribution Center) autodiscovery failed if the domain name differed from the Kerberos realm name. This happened because the ipa-client-install utility always assumed that the realm name was identical to the domain name. Now the realm is used when performing autodiscovery and the problem no longer occurs. (BZ#710143)
-
The cyrus-sasl-gssapi package is a soft dependency needed by some IPA client tools. Previously, the ipa-client package spec file did not contain the cyrus-sasl-gssapi dependency for some architectures. As a result, installation on some platforms could fail. This update adds the missing dependency to the spec file and the installation process finishes successfully. (BZ#750338)
-
The cyrus-sasl-gssapi package is a soft dependency needed by some IPA client tools. Previously, when installing 32-bit packages on a 64-bit system, the macro determining the required architecture version of the cyrus-sasl-gssapi package did not work correctly. As a result, an incorrect version of cyrus-sasl-gssapi was installed and the system failed to work; for example, the ipa-getkeytab command failed with the following error because the 32-bit GSSAPI SASL mechanism was not available:
SASL Bind failed.
This update corrects the macro and the problem no longer occurs. (BZ#723620)
All ipa-client users are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.
Solution
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.https://access.redhat.com/kb/docs/DOC-11259
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Power, big endian | 5 | ppc |
| Red Hat Enterprise Linux for IBM z Systems | 5 | s390x |
| Red Hat Enterprise Linux Workstation | 5 | x86_64 |
| Red Hat Enterprise Linux Workstation | 5 | i386 |
| Red Hat Enterprise Linux Server | 5 | x86_64 |
| Red Hat Enterprise Linux Server | 5 | ia64 |
| Red Hat Enterprise Linux Server | 5 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 5 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 5 | i386 |
| Red Hat Enterprise Linux Desktop | 5 | x86_64 |
| Red Hat Enterprise Linux Desktop | 5 | i386 |
Updated Packages
- ipa-client-2.1.3-1.el5.x86_64.rpm
- ipa-client-2.1.3-1.el5.src.rpm
- ipa-client-2.1.3-1.el5.i386.rpm
- ipa-client-2.1.3-1.el5.ppc.rpm
- ipa-client-2.1.3-1.el5.s390x.rpm
- ipa-client-2.1.3-1.el5.ia64.rpm
Fixes
- This content is not included.BZ - 723620
- This content is not included.BZ - 739068
- This content is not included.BZ - 752226
- This content is not included.BZ - 753936
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.