
I pulled a magic trick from a hat.
I put Kerberos 5 using FreeIPA on a Raspberry Pi 3 B.

It's an inexpensive box that does one thing only, issuing tickets. I modified the 60 second timeout to 2000 seconds, and it completed the install. Here is the next issue that I am not understanding all that well this time around.

On the Web UI, it fails on one tab, Authentication -> Certificates.

[Tue May 19 22:02:02.578593 2020] [wsgi:error] [pid 1364:tid 2941485888] [remote IP.119:53807] ipa: INFO: [jsonserver_session] admin@ARONETICS.COM: user_find(None, version='2.236', no_members=True): SUCCESS  
[Tue May 19 22:02:05.062481 2020] [:warn] [pid 2099:tid 2494501696] [client IP.119:53807] failed to set perms (3140) on file (/run/ipa/ccaches/admin@ARONETICS.COM)!, referer: https://flash.aronetics.com/ipa/ui/  
[Tue May 19 22:02:06.382009 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807] ipa: ERROR: non-public: OverflowError: timestamp out of range for platform time_t  
[Tue May 19 22:02:06.382180 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807] Traceback (most recent call last):  
[Tue May 19 22:02:06.382248 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]   File "/usr/lib/python3.7/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute  
[Tue May 19 22:02:06.382269 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]     result = command(*args, **options)  
[Tue May 19 22:02:06.382288 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]   File "/usr/lib/python3.7/site-packages/ipalib/frontend.py", line 450, in __call  
[Tue May 19 22:02:06.382307 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]     return self.__do_call(*args, **options)  
[Tue May 19 22:02:06.382324 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]   File "/usr/lib/python3.7/site-packages/ipalib/frontend.py", line 478, in __do_call  
[Tue May 19 22:02:06.382343 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]     ret = self.run(*args, **options)  
[Tue May 19 22:02:06.382361 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]   File "/usr/lib/python3.7/site-packages/ipalib/frontend.py", line 800, in run  
[Tue May 19 22:02:06.382379 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]     return self.execute(*args, **options)  
[Tue May 19 22:02:06.382397 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]   File "/usr/lib/python3.7/site-packages/ipaserver/plugins/cert.py", line 1835, in execute  
[Tue May 19 22:02:06.382415 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]     **options)  
[Tue May 19 22:02:06.382433 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]   File "/usr/lib/python3.7/site-packages/ipaserver/plugins/cert.py", line 1701, in _ca_search  
[Tue May 19 22:02:06.382453 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]     convert_pkidatetime(obj['valid_not_after']))  
[Tue May 19 22:02:06.382471 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]   File "/usr/lib/python3.7/site-packages/ipaserver/plugins/cert.py", line 257, in convert_pkidatetime  
[Tue May 19 22:02:06.382490 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]     value = datetime.datetime.fromtimestamp(int(value) // 1000)  
[Tue May 19 22:02:06.382508 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807] OverflowError: timestamp out of range for platform time_t  
[Tue May 19 22:02:06.383531 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807] ipa: INFO: [jsonserver_session] admin@ARONETICS.COM: cert_find(None, version='2.236'): InternalError  
[root@flash ~]# ipactl status  
Directory Service: RUNNING  
krb5kdc Service: RUNNING  
kadmin Service: RUNNING  
httpd Service: RUNNING  
ipa-custodia Service: RUNNING  
pki-tomcatd Service: RUNNING  
ipa-otpd Service: RUNNING  
ipa: INFO: The ipactl command was successful  

I have to modify either the systemd environment, which is a bit dangerous (imho?!), or extend this timeout.

cubick
  • 139
  • 7

1 Answer

Your CA certificate validity time is past the year 2038, which, as a UNIX timestamp, is beyond the 32-bit boundary. Thus, an attempt to handle such a time in Python's datetime module on a 32-bit platform fails.

Please open a ticket at https://pagure.io/freeipa/new_issue with this stacktrace. The code needs a bit of adaptation to avoid using the #fromtimestamp() method, which throws OverflowError.

abbra
  • 1,025
  • 5
  • 8
  • Is it even possible to handle dates past 2038 on 32-bit Python?! – Michael Hampton Jun 19 '20 at 20:23
  • It depends on where you want to use that information. It is certainly possible to imitate it with 64-bit values. See also an equivalence note at https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp, we can certainly parse the timestamp differently. – abbra Jun 20 '20 at 04:28
  • I created https://pagure.io/freeipa/issue/8378 for this issue. – abbra Jun 22 '20 at 08:19
  • What is the solution? – JohnnyShivers Jul 01 '20 at 03:19
  • The fix is in upstream already. We'll do a release next week, so Fedora repositories will be updated soon. – abbra Jul 02 '20 at 05:14
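
The equivalence mentioned in the comments above, as an added example (not FreeIPA's code and not the upstream fix): the millisecond value is converted with pure `datetime` arithmetic from the epoch, so no platform `time_t` is involved. The function names and the sample records are constructed for illustration, and the result is an aware UTC datetime rather than the local time `fromtimestamp()` returns.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TIME_T32_MAX = 2**31 - 1  # last second a signed 32-bit time_t can hold

def convert_pkidatetime_safe(value):
    """Millisecond epoch string -> aware UTC datetime, without platform time_t."""
    # The traceback divides the raw value by 1000, so it is in milliseconds.
    return EPOCH + timedelta(seconds=int(value) // 1000)

def overflows_time_t32(value):
    """True when the value cannot be stored in a signed 32-bit time_t."""
    return int(value) // 1000 > TIME_T32_MAX

def certs_past_2038(records):
    """Serial numbers of certificates whose notAfter exceeds 32-bit time_t."""
    return [r["serial_number"] for r in records
            if overflows_time_t32(r["valid_not_after"])]

# Constructed sample records; key names follow obj['valid_not_after'] in the
# traceback, "serial_number" is an assumed key for illustration.
SAMPLE = [
    {"serial_number": 1, "valid_not_after": "2208988800000"},  # 2040-01-01T00:00:00Z
    {"serial_number": 2, "valid_not_after": "1600000000000"},  # 2020-09-13T12:26:40Z
    {"serial_number": 3, "valid_not_after": "2147483647000"},  # 2038-01-19T03:14:07Z
]

if __name__ == "__main__":
    for rec in SAMPLE:
        when = convert_pkidatetime_safe(rec["valid_not_after"])
        flag = "past 32-bit limit" if overflows_time_t32(rec["valid_not_after"]) else "ok"
        print(rec["serial_number"], when.isoformat(), flag)
```

Running `certs_past_2038` over the certificates a CA has issued shows which ones will trigger the `OverflowError` on a 32-bit host such as the Raspberry Pi in the question.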