FreeIPA on RPi3 Kerberos5超时

Question

我从帽子里拉了个魔术。

我把Kerberos 5使用FreeIPA放在一个Raspberry Pi 3B上。

这是一个便宜的盒子，只做一件事，开票。我将60秒超时修改为2000秒，并完成了安装。这是下一个问题，这一次我不太理解。

在Web上，它在一个选项卡“身份验证->证书”上失败。

[Tue May 19 22:02:02.578593 2020] [wsgi:error] [pid 1364:tid 2941485888] [remote IP.119:53807] ipa: INFO: [jsonserver_session] admin@ARONETICS.COM: user_find(None, version='2.236', no_members=True): SUCCESS</br>
[Tue May 19 22:02:05.062481 2020] [:warn] [pid 2099:tid 2494501696] [client IP.119:53807] failed to set perms (3140) on file (/run/ipa/ccaches/admin@ARONETICS.COM)!, referer: https://flash.aronetics.com/ipa/ui/  
[Tue May 19 22:02:06.382009 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807] ipa: ERROR: non-public: OverflowError: timestamp out of range for platform time_t  
[Tue May 19 22:02:06.382180 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807] Traceback (most recent call last):  
[Tue May 19 22:02:06.382248 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]   File "/usr/lib/python3.7/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute  
[Tue May 19 22:02:06.382269 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]     result = command(*args, **options)  
[Tue May 19 22:02:06.382288 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]   File "/usr/lib/python3.7/site-packages/ipalib/frontend.py", line 450, in __call  
[Tue May 19 22:02:06.382307 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]     return self.__do_call(*args, **options)  
[Tue May 19 22:02:06.382324 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]   File "/usr/lib/python3.7/site-packages/ipalib/frontend.py", line 478, in __do_call  
[Tue May 19 22:02:06.382343 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]     ret = self.run(*args, **options)  
[Tue May 19 22:02:06.382361 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]   File "/usr/lib/python3.7/site-packages/ipalib/frontend.py", line 800, in run  
[Tue May 19 22:02:06.382379 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]     return self.execute(*args, **options)  
[Tue May 19 22:02:06.382397 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]   File "/usr/lib/python3.7/site-packages/ipaserver/plugins/cert.py", line 1835, in execute  
[Tue May 19 22:02:06.382415 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]     **options)  
[Tue May 19 22:02:06.382433 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]   File "/usr/lib/python3.7/site-packages/ipaserver/plugins/cert.py", line 1701, in _ca_search  
[Tue May 19 22:02:06.382453 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]     convert_pkidatetime(obj['valid_not_after']))  
[Tue May 19 22:02:06.382471 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]   File "/usr/lib/python3.7/site-packages/ipaserver/plugins/cert.py", line 257, in convert_pkidatetime  
[Tue May 19 22:02:06.382490 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807]     value = datetime.datetime.fromtimestamp(int(value) // 1000)  
[Tue May 19 22:02:06.382508 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807] OverflowError: timestamp out of range for platform time_t  
[Tue May 19 22:02:06.383531 2020] [wsgi:error] [pid 1363:tid 2941485888] [remote IP.119:53807] ipa: INFO: [jsonserver_session] admin@ARONETICS.COM: cert_find(None, version='2.236'): InternalError  

[root@flash ~]# ipactl status  
Directory Service: RUNNING  
krb5kdc Service: RUNNING  
kadmin Service: RUNNING  
httpd Service: RUNNING  
ipa-custodia Service: RUNNING  
pki-tomcatd Service: RUNNING  
ipa-otpd Service: RUNNING  
ipa: INFO: The ipactl command was successful  

我必须修改sytemd环境，这有点危险(imho?!)或者延长这个超时时间。

Answer 1

您的CA证书有效期为2038年，也就是说，在UNIX中，时间戳超过32位边界。因此，在32位平台上处理Python的datetime模块中的时间的尝试失败了。

请在https://pagure.io/freeipa/new_问题开一张带有这张书签的票。代码需要采用一些方法来避免使用抛出OverflowError的# throws时间戳()方法。