rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import ipa-4.10.0-8.el9_1

Browse Source
This commit is contained in:
CentOS Sources 2023-01-23 09:34:18 -05:00 committed by Stepan Oksanichenko
parent 5a872dd20c
commit d43259bde1
3 changed files with 611 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

475
SOURCES/0016-Defer-creating-the-final-krb5.conf-on-clients.patch Normal file
View File

@ -0,0 +1,475 @@
From 3cbf2b25422100cc4105dfb09ee8c7bf87232198 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 22 Aug 2022 10:57:14 -0400
Subject: [PATCH] Defer creating the final krb5.conf on clients
A temporary krb5.conf is created early during client enrollment
and was previously used only during the initial ipa-join call.
The final krb5.conf was written soon afterward.
If there are multiple servers it is possible that the client
may then choose a different KDC to connect. If the client
is faster than replication then the client may not exist
on all servers and therefore enrollment will fail.
This was seen in performance testing of how many simultaneous
client enrollments are possible.
Use a decorator to wrap the _install() method to ensure the
temporary files created during installation are cleaned up.
https://pagure.io/freeipa/issue/9228
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaclient/install/client.py | 377 +++++++++++++++++++-----------------
1 file changed, 196 insertions(+), 181 deletions(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 920c517d4f2b5414d8d2af63d029949cb4f02dc6..93bc7400805dafffcb3909771f0458e5b7e4a764 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -101,6 +101,37 @@ cli_basedn = None
# end of global variables
+def cleanup(func):
+ def inner(options, tdict):
+ # Add some additional options which contain the temporary files
+ # needed during installation.
+ fd, krb_name = tempfile.mkstemp()
+ os.close(fd)
+ ccache_dir = tempfile.mkdtemp(prefix='krbcc')
+
+ tdict['krb_name'] = krb_name
+ tdict['ccache_dir'] = ccache_dir
+
+ func(options, tdict)
+
+ os.environ.pop('KRB5_CONFIG', None)
+
+ try:
+ os.remove(krb_name)
+ except OSError:
+ logger.error("Could not remove %s", krb_name)
+ try:
+ os.rmdir(ccache_dir)
+ except OSError:
+ pass
+ try:
+ os.remove(krb_name + ".ipabkp")
+ except OSError:
+ logger.error("Could not remove %s.ipabkp", krb_name)
+
+ return inner
+
+
def remove_file(filename):
"""
Deletes a file. If the file does not exist (OSError 2) does nothing.
@@ -2652,7 +2683,7 @@ def restore_time_sync(statestore, fstore):
def install(options):
try:
- _install(options)
+ _install(options, dict())
except ScriptError as e:
if e.rval == CLIENT_INSTALL_ERROR:
if options.force:
@@ -2679,7 +2710,8 @@ def install(options):
pass
-def _install(options):
+@cleanup
+def _install(options, tdict):
env = {'PATH': SECURE_PATH}
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
@@ -2687,6 +2719,9 @@ def _install(options):
statestore.backup_state('installation', 'complete', False)
+ krb_name = tdict['krb_name']
+ ccache_dir = tdict['ccache_dir']
+
if not options.on_master:
# Try removing old principals from the keytab
purge_host_keytab(cli_realm)
@@ -2719,182 +2754,162 @@ def _install(options):
host_principal = 'host/%s@%s' % (hostname, cli_realm)
if not options.on_master:
nolog = tuple()
- # First test out the kerberos configuration
- fd, krb_name = tempfile.mkstemp()
- os.close(fd)
- ccache_dir = tempfile.mkdtemp(prefix='krbcc')
- try:
- configure_krb5_conf(
- cli_realm=cli_realm,
- cli_domain=cli_domain,
- cli_server=cli_server,
- cli_kdc=cli_kdc,
- dnsok=False,
- filename=krb_name,
- client_domain=client_domain,
- client_hostname=hostname,
- configure_sssd=options.sssd,
- force=options.force)
- env['KRB5_CONFIG'] = krb_name
- ccache_name = os.path.join(ccache_dir, 'ccache')
- join_args = [
- paths.SBIN_IPA_JOIN,
- "-s", cli_server[0],
- "-b", str(realm_to_suffix(cli_realm)),
- "-h", hostname,
- "-k", paths.KRB5_KEYTAB
- ]
- if options.debug:
- join_args.append("-d")
- env['XMLRPC_TRACE_CURL'] = 'yes'
- if options.force_join:
- join_args.append("-f")
- if options.principal is not None:
- stdin = None
- principal = options.principal
- if principal.find('@') == -1:
- principal = '%s@%s' % (principal, cli_realm)
- if options.password is not None:
- stdin = options.password
+ configure_krb5_conf(
+ cli_realm=cli_realm,
+ cli_domain=cli_domain,
+ cli_server=cli_server,
+ cli_kdc=cli_kdc,
+ dnsok=False,
+ filename=krb_name,
+ client_domain=client_domain,
+ client_hostname=hostname,
+ configure_sssd=options.sssd,
+ force=options.force)
+ env['KRB5_CONFIG'] = krb_name
+ ccache_name = os.path.join(ccache_dir, 'ccache')
+ join_args = [
+ paths.SBIN_IPA_JOIN,
+ "-s", cli_server[0],
+ "-b", str(realm_to_suffix(cli_realm)),
+ "-h", hostname,
+ "-k", paths.KRB5_KEYTAB
+ ]
+ if options.debug:
+ join_args.append("-d")
+ env['XMLRPC_TRACE_CURL'] = 'yes'
+ if options.force_join:
+ join_args.append("-f")
+ if options.principal is not None:
+ stdin = None
+ principal = options.principal
+ if principal.find('@') == -1:
+ principal = '%s@%s' % (principal, cli_realm)
+ if options.password is not None:
+ stdin = options.password
+ else:
+ if not options.unattended:
+ try:
+ stdin = getpass.getpass(
+ "Password for %s: " % principal)
+ except EOFError:
+ stdin = None
+ if not stdin:
+ raise ScriptError(
+ "Password must be provided for {}.".format(
+ principal),
+ rval=CLIENT_INSTALL_ERROR)
else:
- if not options.unattended:
- try:
- stdin = getpass.getpass(
- "Password for %s: " % principal)
- except EOFError:
- stdin = None
- if not stdin:
- raise ScriptError(
- "Password must be provided for {}.".format(
- principal),
- rval=CLIENT_INSTALL_ERROR)
+ if sys.stdin.isatty():
+ logger.error(
+ "Password must be provided in "
+ "non-interactive mode.")
+ logger.info(
+ "This can be done via "
+ "echo password | ipa-client-install ... "
+ "or with the -w option.")
+ raise ScriptError(rval=CLIENT_INSTALL_ERROR)
else:
- if sys.stdin.isatty():
- logger.error(
- "Password must be provided in "
- "non-interactive mode.")
- logger.info(
- "This can be done via "
- "echo password | ipa-client-install ... "
- "or with the -w option.")
- raise ScriptError(rval=CLIENT_INSTALL_ERROR)
- else:
- stdin = sys.stdin.readline()
+ stdin = sys.stdin.readline()
+ try:
+ kinit_password(principal, stdin, ccache_name,
+ config=krb_name)
+ except RuntimeError as e:
+ print_port_conf_info()
+ raise ScriptError(
+ "Kerberos authentication failed: {}".format(e),
+ rval=CLIENT_INSTALL_ERROR)
+ elif options.keytab:
+ join_args.append("-f")
+ if os.path.exists(options.keytab):
try:
- kinit_password(principal, stdin, ccache_name,
- config=krb_name)
- except RuntimeError as e:
+ kinit_keytab(host_principal,
+ options.keytab,
+ ccache_name,
+ config=krb_name,
+ attempts=options.kinit_attempts)
+ except gssapi.exceptions.GSSError as e:
print_port_conf_info()
raise ScriptError(
"Kerberos authentication failed: {}".format(e),
rval=CLIENT_INSTALL_ERROR)
- elif options.keytab:
- join_args.append("-f")
- if os.path.exists(options.keytab):
- try:
- kinit_keytab(host_principal,
- options.keytab,
- ccache_name,
- config=krb_name,
- attempts=options.kinit_attempts)
- except gssapi.exceptions.GSSError as e:
- print_port_conf_info()
- raise ScriptError(
- "Kerberos authentication failed: {}".format(e),
- rval=CLIENT_INSTALL_ERROR)
- else:
- raise ScriptError(
- "Keytab file could not be found: {}".format(
- options.keytab),
- rval=CLIENT_INSTALL_ERROR)
- elif options.password:
- nolog = (options.password,)
- join_args.append("-w")
- join_args.append(options.password)
- elif options.prompt_password:
- if options.unattended:
- raise ScriptError(
- "Password must be provided in non-interactive mode",
- rval=CLIENT_INSTALL_ERROR)
- try:
- password = getpass.getpass("Password: ")
- except EOFError:
- password = None
- if not password:
- raise ScriptError(
- "Password must be provided.",
- rval=CLIENT_INSTALL_ERROR)
- join_args.append("-w")
- join_args.append(password)
- nolog = (password,)
-
- env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = ccache_name
- # Get the CA certificate
+ else:
+ raise ScriptError(
+ "Keytab file could not be found: {}".format(
+ options.keytab),
+ rval=CLIENT_INSTALL_ERROR)
+ elif options.password:
+ nolog = (options.password,)
+ join_args.append("-w")
+ join_args.append(options.password)
+ elif options.prompt_password:
+ if options.unattended:
+ raise ScriptError(
+ "Password must be provided in non-interactive mode",
+ rval=CLIENT_INSTALL_ERROR)
try:
- os.environ['KRB5_CONFIG'] = env['KRB5_CONFIG']
- get_ca_certs(fstore, options, cli_server[0], cli_basedn,
- cli_realm)
- del os.environ['KRB5_CONFIG']
- except errors.FileError as e:
- logger.error('%s', e)
- raise ScriptError(rval=CLIENT_INSTALL_ERROR)
- except Exception as e:
- logger.error("Cannot obtain CA certificate\n%s", e)
- raise ScriptError(rval=CLIENT_INSTALL_ERROR)
-
- # Now join the domain
- result = run(
- join_args, raiseonerr=False, env=env, nolog=nolog,
- capture_error=True)
- stderr = result.error_output
+ password = getpass.getpass("Password: ")
+ except EOFError:
+ password = None
+ if not password:
+ raise ScriptError(
+ "Password must be provided.",
+ rval=CLIENT_INSTALL_ERROR)
+ join_args.append("-w")
+ join_args.append(password)
+ nolog = (password,)
- if result.returncode != 0:
- logger.error("Joining realm failed: %s", stderr)
- if not options.force:
- if result.returncode == 13:
- logger.info(
- "Use --force-join option to override the host "
- "entry on the server and force client enrollment.")
- raise ScriptError(rval=CLIENT_INSTALL_ERROR)
- logger.info(
- "Use ipa-getkeytab to obtain a host "
- "principal for this server.")
- else:
- logger.info("Enrolled in IPA realm %s", cli_realm)
+ env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = ccache_name
+ # Get the CA certificate
+ try:
+ os.environ['KRB5_CONFIG'] = env['KRB5_CONFIG']
+ get_ca_certs(fstore, options, cli_server[0], cli_basedn,
+ cli_realm)
+ except errors.FileError as e:
+ logger.error('%s', e)
+ raise ScriptError(rval=CLIENT_INSTALL_ERROR)
+ except Exception as e:
+ logger.error("Cannot obtain CA certificate\n%s", e)
+ raise ScriptError(rval=CLIENT_INSTALL_ERROR)
- if options.principal is not None:
- run([paths.KDESTROY], raiseonerr=False, env=env)
+ # Now join the domain
+ result = run(
+ join_args, raiseonerr=False, env=env, nolog=nolog,
+ capture_error=True)
+ stderr = result.error_output
- # Obtain the TGT. We do it with the temporary krb5.conf, so that
- # only the KDC we're installing under is contacted.
- # Other KDCs might not have replicated the principal yet.
- # Once we have the TGT, it's usable on any server.
- try:
- kinit_keytab(host_principal, paths.KRB5_KEYTAB, CCACHE_FILE,
- config=krb_name,
- attempts=options.kinit_attempts)
- env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE
- except gssapi.exceptions.GSSError as e:
- print_port_conf_info()
- logger.error("Failed to obtain host TGT: %s", e)
- # failure to get ticket makes it impossible to login and bind
- # from sssd to LDAP, abort installation and rollback changes
+ if result.returncode != 0:
+ logger.error("Joining realm failed: %s", stderr)
+ if not options.force:
+ if result.returncode == 13:
+ logger.info(
+ "Use --force-join option to override the host "
+ "entry on the server and force client enrollment.")
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
+ logger.info(
+ "Use ipa-getkeytab to obtain a host "
+ "principal for this server.")
+ else:
+ logger.info("Enrolled in IPA realm %s", cli_realm)
- finally:
- try:
- os.remove(krb_name)
- except OSError:
- logger.error("Could not remove %s", krb_name)
- try:
- os.rmdir(ccache_dir)
- except OSError:
- pass
- try:
- os.remove(krb_name + ".ipabkp")
- except OSError:
- logger.error("Could not remove %s.ipabkp", krb_name)
+ if options.principal is not None:
+ run([paths.KDESTROY], raiseonerr=False, env=env)
+
+ # Obtain the TGT. We do it with the temporary krb5.conf, so that
+ # only the KDC we're installing under is contacted.
+ # Other KDCs might not have replicated the principal yet.
+ # Once we have the TGT, it's usable on any server.
+ try:
+ kinit_keytab(host_principal, paths.KRB5_KEYTAB, CCACHE_FILE,
+ config=krb_name,
+ attempts=options.kinit_attempts)
+ env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE
+ except gssapi.exceptions.GSSError as e:
+ print_port_conf_info()
+ logger.error("Failed to obtain host TGT: %s", e)
+ # failure to get ticket makes it impossible to login and bind
+ # from sssd to LDAP, abort installation and rollback changes
+ raise ScriptError(rval=CLIENT_INSTALL_ERROR)
# Configure ipa.conf
if not options.on_master:
@@ -2931,23 +2946,6 @@ def _install(options):
except gssapi.exceptions.GSSError as e:
logger.error("Failed to obtain host TGT: %s", e)
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
- else:
- # Configure krb5.conf
- fstore.backup_file(paths.KRB5_CONF)
- configure_krb5_conf(
- cli_realm=cli_realm,
- cli_domain=cli_domain,
- cli_server=cli_server,
- cli_kdc=cli_kdc,
- dnsok=dnsok,
- filename=paths.KRB5_CONF,
- client_domain=client_domain,
- client_hostname=hostname,
- configure_sssd=options.sssd,
- force=options.force)
-
- logger.info(
- "Configured /etc/krb5.conf for IPA realm %s", cli_realm)
# Clear out any current session keyring information
try:
@@ -3274,6 +3272,23 @@ def _install(options):
configure_nisdomain(
options=options, domain=cli_domain, statestore=statestore)
+ # Configure the final krb5.conf
+ if not options.on_master:
+ fstore.backup_file(paths.KRB5_CONF)
+ configure_krb5_conf(
+ cli_realm=cli_realm,
+ cli_domain=cli_domain,
+ cli_server=cli_server,
+ cli_kdc=cli_kdc,
+ dnsok=dnsok,
+ filename=paths.KRB5_CONF,
+ client_domain=client_domain,
+ client_hostname=hostname,
+ configure_sssd=options.sssd,
+ force=options.force)
+
+ logger.info("Configured /etc/krb5.conf for IPA realm %s", cli_realm)
+
statestore.delete_state('installation', 'complete')
statestore.backup_state('installation', 'complete', True)
logger.info('Client configuration complete.')
--
2.38.1

129
SOURCES/0017-Vault-fix-interoperability-issues-with-older-RHEL-sy.patch Normal file
View File

@ -0,0 +1,129 @@
From ba962632cd008edd057f61e7e6fadbf464ff94f2 Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Tue, 4 Oct 2022 17:26:51 +0200
Subject: [PATCH] Vault: fix interoperability issues with older RHEL systems
AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.
This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
setting AES as default ended-up breaking backwards compatibility with older RHEL systems.
This commit is tuning some defaults so that interoperability with older RHEL systems
works again. The new logic reflects:
- when an old client is calling a new server, it doesn't send any value for wrapping_algo
and the old value is used (3DES), so that the client can decrypt using 3DES.
- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC
- when a new client is calling an old server, it doesn't send any value and the default is
to use 3DES.
Finally, as this logic is able to handle overlapping wrapping algorithm between server and
client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
vault-retrieve --help" commands.
Fixes: https://pagure.io/freeipa/issue/9259
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
API.txt | 4 ++--
VERSION.m4 | 4 ++--
ipaclient/plugins/vault.py | 7 ++++---
ipaserver/plugins/vault.py | 4 ++--
4 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/API.txt b/API.txt
index 814124f600111e46c117a0c925e33a27a19b38e0..062a6c756babea6b091c5aaec7d0eaa908b41911 100644
--- a/API.txt
+++ b/API.txt
@@ -6667,7 +6667,7 @@ option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Bytes('vault_data')
option: Str('version?')
-option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
@@ -6767,7 +6767,7 @@ option: Bytes('session_key')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Str('version?')
-option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
diff --git a/VERSION.m4 b/VERSION.m4
index 0f02d48979e4af3ad737e377545c4951d5dece02..d628c69a09a43b01aad4ac1bd3a6912bef27a7fe 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -86,8 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
# #
########################################################
define(IPA_API_VERSION_MAJOR, 2)
-# Last change: add Random Serial Numbers v3
-define(IPA_API_VERSION_MINOR, 249)
+# Last change: fix vault interoperability issues.
+define(IPA_API_VERSION_MINOR, 251)
########################################################
# Following values are auto-generated from values above
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 115171c7768d44251c17d0bcdac9c37b3a25db99..d4c84eb6bfb4cc119c599d494171b0a2417ce0ba 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -687,7 +687,7 @@ class ModVaultData(Local):
default_algo = config.get('wrapping_default_algorithm')
if default_algo is None:
# old server
- wrapping_algo = constants.VAULT_WRAPPING_AES128_CBC
+ wrapping_algo = constants.VAULT_WRAPPING_3DES
elif default_algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
# try to use server default
wrapping_algo = default_algo
@@ -801,7 +801,8 @@ class vault_archive(ModVaultData):
if option.name not in ('nonce',
'session_key',
'vault_data',
- 'version'):
+ 'version',
+ 'wrapping_algo'):
yield option
for option in super(vault_archive, self).get_options():
yield option
@@ -1053,7 +1054,7 @@ class vault_retrieve(ModVaultData):
def get_options(self):
for option in self.api.Command.vault_retrieve_internal.options():
- if option.name not in ('session_key', 'version'):
+ if option.name not in ('session_key', 'version', 'wrapping_algo'):
yield option
for option in super(vault_retrieve, self).get_options():
yield option
diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
index 4d40f66c6a793a831e91c5fe25c8b5277cbd1972..574c83a9aaa64b6a4774400ea7af25343b445c03 100644
--- a/ipaserver/plugins/vault.py
+++ b/ipaserver/plugins/vault.py
@@ -1051,7 +1051,7 @@ class vault_archive_internal(PKQuery):
'wrapping_algo?',
doc=_('Key wrapping algorithm'),
values=VAULT_WRAPPING_SUPPORTED_ALGOS,
- default=VAULT_WRAPPING_DEFAULT_ALGO,
+ default=VAULT_WRAPPING_3DES,
autofill=True,
),
)
@@ -1130,7 +1130,7 @@ class vault_retrieve_internal(PKQuery):
'wrapping_algo?',
doc=_('Key wrapping algorithm'),
values=VAULT_WRAPPING_SUPPORTED_ALGOS,
- default=VAULT_WRAPPING_DEFAULT_ALGO,
+ default=VAULT_WRAPPING_3DES,
autofill=True,
),
)
--
2.38.1

8
SPECS/freeipa.spec
View File

@ -198,7 +198,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 7%{?rc_version:.%rc_version}%{?dist}
Release: 8%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -233,6 +233,8 @@ Patch0012: 0012-doc-Update-LDAP-grace-period-design-with-default-val.patch
Patch0013: 0013-Set-default-gracelimit-on-group-password-policies-to.patch
Patch0014: 0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch
Patch0015: 0015-fix-canonicalization-issue-in-Web-UI.patch
Patch0016: 0016-Defer-creating-the-final-krb5.conf-on-clients.patch
Patch0017: 0017-Vault-fix-interoperability-issues-with-older-RHEL-sy.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -1741,6 +1743,10 @@ fi
%endif
%changelog
* Fri Dec 2 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.0-8
- Resolves: rhbz#2149274 vault interoperability with older RHEL systems is broken [rhel-9.1.0.z]
- Resolves: rhbz#2150270 ipa-client-install does not maintain server affinity during installation [rhel-9.1.0.z]
* Tue Oct 25 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.10.0-7
- Resolves: rhbz#2124547 Attempt to log in as "root" user with admin's password in Web UI does not properly fail
- Resolves: rhbz#2137555 Attempt to log in as "root" user with admin's password in Web UI does not properly fail [rhel-9.1.0.z]