Cannot add externally-signed IPA CA certificate
by Dmitry Perets
Hi,
I am trying to configure FreeIPA as a SubCA, and the "RootCA" is self-made with openssl. So I've signed the FreeIPA's request with my self-signed "root ca" certificate, but it looks like FreeIPA doesn't like it:
ipa-server-install --external-cert-file=/root/rootca/rootcacert.pem --external-cert-file=/root/rootca/certs/ipacert.pem
<...skipped...>
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR CA certificate CN=RootCA,OU=PRJ,O=COMPANY,L=Bonn,C=DE in /root/rootca/rootcacert.pem, /root/rootca/certs/ipacert.pem is not valid: not a CA certificate
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The subj above is my self-made root CA cert, so it looks like something is missing in it. But what...?
Here is it below, it has the "Basic Constraint" set with CA:TRUE... What else is required, so that FreeIPA accepts it as a root CA?
Should I add it somewhere first, before running the ipa-server-install?
[root@ipa ~]# openssl x509 -text -noout -in /root/rootca/rootcacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Validity
Not Before: Oct 24 11:43:13 2018 GMT
Not After : Oct 21 11:43:13 2028 GMT
Subject: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
<...skipped...>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Authority Key Identifier:
keyid:B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
<...skipped...>
Thanks!!
2 years, 9 months
FreeIPA Upgrade F31 -> F32: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
by Anthony Joseph Messina
After upgrading FreeIPA from F31 to F32, on startup I now see a lot of these errors from certmonger, ns-slapd, java, etc.
May 08 17:57:28 certmonger[38]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:30 ns-slapd[67]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:33 dogtag-ipa-renew-agent-submit[143]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:42 java[640]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
The server seems to come up without issue, but can you point me in the right direction to resolve these errors?
freeipa-server-4.8.6-1.fc32.x86_64
opendnssec-2.1.6-5.fc32.x86_64
opencryptoki-3.13.0-1.fc32.x86_64
I've installed a fresh F32 freeipa-server (on a test domain) and I don't see these errors.
Thanks. -A
--
Anthony - https://messinet.com
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
2 years, 10 months
Login failed due to an unknown reason.
by D R
Greetings,
After automatic KDC certificate renewal, I'm no longer able to access the
UI.
[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] Traceback (most recent call last):
[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File "/usr/share/ipa/wsgi.py", line 59, in application
[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return api.Backend.wsgi_dispatch(environ,
start_response)
[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in
__call__
[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return self.route(environ, start_response)
[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in
route
[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return app(environ, start_response)
[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in
__call__
[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] self.kinit(user_principal, password, ipa_ccache_name)
[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in
kinit
[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] pkinit_anchors=[paths.KDC_CERT,
paths.KDC_CA_BUNDLE_PEM],
[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in
kinit_armor
[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] run(args, env=env, raiseonerr=True, capture_error=True)
[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] raise CalledProcessError(p.returncode, arg_string,
str(output))
[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_6150 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
non-zero exit status 1
---
KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_19265 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/
ANONYMOUS(a)A-LABS.COM
[12904] 1609104974.342212: Sending unauthenticated request
[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
[12904] 1609104974.342214: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342216: Received answer (335 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342217: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342218: Response was from master KDC
[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional
pre-authentication required
[12904] 1609104974.342222: Preauthenticating using KDC method data
[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16),
PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE
(133)
[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342225: Received cookie: MIT
[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum
9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
[12904] 1609104974.342232: PKINIT client making DH request
[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned:
0/Success
[12904] 1609104974.342234: Produced preauth for next request: PA-FX-COOKIE
(133), PA-PK-AS-REQ (16)
[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
[12904] 1609104974.342236: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342238: Received answer (1603 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342239: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342240: Response was from master KDC
[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342244: PKINIT client verified DH reply
[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned:
-1765328308/KDC name mismatch
[12904] 1609104974.342246: Produced preauth for next request: (empty)
[12904] 1609104974.342247: Getting AS key, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
Password for WELLKNOWN/ANONYMOUS(a)A-LABS.COM:
[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
kinit: Password incorrect while getting initial credentials
--
openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=DOMAIN.COM, CN=ipa.domain.com
Validity
Not Before: Dec 27 07:38:54 2020 GMT
Not After : Dec 27 07:38:54 2021 GMT
Subject: O=DOMAIN.COM, CN=ipa.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:6e:b1:b1:2d:05:ab:f1:df:ce:01:43:d5:80:
4a:f6:72:38:3c:50:aa:c7:40:bf:bd:6c:60:5e:8d:
d0:f3:2b:6c:db:fc:8f:48:9f:91:d6:d3:d2:43:f2:
39:35:17:56:37:a8:6f:66:c3:ab:1f:13:8f:d9:48:
c3:be:b9:2b:83:77:78:08:fe:3b:f8:93:83:1c:bb:
d0:e8:eb:49:a5:c1:8c:7f:0c:b5:fa:e7:07:f1:0c:
97:9b:47:e9:a2:a3:ab:9b:c1:70:e3:1b:e9:f2:3d:
2f:96:53:6d:38:eb:57:19:7f:dd:ed:e8:3c:c8:f0:
7c:36:b1:72:03:f1:2f:86:8e:cd:67:fd:fd:85:73:
00:16:60:81:3c:ad:13:4d:19:c0:4d:e7:94:8d:34:
29:99:7a:45:70:db:81:5d:0e:2d:83:7a:9c:19:c7:
ef:0a:79:8d:84:af:74:a3:b9:90:c8:b1:8c:65:d0:
2d:e0:89:98:42:e0:cb:c8:b0:e3:b5:7c:9b:44:01:
a8:31:15:8d:19:79:c5:35:26:4d:3f:e6:83:64:7f:
15:da:50:c1:5e:9c:67:1b:27:e5:35:0c:a8:71:a9:
4e:ee:ef:92:b5:f9:10:f6:31:82:2c:94:04:05:c5:
89:c6:96:1d:48:11:e5:8d:05:92:56:93:99:55:66:
b0:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
To my understanding, something is wrong with the kdc certificate, it lacks
some attributes. I'm just not sure how to generate a proper cert.
2 years, 12 months
dirsrv hangs soon after reboot
by Kees Bakker
Hey,
I'm looking for advice how to analyse/debug this.
On one of the masters the dirsrv is unresponsive. It runs, but every
attempt to connect it hangs.
The command "systemctl status" does not show anything alarming
● dirsrv(a)EXAMPLE-COM.service - 389 Directory Server EXAMPLE-COM.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
Active: active (running) since vr 2020-04-17 13:46:25 CEST; 1h 33min ago
Process: 3123 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
Main PID: 3134 (ns-slapd)
Status: "slapd started: Ready to process requests"
CGroup: /system.slice/system-dirsrv.slice/dirsrv(a)EXAMPLE-COM.service
└─3134 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-EXAMPLE-COM -i /var/run/dirsrv/slapd-EXAMPLE-COM.pid
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 2
apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 2
However, an ldapsearch command hangs forever
[root@rotte ~]# ldapsearch -H ldaps://linge.example.com -D uid=keesbtest,cn=users,cn=accounts,dc=example,dc=com -W -LLL -o ldif-wrap=no -b cn=users,cn=accounts,dc=example,dc=com '(&(objectClass=person)(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))' uid
Enter LDAP Password:
Even if I use the socket (ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket) the ldapsearch
command hangs.
"ipactl status" hangs
"kinit" hangs
--
Kees Bakker
3 years
Something changed regarding enrollment permissions?
by Ronald Wimmer
Today we did not manage to enroll new hosts with our enrollment user.
The only thing we changed is that we added the Permission "System:
Remove hosts" to the "Host Enrollment" role. The error we get is:
Joining realm failed: Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: Insufficient access rights
Failed to get keytab!
Failed to get keytab
child exited with 9
When I try to add the same host with my admin user it works without any
problems.
Cheers,
Ronald
3 years, 3 months
Unable to install ipa client centos 7.5.1804 (Core)
by William Graboyes
Hello List,
I have been searching around for the day and have found an answer for
the error I am getting when I am trying to install the client on a brand
new install:
Version:
ipa-client-4.5.4-10.el7.centos.3.x86_64
ipa-client-common-4.5.4-10.el7.centos.3.noarch
The error is below (run as root, not via sudo):
ipa-client-install
Traceback (most recent call last):
File "/sbin/ipa-client-install", line 22, in <module>
from ipaclient.install import ipa_client_install
File
"/usr/lib/python2.7/site-packages/ipaclient/install/ipa_client_install.py",
line 5, in <module>
from ipaclient.install import client
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py",
line 34, in <module>
from ipalib import api, errors, x509
File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 45, in
<module>
from pyasn1_modules import rfc2315, rfc2459
File "/usr/lib/python2.7/site-packages/pyasn1_modules/rfc2315.py",
line 67, in <module>
class DigestedData(univ.Sequence):
File "/usr/lib/python2.7/site-packages/pyasn1_modules/rfc2315.py",
line 72, in DigestedData
namedtype.NamedType('digest', Digest)
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 115, in __init__
self.__ambiguousTypes = 'terminal' not in kwargs and
self.__computeAmbiguousTypes() or {}
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 232, in __computeAmbiguousTypes
ambigiousTypes[idx] = NamedTypes(*partialAmbigiousTypes,
**dict(terminal=True))
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 114, in __init__
self.__tagToPosMap = self.__computeTagToPosMap()
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 205, in __computeTagToPosMap
for _tagSet in tagMap.presentTypes:
AttributeError: 'property' object has no attribute 'presentTypes'
Any help would be greatly appreciated.
Thanks,
Bill G.
3 years, 3 months
FreeIPA certificate doesn't validate in iOS
by Jochen Kellner
Hello,
I'm running IPA on current Fedora 32, freeipa-server-4.8.9-2 and pki-server-10.9.0-0.4
Today the certificate of my IMAP server (running on Debian Buster) was
automatically refreshed:
,----
| Request ID '20181003215953':
| status: MONITORING
| stuck: no
| key pair storage: type=FILE,location='/etc/ssl/private/imap.jochen.org.key'
| certificate: type=FILE,location='/etc/ssl/certs/imap.jochen.org.crt'
| CA: IPA
| issuer: CN=Certificate Authority,O=JOCHEN.ORG
| subject: CN=imap.jochen.org,O=JOCHEN.ORG
| expires: 2022-09-07 09:30:16 CEST
| dns: imap.jochen.org
| principal name: imap/jupiter.jochen.org(a)JOCHEN.ORG
| key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
| eku: id-kp-serverAuth,id-kp-clientAuth
| pre-save command:
| post-save command: /root/refresh_cyrus_certificate.sh
| track: yes
| auto-renew: yes
`----
On an iPhone one of my users gets a message that the certificate is not valid.
Reason seems to be this: https://7402.org/blog/2019/new-self-signed-ssl-cert-ios-13.html
When I look at the certificate with openssl I see:
,----
| X509v3 extensions:
| X509v3 Authority Key Identifier:
| keyid:4F:F8:45:3D:E8:06:4B:8D:BB:9D:D2:D1:8B:00:43:A1:07:16:A1:17
|
| Authority Information Access:
| OCSP - URI:http://ipa-ca.jochen.org/ca/ocsp
|
| X509v3 Key Usage: critical
| Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
| X509v3 Extended Key Usage:
| TLS Web Server Authentication, TLS Web Client Authentication
`----
My current guess is that the "Key Usage: critical" is the reason for the iOS error.
I've looked for the certprofiles and found these files:
,----
| [root@freeipa3 /]# find . -name \*caIPAserviceCert\* -ls
| 8510694 8 -rw-rw---- 1 pkiuser pkiuser 6218 Mär 4 2020 ./var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg
| 9332162 4 -rw-r--r-- 1 root root 229 Aug 20 12:38 ./usr/lib/python3.8/site-packages/ipaclient/csrgen/profiles/caIPAserviceCert.json
| 26138015 8 -rw-r--r-- 1 root root 7014 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.UPGRADE.cfg
| 26138016 8 -rw-r--r-- 1 root root 7294 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.cfg
| 9323278 8 -rw-r--r-- 1 root root 6272 Jun 25 23:53 ./usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
`----
These files contain:
,----
| policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
| policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
| policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
| policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
| policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
| policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
`----
So I think this is where the critical comes from and the keyUsage defaults come from.
What I could use help with is the following:
1. I didn't find reports about the problem in pagure or the mailing
list. Am I really alone with this?
2. My FreeIPA has been installed years ago on Fedora, moved to CentOS
and this year back to Fedora by creating replicas. Has there been a
problem with upgrading the certprofiles?
3. How can I remove the options from the certificate request so that
certmonger gets a valid certificate?
Do I miss something else?
--
This space is intentionally left blank.
3 years, 3 months
Concurrent ssh to the same host fails after few successfully open sessions with Additional pre-authentication krb error.
by mir mal
Hi,
As in the title a very odd behaviour if I keep opening new ssh sessions using same IPA user after few successful ones I have ssh authentication failed error and in krb5 logs on freeipa server, I can see the following errors:
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.64: NEEDED_PREAUTH: c000000(a)STUXNET.LAB for krbtgt/STUXNET.LAB(a)STUXNET.LAB, Additional pre-authentication required
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): closing down fd 11
At the same time, I can use the same user and connect to other hosts or use kinit or freeipa web portal. It looks like after N successful attempts I'm hitting some kind of time or max concurrent connections limit, but I can't find any related settings. It's standard Fedora-based freeipa 4.8.10 and hosts to connect are ubuntu. If I wait a few minutes I'm allowed to open another connection but then again if I try to open few I hit the error. I've been checking KRB_TRACE for kinit and sshd DEBUG3 level logs but I can't find why would it happen the only error is the one above with pre-auth.
Thanks
3 years, 3 months
problem with AD user login
by Suchismita Panda
Hi,
We have a pair of FreeIPA servers (1 master and 1 replica)
Freeipa server version 4.6.8
Recently when we are trying to enroll any new freeipa client to the server,
the installation goes successful, but AD user login does not work. Even the
client fails to retrieve AD user information using id command. This works
fine on the FreeIPA server.
Freeipa local user login is working fine on the client.
There are other FreeIPA clients, where the AD user login is working fine.
We generally use Ansible to join FreeIPA. So the installation process is
also the same for all servers. Not sure why, recently it does not work. Any
advice would be really helpful.
Freeipa client version 4.8.6
In the logs mostly I am seeing below error -
[ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Thanks
Suchi
3 years, 4 months