On Thu, 11 Jan 2024, Rasto Rickardt via FreeIPA-users wrote:
>Hello,
>I have a setup of 5 IPA servers on RHEL8. This morning I upgraded with
>dnf upgrade IPA components to 4.9.12-11, for example:
>ipa-server-4.9.12-11.module+el8.9.0+20824+f2605038.x86_64
>ipa-server-common-4.9.12-11.module+el8.9.0+20824+f2605038.noarch
>After the upgrade finished without errors, I was not able to log in to the UI
>with the correct password; the message was "Your session has expired. Please
>log in again."
>dirsrv replication looks OK.
>I checked the logs; every time I try to log in, /var/log/httpd/error_log contains:
>[Thu Jan 11 17:30:03.490345 2024] [wsgi:error] [pid 3299146:tid 139867429353216] [remote 185.103.146.26:46292] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
>I can do kinit without any error. But when I try to use ipa
>user-show, it is not working.
The error below tells us that a user ticket did not have a PAC associated:
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com(a)id.example.com for ldap/ipa7.id.example.com(a)id.example.com, KDC policy rejects request
Can you also share your client and server's Kerberos configs and which rpms are used?
It looks like either the SID is missing in the user account and the KDC is
forced to ignore that (disable_pac = true in the realm configuration in
kdc.conf), or some flags are set on IPA services to force ignoring PAC
checks. PAC presence is required for constrained delegation
operations and we now enforce it for krb5 1.18 as well.
>
>ipaupgrade.log attached, rest inline.
>
>If you have any idea how to fix this, I would be grateful.
>
>Thank you,
>
>Rasto
>
>ipa -d user-show
>ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>ipa: DEBUG: found session_cookie in persistent storage for principal 'rrickardt@redacted', cookie: 'ipa_session=MagBearerToken=VsNzXWPFKUTUmXpNpoXBnYn%2f7kaXq3b77Vb1HDzWdZ8u1c3ZAAReJFNMYwMeRLYSv4pggL%2bb3O1YH9lpJuXswOV%2fK%2fs%2bF96bBeIykbO2%2bnklplxnRxGyjo4edYLEo4QvfYIr9P2xGoxPEsCjrDj6m%2bro3UZtiFKGIgrI9KJKfZAhLrk46ooeAZ0HF7IAR5DgI07EdHeXdoP%2bA1T70CoXYA%3d%3d'
>ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=VsNzXWPFKUTUmXpNpoXBnYn%2f7kaXq3b77Vb1HDzWdZ8u1c3ZAAReJFNMYwMeRLYSv4pggL%2bb3O1YH9lpJuXswOV%2fK%2fs%2bF96bBeIykbO2%2bnklplxnRxGyjo4edYLEo4QvfYIr9P2xGoxPEsCjrDj6m%2bro3UZtiFKGIgrI9KJKfZAhLrk46ooeAZ0HF7IAR5DgI07EdHeXdoP%2bA1T70CoXYA%3d%3d;'
>ipa: DEBUG: trying https://ipa2.id.example.com/ipa/session/json
>ipa: DEBUG: New HTTP connection (ipa2.id.example.com)
>ipa: DEBUG: HTTP connection destroyed (ipa2.id.example.com)
>Traceback (most recent call last):
>  File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 120, in get_package
>    plugins = api._remote_plugins
>AttributeError: 'API' object has no attribute '_remote_plugins'
>
>During handling of the above exception, another exception occurred:
>
>Traceback (most recent call last):
>  File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request
>    response.msg)
>xmlrpc.client.ProtocolError: <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
>ipa: DEBUG: trying https://ipa2.id.example.com/ipa/session/json
>ipa: DEBUG: New HTTP connection (ipa2.id.example.com)
>ipa: DEBUG: HTTP connection destroyed (ipa2.id.example.com)
>Traceback (most recent call last):
>  File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 120, in get_package
>    plugins = api._remote_plugins
>AttributeError: 'API' object has no attribute '_remote_plugins'
>
>During handling of the above exception, another exception occurred:
>
>Traceback (most recent call last):
>  File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request
>    response.msg)
>xmlrpc.client.ProtocolError: <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
>ipa: INFO: Connection to https://ipa2.id.example.com/ipa/session/json failed with <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
>
>krb5kdc.log
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: NEEDED_PREAUTH: rrickardt(a)id.example.com for krbtgt/id.example.com(a)id.example.com, Additional pre-authentication required
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, rrickardt(a)id.example.com for krbtgt/id.example.com(a)id.example.com
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, rrickardt(a)id.example.com for HTTP/ipa7.id.example.com(a)id.example.com
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): closing down fd 12
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com(a)id.example.com for ldap/ipa7.id.example.com(a)id.example.com, KDC policy rejects request
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com(a)id.example.com for ldap/ipa7.id.example.com(a)id.example.com, KDC policy rejects request
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
>
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
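As an added example (not from this thread or from the FreeIPA project), a small Python parser for krb5kdc.log lines of the shape quoted above: it flags S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC rejections and, because the rejected line only says s4u-client=<unknown>, correlates each with the earlier ISSUE of the evidence ticket (same authtime, same proxying service) to list which users' tickets lack a PAC after an upgrade. The sample log lines are constructed after the excerpt in the thread, with a real `@` instead of the archive's `(a)`.

```python
import re

# Constructed sample krb5kdc.log lines modelled on the excerpt in this thread
# (one entry per line, as the KDC writes them; the mail client wrapped the originals).
SAMPLE_KDC_LOG = """\
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, rrickardt@id.example.com for krbtgt/id.example.com@id.example.com
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, rrickardt@id.example.com for HTTP/ipa7.id.example.com@id.example.com
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com@id.example.com for ldap/ipa7.id.example.com@id.example.com, KDC policy rejects request
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
"""

# A KDC decision line: "<ts> <kdc> krb5kdc[pid](info): <REQ> (<etypes>) <src>: <STATUS>:
# authtime N, etypes {...} <client> for <server>[, <reason>]".  AS_REQ and TGS_REQ share it.
REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<src>\S+): (?P<status>[A-Z0-9_]+): "
    r"authtime (?P<authtime>\d+), etypes \{[^}]*\},? "
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<reason>.*))?$"
)


def parse_requests(log_text):
    """Parse every AS_REQ/TGS_REQ decision line; NEEDED_PREAUTH, '...' and fd lines are skipped."""
    return [m.groupdict() for m in map(REQ_RE.match, log_text.splitlines()) if m]


def find_pac_rejections(log_text):
    """One finding per S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC rejection.

    The rejected TGS_REQ names only the proxying service (its 'client', e.g. HTTP/...)
    and the target (ldap/...).  The evidence ticket is the service ticket a user earlier
    obtained for that proxying service with the same authtime, so the preceding ISSUE
    lines identify the affected users.
    """
    entries = parse_requests(log_text)
    findings = []
    for i, e in enumerate(entries):
        if e["status"] != "S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC":
            continue
        users = sorted({p["client"] for p in entries[:i]
                        if p["req"] == "TGS_REQ" and p["status"] == "ISSUE"
                        and p["server"] == e["client"] and p["authtime"] == e["authtime"]})
        findings.append({"kdc": e["kdc"], "proxy": e["client"], "target": e["server"],
                         "affected_users": users, "reason": e["reason"]})
    return findings


if __name__ == "__main__":
    for f in find_pac_rejections(SAMPLE_KDC_LOG):
        print(f"{f['kdc']}: {f['proxy']} -> {f['target']} rejected ({f['reason']}); "
              f"users whose ticket lacked a PAC: {', '.join(f['affected_users']) or 'unknown'}")
```

Run it against a real /var/log/krb5kdc.log after an upgrade to see which users (and which proxying services) are hit; an empty affected_users list means the evidence ticket was issued by another KDC or outside the captured window.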