On Thu, 29 Feb 2024, Grant Janssen via FreeIPA-users wrote:
It appears I have resolved my certificate expiration issue (https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/KFQXY6V4UKYOWCGD4YCZTCSGFWVL3QK7/).
But I have another issue.

grant@ef-idm01:~[20240229-10:11][#772]$ klist
Ticket cache: KCM:555
Default principal: grant@PRODUCTION.EFILM.COM
Does this user have UID 555?
Can you look at your KDC's krb5kdc.log and see if there is an issue with HANDLE_AUTHDATA or PAC or S4U operations at the time you run 'ipa user-find' or similar commands?
Basically, I think you have users with UID/GIDs outside of your ID ranges and therefore those users have no SIDs associated with them and hence cannot be used for constrained delegation (S4U extensions in Kerberos) anymore. In addition, most likely your existing ID ranges have no support for generating SIDs as they most likely lack RID bases.
There were plenty of discussions about it on the list in the past few months. You can look at these articles on Red Hat's Customer Portal:
https://access.redhat.com/articles/7027037
https://access.redhat.com/solutions/7052703
https://access.redhat.com/solutions/7014959
Valid starting       Expires              Service principal
02/29/2024 10:11:56  03/01/2024 09:42:34  krbtgt/PRODUCTION.EFILM.COM@PRODUCTION.EFILM.COM

grant@ef-idm01:~[20240229-10:12][#773]$ ipa user-find roland
ipa: ERROR: No valid Negotiate header in server response

grant@ef-idm01:~[20240229-10:12][#774]$ ipa server-find
ipa: ERROR: No valid Negotiate header in server response

grant@ef-idm01:~[20240229-10:18][#775]$ sudo systemctl status gssproxy.service
[sudo] password for grant:
● gssproxy.service - GSSAPI Proxy Daemon
   Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2024-02-20 13:57:40 PST; 1 weeks 1 days ago
  Process: 2158008 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS)
 Main PID: 2158009 (gssproxy)
    Tasks: 6 (limit: 74714)
   Memory: 10.5M
   CGroup: /system.slice/gssproxy.service
           └─2158009 /usr/sbin/gssproxy -D

Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: gssproxy.service: Succeeded.
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Stopped GSSAPI Proxy Daemon.
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Starting GSSAPI Proxy Daemon...
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Started GSSAPI Proxy Daemon.
grant@ef-idm01:~[20240229-10:18][#776]$
I searched online for some references, and it was suggested I generate /var/lib/ipa/gssproxy/http.keytab. The keytab file appears OKAY to me though.
I would like to get this issue behind me thanx
- grant
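The diagnosis in the reply above (a UID outside every ID range, or inside a local range that has no RID base, leaves the user without a SID and therefore unusable for S4U) can be checked mechanically. The script below is an added example written for this thread; it is not code from FreeIPA or from either poster. The ranges and users it contains are constructed sample data; in a real audit you would fill them from `ipa idrange-find` and `id <user>` (or `ipa user-find --all`). The RID formula in `rid_for` (RID base plus the offset of the ID within its range) is stated as an assumption about how IPA's sidgen derives RIDs for local ranges.

```python
"""Audit POSIX IDs against FreeIPA ID ranges for SID eligibility.

Added example for this thread, not FreeIPA code. A SID for an IPA user is
derived from the ID range that contains the user's UID/GID: an ID outside
every range gets no SID, and a local range without a RID base cannot
produce one either. Sample data below is constructed, not from the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int             # first POSIX ID of the range
    size: int                # number of IDs in the range
    base_rid: Optional[int]  # first RID of the primary RID range; None if unset
    range_type: str          # "ipa-local" or "ipa-ad-trust"

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size

    def can_issue_sid(self) -> bool:
        # Trust ranges map SIDs that already exist in AD; a local range
        # needs a RID base before a SID can be computed for it.
        if self.range_type == "ipa-ad-trust":
            return True
        return self.base_rid is not None


def classify(posix_id: int, ranges: List[IdRange]) -> str:
    """Return 'ok', 'no-rid-base' or 'outside-ranges' for one POSIX ID."""
    for rng in ranges:
        if rng.contains(posix_id):
            return "ok" if rng.can_issue_sid() else "no-rid-base"
    return "outside-ranges"


def rid_for(posix_id: int, rng: IdRange) -> Optional[int]:
    """RID a local range would assign: RID base plus the ID's offset into
    the range. Assumption: this mirrors how IPA's sidgen derives RIDs."""
    if not rng.contains(posix_id) or rng.base_rid is None:
        return None
    return rng.base_rid + (posix_id - rng.base_id)


def audit_users(users: List[Tuple[str, int]],
                ranges: List[IdRange]) -> Dict[str, str]:
    """Map each (name, uid) to its verdict; only 'ok' users can take part
    in S4U (constrained delegation) flows that require a PAC."""
    return {name: classify(uid, ranges) for name, uid in users}


# Constructed sample data (not from the thread).
SAMPLE_RANGES = [
    IdRange("EXAMPLE.TEST_id_range", 1934000000, 200000, 1000, "ipa-local"),
    IdRange("legacy_migrated_range", 1000, 200000, None, "ipa-local"),
]
SAMPLE_USERS = [("alice", 1934000001), ("bob", 1500), ("grant", 555)]

if __name__ == "__main__":
    for user, verdict in audit_users(SAMPLE_USERS, SAMPLE_RANGES).items():
        print(f"{user:8s} {verdict}")
```

Running it prints `alice ok`, `bob no-rid-base` and `grant outside-ranges`: the first user sits in a range that can mint a SID, the second is inside a range that lacks a RID base (the second problem the reply names), and the third has a UID covered by no range at all, which is the case the reply suspects for UID 555.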