Web UI login/certificate issues, IPA 4.5.4
by dbischof@hrz.uni-kassel.de
Hi,
my IPA system consists of 2 masters with their own self-signed CAs, one of
them being the certificate renewal master (ipa1). The system has been
running for years and has been migrated from an IPA 3 system.
For a while now, Web UI logins on ipa1 have not been working anymore ("Login failed
due to an unknown reason.").
Web UI logins on the other server (ipa2) work and everything else is
working fine, too, ipactl status reports all services running.
On login attempt:
--- httpd log
[...]
[:error] [pid 15551] [remote 141.51.X.X:0] mod_wsgi (pid=15551): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[...]
[:error] [pid 15551] [remote 141.51.X.X:0] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15551 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
---
--- krb5kdc.log
[...]
Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, Additional pre-authentication required
Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): closing down fd 11
Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, Failed to verify own certificate (depth 0): certificate has expired
Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): closing down fd 11
---
--- ipa-checkcerts.py
IPA version 4.5.4-10.el7.centos.3
Check CA status
Check tracking
Check NSS trust
Check dates
Checking certificates in CS.cfg
Comparing certificates to requests in LDAP
Checking RA certificate
Checking authorities
Checking host keytab
Validating certificates
Checking renewal master
End-to-end cert API test
Checking permissions and ownership
Failures:
Unable to find request for serial 268304391
Unable to find request for serial 268304394
Unable to find request for serial 268304393
Unable to find request for serial 268304392
Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57
---
--- ipa pkinit-status --all
-----------------
2 servers matched
-----------------
Server name: ipa2.example.com
PKINIT status: enabled
Server name: ipa1.example.com
PKINIT status: enabled
----------------------------
Number of entries returned 2
----------------------------
To my understanding, proper certificate exchange between my two servers
ceased working at some point. How do I track this down and fix it?
Mit freundlichen Gruessen/With best regards,
--Daniel.
5 years, 2 months
kinit: Password incorrect while getting initial credentials
by nandha kumar
Hi Team,
I am running Red Hat 7.5 with FreeIPA 4.5. I have established AD one-way sync using password.
I am able to ssh to the IPA client and IPA server with the Windows administrator account, but when I try to log in with a normal AD user I am
receiving the error "kinit: Password incorrect while getting initial credentials".
ipa --version
VERSION: 4.5.4, API_VERSION: 2.228
KRB5_TRACE=/dev/stdout kinit -V nandha.kumaravel(a)apxxx.xxx
[28904] 1546967107.58765: Resolving unique ccache of type KEYRING
Using new cache: persistent:0:krb_ccache_nLG0yqq
[28904] 1546967107.58777: Response was not from master KDC
[28904] 1546967107.58778: Received error from KDC: -1765328359/Additional pre-authentication required
[28904] 1546967107.58781: Processing preauth types: 16, 15, 19, 2
[28904] 1546967107.58782: Selected etype info: etype aes256-cts, salt "APRIM.XXX nandha.kumaravel", params ""
[28904] 1546967107.58783: PKINIT client has no configured identity; giving up
[28904] 1546967107.58784: PKINIT client has no configured identity; giving up
[28904] 1546967107.58785: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[28904] 1546967107.58786: PKINIT client has no configured identity; giving up
[28904] 1546967107.58787: Preauth module pkinit (14) (real) returned: 22/Invalid argument
Password for nandha.kumaravel(a)aprim.xxx:
[28904] 1546967125.768563: AS key obtained for encrypted timestamp: aes256-cts/675E
[28904] 1546967125.768565: Encrypted timestamp (for 1546967099.435765): plain 301AA011180F32303139303130383137303435395AA105020306A635, encrypted D03014021DFD2120B8EC876B6A6568CEC53DFFE6AB5003028B81A18173717C2C14259C5002A41900A974FF0E2F372EECB9E7F4836AE0DD43
[28904] 1546967125.768566: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[28904] 1546967125.768567: Produced preauth for next request: 2
[
[28904] 1546967125.768577: Response was not from master KDC
[28904] 1546967125.768578: Received error from KDC: -1765328360/Preauthentication failed
[28904] 1546967125.768580: Preauth tryagain input types: 16, 14, 19, 2
[28904] 1546967125.768581: Retrying AS request with master KDC
[28904] 1546967125.768582: Getting initial credentials for nandha.kumaravel(a)aprim.xxx
[28904] 1546967125.768584: Sending request (182 bytes) to aprim.xxx (master)
kinit: Password incorrect while getting initial credentials
5 years, 2 months
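The two failures above leave their evidence in different places: the first in krb5kdc.log on the server (the KDC cannot validate its own PKINIT certificate, which the Web UI's anonymous armor ccache depends on), the second in the client-side KRB5_TRACE output (PKINIT is skipped for lack of a client certificate, the encrypted timestamp is sent, and the KDC answers "Preauthentication failed"). The following is an added example, not code from either post or from FreeIPA, that reduces both kinds of output to the facts a defender needs; the sample lines are constructed copies of the posted ones with host names, addresses, principals and the salt replaced by placeholders.

```python
import re

# Constructed sample lines modelled on the two posts above: host names, addresses,
# principals and the salt are placeholders, and the archive's "(a)" is written as "@".
KDC_LOG = """\
Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.0.1: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): closing down fd 11
Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.0.1: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Failed to verify own certificate (depth 0): certificate has expired
"""

KRB5_TRACE = """\
[28904] 1546967107.58777: Response was not from master KDC
[28904] 1546967107.58778: Received error from KDC: -1765328359/Additional pre-authentication required
[28904] 1546967107.58781: Processing preauth types: 16, 15, 19, 2
[28904] 1546967107.58782: Selected etype info: etype aes256-cts, salt "EXAMPLE.COM jdoe", params ""
[28904] 1546967107.58783: PKINIT client has no configured identity; giving up
[28904] 1546967107.58785: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[28904] 1546967125.768566: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[28904] 1546967125.768578: Received error from KDC: -1765328360/Preauthentication failed
[28904] 1546967125.768581: Retrying AS request with master KDC
"""

AS_REQ_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): AS_REQ .*?\) (?P<client>\S+): "
    r"(?P<status>[A-Z_]+): (?P<princ>\S+) for (?P<service>\S+), (?P<msg>.*)$"
)
TRACE_RE = re.compile(r"^\[\d+\] [\d.]+: (?P<msg>.*)$")


def analyze_kdc_log(lines):
    """Classify AS_REQ outcomes in krb5kdc.log; NEEDED_PREAUTH is the normal first round trip."""
    findings = []
    for line in lines:
        m = AS_REQ_RE.search(line)
        if not m or m.group("status") == "NEEDED_PREAUTH":
            continue
        msg = m.group("msg")
        if "certificate" in msg:
            # The KDC failed to validate its own PKINIT certificate (kdc.crt), so every
            # anonymous PKINIT request, which the Web UI uses for its armor ccache, fails.
            kind = "kdc_pkinit_cert"
        elif "Preauthentication failed" in msg:
            kind = "preauth_failed"
        else:
            kind = "other"
        findings.append({"kind": kind, "status": m.group("status"), "client": m.group("client"),
                         "principal": m.group("princ"), "detail": msg})
    return findings


def analyze_krb5_trace(lines):
    """Reduce a KRB5_TRACE dump to the few facts that matter for a failed AS exchange."""
    s = {"preauth_offered": [], "pkinit_no_identity": False, "timestamp_sent": False,
         "kdc_errors": [], "retried_master": False, "salt": None}
    for line in lines:
        m = TRACE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Processing preauth types: "):
            s["preauth_offered"] = [int(x) for x in msg.split(": ", 1)[1].split(", ")]
        elif "PKINIT client has no configured identity" in msg:
            s["pkinit_no_identity"] = True
        elif msg.startswith("Preauth module encrypted_timestamp") and msg.endswith("0/Success"):
            s["timestamp_sent"] = True
        elif msg.startswith("Received error from KDC: "):
            code, _, text = msg.split(": ", 1)[1].partition("/")
            s["kdc_errors"].append((int(code), text))
        elif msg.startswith("Retrying AS request with master KDC"):
            s["retried_master"] = True
        elif msg.startswith("Selected etype info: "):
            salt = re.search(r'salt "([^"]*)"', msg)
            s["salt"] = salt.group(1) if salt else None
    return s


def explain_trace(s):
    """Turn the summary into plain-language notes a defender can act on."""
    notes = []
    if s["pkinit_no_identity"]:
        notes.append("pkinit lines are noise: the client has no certificate, so PKINIT is skipped")
    if s["timestamp_sent"] and s["kdc_errors"] and s["kdc_errors"][-1][0] == -1765328360:
        notes.append("KDC rejected the encrypted timestamp: the typed password does not match the "
                     "key the KDC holds for this principal (salt %r)" % s["salt"])
    if s["retried_master"]:
        notes.append("client retried the master KDC after the failure, which rules out a "
                     "password change that has not reached a replica yet")
    return notes
```

For the first post the interesting finding is `kdc_pkinit_cert`: the KDC says its own certificate at `/var/kerberos/krb5kdc/kdc.crt` has expired, which matches the `kinit -n` armor ccache command failing in the httpd log. For the second post the trace summary shows the salt the client used (realm and principal name) and that the master KDC was retried; a salt or realm that does not match what the KDC stored for the synced user is one of the things worth comparing next.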
Re: Testing requested - certificate checking tool
by SOLER SANGUESA Miguel
Hello,
I have run the tool on an environment where I've installed my own certificate for HTTPS (following this tutorial: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP), and it complains when it finds the root certificate of my certificate:
# python2 ipa-checkcerts.py
ipa: INFO: IPA version 4.6.4-10.el7
IPA version 4.6.4-10.el7
ipa: INFO: Check CA status
Check CA status
ipa: INFO: Check tracking
Check tracking
ipa: INFO: Check NSS trust
Check NSS trust
Traceback (most recent call last):
File "ipa-checkcerts.py", line 931, in <module>
sys.exit(c.run())
File "ipa-checkcerts.py", line 190, in run
self.check_trust()
File "ipa-checkcerts.py", line 439, in check_trust
expected = expected_trust[nickname]
KeyError: 'ICC-root'
Is this normal?
Because I have tried to add a RHEL 6 client and I get the error:
" Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Valid From: Mon Jan 30 10:52:18 2017 UTC
Valid Until: Fri Jan 30 10:52:18 2037 UTC
Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates"
Thanks & Regards.
5 years, 2 months
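The traceback above ends in `expected = expected_trust[nickname]`: the checker indexes a table of known nicknames with whatever `certutil -L` lists, so a third-party root such as `ICC-root` that an admin legitimately added raises `KeyError` and aborts the whole run before the later checks execute. The following is an added example, not the tool's code, of the same check written so that unknown nicknames are reported instead of fatal; the `certutil -L` sample and the expected-trust table are constructed and the nicknames are placeholders.

```python
import re

# Constructed sample of `certutil -L -d <nssdb>` output for an IPA HTTP NSS database
# to which an admin added a third-party root ("ICC-root"); nicknames are placeholders.
CERTUTIL_L = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
ICC-root                                                     C,,
"""

# Hypothetical table of the trust flags the checker expects for the nicknames it knows.
EXPECTED_TRUST = {
    "Server-Cert": "u,u,u",
    "EXAMPLE.COM IPA CA": "CT,C,C",
}

TRUST_FLAGS_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")


def parse_certutil_list(text):
    """Return {nickname: trust flags}; nicknames may contain spaces, flags never do."""
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_FLAGS_RE.match(parts[1]):
            continue  # header, blank and continuation lines
        certs[parts[0].strip()] = parts[1]
    return certs


def check_trust_fragile(actual, expected):
    """The shape of the loop in the traceback: a plain indexing lookup raises KeyError
    for any nickname the table does not know, so one extra root aborts the whole run."""
    return [(n, expected[n], f) for n, f in actual.items() if expected[n] != f]


def check_trust(actual, expected):
    """Hardened form: unknown nicknames are reported, not fatal, and expected entries
    that are absent from the database are reported too."""
    report = {"mismatch": [], "unknown": [], "missing": []}
    for nickname, flags in actual.items():
        want = expected.get(nickname)
        if want is None:
            report["unknown"].append(nickname)
        elif want != flags:
            report["mismatch"].append((nickname, want, flags))
    report["missing"] = sorted(set(expected) - set(actual))
    return report
```

Reporting unknown nicknames separately also gives the operator something to act on: a root that was added on purpose is expected to show up there, while a nickname nobody recognises in a database that only IPA should write to deserves a closer look.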
dirsrv replicas crashing with FD errors
by xcorvis@gmail.com
I recently reinstalled a couple of our freeipa replicas and they're both falling over with the same error. They run for a few minutes - as little as one, or up to an hour, and then fall over with thousands of errors like this:
> ERR - accept_and_configure - PR_Accept() failed, Netscape Portable Runtime error -5971 (Process open FD table is full.)
Eventually we get some db errors and dirsrv crashes (which presumably is related to the FD table being full). I'm unable to determine why the table is filling.
While they're up, the 2 failing replicas work fine (web, ldap) and seem to have all the appropriate info. The server they're being replicated from is fine, no notable errors, but it only has about 180 servers hitting it. There's another replica with no clients that works fine, no issues. These two servers used to work fine before I reinstalled the replicas (I have not changed the OS). It's a pretty small directory and we've got a couple thousand servers hitting the two failing replicas. They were recently updated from ipa-server 4.4 to 4.6, and used to work fine, the errors started after I rebuilt them. (BTW, I'm not the person who built the originals.)
The logs are not giving me much in the way of clues. File handles are set in /etc/sysconfig/dirsrv to 32k, which should be more than enough; it was previously set to 16k. It hasn't gotten any busier than it used to be, so I don't feel like the file handle issue is simply due to being sized wrong. Debug logging generated a lot of output but nothing I could clearly identify as being an issue.
I'm at a loss. What should I be checking?
Versions:
CentOS Linux release 7.6.1810 (Core)
ipa-common-4.6.4-10.el7.centos.noarch
ipa-server-4.6.4-10.el7.centos.x86_64
ipa-client-4.6.4-10.el7.centos.x86_64
python2-ipalib-4.6.4-10.el7.centos.noarch
ipa-client-common-4.6.4-10.el7.centos.noarch
python2-ipaserver-4.6.4-10.el7.centos.noarch
ipa-server-common-4.6.4-10.el7.centos.noarch
sssd-ipa-1.16.2-13.el7.x86_64
389-ds-base-libs-1.3.8.4-18.el7_6.x86_64
389-ds-base-1.3.8.4-18.el7_6.x86_64
Thanks,
--Adam
5 years, 2 months
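When `PR_Accept()` reports a full descriptor table, the two things worth measuring before touching limits are how many descriptors ns-slapd actually holds and who owns the sockets behind them. The following is an added example, not something from the post or from 389-ds, that tallies LDAP connections per peer and per TCP state from `ss -tan` output and reads the process's descriptor count from /proc; the `ss` sample is constructed and the addresses are placeholders.

```python
import os
import subprocess
from collections import Counter

# Constructed sample of `ss -tan` output on a replica listening on 389/636;
# addresses are placeholders and a real dump has thousands of rows.
SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    *:389                           *:*
ESTAB      0      0      10.0.0.5:389                    10.0.1.23:41122
ESTAB      0      0      10.0.0.5:389                    10.0.1.23:41123
ESTAB      0      0      10.0.0.5:636                    10.0.1.23:41130
CLOSE-WAIT 1      0      10.0.0.5:389                    10.0.1.77:50001
CLOSE-WAIT 1      0      10.0.0.5:389                    10.0.1.77:50002
ESTAB      0      0      10.0.0.5:22                     10.0.9.9:33000
"""

LDAP_PORTS = {"389", "636"}


def parse_ss(text):
    """Return [(state, local_port, peer_ip), ...] from `ss -tan` output."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        rows.append((state, local.rsplit(":", 1)[1], peer.rsplit(":", 1)[0]))
    return rows


def ldap_connection_report(text, top=5):
    """Count LDAP sockets per peer and per state. A pile of CLOSE-WAIT sockets means the
    peer hung up but the server never closed its side: those descriptors are leaked, not busy."""
    per_peer, per_state = Counter(), Counter()
    for state, port, peer in parse_ss(text):
        if port not in LDAP_PORTS or state == "LISTEN":
            continue
        per_peer[peer] += 1
        per_state[state] += 1
    return {"total": sum(per_state.values()), "by_state": dict(per_state),
            "top_peers": per_peer.most_common(top)}


def fd_usage(pid):
    """Open descriptors of a process, read from /proc (Linux only; None if unreadable)."""
    try:
        return len(os.listdir("/proc/%d/fd" % pid))
    except OSError:
        return None


if __name__ == "__main__":
    live = subprocess.run(["ss", "-tan"], capture_output=True, text=True).stdout
    print(ldap_connection_report(live))
```

Run against the live output every minute while the replica is climbing towards the limit; if `total` tracks `fd_usage()` closely and one or two peers dominate `top_peers`, the clients are opening connections faster than they close them, whereas a growing CLOSE-WAIT count with a flat ESTAB count points at the server side not releasing sockets. Either way, the number to compare the 32k ulimit against is the server's own `nsslapd-maxdescriptors` value in cn=config, since 389-ds caps itself there independently of the shell limit.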
Freeipa fails to renew CA certificate with external CA.
by Pedro Perdido
Hello,
I'm trying to renew the CA certificate and I keep getting the error "CA certificate chain in ipaRenew.crt, extCA.crt is incomplete: missing certificate with subject 'CN=pedroperdido.com'".
I have found some people complaining about a DN encoding mismatch during the renewal process, so I installed a test server and made sure the trust chain had PRINTABLESTRING encoding. No problem there: FreeIPA accepted the certificate and everything is working great, but when I try to renew it the error comes back:
==============================================================================================
# ipa-cacert-manage renew --external-cert-file=ipaRenew.crt --external-cert-file=extCA.crt
Importing the renewed CA certificate, please wait
CA certificate chain in ipaRenew.crt, extCA.crt is incomplete: missing certificate with subject 'CN=pedroperdido.com'
==============================================================================================
Both the new certificate and the external CA cert have the PRINTABLESTRING encoding:
==============================================================================================
# openssl x509 -in extCARenew.crt -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash
subject=
commonName = PRINTABLESTRING:pedroperdido.com
issuer=
commonName = PRINTABLESTRING:pedroperdido.com
a5851e5b
a5851e5b
==============================================================================================
==============================================================================================
# openssl x509 -in ipaRenew.crt -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash
subject=
organizationName = PRINTABLESTRING:TESTCA.ETUX
commonName = PRINTABLESTRING:Certificate Authority
issuer=
commonName = PRINTABLESTRING:pedroperdido.com
48a8b126
a5851e5b
==============================================================================================
And the certs I used during the installation also have PRINTABLESTRING encoding:
==============================================================================================
# openssl x509 -in ipaInstall.crt -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash
subject=
organizationName = PRINTABLESTRING:TESTCA.ETUX
commonName = PRINTABLESTRING:Certificate Authority
issuer=
commonName = PRINTABLESTRING:pedroperdido.com
48a8b126
a5851e5b
==============================================================================================
==============================================================================================
# openssl x509 -in extCAInstall.crt -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash
subject=
commonName = PRINTABLESTRING:pedroperdido.com
issuer=
commonName = PRINTABLESTRING:pedroperdido.com
a5851e5b
a5851e5b
==============================================================================================
Also, as you can see, the CN is the same.
Can someone please help me figure out what the problem is?
Some more info:
FreeIPA, version: 4.6.4
OS: CentOS7
5 years, 2 months
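The chain check behind that error walks from the renewed CA certificate to the certificate whose subject equals its issuer, and the poster's `show_type` dumps exist precisely because that comparison can fail on the ASN.1 string type even when the printed names agree. The following is an added example, not FreeIPA's code, that parses the `openssl x509 -nameopt multiline,show_type` output quoted above into (attribute, type, value) triples and reports, for each certificate, whether its issuer is present, present only with a different string encoding, or missing. The two dumps are constructed copies of the post's output; the UTF8STRING variant is constructed to show the mismatch case.

```python
# Constructed copies of the `openssl x509 -subject -issuer -nameopt multiline,show_type`
# dumps from the post (the two trailing hash lines are parsed away).
EXT_CA = """\
subject=
    commonName                = PRINTABLESTRING:pedroperdido.com
issuer=
    commonName                = PRINTABLESTRING:pedroperdido.com
a5851e5b
a5851e5b
"""
IPA_RENEW = """\
subject=
    organizationName          = PRINTABLESTRING:TESTCA.ETUX
    commonName                = PRINTABLESTRING:Certificate Authority
issuer=
    commonName                = PRINTABLESTRING:pedroperdido.com
48a8b126
a5851e5b
"""
# Constructed variant: identical printed name, but the root's subject CN encoded as UTF8STRING.
EXT_CA_UTF8 = EXT_CA.replace("PRINTABLESTRING:pedroperdido.com", "UTF8STRING:pedroperdido.com", 1)


def parse_name_dump(text):
    """Return {'subject': [(attr, asn1_type, value), ...], 'issuer': [...]} from the dump."""
    names, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("subject=", "issuer="):
            current = line[:-1]
            names[current] = []
            continue
        if current is None or "=" not in line:
            current = None  # hash lines and anything else end the section
            continue
        attr, _, rest = (p.strip() for p in line.partition("="))
        asn1_type, _, value = rest.partition(":")
        names[current].append((attr, asn1_type, value))
    return names


def same_name(a, b, check_encoding=True):
    """Attribute-by-attribute comparison; optionally ignore the ASN.1 string type."""
    key = (lambda t: t) if check_encoding else (lambda t: (t[0], t[2]))
    return [key(t) for t in a] == [key(t) for t in b]


def chain_gaps(certs):
    """certs: {filename: parsed names}. For every cert that is not self-signed, look for the
    cert whose subject equals its issuer. Returns [(filename, problem), ...]."""
    problems = []
    for name, n in certs.items():
        if same_name(n["subject"], n["issuer"], check_encoding=False):
            continue  # self-signed root: the chain ends here
        if any(same_name(m["subject"], n["issuer"]) for m in certs.values()):
            continue  # issuer present with identical attribute types, encodings and values
        loose = [o for o, m in certs.items()
                 if same_name(m["subject"], n["issuer"], check_encoding=False)]
        problems.append((name, ("encoding mismatch with " + loose[0]) if loose else "missing"))
    return problems
```

On the post's own dumps the walk completes: `ipaRenew.crt` is issued by `CN=pedroperdido.com` and `extCA.crt` carries that subject with the same PRINTABLESTRING type, so whatever the renewal command objects to is not visible at the level these dumps show (attribute order inside the DN, or bytes inside the DER, would be the next things to diff, for instance with `openssl asn1parse`).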
system time
by Md. Khairul Hasan
Hi Experts,
I want to change the system time of my IPA server from UTC to local time. Is it mandatory to restart the service after changing the system time?
Regards,
Khairul
+8801962400409
sojib2bd(a)gmail.com
5 years, 2 months
PAM OTP login requirements
by Brian Topping
Hi all, I hope this is the best place to ask this, please let me know if not.
I am setting up a PAM client (libreswan, using the `pluto` service). When I log in with a non-OTP account, everything works fine, but not with an OTP account. I have tested the OTP account by logging into the node with SSH as the OTP user and it works fine, so I know that both the token and the client configuration are correct. I've tried a few different PAM stacks to see if I could get around this, including the sshd stack, to no avail. In all cases, the FreeIPA server logs state `Additional pre-authentication required` and then `Preauthentication failed`.
Preauthentication makes sense; I just don't understand why sshd works fine with both password factors concatenated in the first factor while libreswan (and xl2tpd when I was testing it) both fail with preauth issues. What am I missing? Are there good docs on this somewhere? [1] was the best I could come up with and it seems to be out of date (pam_sss takes different parameters for some of the same functions in the final form).
Cheers! Brian
[1] https://docs.pagure.org/SSSD.sssd/design_pages/pam_conversation_for_otp.html
5 years, 2 months
uid/gid mapping from windows to IPA
by Charles Hedrick
We’re in the process of setting up Windows machines to authenticate against IPA and use home directories from our NFS servers with Kerberized NFS.
The process is not easy, but possible. One thing I’ve found frustrating is that documentation on Windows NFS is terrible. In particular, when you do a mount, it’s critical to get it mounted with the right UID and GID. The procedure most people are using is to set the UID and GID in the registry. That’s fine if the same person always uses the system, but it won’t work for us.
In older versions of Windows, you could set up /windows/system32/drivers/etc/passwd, but in Windows 10 they no longer seem to pay attention to it. The only real way to do it is with an Active Directory lookup. Fortunately, IPA can handle that. The query is
GSSAPI authenticate as machine$
ldapsearch -Y GSSAPI -b dc=cs,dc=rutgers,dc=edu '(sAMAccountName=clh)' uidnumber gidnumber
To get the GSSAPI authentication to work, you need MACHINE$ set as an alias for the host. And you need to configure Windows to use principal canonicalization. Otherwise Kerberos ignores the alias. That means doing "ksetup /setrealmflags DOMAIN ncsupported" on Windows.
You also need to add samaccountname as an attribute for users, populate it, and make it readable and searchable.
With this, mapping works.
Of course this assumes that Windows Kerberos is set up pointing to IPA as the KDC, but there are plenty of other instructions on how to do that.
5 years, 2 months
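Whatever ends up issuing the post's ldapsearch on behalf of a mount helper has to do two things carefully: the account name it interpolates into the filter must be escaped, and an entry without a numeric uidNumber or gidNumber must be refused rather than mapped to a default. The following is an added example, not from the post, that builds the query as an argv list, escapes the filter value per RFC 4515, and parses the LDIF result; the `-LLL` flag is my addition to suppress comments, the base DN is the one from the post, and the LDIF sample is constructed.

```python
import base64
import subprocess

BASE_DN = "dc=cs,dc=rutgers,dc=edu"  # base DN from the post; adjust for your realm


def escape_filter(value):
    """RFC 4515 escaping so an account name taken from a login cannot change the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_ldapsearch_cmd(sam_account_name, base_dn=BASE_DN):
    """The lookup from the post as an argv list (GSSAPI bind as the machine account)."""
    flt = "(sAMAccountName=%s)" % escape_filter(sam_account_name)
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-b", base_dn, flt, "uidNumber", "gidNumber"]


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_ids(text):
    """Return ({dn: {'uid': int, 'gid': int}}, [dn, ...]); the list holds entries that lack
    a numeric uidNumber or gidNumber, which a mount helper must refuse, never default."""
    mapped, incomplete, entry = {}, [], {}

    def flush():
        if not entry:
            return
        dn = entry.get("dn", "<no dn>")
        try:
            mapped[dn] = {"uid": int(entry["uidnumber"]), "gid": int(entry["gidnumber"])}
        except (KeyError, ValueError):
            incomplete.append(dn)
        entry.clear()

    for line in unfold_ldif(text) + [""]:
        if not line.strip():
            flush()  # blank line terminates an entry
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry[key.strip().lower()] = value.strip()
    return mapped, incomplete


def lookup_ids(sam_account_name):
    """Run the real query (needs a Kerberos ticket for the machine account and ldapsearch)."""
    out = subprocess.run(build_ldapsearch_cmd(sam_account_name), check=True,
                         capture_output=True, text=True).stdout
    return parse_ldif_ids(out)


# Constructed sample of what the query returns for two users; the second one has no
# uidNumber, which is exactly the case a mount helper must not paper over.
SAMPLE_LDIF = """\
dn: uid=clh,cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu
uidNumber: 10123
gidNumber: 10123

dn: uid=newhire,cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu
gidNumber: 10200

"""
```

Because the query binds with GSSAPI as the machine account, the Kerberos-side prerequisites from the post still apply: the MACHINE$ alias on the host principal and name canonicalization enabled on the Windows side; nothing in this script replaces them.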