certmonger not able to renew a certificate: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
by Sam Morris
Hi folks, I've got a machine where certmonger is unable to renew a
certificate request:
# getcert list -i 20220519165212
Number of certificates and requests being tracked: 2.
Request ID '20220519165212':
status: MONITORING
ca-error: Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
stuck: no
key pair storage: type=FILE,location='/etc/cockpit/ws-certs.d/51-xoanon.key'
certificate: type=FILE,location='/etc/cockpit/ws-certs.d/51-xoanon.crt'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
subject: CN=xoanon.ipa.example.com,O=IPA.EXAMPLE.COM
issued: 2023-06-21 07:49:49 UTC
expires: 2023-09-19 07:49:49 UTC
dns: xoanon.ipa.example.com
principal name: host/xoanon.ipa.example.com(a)IPA.EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
I'm manually attempting to renew the certificate with:
[root@xoanon ~]# getcert resubmit -w -v -i 20220519165212
Resubmitting "20220519165212" to "IPA".
State GENERATING_CSR, stuck: no.
State SUBMITTING, stuck: no.
State MONITORING, stuck: no.
On the server side, I'm unable to find any errors being logged anywhere.
Even after I set 'debug = true' in /etc/ipa/default.conf & restarted
httpd.service, the only log messages are:
==> /var/log/httpd/error_log <==
[Wed Aug 23 10:59:50.765980 2023] [wsgi:error] [pid 124570:tid 140295030843136] [remote 192.168.88.3:52224] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Aug 23 10:59:50.766232 2023] [wsgi:error] [pid 124570:tid 140295030843136] [remote 192.168.88.3:52224] ipa: DEBUG: WSGI jsonserver.__call__:
[Wed Aug 23 10:59:50.766352 2023] [wsgi:error] [pid 124570:tid 140295030843136] [remote 192.168.88.3:52224] ipa: DEBUG: KerberosWSGIExecutioner.__call__:
==> /var/log/httpd/access_log <==
192.168.88.3 - host/xoanon.ipa.example.com(a)IPA.EXAMPLE.COM [23/Aug/2023:10:59:50 +0000] "POST /ipa/json HTTP/1.1" 200 526
... which show that the API call was successful. On the other hand,
according to 'ipa cert-find --subject=xoanon.ipa.example.com', no
certificates have been issued.
It looks like the API isn't calling out to PKI/Dogtag, since nothing is
logged to /var/log/pki/pki-tomcat/localhost_access_log.*.txt or
/var/log/pki/pki-tomcat/ca/debug.*.log.
I also looked for AVC denials and didn't see anything in /var/log/audit.
So, back to the client. certmonger logs the following:
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_REQ_SUBJECT" to "CN=xoanon.ipa.example.com" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_REQ_HOSTNAME" to "xoanon.ipa.example.com" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_REQ_PRINCIPAL" to "host/xoanon.ipa.example.com(a)IPA.EXAMPLE.COM" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_OPERATION" to "SUBMIT" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_CSR" to "-----BEGIN CERTIFICATE REQUEST-----
MIIEpzCCAw8CAQAwIzEhMB8GA1UEAxMYeG9hbm9uLmlwYS5yb2JvdHMub3JnLnVr
[...]
4d6BlUMScGAgCAxfxEb1eXymTxVm/Do/liHaOqnHGVIr+1OjZNftrUODFQ==
-----END CERTIFICATE REQUEST-----
" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_SPKAC" to "[...]" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_SPKI" to "[...]" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_LOCAL_CA_DIR" to "/var/lib/certmonger/local" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_KEY_TYPE" to "RSA" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_CA_NICKNAME" to "IPA" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_CERTIFICATE" to "-----BEGIN CERTIFICATE-----
MIIFajCCBFKgAwIBAgIET/8AJDANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKDBFJ
[...]
dF6L+2tIIpjYylCxKQISWaexKkv1jVQaIPB1foIKyLGaf9YtyaIwyoM9G80UaQ==
-----END CERTIFICATE-----
" for child.
2023-08-23 11:15:50 [836073] Redirecting stdin to /dev/null, leaving stdout and stderr open for child "/usr/libexec/certmonger/ipa-submit".
2023-08-23 11:15:50 [836073] Running enrollment helper "/usr/libexec/certmonger/ipa-submit".
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
Submitting request to "https://ipa5.ipa.example.com/ipa/json".
JSON-RPC error: 2100: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
2023-08-23 11:15:50 [834693] Certificate submission still ongoing.
2023-08-23 11:15:50 [834693] Certificate submission attempt complete.
2023-08-23 11:15:50 [834693] Child status = 2.
2023-08-23 11:15:50 [834693] Child output:
"Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
"
2023-08-23 11:15:50 [834693] Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
2023-08-23 11:15:50 [834693] Certificate not (yet?) issued.
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
I found that I could add 'OPTS=-d9' to /etc/sysconfig/certmonger &
restart certmonger.service, which does cause it to log more, but it
doesn't give any further insight into the messages exchanged with the
server.
Does anyone know where I can look next?
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
1 day, 15 hours
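A check worth automating on any host with certmonger-tracked certificates, added here as an example (it is not code from the post, from certmonger or from FreeIPA): parse `getcert list` output into one record per request and flag requests that report a ca-error, are marked stuck, or expire within a warning window. The sample text is constructed from the tracking entry quoted above (fields trimmed, `(a)` restored to `@`) plus a second, made-up healthy request for contrast; the request ID `20230101000000`, the reference date and the 30-day window are assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample: the failing tracking entry from the post (trimmed to the
# fields this check reads, "(a)" restored to "@") plus a second, made-up healthy
# request. Real `getcert list` output indents the fields with a tab.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20220519165212':
        status: MONITORING
        ca-error: Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
        stuck: no
        key pair storage: type=FILE,location='/etc/cockpit/ws-certs.d/51-xoanon.key'
        certificate: type=FILE,location='/etc/cockpit/ws-certs.d/51-xoanon.crt'
        CA: IPA
        subject: CN=xoanon.ipa.example.com,O=IPA.EXAMPLE.COM
        issued: 2023-06-21 07:49:49 UTC
        expires: 2023-09-19 07:49:49 UTC
        principal name: host/xoanon.ipa.example.com@IPA.EXAMPLE.COM
        track: yes
        auto-renew: yes
Request ID '20230101000000':
        status: MONITORING
        stuck: no
        CA: IPA
        subject: CN=other.ipa.example.com,O=IPA.EXAMPLE.COM
        issued: 2023-07-15 09:00:00 UTC
        expires: 2024-01-15 09:00:00 UTC
        track: yes
        auto-renew: yes
"""

# Reference "now" for the sample run: the day of the post (assumed).
REFERENCE_NOW = datetime(2023, 8, 23, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split `getcert list` output into one {field: value} dict per request."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line before the first request, or blank
        # Split on the first colon only: values such as ca-error and the
        # timestamps contain colons of their own.
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return records


def audit_requests(records: List[Dict[str, str]], now: Optional[datetime] = None,
                   warn_days: int = 30) -> List[Tuple[str, str]]:
    """Return (request_id, finding) pairs for requests that need attention."""
    now = now or datetime.now(timezone.utc)
    findings: List[Tuple[str, str]] = []
    for r in records:
        rid = r["request_id"]
        if r.get("ca-error"):
            # The CA refused or failed the last submission; certmonger will retry,
            # but a persistent error means auto-renew is silently not happening.
            findings.append((rid, "ca-error: " + r["ca-error"]))
        if r.get("stuck") == "yes":
            findings.append((rid, "request is stuck in state " + r.get("status", "?")))
        if r.get("expires"):
            expires = datetime.strptime(r["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
            days_left = (expires - now).days
            if days_left < warn_days:
                findings.append((rid, f"expires in {days_left} days"))
    return findings


if __name__ == "__main__":
    for request_id, finding in audit_requests(parse_getcert_list(SAMPLE_GETCERT_LIST), REFERENCE_NOW):
        print(f"{request_id}: {finding}")
```

Fed the live `getcert list` output and the current time, an entry like the one in the post (ca-error set, under a month of validity left, `auto-renew: yes` but no new certificate issued) is exactly what should page someone well before the expiry date rather than after the service goes down.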
Re: Issues with password based authentication on IPA
by Alexander Bokovoy
Please don't drop mailing list.
On Tue, 28 Nov 2023, Pradeep KNS wrote:
>Hey Alexander,
>
>Thanks For the Reply.
>
>But in my case I have fixed it by recreating the user on the IPA web UI and
>observing ipantuserattrs created; password logins are working fine.
>
>But do I face any issues if I try to modify the base ID range manually? As
>per the Red Hat docs, it is not recommended to modify.
If you have re-created your user and that new one works, it means the
underlying infrastructure works properly. Older user entries need to be
fixed, preferably through a new ID range, if those entries use IDs
which are outside of the main ID range.
>
>Also on ipa 4.11 they support dedicated ssh key based
>authentication. Of course now also it's working.
>
>My setup is that I have internal dns which is handled by a puppet and
>slowly will move it to a dedicated internal dns server so that's why i
>opted for ipa installation without dns.
>
>On Tue, Nov 28, 2023 at 1:06 PM Alexander Bokovoy <abokovoy(a)redhat.com>
>wrote:
>
>> On Mon, 27 Nov 2023, Pradeep KNS via FreeIPA-users wrote:
>> >Hi Rob,
>> >Thank you for your email. I've identified the issue.
>> >When attempting to create a user using the 'ipa user-add' command and
>> >defining the UID and GID according to my specifications, the UID falls
>> >within the 4-digit range, for instance, 4141. The
>> >IPA IDs range during installation was set to 770000. Users created within
>> >this range are accepted with their passwords. However, users created with
>> >UIDs like 4141 or 4142 encounter issues.
>> >
>> >Looks like attributes were not created
>> >
>> >objectclass: top, person, organizationalperson, inetorgperson, inetuser,
>> >posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
>> >ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
>> >
>> >If I mention uid and gid using the ipa user-add command,
>> >ipantuserattrs is not getting created.
>> >
>> >I tried to modify the default range but it didn't happen.
>>
>> See my answers in a parallel thread 'kinit fails on freeipa master: File
>> or directory not found'.
>>
>> >
>> >
>> >
>> >On Mon, 27 Nov 2023 at 9:41 PM, Rob Crittenden <rcritten(a)redhat.com>
>> wrote:
>> >
>> >> Pradeep KNS wrote:
>> >> > Hi,
>> >> > I have installed an ipa with internal dns. After installing, updated
>> >> > entries on dns as well.
>> >> >
>> >> > My main criteria is to communicate with ipa clients with ssh key-based
>> >> > authentication, which is working fine.
>> >> >
>> >> > Today I thought I want to test with password-based authentication, which
>> >> > is not happening. I don't know where I am missing.
>> >> >
>> >> >
>> >> > [root(a)example.com]# ipa --version
>> >> > VERSION: 4.10.1, API_VERSION: 2.251
>> >> > [root(a)example.com]#
>> >> >
>> >> > ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
>> >> > BACKTRACE:
>> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [tgt_req_child]
>> >> > (0x1000): [RID#15] Password was expired
>> >>
>> >> The user's password is expired.
>> >>
>> >> IPA intends that only the end-user knows their password. So if it is set
>> >> or reset by an administrator the user will need to change it.
>> >>
>> >> Is the user not prompted to reset it?
>> >>
>> >> rob
>> >>
>> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [sss_krb5_responder]
>> >> > (0x4000): [RID#15] Got question [password].
>> >> > * (2023-11-23 19:33:16): [krb5_child[11588]] [map_krb5_error]
>> >> > (0x0020): [RID#15] 2138: [-1765328324][Generic error (see e-text)]
>> >> > ********************** BACKTRACE DUMP ENDS HERE
>> >> > *********************************
>> >> >
>> >> > ssh log
>> >> >
>> >> > Nov 23 19:33:16 test-example.com sshd[11586]: pam_sss(sshd:auth):
>> >> > authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>> >> > rhost=10.10.1.1 user=harsh
>> >> > Nov 23 19:33:16 test-example.com sshd[11586]: pam_sss(sshd:auth): received
>> >> > for user harsh: 4 (System error)
>> >> > Nov 23 19:33:18test-example.com sshd[11584]: error: PAM: Authentication
>> >> > failure for harsh from 10.10.1.1
>> >> > Nov 23 19:33:20 test-example.com sshd[11584]: Connection closed by
>> >> > authenticating user harsh 10.10.1.1 port 47724 [preauth]
>> >>
>> >>
>> >>
>>
>>
>>
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>
>>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
1 day, 18 hours
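To make the "IDs outside the main ID range" point concrete, here is an added example (not code from the thread, from FreeIPA or from its contributors) that takes the ID ranges as `ipa idrange-find` reports them, lists every uidNumber/gidNumber that no range covers, and proposes a non-overlapping local range for them. The sample ranges and entries are constructed: the base of 770000 is the figure from the thread, while the range size, the RID bases and the entry names are assumptions. Whether a range carries RID bases matters because a local range without them cannot back SID generation, which is the situation the `idrange-find` output in the S4U2PROXY_NO_HEADER_PAC thread further down the page shows (`EXAMPLE.COM_id_range`, 1000 + 4000 IDs, no RID fields); the same check applies there.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class IdRange:
    """One range as `ipa idrange-find` reports it (field comments use its labels)."""
    name: str
    base_id: int                                # First Posix ID of the range
    size: int                                   # Number of IDs in the range
    range_type: str                             # e.g. "local domain range"
    rid_base: Optional[int] = None              # First RID of the corresponding RID range
    secondary_rid_base: Optional[int] = None    # First RID of the secondary RID range

    @property
    def last_id(self) -> int:
        return self.base_id + self.size - 1

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id <= self.last_id

    @property
    def sid_capable(self) -> bool:
        # Without RID bases there is nothing to derive a SID's RID from, so a
        # local range that lacks them cannot back SID generation.
        return self.rid_base is not None and self.secondary_rid_base is not None


@dataclass(frozen=True)
class PosixEntry:
    """uidNumber/gidNumber of one user or group entry."""
    dn: str
    uid_number: Optional[int] = None
    gid_number: Optional[int] = None


def posix_overlap(a: IdRange, b: IdRange) -> bool:
    return a.base_id <= b.last_id and b.base_id <= a.last_id


def rid_overlap(a: IdRange, b: IdRange) -> bool:
    """True if a primary or secondary RID span of a intersects one of b."""
    for x in (a.rid_base, a.secondary_rid_base):
        for y in (b.rid_base, b.secondary_rid_base):
            if x is not None and y is not None and x < y + b.size and y < x + a.size:
                return True
    return False


def find_uncovered(entries: Sequence[PosixEntry],
                   ranges: Sequence[IdRange]) -> List[Tuple[str, str, int]]:
    """Return (dn, attribute, value) for every POSIX ID that no range covers."""
    uncovered = []
    for entry in entries:
        for attr, value in (("uidNumber", entry.uid_number), ("gidNumber", entry.gid_number)):
            if value is not None and not any(r.contains(value) for r in ranges):
                uncovered.append((entry.dn, attr, value))
    return uncovered


def propose_range(name: str, ids: Sequence[int], existing: Sequence[IdRange],
                  rid_base: int, secondary_rid_base: int, min_size: int = 1000) -> IdRange:
    """Propose a local range covering `ids` (at least `min_size` wide) that does not
    collide with an existing range's POSIX IDs or RID spans. Creating it is still a
    manual `ipa idrange-add` step for the administrator."""
    lo, hi = min(ids), max(ids)
    candidate = IdRange(name, lo, max(hi - lo + 1, min_size), "local domain range",
                        rid_base, secondary_rid_base)
    for r in existing:
        if posix_overlap(candidate, r):
            raise ValueError(f"{name} [{candidate.base_id}-{candidate.last_id}] overlaps "
                             f"{r.name} [{r.base_id}-{r.last_id}]")
        if rid_overlap(candidate, r):
            raise ValueError(f"{name} RID spans collide with {r.name}")
    return candidate


# Constructed sample data. The base ID 770000 is the figure from the thread; the
# range size, RID bases and the entries themselves are assumptions.
SAMPLE_RANGES = [
    IdRange("IPA.EXAMPLE.COM_id_range", 770000, 200000, "local domain range", 1000, 100000000),
]
SAMPLE_ENTRIES = [
    PosixEntry("uid=alice,cn=users,cn=accounts,dc=example,dc=com", 770001, 770001),
    PosixEntry("uid=bob,cn=users,cn=accounts,dc=example,dc=com", 4141, 4141),
    PosixEntry("cn=legacy,cn=groups,cn=accounts,dc=example,dc=com", gid_number=4142),
]


def audit(entries: Sequence[PosixEntry] = SAMPLE_ENTRIES,
          ranges: Sequence[IdRange] = SAMPLE_RANGES):
    """Uncovered IDs plus a proposed range for them (None if everything is covered)."""
    uncovered = find_uncovered(entries, ranges)
    proposal = None
    if uncovered:
        proposal = propose_range("LEGACY_id_range", [v for _, _, v in uncovered],
                                 ranges, rid_base=300000, secondary_rid_base=200000000)
    return uncovered, proposal


if __name__ == "__main__":
    found, proposed = audit()
    for dn, attr, value in found:
        print(f"{attr}={value} of {dn} is outside every ID range")
    if proposed:
        print(f"proposed: {proposed.name} {proposed.base_id}-{proposed.last_id} "
              f"(rid_base={proposed.rid_base}, secondary={proposed.secondary_rid_base})")
```

The proposal is only a starting point for `ipa idrange-add`: the POSIX and RID collision checks keep the new range from overlapping the ranges passed in, but the administrator still chooses the RID bases and should re-run `ipa config-mod --enable-sid --add-sids` afterwards, as the thread describes, so the previously uncovered entries get their SIDs.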
Password policy by ip
by Francis Augusto Medeiros-Logeay
Hi,
I recently started to use FreeIPA for ldap login for my mail server (dovecot).
I wonder if it is possible to disable user locking when fail requests come from dovecot. That’s because it already has fail2ban enabled there, and I feel that it should block logins from a particular ip, not user login per se.
At the same time, I’d like to keep user lock for the other logins.
Is this doable?
Best,
Francis
1 day, 19 hours
Issues with password based authentication on IPA
by Pradeep KNS
Hi,
I have installed an ipa with internal dns. After installing, updated entries
on dns as well.
My main criteria is to communicate with ipa clients with ssh key-based
authentication, which is working fine.
Today I thought I want to test with password-based authentication, which is
not happening. I don't know where I am missing.
[root(a)example.com]# ipa --version
VERSION: 4.10.1, API_VERSION: 2.251
[root(a)example.com]#
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
* (2023-11-23 19:33:16): [krb5_child[11588]] [tgt_req_child] (0x1000):
[RID#15] Password was expired
* (2023-11-23 19:33:16): [krb5_child[11588]] [sss_krb5_responder]
(0x4000): [RID#15] Got question [password].
* (2023-11-23 19:33:16): [krb5_child[11588]] [map_krb5_error] (0x0020):
[RID#15] 2138: [-1765328324][Generic error (see e-text)]
********************** BACKTRACE DUMP ENDS HERE
*********************************
ssh log
Nov 23 19:33:16 test-example.com sshd[11586]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.10.1.1 user=harsh
Nov 23 19:33:16 test-example.com sshd[11586]: pam_sss(sshd:auth): received
for user harsh: 4 (System error)
Nov 23 19:33:18test-example.com sshd[11584]: error: PAM: Authentication
failure for harsh from 10.10.1.1
Nov 23 19:33:20 test-example.com sshd[11584]: Connection closed by
authenticating user harsh 10.10.1.1 port 47724 [preauth]
1 day, 22 hours
kinit fails on freeipa master: File or directory not found
by David Leeuwestein
Dear IPA users,
I need your help on an issue. An upgrade from Fedora 36 to Fedora 38 has
completely broken Kerberos authentication in our Freeipa realm.
kinit <username>
fails for every user but our domain admin. Hosts can't authenticate
themselves, too.
Everything works fine if I add disable_pac = true in the /etc/krb5.conf.
However, this isn't a recommended setting from a security point of view.
Therefore, we can't accept that as a workaround.
I found several posts suggesting generating SIDs for the users. So I did
that by calling ipa config-mod --enable-sid --add-sids. The job ran
without any error and assigned a SID to each user. I confirmed this with
ipa user-show --all.
I also verified that the firewall configuration matches the
recommendations of freeipa:
https://www.freeipa.org/page/Active_Directory_trust_setup#iptables
I also thought this issue could be caused by a Freeipa version mismatch
between our two master servers. Therefore, I updated both servers to
Fedora 38, but the problem still exists.
I tried to collect the vital system information.
$ kinit user
Passwort für user(a)INTERN.EXAMPLE.DE:
kinit: allgemeiner Fehler (siehe E-Text) bei Anfängliche Anmeldedaten
werden geholt.
the `/var/log/krb5kdc.log` contains the following entries for an
authentication attempt:
Nov 25 20:22:35 id.intern.example.de krb5kdc[2858](Information): AS_REQ
(6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha256-128(19),
aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25)}) 141.83.153.180:
HANDLE_AUTHDATA: user(a)INTERN.EXAMPLE.DE für
krbtgt/INTERN.EXAMPLE.DE(a)INTERN.EXAMPLE.DE, Datei oder Verzeichnis nicht
gefunden
The content of our `/etc/krb5.conf` is:
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = INTERN.EXAMPLE.DE
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
INTERN.EXAMPLE.DE = {
kdc = id.intern.example.de:88
master_kdc = id.intern.example.de:88
kpasswd_server = id.intern.example.de:464
admin_server = id.intern.example.de:749
default_domain = intern.example.de
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.intern.example.de = INTERN.EXAMPLE.DE
intern.example.de = INTERN.EXAMPLE.DE
id.intern.example.de = INTERN.EXAMPLE.DE
[dbmodules]
INTERN.EXAMPLE.DE = {
db_library = ipadb.so
}
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
IPA diagnostics show no error:
$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
I also asked this question on serverfault:
https://serverfault.com/posts/1148566
Please let me know, if I forgot to include anything vital. I never
posted to a user mailing list before. Please let me know if I failed to
follow a best practice. I'd appreciate any help since I am stuck here.
Have a nice day!
David Leeuwestein
1 day, 22 hours
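The KDC log lines quoted on this page (the `HANDLE_AUTHDATA ... Datei oder Verzeichnis nicht gefunden` line above, and the `S4U2PROXY_NO_HEADER_PAC ... TGT has been revoked` line in the thread further down) are the signal a defender wants to catch before users report that kinit or the IPA CLI stopped working. The following is an added example, not code from the posts, from MIT Kerberos or from FreeIPA: it parses krb5kdc.log request lines into records and flags failures whose status points at PAC or authorization-data handling rather than at a wrong password. The sample lines are constructed after the ones on the page (with `(a)` written as `@`, as the real log has it; the German wording and `(Information)` level come from a KDC running under a German locale) plus a successful `ISSUE` line and a housekeeping line for contrast; the regular expression assumes the `krb5kdc[pid](level): REQ (etypes) client: STATUS: detail` layout those lines show.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample after the lines quoted on this page ("(a)" written as "@",
# as the real log has it). Lines 3 and 4 are made up for contrast: a successful
# AS_REQ and a housekeeping line that carries no request.
SAMPLE_KDC_LOG = """\
Nov 25 20:22:35 id.intern.example.de krb5kdc[2858](Information): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25)}) 141.83.153.180: HANDLE_AUTHDATA: user@INTERN.EXAMPLE.DE für krbtgt/INTERN.EXAMPLE.DE@INTERN.EXAMPLE.DE, Datei oder Verzeichnis nicht gefunden
Nov 20 14:56:04 freeipa.example.com krb5kdc[427](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes {rep=UNSUPPORTED:(0)} HTTP/freeipa.example.com@EXAMPLE.COM for ldap/freeipa.example.com@EXAMPLE.COM, TGT has been revoked
Nov 25 20:25:01 id.intern.example.de krb5kdc[2858](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 141.83.153.180: ISSUE: authtime 1700943901, etypes {rep=18 tkt=18 ses=18}, admin@INTERN.EXAMPLE.DE for krbtgt/INTERN.EXAMPLE.DE@INTERN.EXAMPLE.DE
Nov 25 20:25:02 id.intern.example.de krb5kdc[2858](info): closing down fd 12
"""

# Layout assumed from the quoted lines:
#   <timestamp> <kdc host> krb5kdc[<pid>](<level>): <AS_REQ|TGS_REQ> (<etypes>) <client addr>: <STATUS>: <detail>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>[^)]*)\): (?P<req>AS_REQ|TGS_REQ) \((?P<etypes>.*?)\) "
    r"(?P<client>\S+): (?P<status>[A-Z0-9_]+): (?P<detail>.*)$"
)
# "<client principal> for <service principal>"; "for" is localized ("für"), so any word is accepted.
PRINC_RE = re.compile(r"(\S+@[A-Z0-9.\-]+) \S+ (\S+@[A-Z0-9.\-]+)")

# Stages whose failure points at PAC / authorization-data trouble (missing SIDs,
# a TGT without a PAC used for S4U2Proxy) rather than at a wrong password.
PAC_STATUSES = {"S4U2PROXY_NO_HEADER_PAC", "HANDLE_AUTHDATA"}


@dataclass
class KdcEvent:
    timestamp: str
    kdc_host: str
    request: str                 # AS_REQ (initial TGT) or TGS_REQ (service ticket, S4U)
    client_addr: str
    status: str                  # "ISSUE" on success, otherwise the KDC stage that failed
    client_princ: Optional[str]
    server_princ: Optional[str]
    detail: str

    @property
    def failed(self) -> bool:
        return self.status != "ISSUE"

    @property
    def pac_related(self) -> bool:
        return self.status in PAC_STATUSES or "TGT has been revoked" in self.detail


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Turn krb5kdc.log request lines into KdcEvent records; other lines are skipped."""
    events: List[KdcEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PRINC_RE.search(m["detail"])
        events.append(KdcEvent(
            m["ts"], m["host"], m["req"], m["client"], m["status"],
            p.group(1) if p else None, p.group(2) if p else None, m["detail"],
        ))
    return events


def pac_failures(events: List[KdcEvent]) -> List[KdcEvent]:
    """Failed requests whose status points at PAC/authdata handling."""
    return [e for e in events if e.failed and e.pac_related]


if __name__ == "__main__":
    for e in pac_failures(parse_kdc_log(SAMPLE_KDC_LOG)):
        print(f"{e.timestamp} {e.kdc_host}: {e.request} from {e.client_addr} "
              f"{e.client_princ} -> {e.server_princ}: {e.status}")
```

A burst of `HANDLE_AUTHDATA` failures for many different client principals right after an upgrade, as in this post, distinguishes a server-side SID/ID-range problem from individual users mistyping passwords (those show up as `PREAUTH_FAILED` for one principal at a time), which is why the status field rather than the free-text detail is what the filter keys on.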
Diff between giving User direct membership vs a User Group to a Posix or NON-Posix User Group?
by Finn Fysj
I have a running IPA server which has both POSIX and NON-POSIX User Groups. However, I'm not using FreeIPA in a classic manner, mostly just as a LDAP server with GUI making it easier for end users to manage their stuff.
I'm curious if there's a difference between Users or Users Groups when assigning these to a POSIX or NON-POSIX user group?
E.g
A user was not able to SSH into a machine because the user couldn't be found as a member of the group:
$ getent group test-group
test-group:*:5010:
In the example above, I have attached membership to another User Group: end_users --> test-group. However, if I give a user in end_users direct access to the test-group, they can successfully SSH and they're shown in the getent command:
$ getent group test-group
test-group:*:5010:userX
Of course, with NON-POSIX group I'm not able to run any commands, but I haven't had any problems when I
2 days, 13 hours
Install FreeIPA with own CA and SUBCA
by KERVELLEC Joseph
Hello,
I am trying to install FreeIPA with my own CA and certutil rejects my RootCA (Certificate type not approved for application).
The issue is when certutil verifies the RootCA with the certusage SSL CA (option -u L). My rootCA does not include sslCA in nsscertype.
Is there a way to install FreeIPA and change the certutil verification (option -u to A instead of L)?
I have tried multiple installs:
- FreeIPA with all certificates (httpd, dirsrv, kerberos), rejects me with 'Certificate type not approved for application'
- FreeIPA with external-ca and update the subject, rejects me with the emailAddress object
- FreeIPA with no certificate options and added my ROOTCA with ipa-ca-install, rejects me with 'Certificate type not approved for application'
Best regards,
Joseph KERVELEC
6 days, 20 hours
Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
by Alexander Bokovoy
On Mon, 20 Nov 2023, Kroon PC, Peter wrote:
>Hi all,
>
>I went for option B and deleted some offending groups and users, and adjusted the gidNumber of those that remained. Running `/usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids` produces the following logs:
>[20/Nov/2023:14:39:00.414065260 +0100] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
>[20/Nov/2023:14:39:00.472454841 +0100] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [0].
>
>which to me means good news.
>
>However, `kinit admin`, confirming success with `klist`, and then trying `ipa user-show admin` gives:
>ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (Credential cache is empty)
>
>krb5kdc.log:
>Nov 20 14:56:04 freeipa.example.com krb5kdc[427](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes {rep=UNSUPPORTED:(0)} HTTP/freeipa.example.com(a)EXAMPLE.COM for ldap/freeipa.example.com(a)EXAMPLE.COM, TGT has been revoked
>
>Further advice would be most welcome while I try to figure out how to have outlook behave nicely with inline responses...
admin already has the SID assigned manually, so theoretically it should
already have a ticket with PAC issued.
I suspect you have some misconfiguration that disables PAC issuance at
all. Can you check your kdc.conf that it doesn't have 'disable_pac' set
in it? It is in /var/kerberos/krb5kdc/kdc.conf
Alternatively, it might be something with the default configuration:
# ipa -e in_server=True config-show --raw |grep ipakrbauthzdata
This should return
ipakrbauthzdata: MS-PAC
ipakrbauthzdata: nfs:NONE
>
>Peter
>
>
>________________________________________
>From: Alexander Bokovoy <abokovoy(a)redhat.com>
>Sent: Thursday 9 November 2023 14:32
>To: Kroon PC, Peter
>CC: Rob Crittenden; FreeIPA users list
>Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
>
>On Thu, 09 Nov 2023, Kroon PC, Peter wrote:
>>Hi all,
>>
>>to confirm, both uidNumber and gidNumber must be within the ID range
>>right? I have 1 user and 22 groups that got assigned numbers outside
>>the range. Would it be possible to constrain these at an ldap level?
>
>Correct, they must be within the range.
>You can use approach outlined in the following discussion from 2017 to
>create the range:
>https://listman.redhat.com/archives/freeipa-users/2017-February/026913.html
>
>>
>>Peter
>>
>>________________________________________
>>From: Alexander Bokovoy <abokovoy(a)redhat.com>
>>Sent: Tuesday 7 November 2023 09:34
>>To: Kroon PC, Peter
>>CC: Rob Crittenden; FreeIPA users list
>>Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
>>
>>On Mon, 06 Nov 2023, Kroon PC, Peter wrote:
>>>Hi all,
>>>
>>>thanks for the response, and my apologies for my slow reply -- life happened.
>>>I put my responses inline. It seems that the ldapupdate file you provided generated a SID config.
>>
>>Thanks. It is hard to read your inline responses as they went without
>>proper quoting but I think I understood what you wanted to show.
>>
>>You still need to add an ID range that covers your actual POSIX IDs. Without
>>that we wouldn't be able to generate SIDs either.
>>
>>After an ID range is added, `ipa config-mod --enable-sid --add-sids`
>>should fix the rest.
>>
>>
>>>
>>>Peter
>>>
>>>
>>>________________________________________
>>>From: Alexander Bokovoy <abokovoy(a)redhat.com>
>>>Sent: Thursday 26 October 2023 16:59
>>>To: Kroon PC, Peter
>>>CC: Rob Crittenden; FreeIPA users list
>>>Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
>>>
>>>On Thu, 26 Oct 2023, Kroon PC, Peter wrote:
>>>>Hi Alexander and Rob,
>>>>
>>>>many thanks for your prompt responses :)
>>>>I made a new lxc machine and restored a backup so at least I have a working environment again. I kept the broken one for further investigation which I'll use to provide more information.
>>>>I'm not super comfortable using mailing lists, and I'm not sure whether my mail client (outlook) will mangle my inline responses.
>>>>
>>>>Peter
>>>>
>>>>________________________________________
>>>>From: Alexander Bokovoy <abokovoy(a)redhat.com>
>>>>Sent: Wednesday 25 October 2023 20:49
>>>>To: Rob Crittenden
>>>>CC: FreeIPA users list; Kroon PC, Peter
>>>>Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
>>>>
>>>>On Wed, 25 Oct 2023, Rob Crittenden wrote:
>>>>>Alexander Bokovoy via FreeIPA-users wrote:
>>>>>> On Wed, 25 Oct 2023, Kroon PC, Peter via FreeIPA-users wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> After upgrading to Rocky linux 9.2 I'm running into issues with my IPA
>>>>>>> server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred:
>>>>>>>
>>>>>>> $ kinit admin
>>>>>>> Password for admin(a)EXAMPLE.COM:
>>>>>>> $ ipa show-user admin
>>>>>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>>>>>>> Error: No credentials were supplied, or the credentials were
>>>>>>> unavailable or inaccessible (Credential cache is empty)
>>>>>>>
>>>>>>> /var/log/krb5kdc.log:
>>>>>>> okt 24 16:17:48 freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes
>>>>>>> {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
>>>>>>> aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)})
>>>>>>> 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes
>>>>>>> {rep=UNSUPPORTED:(0)} HTTP/freeipa.example.com(a)EXAMPLE.COM for
>>>>>>> ldap/freeipa.example.com(a)EXAMPLE.COM, TGT has been revoked
>>>>>>>
>>>>>>> As the log shows, the KDC states there is no PAC, and therefore revokes
>>>>>>> the TGT (note, I had to RTFS to decipher the S4U2PROXY_NO_HEADER_PAC).
>>>>>>> Because of this, the web gui also doesn't work.
>>>>>>
>>>>>> That is a correct description of the reason why it does not work.
>>>>>>
>>>>>>>
>>>>>>> $ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl
>>>>>>> "ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier
>>>>>>> SASL/GSSAPI authentication started
>>>>>>> SASL username: admin(a)EXAMPLE.COM
>>>>>>> SASL SSF: 256
>>>>>>> SASL data security layer installed.
>>>>>>> # extended LDIF
>>>>>>> #
>>>>>>> # LDAPv3
>>>>>>> # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>>>>>>> # filter: ipaNTSecurityIdentifier=*
>>>>>>> # requesting: uid ipaNTSecurityIdentifier
>>>>>>> #
>>>>>>>
>>>>>>> # admin, users, accounts, example.com
>>>>>>> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>>>>>>> uid: admin
>>>>>>> ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500
>>>>>>>
>>>>>>> # search result
>>>>>>> search: 4
>>>>>>> result: 0 Success
>>>>>>>
>>>>>>> # numResponses: 2
>>>>>>> # numEntries: 1
>>>>>>>
>>>>>>> Out of the ~200 or so users only the admin user has a
>>>>>>> ipaNTSecurityIdentifier, but I don't know if it's correct...
>>>>>>> I can't run `ipa config-mod --enable-sid --add-sids`, since my ipa CLI
>>>>>>> is broken. I do still have LDAP access fortunately.
>>>>>>
>>>>>> You can run it, see below. If you'd run, do you have any error messages in
>>>>>> the dirsrv errors log related to sidgen plugin?
>>>>>>
>>>>>>>
>>>>>>> I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf,
>>>>>>> but that results in the exact same error. Setting ipaKrbAuthzData=None
>>>>>>> in cn=ipaConfig also has no effect.
>>>>>>
>>>>>> No, one cannot disable PAC globally in FreeIPA. S4U operations
>>>>>> require PAC presence since last year, so for any real Kerberos service
>>>>>> that uses S4U (like IPA API or web UI) one cannot disable PAC
>>>>>> enforcement.
>>>>
>>>>This is useful information :)
>>>>
>>>>>>
>>>>>> Look at your ID range and SID configuration. You can avoid admin issue
>>>>>> currently by running 'ipa' tool on IPA server as root with '-e
>>>>>> in_server=true' option. This will force the tool to simulate direct
>>>>>> access (as if it is running within httpd) and talk directly to LDAPI
>>>>>> socket.
>>>>>>
>>>>>> Something like below:
>>>>>>
>>>>>> # KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>>>>>> ipa: WARNING: API Version number was not sent, forward compatibility not
>>>>>> guaranteed. Assuming server's API version, 2.253
>>>>>> Domain: ipa1.test
>>>>>> Security Identifier: S-1-5-21-790702333-3825749031-3739951824
>>>>>> NetBIOS name: IPA1
>>>>>> Domain GUID: 529fcbe9-3e34-436d-a541-6ffa88e7dac1
>>>>>> Fallback primary group: Default SMB Group
>>>>>> IPA AD trust agents: master1.ipa1.test
>>>>>> IPA AD trust controllers: master1.ipa1.test
>>>>
>>>>KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>>>>ipa: ERROR: : trust configuration not found
>>>
>>>Ok, let's try differently. Can you provide output of
>>>
>>># ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-EXAMPLE-COM.socket \
>>> -b cn=ad,cn=etc,dc=example,dc=com
>>>
>>>(replace EXAMPLE-COM and dc=example,dc=com by your domain data)
>>>
>>>dn: cn=ad,cn=etc,dc=example,dc=com
>>>objectClass: nsContainer
>>>objectClass: top
>>>cn: cn
>>>cn: ad
>>>>
>>>>
>>>>>>
>>>>>> # KRB5CACHE=/dev/null ipa -e in_server=true idrange-find
>>>>>> ipa: WARNING: API Version number was not sent, forward compatibility not
>>>>>> guaranteed. Assuming server's API version, 2.253
>>>>>> ----------------
>>>>>> 5 ranges matched
>>>>>> ----------------
>>>>>> Range name: IPA1.TEST_id_range
>>>>>> First Posix ID of the range: 1055600000
>>>>>> Number of IDs in the range: 200000
>>>>>> First RID of the corresponding RID range: 1000
>>>>>> First RID of the secondary RID range: 100000000
>>>>>> Range type: local domain range
>>>>>>
>>>>>> ... [ skip ] ...
>>>>>>
>>>>>>
>>>>
>>>>ipa: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.251
>>>>----------------
>>>>2 ranges matched
>>>>----------------
>>>> Range name: EXAMPLE.COM_id_range
>>>> First Posix ID of the range: 1000
>>>> Number of IDs in the range: 4000
>>>> Range type: local domain range
>>>
>>>This one is definitely not configured to handle SIDs. Also, see my
>>>comment at the bottom of this email.
>>>
>>>>
>>>> Range name: EXAMPLE.COM_subid_range
>>>> First Posix ID of the range: 2147483648
>>>> Number of IDs in the range: 2147352576
>>>> First RID of the corresponding RID range: 2147479648
>>>> Domain SID of the trusted domain: S-1-5-21-738065-838566-2966017632
>>>> Range type: Active Directory domain range
>>>>----------------------------
>>>>Number of entries returned 2
>>>>----------------------------
>>>>
>>>>>
>>>>>In my testing you can't run config-mod without a principal, and running
>>>>>in-server does not have a principal.
>>>>>
>>>>># KRB5CACHE=/dev/null ipa -e in_server=true config-mod --add-sids
>>>>>--enable-sid
>>>>>[snip]
>>>>> File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py",
>>>>>line 701, in pre_callback
>>>>> self._enable_sid(ldap, options)
>>>>> File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py",
>>>>>line 512, in _enable_sid
>>>>> if not principal_has_privilege(self.api, context.principal, privilege):
>>>>> ^^^^^^^^^^^^^^^^^
>>>>>AttributeError: '_thread._local' object has no attribute 'principal'
>>>>>ipa: ERROR: an internal error has occurred
>>>>
>>>>Thank you, Rob. I did not check that part.
>>>>
>>>>On IPA master one can run the oddjobd-activated script directly:
>>>>
>>>># /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids
>>>>
>>>>$ /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids
>>>>Configuring SID generation
>>>> [1/8]: creating samba domain object
>>>> [error] TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>>>('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>>>The ipa-enable-sid command failed. See /var/log/ipaserver-enable-sid.log for more information
>>>>
>>>>Python traceback from the log:
>>>>2023-10-26T13:24:21Z DEBUG Traceback (most recent call last):
>>>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
>>>> run_step(full_msg, method)
>>>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
>>>> method()
>>>> File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 485, in __create_samba_domain_object
>>>> api.Backend.ldap2.add_entry(entry)
>>>> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1893, in add_entry
>>>> super(LDAPCache, self).add_entry(entry)
>>>> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1659, in add_entry
>>>> self.conn.add_s(str(entry.dn), list(attrs.items()))
>>>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in add_s
>>>> return self.add_ext_s(dn,modlist,None,None)
>>>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 221, in add_ext_s
>>>> msgid = self.add_ext(dn,modlist,serverctrls,clientctrls)
>>>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 218, in add_ext
>>>> return self._ldap_call(self._l.add_ext,dn,modlist,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
>>>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
>>>> result = func(*args,**kwargs)
>>>>TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>>>
>>>>2023-10-26T13:24:21Z DEBUG [error] TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>>>2023-10-26T13:24:21Z DEBUG Destroyed connection context.ldap2_140617190554016
>>>>2023-10-26T13:24:21Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
>>>> return_value = self.run()
>>>> File "/usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid", line 68, in run
>>>> smb.create_instance()
>>>> File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 913, in create_instance
>>>> self.start_creation(show_service_name=False)
>>>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
>>>> run_step(full_msg, method)
>>>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
>>>> method()
>>>> File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 485, in __create_samba_domain_object
>>>> api.Backend.ldap2.add_entry(entry)
>>>> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1893, in add_entry
>>>> super(LDAPCache, self).add_entry(entry)
>>>> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1659, in add_entry
>>>> self.conn.add_s(str(entry.dn), list(attrs.items()))
>>>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in add_s
>>>> return self.add_ext_s(dn,modlist,None,None)
>>>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 221, in add_ext_s
>>>> msgid = self.add_ext(dn,modlist,serverctrls,clientctrls)
>>>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 218, in add_ext
>>>> return self._ldap_call(self._l.add_ext,dn,modlist,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
>>>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
>>>> result = func(*args,**kwargs)
>>>>
>>>>2023-10-26T13:24:21Z DEBUG The ipa-enable-sid command failed, exception: TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>>>
>>>>
>>>>I still need to see ID range and trustconfig-show output to understand
>>>>the state of this deployment. Also, dirsrv errors log would be helpful
>>>>if there was an attempt to run sidgen in past.
>>>>
>>>>I went through the dirsrv logs, and found the following:
>>>>[24/Oct/2023:10:25:34.071341978 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
>>>>[24/Oct/2023:10:25:34.300104111 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [52021] into an unused SID.
>>>>[24/Oct/2023:10:25:34.300266490 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
>>>>[24/Oct/2023:10:25:34.303536359 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
>>>
>>>You have a range that defines UID/GID space of [1000...5000] but IDs are
>>>outside this range. This is pretty much wrong regardless of whether we
>>>enforce SIDs or not ;)
>>>
>>>You need to create a separate ID range that would cover your existing
>>>IDs. Before that, we need to create a configuration to be used for SID
>>>generation -- if the ldapsearch above would show us that the entry in
>>>cn=ad,cn=etc,$SUFFIX does not exist.
>>>
>>>Since ipa-enable-sid has failed, probably the entry indeed does not exist and
>>>it would be easier to construct it with ipa-ldap-updater tool:
>>>
>>>----
>>>dn: cn=${DOMAIN},cn=ad,cn=etc,${SUFFIX}
>>>default:objectClass: ipaNTDomainAttrs
>>>default:objectClass: nsContainer
>>>default:objectClass: top
>>>default:cn: ${DOMAIN}
>>>default:ipaNTFlatName: NETBIOSNAME
>>>default:ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440
>>>default:ipaNTDomainGUID: 529fcbe9-3e34-3122-a541-6786236014c1
>>>default:ipaNTFallbackPrimaryGroup: cn=Default SMB Group,cn=groups,cn=accounts,${SUFFIX}
>>>----
>>>
>>>Change 'NETBIOSNAME' above to some name. By default that would be the
>>>first part of your Kerberos realm, e.g. for IPA1.TEST that would be
>>>IPA.
>>>
>>>The SID value (S-1-5-21-...) is the one that your admin user has,
>>>without the last part (relative identifier, RID, which is -500 for
>>>administrator case).
>>>
>>>Save this to a file named '90-somefile.update' and run as root
>>>
>>># ipa-ldap-updater ./90-somefile.update
>>>
>>>
>>>Alright, it said "update successful". The ldapsearch above now produces:
>>># ad, etc, example.com
>>>dn: cn=ad,cn=etc,dc=example,dc=com
>>>objectClass: nsContainer
>>>objectClass: top
>>>cn: cn
>>>cn: ad
>>>
>>># example.com, ad, etc, example.com
>>>dn: cn=example.com,cn=ad,cn=etc,dc=example,dc=com
>>>objectClass: ipaNTDomainAttrs
>>>objectClass: nsContainer
>>>objectClass: top
>>>cn: example.com
>>>ipaNTFlatName: MYNETBIOSNAME
>>>ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440
>>>ipaNTDomainGUID: 529fcbe9-3e34-3122-a541-6786236014c1
>>>ipaNTFallbackPrimaryGroup: cn=Default SMB Group,cn=groups,cn=accounts,dc=example,dc=com
>>>
>>>--
>>>/ Alexander Bokovoy
>>>Sr. Principal Software Engineer
>>>Security / Identity Management Engineering
>>>Red Hat Limited, Finland
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
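The sidgen errors quoted above ("Cannot convert Posix ID [52021] into an unused SID") and the reply that the deployment's ID range [1000...5000] does not cover its existing IDs describe one check: every uidNumber/gidNumber must fall inside a local ID range before sidgen can derive a RID for it. The following is an added example of that check, not code from the thread or from FreeIPA; the range definition, the entries and the range name are constructed sample data (the 1000-5000 range and the ID 52021 are the values quoted above), and the RID derivation ignores FreeIPA's secondary RID base for simplicity.

```python
"""Check which Posix IDs in IPA entries are covered by the local ID ranges.

Added example, not FreeIPA's own code. sidgen assigns a SID to an entry only
when its uidNumber/gidNumber lies inside a local ID range; the RID is the
offset inside that range plus the range's RID base (secondary RID base is
ignored here as a simplification).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IDRange:
    """One local ID range: IDs in [base_id, base_id + size) with a RID base."""
    name: str
    base_id: int
    size: int
    rid_base: int

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size

    def rid_for(self, posix_id: int) -> int:
        """RID sidgen would derive for an ID that lies inside this range."""
        if not self.covers(posix_id):
            raise ValueError(f"{posix_id} is outside range {self.name}")
        return self.rid_base + (posix_id - self.base_id)


# Constructed sample data: the 1000-5000 range quoted in the thread and
# three entries, one covered (alice) and two outside the range (bob, legacy).
SAMPLE_RANGES = [IDRange("EXAMPLE.COM_id_range", base_id=1000, size=4000, rid_base=1000)]
SAMPLE_ENTRIES = [
    ("uid=alice,cn=users,cn=accounts,dc=example,dc=com", [1001, 1001]),
    ("uid=bob,cn=users,cn=accounts,dc=example,dc=com", [52021, 52021]),
    ("cn=legacy,cn=groups,cn=accounts,dc=example,dc=com", [60000]),
]


def uncovered_ids(ranges, entries):
    """Return (dn, posix_id) for every uidNumber/gidNumber no range covers.

    Each entry is (dn, [uidNumber, gidNumber, ...]); duplicates collapse so an
    entry whose uid and gid are equal is reported once.
    """
    return [
        (dn, posix_id)
        for dn, ids in entries
        for posix_id in sorted(set(ids))
        if not any(r.covers(posix_id) for r in ranges)
    ]


def propose_range(ranges, uncovered, name):
    """Propose one extra range covering all uncovered IDs.

    Assumption: a single contiguous extra range is acceptable. Its RID base is
    placed right after the highest RID any existing range can hand out, and
    the ID space is checked for overlap with the existing ranges.
    """
    ids = [posix_id for _, posix_id in uncovered]
    base, size = min(ids), max(ids) - min(ids) + 1
    rid_base = max(r.rid_base + r.size for r in ranges)  # first unused RID
    for r in ranges:
        if base < r.base_id + r.size and r.base_id < base + size:
            raise ValueError(f"proposed ID space overlaps {r.name}")
    return IDRange(name, base, size, rid_base)


if __name__ == "__main__":
    missing = uncovered_ids(SAMPLE_RANGES, SAMPLE_ENTRIES)
    for dn, posix_id in missing:
        print(f"no ID range covers {posix_id}: {dn}")
    if missing:
        extra = propose_range(SAMPLE_RANGES, missing, "EXAMPLE.COM_extra_range")
        print(f"propose: base {extra.base_id} size {extra.size} rid base {extra.rid_base}")
```

The proposed range is only a starting point: the real `ipa idrange-add` call must also avoid the RID spaces of every existing range (primary and secondary), which this simplified check does not model.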
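The procedure above (take the admin user's SID without its trailing RID -500, pick a NetBIOS flat name, write the entry as a `90-somefile.update` file for ipa-ldap-updater) is mechanical enough to script. Below is an added example that does so; it is not code from the thread or from FreeIPA. It assumes that ipa-ldap-updater expands `${DOMAIN}` and `${SUFFIX}` itself (they are kept as placeholders, as in the quoted file) and that the default flat name is the first realm label; the SID and GUID used as sample input are the values quoted in the thread, the realm is constructed.

```python
"""Render the cn=ad,cn=etc update file from the admin SID and the realm.

Added example, not FreeIPA's own code. ${DOMAIN} and ${SUFFIX} are left for
ipa-ldap-updater to expand (assumption); only the flat name, the domain SID
and the domain GUID are filled in, with the input validated first.
"""
import re

# S-1-5-21-<a>-<b>-<c>-<rid>: the three sub-authorities identify the domain,
# the final component is the relative identifier (RID) of the account.
USER_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
ADMIN_RID = 500  # well-known RID of the administrator account


def domain_sid_from_user_sid(user_sid, expected_rid=ADMIN_RID):
    """Strip the RID from a user SID to get the domain SID.

    Refuses a SID whose RID is not the expected one so that a group's or an
    ordinary user's SID is not used for the domain entry by mistake.
    """
    m = USER_SID_RE.match(user_sid)
    if not m:
        raise ValueError(f"not a domain account SID: {user_sid!r}")
    domain_sid, rid = m.group(1), int(m.group(2))
    if rid != expected_rid:
        raise ValueError(f"RID {rid} is not the admin RID {expected_rid}")
    return domain_sid


def netbios_from_realm(realm):
    """Default flat name: first realm label, upper case, NetBIOS length limit (15)."""
    label = realm.split(".")[0].upper()
    if not re.fullmatch(r"[A-Z0-9-]{1,15}", label):
        raise ValueError(f"{label!r} is not usable as a NetBIOS name")
    return label


def render_update(realm, admin_sid, domain_guid, netbios=None):
    """Return the text of 90-somefile.update for ipa-ldap-updater."""
    if not GUID_RE.match(domain_guid):
        raise ValueError(f"not a GUID: {domain_guid!r}")
    flat_name = netbios or netbios_from_realm(realm)
    domain_sid = domain_sid_from_user_sid(admin_sid)
    lines = [
        "dn: cn=${DOMAIN},cn=ad,cn=etc,${SUFFIX}",
        "default:objectClass: ipaNTDomainAttrs",
        "default:objectClass: nsContainer",
        "default:objectClass: top",
        "default:cn: ${DOMAIN}",
        f"default:ipaNTFlatName: {flat_name}",
        f"default:ipaNTSecurityIdentifier: {domain_sid}",
        f"default:ipaNTDomainGUID: {domain_guid}",
        "default:ipaNTFallbackPrimaryGroup: "
        "cn=Default SMB Group,cn=groups,cn=accounts,${SUFFIX}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Sample input: SID and GUID quoted in the thread, constructed realm.
    print(render_update(
        "IPA.EXAMPLE.COM",
        "S-1-5-21-3777974847-1414448952-306354440-500",
        "529fcbe9-3e34-3122-a541-6786236014c1",
    ), end="")
```

Write the output to `90-somefile.update` and run `ipa-ldap-updater ./90-somefile.update` as root, as the reply describes; the `ldapsearch` afterwards should show the `ipaNTDomainAttrs` entry under `cn=ad,cn=etc`.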
Can you automount the home folders on San Storage via free ipa?
by Alper AYKUT
Hello, I can automatically add home folders in an NFS environment to users
via automount and autofs. We have a plan to buy a SAN PowerVault ME series
storage from Dell in the near future.
Our 4 servers will not have local disks except for the operating system;
these disks will be connected with 32 Gb Fibre Channel to the PowerVault
SAN. The home folder will be on the SAN storage, and users connecting to the
server will automatically connect to their home directories on the storage.
How can I do this, as I did in FreeIPA via NFS? There was no problem
connecting with NFS using automount and autofs.
But now there is no NFS in the environment and the disks will be connected
with Fibre Channel. I need your help and valuable guidance on this issue.
Thank you for your support.
Alper