ACME service is disabled
by Georgy Safronov
Hello! On one of our IPA masters (alma9.2, ipa 4.10.1, CA renewal master) we have some problems with pki-tomcat; the neighbouring master (alma9.2, ipa 4.10.1, ca role) does not have the same problems. ipactl status and ipa-healthcheck report all ok, and restarting the services also goes normally. But the pki debug log is flooded with a Java exception:
[root@dc1 ~]# tail -n 57 /var/log/pki/pki-tomcat/pki/debug.2023-05-23.log
2023-05-23 14:30:21 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-2] ERROR: RESTEASY002010: Failed to execute
javax.ws.rs.ServiceUnavailableException: ACME service is disabled
at org.dogtagpki.acme.server.ACMERequestFilter.filter(ACMERequestFilter.java:48)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:263)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
at jdk.internal.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:222)
at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at jdk.internal.reflect.GeneratedMethodAccessor51.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:433)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1724)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:833)
There is also some flood in systemctl status pki-tomcatd(a)pki-tomcat.service like:
[root@dc1 ~]# journalctl -u pki-tomcatd(a)pki-tomcat.service --no-pager|tail -n 4
May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The SHA-1 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The MD2 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The MD5 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The SHA-1 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
What could be the reason for these messages? And how to fix it? Thank you in advance!
11 months
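A note on reading the trace above: ACMERequestFilter is a JAX-RS request filter on the ACME endpoint, and the stack ends in AjpProcessor, so every copy of this exception is one HTTP request to the /acme/ URLs that httpd proxied to pki-tomcat and the filter refused because ACME is switched off. The flood therefore says "something keeps asking a disabled service", not "pki-tomcat is broken". The script below is an added example written for this page (not code from the poster or from Dogtag): it counts the rejections per minute in the pki debug log and groups /acme/ requests in the httpd access log by client address. The debug-log sample uses the format quoted in the post; the access-log lines, the client addresses and user agents, and the file paths in the comments are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of /var/log/pki/pki-tomcat/pki/debug.*.log
# as quoted in the post: three rejected ACME requests plus one unrelated error.
PKI_DEBUG_SAMPLE = """\
2023-05-23 14:30:21 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-2] ERROR: RESTEASY002010: Failed to execute
javax.ws.rs.ServiceUnavailableException: ACME service is disabled
at org.dogtagpki.acme.server.ACMERequestFilter.filter(ACMERequestFilter.java:48)
2023-05-23 14:30:51 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-4] ERROR: RESTEASY002010: Failed to execute
javax.ws.rs.ServiceUnavailableException: ACME service is disabled
at org.dogtagpki.acme.server.ACMERequestFilter.filter(ACMERequestFilter.java:48)
2023-05-23 14:31:21 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-2] ERROR: RESTEASY002010: Failed to execute
javax.ws.rs.ServiceUnavailableException: ACME service is disabled
at org.dogtagpki.acme.server.ACMERequestFilter.filter(ACMERequestFilter.java:48)
2023-05-23 14:31:25 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] ERROR: RESTEASY002010: Failed to execute
javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path
"""

# Constructed httpd access log sample (combined log format, assumed path
# /var/log/httpd/access_log). Addresses and user agents are made up.
HTTPD_ACCESS_SAMPLE = """\
192.0.2.10 - - [23/May/2023:14:30:21 +0300] "GET /acme/directory HTTP/1.1" 503 167 "-" "certbot/2.6.0"
192.0.2.10 - - [23/May/2023:14:30:51 +0300] "GET /acme/directory HTTP/1.1" 503 167 "-" "certbot/2.6.0"
192.0.2.10 - - [23/May/2023:14:31:21 +0300] "GET /acme/directory HTTP/1.1" 503 167 "-" "certbot/2.6.0"
192.0.2.44 - - [23/May/2023:14:31:22 +0300] "GET /ipa/ui/ HTTP/1.1" 200 4567 "-" "Mozilla/5.0"
"""

ERROR_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d):\d\d \[([^\]]+)\] ERROR: ")
ACME_DISABLED = "javax.ws.rs.ServiceUnavailableException: ACME service is disabled"
ACCESS_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')


def acme_disabled_per_minute(debug_log: str) -> dict:
    """Count rejected ACME requests per minute.

    An ERROR line immediately followed by the ServiceUnavailableException line
    is one rejected request; the ERROR line's timestamp (to the minute) is the bucket.
    """
    counts = Counter()
    pending = None                      # minute of the ERROR line just seen
    for line in debug_log.splitlines():
        m = ERROR_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        if pending and line.startswith(ACME_DISABLED):
            counts[pending] += 1
        pending = None
    return dict(counts)


def acme_clients(access_log: str) -> dict:
    """Group requests to /acme/ by client address with status codes and user agents."""
    clients = defaultdict(lambda: {"count": 0, "status": Counter(), "agents": set()})
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        addr, _method, path, status, agent = m.groups()
        if not path.startswith("/acme/"):
            continue
        entry = clients[addr]
        entry["count"] += 1
        entry["status"][status] += 1
        entry["agents"].add(agent)
    return dict(clients)


def summarize(debug_log: str, access_log: str) -> dict:
    """Combine both views: how many rejections, when they peak, and who sends them."""
    per_minute = acme_disabled_per_minute(debug_log)
    busiest = max(per_minute, key=per_minute.get) if per_minute else None
    return {
        "rejected_total": sum(per_minute.values()),
        "busiest_minute": busiest,
        "clients": {addr: e["count"] for addr, e in acme_clients(access_log).items()},
    }


if __name__ == "__main__":
    print(summarize(PKI_DEBUG_SAMPLE, HTTPD_ACCESS_SAMPLE))
```

Run it against the real files by reading them in place of the two samples. If the client list points at an ACME client on your network, the fix is on that client (or, if ACME is actually wanted, `ipa-acme-manage enable` on the server); `ipa-acme-manage status` tells you what state the server is meant to be in.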
Re: Authentication failures on a RHEL 9.2 IPA server
by Charles Hedrick
I got my test servers working properly. But when I did my first production server, I ran into problems that might affect others:
Unlike the test, for the primary migration I wanted to generate SIDs before doing the upgrade, to minimize downtime after the upgrade. In testing, I used "ipa config-mod --add-sids --enable-sid" on an upgraded (RHEL 9.2) server. It worked fine once I got the necessary idranges set up. However on the production service "ipa config-mod --add-sids --enable-sid" was done under RHEL 9.0 with IPA 4.9.8. It gave an error when there was a UID and GID with the same numeric value. In the new version, it used the secondary SID, but not always with the old version. I had to set the SIDs manually in some cases.
This is simply a warning for people trying the same thing. Error messages occur in /var/log/dirserv/.../errors. There's no sign from the command line of any problems.
________________________________
From: Charles Hedrick via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Monday, May 15, 2023 4:33 PM
To: Rob Crittenden <rcritten(a)redhat.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Sam Morris <sam(a)robots.org.uk>; Alexander Bokovoy <abokovoy(a)redhat.com>; Charles Hedrick <hedrick(a)rutgers.edu>
Subject: [Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server
ipa id-range-find didn't find the ranges on the other servers after I added them on one. It found the primary ranges (managed by ipa-replica-manage) on all 3 systems, but of course they are different.
________________________________
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: Monday, May 15, 2023 4:15 PM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Sam Morris <sam(a)robots.org.uk>; Alexander Bokovoy <abokovoy(a)redhat.com>; Charles Hedrick <hedrick(a)rutgers.edu>
Subject: Re: [Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server
Charles Hedrick via FreeIPA-users wrote:
> OK, so I see the answer to my problem is to run
>
> ipa config-mod --add-sids --enable-sid
>
> But we have old UIDs that with low numbers. It looks like I need to do
>
> ipa idrange-add CS.RUTGERS.EDU_low_id_range --base-id=1 --range-size=200000 --rid-base=200000000 --secondary-rid-base=300000000
> ipa idrange-add CS.RUTGERS.EDU_mid_id_range --base-id=600000 --range-size=200000 --rid-base=400000000 --secondary-rid-base=500000000
>
> In order for ipa user-add for those UIDs to work on any system,
> presumably I have to do that on all IPA servers. Is that OK? I'm
> assuming new id's where we don't specify a UID will be put in the same
> range before, which is different on each server.
Ranges are global, not per-server. So assuming your ranges are ok and
there are no overlaps for the IDs or RID ranges this is probably ok, but
I'm not a PAC expert.
I think what you're seeing is the DNA (Distributed Numeric Assignment)
plugin at work.
On the first installed server, DNA has the full range of id_range values
to generate UIDs and GIDs. The first time a replica needs to generate a
UID/GID it requests a range and gets half of the allocation. A replica
does not automatically get a range on install. The more servers you have
AND the more replicas you've added entries on, the smaller the available
ranges may be. You can use ipa-replica-manage to display and manipulate
the ranges.
rob
>
> ------------------------------------------------------------------------
> *From:* Sam Morris via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
> *Sent:* Monday, May 15, 2023 8:08 AM
> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Alexander Bokovoy <abokovoy(a)redhat.com>; Sam Morris
> <sam(a)robots.org.uk>
> *Subject:* [Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA
> server
>
> On Mon, May 15, 2023 at 09:28:22AM +0300, Alexander Bokovoy via
> FreeIPA-users wrote:
>> On su, 14 touko 2023, Sam Morris wrote:
>> > On Fri, May 12, 2023 at 06:19:44PM +0100, Sam Morris via FreeIPA-users wrote:
>> > > I wonder about the root cause; is this because MIT Kerberos 1.20 always
>> > > wants to include a PAC in its issued TGTs, and it gives up if it can't
>> > > retrieve a user's SID from the directory? (If so I wonder if setting
>> > > disable_pac = true in the realm section of krb5.conf would have worked
>> > > around the problem?)
>> >
>> > This seems to be the case. Specifically I:
>> >
>> > 1. Removed the ipantsecurityidentifier attribute from a user, and
>> > removed ipantuserattrs from the user's objectclass
>> > 2. Tried to log in as the user & got the same failures + 'No such file
>> > or directory' message in /var/log/krb5kdc.log
>> > 3. Edited /var/kerberos/krb5kdc/kdc.conf, adding 'disable_pac = true'
>> > within the realm-specific configuration in the realms section
>> > 4. Restarted krb5kdc
>> > 5. Tried to log in as the user and it worked!
>> >
>> > The docs for disable_pac say:
>> >
>> > If true, the KDC will not issue PACs for this realm, and S4U2Self
>> > and S4U2Proxy operations will be disabled. The default is false,
>> > which will permit the KDC to issue PACs. New in release 1.20.
>> >
>> > ... which doesn't explain that if the KDC can't issue a PAC for some
>> > reason then the KDC will fail to issue the TGT. But at least I've gotten
>> > to the bottom of things now. :)
>>
>> RHEL IdM documentation has a separate chapter related to it.
>>
>> RHEL 9:
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
>>
>> RHEL 8:
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
>>
>> This documentation is in place since summer 2022.
>
> Brilliant. It's interesting that the docs say "As of RHEL 8.6, Kerberos
> in IdM requires that your IdM objects have SIDs, which are necessary for
> security based on Privilege Access Certificate (PAC) information.", but
> I had no problems with authentication on my RHEL 8.6/8.7 servers...
>
>> > > "After upgrading, krb5kdc may fail to issue TGTs to users who have not
>> > > had a SID assigned to their accounts ('ipa user-show user --all' will
>> > > not include an ipantsecurityidentifier attribute). In this case
>> > > krb5kdc.log will log a message "HANDLE_AUTHDATA: user(a)EXAMPLE.COM for
>> > > krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, No such file or directory". This can be
>> > > fixed by running 'ipa config-mod --enable-sid --add-sids' as an IPA
>> > > admin on another IPA server."
>> >
>> > ... "or on the same server after temporarily setting "disable_pac =
>> > true" in kdc.conf, and restarting krb5kdc."
>>
>> You should not be disabling PAC because you are really setting yourself
>> up to an attack with a known exploit out in a wild.
>
> Absolutely--I just wanted to document what I'd found out, because there
> isn't a clear connection documented between the behaviour in RHEL 9.2
> with MIT Kerberos 1.20 and the behaviour seen when your IPA users don't
> have SIDs assigned.
>
> --
> Sam Morris <https://robots.org.uk/>
> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
11 months, 1 week
New primary rid range overlaps with existing primary rid range
by Andreas Binapfl
Greetings, we also upgraded to RHEL 9.2 and got the auth problems.
Following the advice here I wanted to use "ipa config-mod --enable-sid --add-sids" but unfortunately I get an error in /etc/messages:
ERR - ipa_range_check_pre_op - [file ipa_range_check.c, line 670]: New primary rid range overlaps with existing primary rid range.
Using ipa idrange-find:
----------------
3 ranges matched
----------------
Range name: DOMAIN.LOCAL_id_range
First Posix ID of the range: 512800000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range

Range name: DOMAIN.LOCAL_new_range
First Posix ID of the range: 1600
Number of IDs in the range: 2000
Range type: local domain range

Range name: DOMAIN.LOCAL_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-2958400175
Range type: Active Directory domain range
----------------------------
Number of entries returned 3
At first glance they seem not to overlap. Can someone help me troubleshoot this problem further?
11 months, 1 week
Disabled Domain fills IPA client sssd logs
by Ronald Wimmer
We do face the problem that we disabled a domain we do not need and that
this particular domain fills up sssd logs on the client side. Especially
sssd_nss.log. How could we possibly avoid this behavior?
Cheers,
Ronald
11 months, 1 week
Eliminating Basic Auth Prompt When Accessing FreeIPA Direct
by Jeff Hochberg
Hello!
Having only used it once...it's fair to say I'm a relatively new FreeIPA user.
I'm seeing undesirable behavior that I am unsure of how to disable.
Any time I use a browser to connect to the FreeIPA server, I see a Basic Auth prompt challenging me for username/password. I have to click cancel twice, then I see the forms-based login prompt - which is what I want to see by default.
Interestingly enough, I do not see the basic auth prompt when using Firefox. It only seems to happen with Chromium-based browsers.
I've tried searching for info on how to disable the basic auth prompt, but have not found anything as of yet.
Would someone please provide some guidance?
Thanks in advance!
Best Regards,
-JeffH
11 months, 1 week
failed to create/enable SID
by alexey safonov
After upgrading to RHEL 9.2 it seems I must enable SIDs in my prod setup.
So when I tried, I got an error message:
[18/May/2023:23:09:46.570447195 +0800] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[18/May/2023:23:09:46.571579606 +0800] - ERR - sidgen_task_add - [file ipa_sidgen_task.c, line 283]: Cannot find ranges.
After investigating/searching the forum it seems like an error with my ID range. But I can't see why. I have no overlaps:
----------------
4 ranges matched
----------------
dn: cn=INT.LHFT.IO_id_range,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
cn: INT.LHFT.IO_id_range
ipabaseid: 1368600000
ipaidrangesize: 200000
ipabaserid: 100000
iparangetype: ipa-local
objectclass: top
objectclass: ipaIDrange
objectclass: ipaDomainIDRange

dn: cn=INT.LHFT.IO_subid_range,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
cn: INT.LHFT.IO_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-328754306
iparangetype: ipa-ad-trust
objectclass: top
objectclass: ipaIDrange
objectclass: ipaTrustedADDomainRange

dn: cn=LHFT_1,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
cn: LHFT_1
ipabaseid: 10000
ipaidrangesize: 10000
ipabaserid: 10000
iparangetype: ipa-local
objectclass: ipaIDrange
objectclass: ipadomainidrange

dn: cn=LHFT_2,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
cn: LHFT_2
ipabaseid: 4000
ipaidrangesize: 5000
ipabaserid: 1000
iparangetype: ipa-local
objectclass: ipaIDrange
objectclass: ipadomainidrange
----------------------------
Number of entries returned 4
----------------------------
[root@lt-hk1-avm01 asafonov]#
Any ideas why I can't enable/generate SIDs?
11 months, 1 week
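Three posts on this page (Rob's "ranges are global, no overlaps for the IDs or RID ranges", Andreas's "New primary rid range overlaps with existing primary rid range", and Alexey's "Cannot find ranges" with local ranges that carry no secondary RID base) all come down to the same question: is the set of ID ranges consistent enough for SID generation? The checker below is an added example for this page, not FreeIPA code and not anything the posters ran. It reads either `ipa idrange-find` output or the raw LDIF-style output, treats each range as a half-open POSIX interval plus up to two RID intervals of the same size, and reports: POSIX intervals that overlap, RID intervals that overlap within the same SID domain (RIDs are relative to a domain SID, so a trust range and a local range may legitimately reuse RID numbers), a range whose own primary and secondary RID intervals collide, and local ranges that lack RID bases, since a SID is base RID plus the ID's offset into the range and cannot be derived without them. The first sample is Andreas's output copied from his post; the second is constructed in Alexey's raw format to show a collision. The rules are my reading of the error texts on this page, not a transcript of ipa_range_check.c.

```python
LABELS = {  # `ipa idrange-find` labels and raw LDAP attribute names -> one key
    "range name": "name", "cn": "name",
    "first posix id of the range": "base_id", "ipabaseid": "base_id",
    "number of ids in the range": "size", "ipaidrangesize": "size",
    "first rid of the corresponding rid range": "base_rid", "ipabaserid": "base_rid",
    "first rid of the secondary rid range": "sec_rid", "ipasecondarybaserid": "sec_rid",
    "range type": "rtype", "iparangetype": "rtype",
    "domain sid of the trusted domain": "sid", "ipanttrusteddomainsid": "sid",
}
LOCAL_TYPES = {"local domain range", "ipa-local"}

# Copied from Andreas Binapfl's post above (`ipa idrange-find` output).
IDRANGE_FIND_OUTPUT = """\
Range name: DOMAIN.LOCAL_id_range
First Posix ID of the range: 512800000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: DOMAIN.LOCAL_new_range
First Posix ID of the range: 1600
Number of IDs in the range: 2000
Range type: local domain range
Range name: DOMAIN.LOCAL_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-2958400175
Range type: Active Directory domain range
"""

# Constructed raw output in the shape of Alexey Safonov's post: two local
# ranges whose primary and secondary RID intervals collide. Names are made up.
RAW_OUTPUT = """\
dn: cn=EXAMPLE.TEST_id_range,cn=ranges,cn=etc,dc=example,dc=test
cn: EXAMPLE.TEST_id_range
ipabaseid: 1000000
ipaidrangesize: 200000
ipabaserid: 1000
ipasecondarybaserid: 100000000
iparangetype: ipa-local

dn: cn=EXAMPLE.TEST_low_range,cn=ranges,cn=etc,dc=example,dc=test
cn: EXAMPLE.TEST_low_range
ipabaseid: 1000
ipaidrangesize: 5000
ipabaserid: 100000
ipasecondarybaserid: 100100000
iparangetype: ipa-local
"""


def parse_ranges(text):
    """Parse idrange-find or LDIF-style output into a list of range dicts."""
    records, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue                          # separators, counts, blank lines
        key, value = key.strip().lower(), value.strip()
        if key in ("dn", "range name"):       # a new entry starts here
            cur = {}
            records.append(cur)
        if cur is not None and key in LABELS:
            cur[LABELS[key]] = value
    for r in records:
        for k in ("base_id", "size", "base_rid", "sec_rid"):
            if k in r:
                r[k] = int(r[k])
        r["local"] = r["rtype"].lower() in LOCAL_TYPES
        # RIDs are relative to a domain SID: local ranges share the IPA domain,
        # a trust range belongs to the trusted domain's SID.
        r["rid_domain"] = "ipa-local" if r["local"] else r.get("sid", r["name"])
    return records


def rid_spans(r):
    """Half-open RID intervals present on a range, keyed primary/secondary."""
    return {kind: (r[attr], r[attr] + r["size"])
            for kind, attr in (("primary", "base_rid"), ("secondary", "sec_rid"))
            if attr in r}


def _overlap(a, b):
    return a[0] < b[1] and b[0] < a[1]


def check_ranges(ranges):
    """Return human-readable problems; an empty list means no conflicts found."""
    problems = []
    for r in ranges:
        spans = rid_spans(r)
        if r["local"] and len(spans) < 2:
            problems.append(f"{r['name']}: local range without primary and secondary "
                            "RID base; no SIDs can be derived from its IDs")
        if len(spans) == 2 and _overlap(spans["primary"], spans["secondary"]):
            problems.append(f"{r['name']}: its own primary and secondary RID ranges overlap")
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if _overlap((a["base_id"], a["base_id"] + a["size"]),
                        (b["base_id"], b["base_id"] + b["size"])):
                problems.append(f"{a['name']} / {b['name']}: POSIX ID ranges overlap")
            if a["rid_domain"] != b["rid_domain"]:
                continue                      # different SID namespaces
            for ka, sa in rid_spans(a).items():
                for kb, sb in rid_spans(b).items():
                    if _overlap(sa, sb):
                        problems.append(f"{a['name']} ({ka} RIDs) / {b['name']} "
                                        f"({kb} RIDs): RID ranges overlap")
    return problems
```

Feed it `ipa idrange-find --all` (or `--raw`) output from your own server. On Andreas's data it reports no overlaps among the existing ranges and one local range (DOMAIN.LOCAL_new_range) with no RID bases at all; on the constructed sample it reports the two RID collisions. Adding RID bases to a range that lacks them is exactly the point where a new collision can be introduced, so run the check again with the values you intend to use before applying them.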
Authentication failures on a RHEL 9.2 IPA server
by Sam Morris
Hi folks. This morning I found that one of my IPA servers no longer
wants to authenticate any users (specifically, it doesn't want to issue
any TGTs to users).
It's a fully updated RHEL 9 server; I am sure this has only been a
problem since upgrading to RHEL 9.2 (see my remarks about krb5kdc.log
below); my other servers are on RHEL 8 and are working fine.
Package versions:
ipa-client-common-4.10.1-6.el9.noarch
ipa-server-common-4.10.1-6.el9.noarch
ipa-healthcheck-core-0.12-1.el9.noarch
ipa-selinux-4.10.1-6.el9.noarch
ipa-common-4.10.1-6.el9.noarch
ipa-client-4.10.1-6.el9.x86_64
ipa-server-4.10.1-6.el9.x86_64
ipa-server-dns-4.10.1-6.el9.noarch
ipa-healthcheck-0.12-1.el9.noarch
I see the following syslog messages when trying to SSH in to the server:
May 12 08:34:52 sshd[2207]: main: sshd: ssh-rsa algorithm is disabled
May 12 08:34:52 sshd[2207]: Postponed keyboard-interactive for user from 192.168.0.23 port 42210 ssh2 [preauth]
May 12 08:34:56 sshd[2207]: Postponed keyboard-interactive/pam for user from 192.168.0.23 port 42210 ssh2 [preauth]
May 12 08:35:02 ipa-otpd[2200]: user(a)EXAMPLE.COM: request received
May 12 08:35:02 ipa-otpd[2200]: user(a)EXAMPLE.COM: user query start
May 12 08:35:02 ipa-otpd[2200]: user(a)EXAMPLE.COM: user query end: uid=user,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
May 12 08:35:02 ipa-otpd[2200]: user(a)EXAMPLE.COM: bind start: uid=user,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
May 12 08:35:02 ipa-otpd[2200]: user(a)EXAMPLE.COM: bind end: success
May 12 08:35:02 ipa-otpd[2200]: user(a)EXAMPLE.COM: sent: 0 data: 20
May 12 08:35:02 ipa-otpd[2200]: user(a)EXAMPLE.COM: ..sent: 20 data: 20
May 12 08:35:02 ipa-otpd[2200]: user(a)EXAMPLE.COM: response sent: Access-Accept
May 12 08:35:02 krb5_child[2213]: Generic error (see e-text)
May 12 08:35:02 krb5_child[2213]: Generic error (see e-text)
May 12 08:35:02 sshd[2211]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.23 user=user
May 12 08:35:02 sshd[2211]: pam_sss(sshd:auth): received for user user: 4 (System error)
May 12 08:35:04 sshd[2207]: error: PAM: Authentication failure for user from 192.168.0.23
/var/log/sssd/krb5_child.log gives me:
(2023-05-12 8:39:50): [krb5_child[2271]] [get_and_save_tgt] (0x0020): [RID#79] 2009: [-1765328324][Generic error (see e-text)]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2023-05-12 8:39:50): [krb5_child[2271]] [main] (0x0400): [RID#79] krb5_child started.
* (2023-05-12 8:39:50): [krb5_child[2271]] [unpack_buffer] (0x1000): [RID#79] total buffer size: [140]
* (2023-05-12 8:39:50): [krb5_child[2271]] [unpack_buffer] (0x0100): [RID#79] cmd [241 (auth)] uid [2000000503] gid [2000000503] validate [true] enterprise principal [false] offline [false] UPN [user(a)EXAMPLE.COM]
* (2023-05-12 8:39:50): [krb5_child[2271]] [unpack_buffer] (0x0100): [RID#79] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
* (2023-05-12 8:39:50): [krb5_child[2271]] [switch_creds] (0x0200): [RID#79] Switch user to [2000000503][2000000503].
* (2023-05-12 8:39:50): [krb5_child[2271]] [switch_creds] (0x0200): [RID#79] Switch user to [0][0].
* (2023-05-12 8:39:50): [krb5_child[2271]] [k5c_check_old_ccache] (0x4000): [RID#79] Ccache_file is [KCM:] and is active and TGT is valid.
* (2023-05-12 8:39:50): [krb5_child[2271]] [k5c_setup_fast] (0x0100): [RID#79] Fast principal is set to [host/ipa6.example.com(a)EXAMPLE.COM]
* (2023-05-12 8:39:50): [krb5_child[2271]] [find_principal_in_keytab] (0x4000): [RID#79] Trying to find principal host/ipa6.example.com(a)EXAMPLE.COM in keytab.
* (2023-05-12 8:39:50): [krb5_child[2271]] [match_principal] (0x1000): [RID#79] Principal matched to the sample (host/ipa6.example.com(a)EXAMPLE.COM).
* (2023-05-12 8:39:50): [krb5_child[2271]] [check_fast_ccache] (0x0200): [RID#79] FAST TGT is still valid.
* (2023-05-12 8:39:50): [krb5_child[2271]] [become_user] (0x0200): [RID#79] Trying to become user [2000000503][2000000503].
* (2023-05-12 8:39:50): [krb5_child[2271]] [main] (0x2000): [RID#79] Running as [2000000503][2000000503].
* (2023-05-12 8:39:50): [krb5_child[2271]] [set_lifetime_options] (0x0100): [RID#79] No specific renewable lifetime requested.
* (2023-05-12 8:39:50): [krb5_child[2271]] [set_lifetime_options] (0x0100): [RID#79] No specific lifetime requested.
* (2023-05-12 8:39:50): [krb5_child[2271]] [set_canonicalize_option] (0x0100): [RID#79] Canonicalization is set to [true]
* (2023-05-12 8:39:50): [krb5_child[2271]] [main] (0x0400): [RID#79] Will perform auth
* (2023-05-12 8:39:50): [krb5_child[2271]] [main] (0x0400): [RID#79] Will perform online auth
* (2023-05-12 8:39:50): [krb5_child[2271]] [tgt_req_child] (0x1000): [RID#79] Attempting to get a TGT
* (2023-05-12 8:39:50): [krb5_child[2271]] [get_and_save_tgt] (0x0400): [RID#79] Attempting kinit for realm [EXAMPLE.COM]
* (2023-05-12 8:39:50): [krb5_child[2271]] [sss_krb5_responder] (0x4000): [RID#79] Got question [otp].
* (2023-05-12 8:39:50): [krb5_child[2271]] [get_and_save_tgt] (0x0020): [RID#79] 2009: [-1765328324][Generic error (see e-text)]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2023-05-12 8:39:50): [krb5_child[2271]] [map_krb5_error] (0x0020): [RID#79] 2138: [-1765328324][Generic error (see e-text)]
/var/log/krb5kdc.log gives me a "No such file or directory" error:
May 12 08:41:31 ipa6.example.com krb5kdc[1575](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.0.6: NEEDED_PREAUTH: user(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, Additional pre-authentication required
May 12 08:41:31 ipa6.example.com krb5kdc[1575](info): closing down fd 11
May 12 08:41:31 ipa6.example.com krb5kdc[1575](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.0.6: NEEDED_PREAUTH: user(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, Additional pre-authentication required
May 12 08:41:31 ipa6.example.com krb5kdc[1575](info): closing down fd 11
May 12 08:41:42 ipa6.example.com krb5kdc[1575](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.0.6: NEEDED_PREAUTH: user(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, Additional pre-authentication required
May 12 08:41:42 ipa6.example.com krb5kdc[1575](info): closing down fd 11
May 12 08:41:42 ipa6.example.com krb5kdc[1573](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.0.6: NEEDED_PREAUTH: user(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, Additional pre-authentication required
May 12 08:41:42 ipa6.example.com krb5kdc[1573](info): closing down fd 11
May 12 08:41:42 ipa6.example.com krb5kdc[1573](info): AS_REQ : handle_authdata (2)
May 12 08:41:42 ipa6.example.com krb5kdc[1573](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.0.6: HANDLE_AUTHDATA: user(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, No such file or directory
May 12 08:41:42 ipa6.example.com krb5kdc[1573](info): closing down fd 11
There's no instance of this 'No such file or directory' message in
krb5kdc.log before this morning, and I did the RHEL 9.2 upgrade on 9th
May, just a couple of days ago. So it's possible that this is a problem
introduced by the upgrade a couple of days ago, that has been noticed
today (perhaps IPA clients were talking to other servers until this
morning).
Other IPA servers log an ISSUE message at the same point, so I guess the
problem is with krb5kdc, I just don't know what to check next.
Here's the relevant code (I think) in krb5kdc:
<https://github.com/krb5/krb5/blob/e806d1223329fe4b6d9738237893dda27b616bb...>.
The user is able to log in to the directory server with a simple bind:
# ldapwhoami -H ldapi://%2frun%2fslapd-EXAMPLE-COM.socket -D uid=user,cn=users,cn=accounts,dc=ipa,dc=example,dc=com -W
Enter LDAP Password:
dn: uid=user,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
... so dirsrv seems to be working fine.
'ipactl status' reports all services are running. ipa-healthcheck is
giving me one failure, I don't think it's relevant to the krb5kdc errors
but it's something I'll look into after:
{
"source": "pki.server.healthcheck.clones.connectivity_and_data",
"check": "ClonesConnectivyAndDataCheck",
"result": "ERROR",
"uuid": "eb35c2fd-d292-4426-a1ad-8d1adfc5349a",
"when": "20230512084503Z",
"duration": "10.003213",
"kw": {
"status": "ERROR: pki-tomcat : Unable to reach KRA at https://ipa6.example.com:443: Request timed out"
}
},
I am able to run 'kinit -k', e.g. get a TGT as host/ipa6.example.com,
so it's not like krb5kdc is totally busted. It just doesn't work for
users any more!
As always I'd be grateful for any assistance. :)
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
11 months, 1 week
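The follow-up thread higher on this page settles the diagnosis for the log above: the KDC's AS_REQ reaches handle_authdata, cannot build a PAC for a user with no ipantsecurityidentifier, and fails with "No such file or directory" instead of issuing the TGT; the stated fix is `ipa config-mod --enable-sid --add-sids`, not disabling PACs. The script below is an added example for this page (not code from the posters or from FreeIPA) that turns that diagnosis into a check you can run offline: it classifies AS_REQ outcomes per principal from krb5kdc.log and cross-references the failing principals against an LDIF export of user entries to see whether the SID attribute is really what is missing. The log lines are the ones quoted above (the archive prints '@' as '(a)'; the code uses the real character) plus one constructed ISSUE line for a second user; the LDIF is constructed in the shape an `ldapsearch -LLL` for krbPrincipalName and ipaNTSecurityIdentifier would return.

```python
import re
from collections import defaultdict

# krb5kdc.log lines quoted in the post, plus a constructed ISSUE line for a
# second user (admin) whose TGT is issued normally.
KDC_LOG = """\
May 12 08:41:42 ipa6.example.com krb5kdc[1573](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.0.6: NEEDED_PREAUTH: user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 12 08:41:42 ipa6.example.com krb5kdc[1573](info): closing down fd 11
May 12 08:41:42 ipa6.example.com krb5kdc[1573](info): AS_REQ : handle_authdata (2)
May 12 08:41:42 ipa6.example.com krb5kdc[1573](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.0.6: HANDLE_AUTHDATA: user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, No such file or directory
May 12 08:43:05 ipa6.example.com krb5kdc[1573](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.0.7: ISSUE: authtime 1683877385, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Constructed LDIF: what `ldapsearch -LLL -b cn=users,cn=accounts,dc=ipa,dc=example,dc=com
# krbPrincipalName ipaNTSecurityIdentifier` might return. One user has no SID.
USERS_LDIF = """\
dn: uid=user,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
krbPrincipalName: user@EXAMPLE.COM

dn: uid=admin,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
krbPrincipalName: admin@EXAMPLE.COM
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-500
"""

AS_REQ_RE = re.compile(
    r"AS_REQ .*?(?P<status>NEEDED_PREAUTH|HANDLE_AUTHDATA|ISSUE): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"          # present on ISSUE lines only
    r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)"
    r"(?:, (?P<detail>.*))?$")


def as_req_outcomes(log: str) -> dict:
    """{client principal: {status: count}} for every AS_REQ result line."""
    out = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        m = AS_REQ_RE.search(line)
        if m:
            out[m["client"]][m["status"]] += 1
    return {client: dict(statuses) for client, statuses in out.items()}


def handle_authdata_failures(log: str) -> dict:
    """{client principal: set of KDC error details} for HANDLE_AUTHDATA lines."""
    failures = defaultdict(set)
    for line in log.splitlines():
        m = AS_REQ_RE.search(line)
        if m and m["status"] == "HANDLE_AUTHDATA":
            failures[m["client"]].add(m["detail"] or "")
    return dict(failures)


def users_with_sid(ldif: str) -> dict:
    """{krbPrincipalName: True if the entry carries a non-empty ipaNTSecurityIdentifier}."""
    result, principal, has_sid = {}, None, False
    for line in ldif.splitlines() + [""]:
        if not line.strip():                  # a blank line ends an LDIF entry
            if principal:
                result[principal] = has_sid
            principal, has_sid = None, False
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()           # LDAP attribute names are case-insensitive
        if attr == "krbprincipalname":
            principal = value.strip()
        elif attr == "ipantsecurityidentifier" and value.strip():
            has_sid = True
    return result


def correlate(log: str, ldif: str) -> dict:
    """Explain each HANDLE_AUTHDATA failure against the directory export."""
    sids = users_with_sid(ldif)
    verdicts = {}
    for client, details in handle_authdata_failures(log).items():
        if client not in sids:
            verdicts[client] = "principal not in the export; check the search base"
        elif not sids[client]:
            verdicts[client] = ("no ipaNTSecurityIdentifier on the user entry, so the KDC "
                                "cannot build a PAC (" + ", ".join(sorted(details)) + ")")
        else:
            verdicts[client] = "SID present; the failure has another cause"
    return verdicts
```

On the samples, user@EXAMPLE.COM is the only principal with a HANDLE_AUTHDATA failure and the only entry without a SID, which is the situation the thread describes; admin@EXAMPLE.COM gets an ISSUE line and is not reported. Against a real server, `ipa user-show <login> --all --raw` shows the same attribute for a single user if you do not want a full export.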
http redirect rules - ?
by lejeczek
Hi guys.
With the default/main redirect rule removed/disabled, when I go to:
https://swir.mine.priv/ipa
I get a broken anchor page (thumbnail is not there), whose
url/link points to:
https://swir.mine.priv/ui/index.html
which, obviously(?), is not there, does not exist.
Would there not be a safe redir rule to fix that? And if so,
then why (@devel) not have it included in
vanilla-default configs?
many thanks, L.
11 months, 1 week