Hi,
We have FreeIPA running as a Docker container and I am facing the same problem (Login failed due to an unknown reason).
This is the output from the container shell.

sh-4.2# openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=XXX.COM, CN=Certificate Authority
        Validity
            Not Before: Mar 28 15:30:41 2020 GMT
            Not After : Mar 29 15:30:41 2022 GMT
        Subject: O=XXX.COM, CN=freeipa.XXX.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c6:15:96:06:ec:5e:10:8d:92:a4:c4:29:11:58:
                    eb:47:94:46:b3:e0:92:0b:e1:60:50:ce:50:1b:6a:
                    25:28:88:de:5b:41:c7:3c:92:cf:02:c3:0c:a5:14:
                    37:68:04:c0:c6:e1:1a:c4:ac:6f:8c:04:55:d5:42:
                    3d:3c:78:29:88:3f:a4:81:52:35:88:3f:7e:fc:80:
                    8a:ea:14:2a:f2:a8:49:ab:d6:32:5b:ea:35:d4:3b:
                    4d:14:4f:2c:5a:97:e3:a5:83:be:a6:9e:61:21:0a:
                    e0:2a:37:f8:41:9a:a2:8c:fb:54:a2:b2:9a:9d:32:
                    ff:8a:bb:0d:a4:05:b9:31:db:cd:9e:75:05:b3:bf:
                    7f:f4:d7:84:8e:2e:16:92:db:51:97:01:1e:19:58:
                    93:1b:9b:1c:56:a1:18:10:62:3f:8e:43:84:4f:c5:
                    90:3b:e9:de:2e:71:4e:32:33:52:22:1f:51:a8:7b:
                    fa:46:88:8f:ea:d5:c7:0a:ab:9a:36:ca:ff:e4:d2:
                    fb:04:4a:39:81:06:b1:59:fc:9b:59:d9:2d:91:9d:
                    bc:65:c9:e0:55:37:88:ba:4d:f8:4d:68:7a:4c:70:
                    69:4b:3e:74:aa:d4:c2:65:20:bf:d5:37:5e:73:c6:
                    b3:a8:4b:ca:37:8c:09:ee:cd:23:26:ed:d8:65:e0:
                    3b:bf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:E2:12:D1:0E:77:B1:9B:A6:5F:96:06:9E:C1:4F:9D:C1:6A:1C:5C:0C

            Authority Information Access:
                OCSP - URI:http://ipa-ca.XXX.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.2.3.5
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-ca.XXX.com/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

            X509v3 Subject Key Identifier:
                6B:84:45:F0:3F:20:AA:C9:6A:FE:08:33:A7:4F:4D:F5:07:95:18:31
            X509v3 Subject Alternative Name:
                othername:<unsupported>, othername:<unsupported>
    Signature Algorithm: sha256WithRSAEncryption
         08:97:ce:4f:cf:25:c3:8b:3b:c5:70:b3:1e:57:2d:49:2a:70:
         18:cf:7a:93:01:6a:26:0b:7b:7e:42:0d:8e:77:01:20:cd:41:
         50:9d:03:0d:8b:ad:52:1c:e0:c0:56:3e:2a:de:3c:b4:c5:49:
         63:11:8e:10:04:1a:d9:9a:3d:59:2c:7f:f2:7f:88:37:82:15:
         aa:b7:c0:cc:83:a0:98:22:6f:e8:f9:8e:95:5f:d8:0f:65:ba:
         96:cb:cc:22:ab:fe:e2:54:b5:f3:35:f8:39:4e:3e:7d:55:77:
         4a:79:9e:0e:c0:1c:26:b1:b4:05:a1:92:0c:9c:4c:b8:46:73:
         a4:b2:07:ff:6c:20:c7:e8:cb:44:66:78:e3:68:a5:74:0d:33:
         d3:93:5c:dc:df:46:c9:d7:18:09:a9:8b:d2:02:b2:34:f6:ac:
         2f:10:19:d1:c8:35:d8:4e:94:5a:5f:ac:b3:27:3c:ba:3f:06:
         9c:64:6a:24:72:75:c1:8e:f4:6a:4a:1f:a6:31:93:74:36:78:
         99:89:d0:34:5f:2b:f2:ab:90:5f:ce:46:8e:cf:6a:19:66:31:
         df:57:2f:d5:98:b1:f7:69:a7:a3:f2:9f:80:77:56:d1:ff:22:
         ef:80:25:d0:fd:5f:6a:a6:74:df:4c:3a:99:62:b6:40:64:d5:
         0e:d4:c9:c0

Could you please help.

Thanks,
Anil

On Tue, Dec 29, 2020 at 2:08 AM D R via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
@abokovoy - Thanks for the heads up, the manual fix helped me solving the issue.

On Mon, Dec 28, 2020 at 1:20 AM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On su, 27 joulu 2020, D R via FreeIPA-users wrote:
>Greetings,
>
>After automatic KDC certificate renewal, I'm no longer able to access the
>UI.
>
>[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] Traceback (most recent call last):
>[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72]   File "/usr/share/ipa/wsgi.py", line 59, in application
>[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72]     return api.Backend.wsgi_dispatch(environ,
>start_response)
>[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72]   File
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in
>__call__
>[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72]     return self.route(environ, start_response)
>[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72]   File
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in
>route
>[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72]     return app(environ, start_response)
>[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72]   File
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in
>__call__
>[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72]     self.kinit(user_principal, password, ipa_ccache_name)
>[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72]   File
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in
>kinit
>[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72]     pkinit_anchors=[paths.KDC_CERT,
>paths.KDC_CA_BUNDLE_PEM],
>[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72]   File
>"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in
>kinit_armor
>[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72]     run(args, env=env, raiseonerr=True, capture_error=True)
>[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72]   File
>"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
>[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72]     raise CalledProcessError(p.returncode, arg_string,
>str(output))
>[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote
>10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c
>/var/run/ipa/ccaches/armor_6150 -X
>X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>non-zero exit status 1
>
>---
>
>KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c
>/var/run/ipa/ccaches/armor_19265 -X
>X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/
>ANONYMOUS@A-LABS.COM
>[12904] 1609104974.342212: Sending unauthenticated request
>[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
>[12904] 1609104974.342214: Initiating TCP connection to stream
>10.xx.xx.90:88
>[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
>[12904] 1609104974.342216: Received answer (335 bytes) from stream
>10.xx.xx.90:88
>[12904] 1609104974.342217: Terminating TCP connection to stream
>10.xx.xx.90:88
>[12904] 1609104974.342218: Response was from master KDC
>[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional
>pre-authentication required
>[12904] 1609104974.342222: Preauthenticating using KDC method data
>[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16),
>PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136),
>PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE
>(133)
>[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt
>"A-LABS.COMWELLKNOWNANONYMOUS", params ""
>[12904] 1609104974.342225: Received cookie: MIT
>[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned:
>0/Success
>[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
>[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
>[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
>[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum
>9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
>[12904] 1609104974.342232: PKINIT client making DH request
>[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned:
>0/Success
>[12904] 1609104974.342234: Produced preauth for next request: PA-FX-COOKIE
>(133), PA-PK-AS-REQ (16)
>[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
>[12904] 1609104974.342236: Initiating TCP connection to stream
>10.xx.xx.90:88
>[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
>[12904] 1609104974.342238: Received answer (1603 bytes) from stream
>10.xx.xx.90:88
>[12904] 1609104974.342239: Terminating TCP connection to stream
>10.xx.xx.90:88
>[12904] 1609104974.342240: Response was from master KDC
>[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17),
>PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
>[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt
>"A-LABS.COMWELLKNOWNANONYMOUS", params ""
>[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned:
>0/Success
>[12904] 1609104974.342244: PKINIT client verified DH reply
>[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned:
>-1765328308/KDC name mismatch

It says 'KDC name mismatch'.

There are two requirements in the MIT Kerberos PKINIT plugin code on the
client side. After validating the signed data and collecting the SANs from the
certificate presented by the KDC, the PKINIT plugin on the client checks:

   - whether the list of SANs contains the Kerberos principal
     krbtgt/REALM@REALM; this is enough, no other checks are needed

   - whether the list of SANs contains the KDC hostname and whether one of
     the EKUs in the certificate matches id-pkinit-kdc

See https://pagure.io/freeipa/issue/8532 for a possible manual fix.


>[12904] 1609104974.342246: Produced preauth for next request: (empty)
>[12904] 1609104974.342247: Getting AS key, salt
>"A-LABS.COMWELLKNOWNANONYMOUS", params ""
>Password for WELLKNOWN/ANONYMOUS@A-LABS.COM:
>[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
>kinit: Password incorrect while getting initial credentials
>
>--
>
>openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
>Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number: 10 (0xa)
>    Signature Algorithm: sha256WithRSAEncryption
>        Issuer: O=DOMAIN.COM, CN=ipa.domain.com

This is a self-issued local certificate; it looks like the issue above. The
issuer here should be

Issuer: CN=Certificate Authority,O=DOMAIN.COM

>        Validity
>            Not Before: Dec 27 07:38:54 2020 GMT
>            Not After : Dec 27 07:38:54 2021 GMT
>        Subject: O=DOMAIN.COM, CN=ipa.domain.com
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>                Public-Key: (2048 bit)
>                Modulus:
>                    00:cc:6e:b1:b1:2d:05:ab:f1:df:ce:01:43:d5:80:
>                    4a:f6:72:38:3c:50:aa:c7:40:bf:bd:6c:60:5e:8d:
>                    d0:f3:2b:6c:db:fc:8f:48:9f:91:d6:d3:d2:43:f2:
>                    39:35:17:56:37:a8:6f:66:c3:ab:1f:13:8f:d9:48:
>                    c3:be:b9:2b:83:77:78:08:fe:3b:f8:93:83:1c:bb:
>                    d0:e8:eb:49:a5:c1:8c:7f:0c:b5:fa:e7:07:f1:0c:
>                    97:9b:47:e9:a2:a3:ab:9b:c1:70:e3:1b:e9:f2:3d:
>                    2f:96:53:6d:38:eb:57:19:7f:dd:ed:e8:3c:c8:f0:
>                    7c:36:b1:72:03:f1:2f:86:8e:cd:67:fd:fd:85:73:
>                    00:16:60:81:3c:ad:13:4d:19:c0:4d:e7:94:8d:34:
>                    29:99:7a:45:70:db:81:5d:0e:2d:83:7a:9c:19:c7:
>                    ef:0a:79:8d:84:af:74:a3:b9:90:c8:b1:8c:65:d0:
>                    2d:e0:89:98:42:e0:cb:c8:b0:e3:b5:7c:9b:44:01:
>                    a8:31:15:8d:19:79:c5:35:26:4d:3f:e6:83:64:7f:
>                    15:da:50:c1:5e:9c:67:1b:27:e5:35:0c:a8:71:a9:
>                    4e:ee:ef:92:b5:f9:10:f6:31:82:2c:94:04:05:c5:
>                    89:c6:96:1d:48:11:e5:8d:05:92:56:93:99:55:66:
>                    b0:93
>                Exponent: 65537 (0x10001)
>        X509v3 extensions:
>            X509v3 Basic Constraints: critical
>                CA:FALSE
>    Signature Algorithm: sha256WithRSAEncryption
>
>To my understanding, something is wrong with the kdc certificate, it lacks
>some attributes. I'm just not sure how to generate a proper cert.

It would be good to see all extensions and SANs from the cert. You need
to use GnuTLS tools to be able to print Kerberos extensions correctly.

Install gnutls-utils and do
# certtool -i --infile /var/kerberos/krb5kdc/kdc.crt


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
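The two acceptance rules Alexander describes for the KDC certificate, as an added example that is not part of the thread and not FreeIPA or MIT krb5 code. It models the client-side decision in plain Python and hand-encodes the id-pkinit-san (1.3.6.1.5.2.2) otherName value that openssl prints as `othername:<unsupported>`, so it runs offline without any third-party package. The realm EXAMPLE.COM, the host ipa.example.com and the sample SAN contents are constructed for the example, not taken from either poster's certificate.

```python
"""Model of the MIT krb5 PKINIT client's KDC certificate check (added example).

Rule 1: a SAN otherName of type id-pkinit-san carrying krbtgt/REALM@REALM
        is sufficient on its own.
Rule 2: otherwise the SAN list must name the KDC host AND the EKU list must
        contain id-pkinit-KPKdc (1.3.6.1.5.2.3.5).
The DER helpers are a minimal hand-written encoder/decoder for
KRB5PrincipalName (RFC 4556 section 3.2.2), enough for this structure only.
"""

OID_PKINIT_SAN = "1.3.6.1.5.2.2"       # id-pkinit-san (SAN otherName type)
OID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"   # id-pkinit-KPKdc (EKU)
NT_SRV_INST = 2                        # name-type used for krbtgt/REALM


def der_len(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_krb5_principal_name(realm, components, name_type=NT_SRV_INST):
    """DER-encode KRB5PrincipalName (explicit tagging, GeneralString = 0x1B).

    Assumes name_type < 128 so the INTEGER fits in one octet.
    """
    realm_der = tlv(0xA0, tlv(0x1B, realm.encode("ascii")))      # [0] Realm
    ntype_der = tlv(0xA0, tlv(0x02, bytes([name_type])))         # [0] name-type
    strings = b"".join(tlv(0x1B, c.encode("ascii")) for c in components)
    nstr_der = tlv(0xA1, tlv(0x30, strings))                      # [1] name-string
    pname_der = tlv(0xA1, tlv(0x30, ntype_der + nstr_der))        # [1] PrincipalName
    return tlv(0x30, realm_der + pname_der)


def decode_krb5_principal_name(der):
    """Parse KRB5PrincipalName DER into the usual "comp1/comp2@REALM" form."""
    tag, seq, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("KRB5PrincipalName must be a SEQUENCE")
    _, realm_ctx, pos = read_tlv(seq)           # [0] Realm
    _, realm_bytes, _ = read_tlv(realm_ctx)
    _, pname_ctx, _ = read_tlv(seq, pos)        # [1] PrincipalName
    _, pname_seq, _ = read_tlv(pname_ctx)
    _, _ntype_ctx, pos = read_tlv(pname_seq)    # [0] name-type (not needed here)
    _, nstr_ctx, _ = read_tlv(pname_seq, pos)   # [1] name-string
    _, strings_seq, _ = read_tlv(nstr_ctx)
    comps, pos = [], 0
    while pos < len(strings_seq):
        _, s, pos = read_tlv(strings_seq, pos)
        comps.append(s.decode("ascii"))
    return "/".join(comps) + "@" + realm_bytes.decode("ascii")


def kdc_cert_acceptable(san_othernames, san_dnsnames, ekus, realm, kdc_host):
    """Apply the two client-side rules; returns (accepted, reason).

    san_othernames: list of (oid, der_value) from the SAN extension
    san_dnsnames:   list of dNSName strings from the SAN extension
    ekus:           list of EKU OID strings
    """
    principals = [decode_krb5_principal_name(v)
                  for oid, v in san_othernames if oid == OID_PKINIT_SAN]
    wanted = f"krbtgt/{realm}@{realm}"
    if wanted in principals:
        return True, f"SAN carries {wanted}"
    if (kdc_host.lower() in (h.lower() for h in san_dnsnames)
            and OID_PKINIT_KPKDC in ekus):
        return True, f"SAN names {kdc_host} and EKU contains id-pkinit-KPKdc"
    return False, "KDC name mismatch"   # what the kinit trace in the thread reports


# Constructed sample (assumed realm and host, not from the thread).
SAMPLE_REALM = "EXAMPLE.COM"
SAMPLE_KDC = "ipa.example.com"
GOOD_SAN = [(OID_PKINIT_SAN,
             encode_krb5_principal_name(SAMPLE_REALM, ["krbtgt", SAMPLE_REALM]))]

if __name__ == "__main__":
    print(kdc_cert_acceptable(GOOD_SAN, [], [], SAMPLE_REALM, SAMPLE_KDC))
    # A cert with only CA:FALSE, no SAN and no EKU, like the one posted:
    print(kdc_cert_acceptable([], [], [], SAMPLE_REALM, SAMPLE_KDC))
```

The second call reproduces the failure in the thread: a certificate whose only extension is CA:FALSE satisfies neither rule, so the client stops at "KDC name mismatch" and falls back to the password prompt. Feeding the cert's SAN otherName bytes (as printed by certtool) into decode_krb5_principal_name shows which principal the SAN actually carries.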