Hi,
On Wed, Feb 19, 2025 at 4:07 PM Boris <bb@kervyn.de> wrote:
Hi flo,
Certificate and CA look good. The certificate is signed by the correct CA and just got renewed (Not Before: Feb 15 09:43:26 2025 GMT).
The permissions look different (the question mark):
[root@ipa2 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
-rw-r--r-- 1 root root ? 1671 Feb 15 10:43 /var/kerberos/krb5kdc/kdc.crt
[root@ipa2 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
-rw-r--r-- 1 root root ? 1294 Mar 15 2023 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
The question mark means that there is no SELinux context for those files. The system probably has SELINUX=disabled in /etc/selinux/config.
Can you also check the following:
# kinit admin
# ipa pkinit-status
The above will show you which servers are enabled for PKINIT.
# ipa-pkinit-manage status
# kdestroy -A
# KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
In the logs for kinit -n, double-check that the request is sent to ipa2. If that's not the case, you may have a wrong config (/var/lib/sss/pubconf/kdcinfo.your_realm should contain the IP address from ipa2).
flo
In comparison to ipa1:
[root@ipa1 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
-rw-r--r--. 1 root root system_u:object_r:realmd_var_lib_t:s0 1313 Feb 21 2022 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
[root@ipa1 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
-rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1367 Nov 29 13:19 /var/kerberos/krb5kdc/kdc.crt
krb5-pkinit is installed: krb5-pkinit-1.19.2-9.fc35.x86_64
On Wed, Feb 19, 2025 at 15:46, Florence Blanc-Renaud <flo@redhat.com> wrote:
Hi,
On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi list, as I am currently sorting out our FreeIPA problems we stumbled across another problem. After the last reboot of our secondary IPA host, we can no longer log in to the web UI on the second host.
The webui on the first host works.
I've checked some logs but was only able to find meaningful entries in the httpd log which is this:
mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application
    return api.Backend.wsgi_dispatch(environ, start_response)
  File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__
    return self.route(environ, start_response)
  File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route
    return app(environ, start_response)
  File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__
    result = attempt_kinit(user_principal, password,
  File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit
    self.kinit(user_principal, password,
  File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit
    kinit_armor(
  File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor
    run(args, env=env, raiseonerr=True, capture_error=True)
  File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run
    raise CalledProcessError(
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\n')
What is the content of this kdc.crt certificate?
openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt
The output will tell us if it's a self-signed PKINIT cert or signed by the IPA CA (look for the Issuer: value in the output).
Does the kdc-ca-bundle.pem contain the CA that signed this certificate?
openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout
On a working system I see the following permissions for the above files:
# ls -lZ /var/kerberos/krb5kdc/kdc.crt
-rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt
# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
-rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
Do you have the package krb5-pkinit installed on your machine?
flo
Does someone know in which direction I need to debug further?
Cheers
Boris
--
The "UTF-8-Probleme" self-help group will meet this time, as an exception, in the groüen [sic; "großen", the large] hall.
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
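The two certificate checks Florence asks for in both of her replies (what is the Issuer of kdc.crt, and does kdc-ca-bundle.pem actually contain that CA) can be turned into a single pass/fail test with openssl. The script below is an added, self-contained example; it is not code from the thread or from FreeIPA. It builds its own throwaway CA and KDC certificate in a temp directory (constructed test data: the CA names ipa-ca-2025 and ipa-ca-2023, the bundle file names and the EXAMPLE.TEST subjects are invented), then runs the anchor check once against a bundle that holds the signing CA and once against a bundle that holds a different CA, which is what a bundle that predates a CA renewal would look like. On a real server you would point anchor_ok at /var/kerberos/krb5kdc/kdc.crt and /var/lib/ipa-client/pki/kdc-ca-bundle.pem instead; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): reproduce the
# "is kdc.crt anchored by kdc-ca-bundle.pem?" check with a constructed PKI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed test PKI (all names are invented) -------------------------
# make_ca NAME : self-signed CA with proper CA extensions -> $WORK/NAME.crt
make_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=EXAMPLE.TEST/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# make_kdc_cert CANAME : KDC certificate issued by that CA -> $WORK/kdc.crt
make_kdc_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=EXAMPLE.TEST/CN=kdc.example.test" \
    -keyout "$WORK/kdc.key" -out "$WORK/kdc.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/kdc.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/kdc.crt" 2>/dev/null
}

# --- the checks from the thread, as functions -------------------------------
# kdc_issuer CERT : Issuer DN of the KDC cert (self-signed PKINIT cert or IPA CA?)
kdc_issuer() { openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//'; }

# bundle_subjects BUNDLE : one subject DN per certificate in the bundle
# (same crl2pkcs7 | pkcs7 -print_certs trick as in the thread, without -text)
bundle_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" \
    | openssl pkcs7 -print_certs -noout \
    | sed -n 's/^subject=//p'
}

# anchor_ok CERT BUNDLE : exit 0 if some CA in BUNDLE validates CERT, else 1
anchor_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# scenario_result BUNDLE : "OK" or "MISSING-CA" for $WORK/kdc.crt against BUNDLE
scenario_result() {
  if anchor_ok "$WORK/kdc.crt" "$1"; then echo OK; else echo MISSING-CA; fi
}

# --- build the two scenarios -------------------------------------------------
make_ca ipa-ca-2025                 # the CA that currently signs kdc.crt
make_ca ipa-ca-2023                 # an unrelated CA: stands in for a stale bundle
make_kdc_cert ipa-ca-2025
cp "$WORK/ipa-ca-2025.crt" "$WORK/bundle-current.pem"
cp "$WORK/ipa-ca-2023.crt" "$WORK/bundle-stale.pem"

main() {
  echo "kdc.crt issuer       : $(kdc_issuer "$WORK/kdc.crt")"
  for b in bundle-current.pem bundle-stale.pem; do
    echo "$b contains : $(bundle_subjects "$WORK/$b" | tr '\n' ' ')"
    echo "$b verdict  : $(scenario_result "$WORK/$b")"
  done
}
main
```

A passing `openssl verify` only proves the bundle anchors the certificate; it says nothing about the other things the thread is checking (the krb5-pkinit package, SELinux labels, which KDC kinit actually contacts), so it is a first filter, not the whole diagnosis. Note also that the "Cannot read password while getting initial credentials" message in the traceback is what kinit prints when PKINIT was never attempted and it fell back to password preauthentication without a terminal, so the KRB5_TRACE run Florence suggests is the place to see which of those pieces stopped the anonymous PKINIT request before the anchors were even consulted.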