Alexander Bokovoy via FreeIPA-users wrote:
> On Срд, 25 кас 2023, Kroon PC, Peter via FreeIPA-users wrote:
>> Hi all,
>>
>> After upgrading to Rocky linux 9.2 I'm running into issues with my IPA
>> server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred:
>>
>> $ kinit admin
>> Password for admin(a)EXAMPLE.COM:
>> $ ipa show-user admin
>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>> Error: No credentials were supplied, or the credentials were
>> unavailable or inaccessible (Credential cache is empty)
>>
>> /var/log/krb5kdc.log:
>> okt 24 16:17:48
freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes
>> {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
>> aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)})
>> 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes
>> {rep=UNSUPPORTED:(0)} HTTP/freeipa.example.com(a)EXAMPLE.COM for
>> ldap/freeipa.example.com(a)EXAMPLE.COM, TGT has been revoked
>>
>> As the log shows, the KDC states there is no PAC, and therefore revokes
>> the TGT (note, I had to RTFS to decipher the S4U2PROXY_NO_HEADER_PAC).
>> Because of this, the web gui also doesn't work.
>
> That is correct description of the reason why it does not work.
>
>>
>> $ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl
>> "ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier
>> SASL/GSSAPI authentication started
>> SASL username: admin(a)EXAMPLE.COM
>> SASL SSF: 256
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>> # filter: ipaNTSecurityIdentifier=*
>> # requesting: uid ipaNTSecurityIdentifier
>> #
>>
>> # admin, users, accounts,
example.com
>> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>> uid: admin
>> ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500
>>
>> # search result
>> search: 4
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> Out of the ~200 or so users only the admin user has a
>> ipaNTSecurityIdentifier, but I don't know if it's correct...
>> I can't run `ipa config-mod --enable-sid --add-sids`, since my ipa CLI
>> is broken. I do still have LDAP access fortunately.
>
> You can run it, see below. If you'd run, do you have any error messages in
> the dirsrv errors log related to sidgen plugin?
>
>>
>> I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf,
>> but that results in the exact same error. Setting ipaKrbAuthzData=None
>> in cn=ipaConfig also has no effect.
>
> No, one cannot disable PAC globally in FreeIPA. S4U operations
> require PAC presence since last year, so for any real Kerberos service
> that uses S4U (like IPA API or web UI) one cannot disable PAC
> enforcement.
>
> Look at your ID range and SID configuration. You can avoid admin issue
> currently by running 'ipa' tool on IPA server as root with '-e
> in_server=true' option. This will force the tool to simulate direct
> access (as if it is running within httpd) and talk directly to LDAPI
> socket.
>
> Something like below:
>
> # KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
> ipa: WARNING: API Version number was not sent, forward compatibility not
> guaranteed. Assuming server's API version, 2.253
> Domain: ipa1.test
> Security Identifier: S-1-5-21-790702333-3825749031-3739951824
> NetBIOS name: IPA1
> Domain GUID: 529fcbe9-3e34-436d-a541-6ffa88e7dac1
> Fallback primary group: Default SMB Group
> IPA AD trust agents: master1.ipa1.test
> IPA AD trust controllers: master1.ipa1.test
>
> # KRB5CACHE=/dev/null ipa -e in_server=true idrange-find
> ipa: WARNING: API Version number was not sent, forward compatibility not
> guaranteed. Assuming server's API version, 2.253
> ----------------
> 5 ranges matched
> ----------------
> Range name: IPA1.TEST_id_range
> First Posix ID of the range: 1055600000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 1000
> First RID of the secondary RID range: 100000000
> Range type: local domain range
>
> ... [ skip ] ...
>
>
In my testing you can't run config-mod without a principal, and running
in-server does not have a principal.
# KRB5CACHE=/dev/null ipa -e in_server=true config-mod --add-sids
--enable-sid
[snip]
File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py",
line 701, in pre_callback
self._enable_sid(ldap, options)
File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py",
line 512, in _enable_sid
if not principal_has_privilege(self.api, context.principal, privilege):
^^^^^^^^^^^^^^^^^
AttributeError: '_thread._local' object has no attribute 'principal'
ipa: ERROR: an internal error has occurred
Thank you, Rob. I did not check that part.
On IPA master one can run the oddjobd-activated script directly:
# /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids
I still need to see ID range and trustconfig-show output to understand
the state of this deployment. Also, dirsrv errors log would be helpful
if there was an attempt to run sidgen in past.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland