Hello,
I have a setup of 5 IPA servers on RHEL8. This morning I upgraded IPA components with dnf upgrade to 4.9.12-11, for example:
ipa-server-4.9.12-11.module+el8.9.0+20824+f2605038.x86_64
ipa-server-common-4.9.12-11.module+el8.9.0+20824+f2605038.noarch
After the upgrade finished without errors, I was not able to log in to the UI with the correct password; the message was "Your session has expired. Please log in again."
dirsrv replication looks OK.
I checked the logs; every time I try to log in, /var/log/httpd/error_log contains:
[Thu Jan 11 17:30:03.490345 2024] [wsgi:error] [pid 3299146:tid 139867429353216] [remote 185.103.146.26:46292] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
I can do kinit without any error. But when I try to use ipa user-show, it is not working.
ipaupgrade.log attached, rest inline.
If you have any idea how to fix this, please, I will be grateful.
Thank you,
Rasto

ipa -d user-show
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: found session_cookie in persistent storage for principal 'rrickardt@redacted', cookie: 'ipa_session=MagBearerToken=VsNzXWPFKUTUmXpNpoXBnYn%2f7kaXq3b77Vb1HDzWdZ8u1c3ZAAReJFNMYwMeRLYSv4pggL%2bb3O1YH9lpJuXswOV%2fK%2fs%2bF96bBeIykbO2%2bnklplxnRxGyjo4edYLEo4QvfYIr9P2xGoxPEsCjrDj6m%2bro3UZtiFKGIgrI9KJKfZAhLrk46ooeAZ0HF7IAR5DgI07EdHeXdoP%2bA1T70CoXYA%3d%3d'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=VsNzXWPFKUTUmXpNpoXBnYn%2f7kaXq3b77Vb1HDzWdZ8u1c3ZAAReJFNMYwMeRLYSv4pggL%2bb3O1YH9lpJuXswOV%2fK%2fs%2bF96bBeIykbO2%2bnklplxnRxGyjo4edYLEo4QvfYIr9P2xGoxPEsCjrDj6m%2bro3UZtiFKGIgrI9KJKfZAhLrk46ooeAZ0HF7IAR5DgI07EdHeXdoP%2bA1T70CoXYA%3d%3d;'
ipa: DEBUG: trying https://ipa2.id.example.com/ipa/session/json
ipa: DEBUG: New HTTP connection (ipa2.id.example.com)
ipa: DEBUG: HTTP connection destroyed (ipa2.id.example.com)
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 120, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request
    response.msg)
xmlrpc.client.ProtocolError: <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
ipa: DEBUG: trying https://ipa2.id.example.com/ipa/session/json
ipa: DEBUG: New HTTP connection (ipa2.id.example.com)
ipa: DEBUG: HTTP connection destroyed (ipa2.id.example.com)
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 120, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request
    response.msg)
xmlrpc.client.ProtocolError: <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
ipa: INFO: Connection to https://ipa2.id.example.com/ipa/session/json failed with <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>

krb5kdc.log:
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: NEEDED_PREAUTH: rrickardt@id.example.com for krbtgt/id.example.com@id.example.com, Additional pre-authentication required
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, rrickardt@id.example.com for krbtgt/id.example.com@id.example.com
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, rrickardt@id.example.com for HTTP/ipa7.id.example.com@id.example.com
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com@id.example.com for ldap/ipa7.id.example.com@id.example.com, KDC policy rejects request
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com@id.example.com for ldap/ipa7.id.example.com@id.example.com, KDC policy rejects request
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
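
Added example, not part of the original post: one way to triage a krb5kdc.log like the one quoted above, counting the requests the KDC refused per status and client/service pair. The sample lines are constructed in the same format with placeholder names, and treating ISSUE and NEEDED_PREAUTH as the only non-refusal statuses is an assumption of this sketch.

```python
import re
from collections import Counter

# Constructed sample in the krb5kdc.log format quoted above; all names are placeholders.
H = "Jan 11 17:41:35 kdc.example.test krb5kdc[1230](info): "
E = "(2 etypes {aes256-cts-hmac-sha384-192(20), aes256-cts-hmac-sha1-96(18)}) 10.0.0.5: "
OK = "ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18)}, "
BAD = ("S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes "
       "{rep=UNSUPPORTED:(0)} HTTP/kdc.example.test@EXAMPLE.TEST for "
       "ldap/kdc.example.test@EXAMPLE.TEST, KDC policy rejects request")
SAMPLE = "\n".join([
    H + "AS_REQ " + E + "NEEDED_PREAUTH: alice@EXAMPLE.TEST for "
        "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    H + "closing down fd 12",
    H + "AS_REQ " + E + OK + "alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    H + "TGS_REQ " + E + OK + "alice@EXAMPLE.TEST for HTTP/kdc.example.test@EXAMPLE.TEST",
    H + "TGS_REQ " + E + BAD,
    H + "... CONSTRAINED-DELEGATION s4u-client=<unknown>",
    H + "TGS_REQ " + E + BAD,
])

# Request type, client address, status code, then the free-form remainder.
LINE = re.compile(r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\}\) "
                  r"(?P<addr>\S+): (?P<status>[A-Z0-9_]+): (?P<rest>.*)")
PAIR = re.compile(r"(?P<client>\S+@\S+) for (?P<server>[^\s,]+)")
NORMAL = {"ISSUE", "NEEDED_PREAUTH"}  # assumption: every other status is a refusal

def parse(text):
    """Yield one dict per AS_REQ/TGS_REQ entry; continuation lines are skipped."""
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        pair = PAIR.search(ev.pop("rest"))
        ev["client"] = pair.group("client") if pair else None
        ev["server"] = pair.group("server") if pair else None
        yield ev

def refusals(text):
    """Count refused requests per (request type, status, client, server)."""
    return Counter((e["req"], e["status"], e["client"], e["server"])
                   for e in parse(text) if e["status"] not in NORMAL)

if __name__ == "__main__":
    for key, n in refusals(SAMPLE).most_common():
        print(n, *key)
```
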