Hi,

On Wed, Feb 19, 2025 at 5:43 PM Boris <bb@kervyn.de> wrote:
Yes, SELinux seems to be disabled.

[root@ipa2 ~]# kinit boris@DOMAIN
Passwort für boris@DOMAIN:

[root@ipa2 ~]# ipa pkinit-status
-----------------
2 servers matched
-----------------
  Servername: ipa1.redacted
  PKINIT status: disabled

  Servername: ipa2.redacted
  PKINIT status: enabled
-------------------------------------
Anzahl der zurückgegebenen Einträge 2
-------------------------------------

[root@ipa2 ~]# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful
[root@ipa2 ~]# kdestroy -A
[root@ipa2 ~]# KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
[55944] 1739982907.606095: Getting initial credentials for WELLKNOWN/ANONYMOUS@DOMAIN
[55944] 1739982907.606097: Sending unauthenticated request
[55944] 1739982907.606098: Sending request (194 bytes) to DOMAIN
...

The kinit command tries to connect to ipa1; /var/lib/sss/pubconf/kdcinfo.your_realm contains both addresses. It is the same on the ipa1 host.

On an IPA server, the above file should only contain the server itself. Try to delete the file (it will get re-created by SSSD), and check the content of /etc/sssd/sssd.conf. It should contain a section for the IPA domain (with [domain/$YOUR_DOMAIN]) and inside this section a value ipa_server = $YOUR_SERVER. Make sure that ipa_server has a single value, containing the hostname of the machine. If it contains something like _srv_ it means that the server is automatically discovered using DNS records, but that setting should not appear on a server.

HTH,
flo
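As an added example (not from the thread or the FreeIPA project), two POSIX shell checks for the two conditions described above: that the ipa_server value in the [domain/...] section of sssd.conf is a single entry naming this host (no _srv_ discovery), and that the kdcinfo file lists only this server's own address. File paths, the realm name and the addresses are assumed; the kdcinfo file is assumed to hold one address per line.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from FreeIPA.

# Print the ipa_server value(s) found inside any [domain/...] section of
# an sssd.conf, one per line (comma-separated lists are split).
ipa_server_values() {
    awk '
        /^\[/ { in_dom = ($0 ~ /^\[domain\//) }
        in_dom && /^[ \t]*ipa_server[ \t]*=/ {
            sub(/^[ \t]*ipa_server[ \t]*=[ \t]*/, "")
            gsub(/[ \t]*,[ \t]*/, "\n")
            print
        }
    ' "$1"
}

# Return 0 if ipa_server is exactly one value equal to $2 (this host's
# FQDN); return 1 for _srv_ discovery, several servers, or another host.
check_ipa_server() {
    conf="$1"; self="$2"
    vals=$(ipa_server_values "$conf")
    case "$vals" in *_srv_*) return 1 ;; esac          # DNS discovery on a server
    n=$(printf '%s\n' "$vals" | grep -c .)
    [ "$n" -eq 1 ] || return 1                          # missing or multiple values
    [ "$vals" = "$self" ] || return 1                   # points at a different host
    return 0
}

# Return 0 if every non-empty line of the kdcinfo file ($1) is one of this
# host's own addresses ($2, space-separated); return 1 if any other appears.
check_kdcinfo() {
    file="$1"; own="$2"
    while read -r addr; do
        [ -n "$addr" ] || continue
        found=0
        for o in $own; do [ "$addr" = "$o" ] && found=1; done
        [ "$found" -eq 1 ] || return 1
    done < "$file"
    return 0
}

# Typical use on the IPA server itself (realm and address are placeholders):
#   check_ipa_server /etc/sssd/sssd.conf "$(hostname -f)" && echo "sssd.conf OK"
#   check_kdcinfo /var/lib/sss/pubconf/kdcinfo.YOUR_REALM 192.0.2.20 && echo "kdcinfo OK"
```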


On Wed, Feb 19, 2025 at 17:04, Florence Blanc-Renaud <flo@redhat.com> wrote:
Hi,

On Wed, Feb 19, 2025 at 4:07 PM Boris <bb@kervyn.de> wrote:
Hi flo,

Certificate and CA look good. The certificate is signed by the correct CA and just got renewed (Not Before: Feb 15 09:43:26 2025 GMT).

The permissions look different (the question mark):

[root@ipa2 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
-rw-r--r-- 1 root root ? 1671 15. Feb 10:43 /var/kerberos/krb5kdc/kdc.crt
[root@ipa2 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
-rw-r--r-- 1 root root ? 1294 15. Mär 2023  /var/lib/ipa-client/pki/kdc-ca-bundle.pem

The question mark means that there is no SELinux context for those files. The system probably has SELINUX=disabled in /etc/selinux/config.

Can you also check the following:
# kinit admin
# ipa pkinit-status
The above will show you which servers are enabled for PKINIT.

# ipa-pkinit-manage status

# kdestroy -A
# KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache

In the logs for kinit -n, double-check that the request is sent to ipa2.
If that's not the case, you may have a wrong config (/var/lib/sss/pubconf/kdcinfo.your_realm should contain the IP address from ipa2).

flo


In comparison to ipa1:
[root@ipa1 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
-rw-r--r--. 1 root root system_u:object_r:realmd_var_lib_t:s0 1313 Feb 21  2022 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
[root@ipa1 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
-rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1367 Nov 29 13:19 /var/kerberos/krb5kdc/kdc.crt

krb5-pkinit is installed:
krb5-pkinit-1.19.2-9.fc35.x86_64



On Wed, Feb 19, 2025 at 15:46, Florence Blanc-Renaud <flo@redhat.com> wrote:
Hi,


On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi list,
As I am currently sorting out our FreeIPA problems, we stumbled across another problem.
After the last reboot of our secondary IPA host, we can no longer log in to the web UI on the second host.

The webui on the first host works.

I've checked some logs but was only able to find meaningful entries in the httpd log, which are these:

mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
Traceback (most recent call last):
 File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application
   return api.Backend.wsgi_dispatch(environ, start_response)
 File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__
   return self.route(environ, start_response)
 File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route
   return app(environ, start_response)
 File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__
   result = attempt_kinit(user_principal, password,
 File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit
   self.kinit(user_principal, password,
 File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit
   kinit_armor(
 File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor
   run(args, env=env, raiseonerr=True, capture_error=True)
 File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run
   raise CalledProcessError(
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\\n')

What is the content of this kdc.crt certificate?
openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt
The output will tell us if it's a self-signed PKINIT cert or signed by IPA CA (look for the Issuer: value in the output).

Does the kdc-ca-bundle.pem contain the CA that signed this certificate?
openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout

On a working system I see the following permissions for the above files:
# ls -lZ /var/kerberos/krb5kdc/kdc.crt
-rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt
# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
-rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem

Do you have the package krb5-pkinit installed on your machine?

flo

Does someone know in which direction I need to debug further?

Cheers
 Boris
--
The self-help group "UTF-8 problems" meets this time, as an exception, in the large hall.