On 07-09-18 10:13, Alexander Bokovoy wrote:
> On Fri, 07 Sep 2018, Kees Bakker via FreeIPA-users wrote:
>> On 06-09-18 15:16, Kees Bakker via FreeIPA-users wrote:
>>> [...]
>>>
>>> Also, when I access the IPA server using a browser it fails with
>>> Login failed due to an unknown reason.
>>>
>>> In /var/log/apache2/error.log there is this:
>>> ---------------------8X-----------------8X------------------
>>> [Thu Sep 06 12:00:28.720410 2018] [wsgi:error] [pid 6137:tid 140075658061568]
[remote 10.83.0.11:38596] ipa: INFO: [jsonserver_kerb] host/usrv1.ijtest.nl@IJTEST.NL:
schema(version=u'2.170'): SUCCESS
>>> [Thu Sep 06 12:01:00.010427 2018] [:warn] [pid 6140:tid 140076243191552]
[client 10.83.0.11:38608] failed to set perms (3140) on file
(/var/run/ipa/ccaches/host~usrv1.ijtest.nl@IJTEST.NL)!, referer:
https://usrv1.ijtest.nl/ipa/xml
>>> [Thu Sep 06 12:01:00.099271 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest.nl@IJTEST.NL:
ping(): SUCCESS
>>> [Thu Sep 06 12:01:00.101695 2018] [:warn] [pid 6140:tid 140076130498304]
[client 10.83.0.11:38608] failed to set perms (3140) on file
(/var/run/ipa/ccaches/host~usrv1.ijtest.nl@IJTEST.NL)!, referer:
https://usrv1.ijtest.nl/ipa/xml
>>> [Thu Sep 06 12:01:00.273013 2018] [wsgi:error] [pid 6137:tid 140075658061568]
[remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest.nl@IJTEST.NL:
ca_is_enabled(version=u'2.107'): SUCCESS
>>> [Thu Sep 06 12:01:02.805635 2018] [:warn] [pid 6140:tid 140076234798848]
[client 10.83.0.11:38608] failed to set perms (3140) on file
(/var/run/ipa/ccaches/host~usrv1.ijtest.nl@IJTEST.NL)!, referer:
https://usrv1.ijtest.nl/ipa/xml
>>> [Thu Sep 06 12:01:02.999541 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest.nl@IJTEST.NL:
host_mod(u'usrv1.ijtest.nl', ipasshpubkey=(), updatedns=False,
version=u'2.26'): EmptyModlist
>>> [Thu Sep 06 13:02:22.125841 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] mod_wsgi (pid=6138): Exception occurred processing WSGI script
'/usr/share/ipa/wsgi.py'.
>>> [Thu Sep 06 13:02:22.125877 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] Traceback (most recent call last):
>>> [Thu Sep 06 13:02:22.125898 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] File "/usr/share/ipa/wsgi.py", line 57, in
application
>>> [Thu Sep 06 13:02:22.125961 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] return api.Backend.wsgi_dispatch(environ, start_response)
>>> [Thu Sep 06 13:02:22.125972 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] File
"/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 265, in
__call__
>>> [Thu Sep 06 13:02:22.128833 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] return self.route(environ, start_response)
>>> [Thu Sep 06 13:02:22.128846 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] File
"/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 277, in route
>>> [Thu Sep 06 13:02:22.128860 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] return app(environ, start_response)
>>> [Thu Sep 06 13:02:22.128872 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] File
"/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 935, in
__call__
>>> [Thu Sep 06 13:02:22.128881 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] self.kinit(user_principal, password, ipa_ccache_name)
>>> [Thu Sep 06 13:02:22.128886 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] File
"/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 971, in kinit
>>> [Thu Sep 06 13:02:22.128892 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
>>> [Thu Sep 06 13:02:22.128898 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] File
"/usr/lib/python2.7/dist-packages/ipalib/install/kinit.py", line 125, in
kinit_armor
>>> [Thu Sep 06 13:02:22.133878 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] run(args, env=env, raiseonerr=True, capture_error=True)
>>> [Thu Sep 06 13:02:22.133892 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] File
"/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 572, in run
>>> [Thu Sep 06 13:02:22.138435 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] p.returncode, arg_string, output_log, error_log
>>> [Thu Sep 06 13:02:22.138488 2018] [wsgi:error] [pid 6138:tid 140075658061568]
[remote 172.16.16.30:38014] CalledProcessError: CalledProcessError(Command
['/usr/bin/kinit', '-n', '-c',
'/var/run/ipa/ccaches/armor_6138', '-X',
'X509_anchors=FILE:/var/lib/krb5kdc/kdc.crt', '-X',
'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero
exit status 1: "kinit: Pre-authentication failed: Cannot open file
'/var/lib/krb5kdc/kdc.crt': Permission denied while getting initial
credentials\\n")
>>> ---------------------8X-----------------8X------------------
>>>
>>
>> The problem with this seems to be related to the fact that directory
>> /var/lib/krb5kdc is only readable for root.
>>
>> $ ls -ld /var/lib/krb5kdc
>> drwx------ 2 root root 4096 Feb 5 2018 /var/lib/krb5kdc
>>
>> If I chmod the directory to 711 it is possible to login via the browser.
> I wonder what was used to change it because krb5-server package installs
> it as 755:
>
> # rpm -qlv krb5-server| grep /var/kerberos/krb5kdc
> drwxr-xr-x 2 root root 0 Aug 1 19:19 /var/kerberos/krb5kdc
> -rw------- 1 root root 22 Aug 1 19:13 /var/kerberos/krb5kdc/kadm5.acl
> -rw------- 1 root root 458 Aug 1 19:13 /var/kerberos/krb5kdc/kdc.conf
>
I'm using Ubuntu 18.04, where it is /var/lib/krb5kdc and this directory has
chmod 700.
That is true on Ubuntu 16.04 as well. Ubuntu 16.04 has freeipa-server 4.3.1-0ubuntu1.
The Ubuntu 18.04 FreeIPA server installation (4.7.0~pre1+git20180411-2ubuntu2)
places a few files in /var/lib/krb5kdc (that's new).
So the question is: what was changed (in FreeIPA?) that it now wants read access to
/var/lib/krb5kdc?
We need access to the KDC's public certificate in case we are dealing
with a KDC certificate issued by a local certmonger (self-signed) which
is not trusted by the machine.
You can read
for
details. A short version is:
--------
When you install 4.5 with --no-pkinit, the installer will generate
self-signed certificate for PKINIT. This certificate is only used and
trusted by IPA Web UI running on the same server to obtain an anonymous
ticket.
--------
That anonymous PKINIT is required right now to enable two-factor
authentication login to the web UI because since FreeIPA 4.5 we cannot use
the HTTP service keytab anymore: the FreeIPA framework lost access to the keytab
due to the privilege separation work we did (read
for details).
Since your KDC PKINIT certificate might be issued by a local self-signed
certmonger 'CA' in case you are not using integrated FreeIPA CA, we have
to be able to trust *that* public KDC certificate when running 'kinit
-n', thus we need access to it.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
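The "Permission denied" in the traceback above is produced by the web server user failing to traverse a 0700 directory, not by the mode of kdc.crt itself. The following is an added example, not FreeIPA's code and not posted by anyone in this thread: a small path-permission walker that simulates open() under plain Unix discretionary access control and is run here against a constructed stand-in for the layout on the Ubuntu 18.04 host. Assumptions: the Apache/mod_wsgi user is www-data with uid 33; kdc.crt is 0644 and kdc.key 0600 and the kdc-ca-bundle.pem path is world-readable (none of these modes are shown in the thread); POSIX ACLs, capabilities and AppArmor/SELinux policy are not modelled.

```python
"""Explain "Permission denied" on a PKINIT anchor by walking the path the way the
kernel does: every directory needs search (x) for the caller, the file needs read (r).
Added example; constructed data, not FreeIPA code."""
import os
import stat
from typing import Callable, Dict, List, Optional, Set, Tuple

StatTriple = Tuple[int, int, int]          # (st_mode, st_uid, st_gid)
StatFn = Callable[[str], StatTriple]

WWW_DATA_UID = 33                          # assumed uid of Ubuntu's www-data user

# The anchors kinit -n was given in the traceback (-X X509_anchors=FILE:...).
ANCHORS = [
    "/var/lib/krb5kdc/kdc.crt",
    "/var/lib/ipa-client/pki/kdc-ca-bundle.pem",
]

# Constructed stand-in for the Ubuntu 18.04 host: /var/lib/krb5kdc is 0700 root:root.
# File modes below are assumptions; the thread shows only the directory mode.
FS_DIR_700: Dict[str, StatTriple] = {
    "/":                                         (stat.S_IFDIR | 0o755, 0, 0),
    "/var":                                      (stat.S_IFDIR | 0o755, 0, 0),
    "/var/lib":                                  (stat.S_IFDIR | 0o755, 0, 0),
    "/var/lib/krb5kdc":                          (stat.S_IFDIR | 0o700, 0, 0),
    "/var/lib/krb5kdc/kdc.crt":                  (stat.S_IFREG | 0o644, 0, 0),
    "/var/lib/krb5kdc/kdc.key":                  (stat.S_IFREG | 0o600, 0, 0),
    "/var/lib/ipa-client":                       (stat.S_IFDIR | 0o755, 0, 0),
    "/var/lib/ipa-client/pki":                   (stat.S_IFDIR | 0o755, 0, 0),
    "/var/lib/ipa-client/pki/kdc-ca-bundle.pem": (stat.S_IFREG | 0o644, 0, 0),
}


def with_mode(fs: Dict[str, StatTriple], path: str, perm_bits: int) -> Dict[str, StatTriple]:
    """Copy of the fake filesystem with `path` chmod'ed to perm_bits (file type kept)."""
    new = dict(fs)
    mode, uid, gid = fs[path]
    new[path] = (stat.S_IFMT(mode) | perm_bits, uid, gid)
    return new


def _prefixes(path: str) -> List[str]:
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c']: every component the kernel must check."""
    path = os.path.normpath(path)
    if not path.startswith("/"):
        raise ValueError("absolute path required")
    out, cur = ["/"], ""
    for part in path.split("/")[1:]:
        if part:
            cur += "/" + part
            out.append(cur)
    return out


def _class_bits(mode: int, st_uid: int, st_gid: int, uid: int, gids: Set[int]) -> int:
    """The rwx triplet that applies to this caller: owner, else group, else other."""
    if uid == st_uid:
        return (mode >> 6) & 0o7
    if st_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def check_read_access(path: str, uid: int, gids: Set[int],
                      statfn: Optional[StatFn] = None) -> Tuple[bool, Optional[str]]:
    """Simulate open(path, O_RDONLY) for (uid, gids) under plain Unix DAC.

    Returns (True, None) on success, or (False, first_component_that_denies).
    Limitations (assumptions): uid 0 is treated as bypassing DAC; ACLs,
    capabilities and MAC policy are not modelled.  With statfn=None the real
    filesystem is consulted, which makes this a root-run "can www-data read
    these anchors?" diagnostic without switching users.
    """
    if statfn is None:
        def statfn(p: str) -> StatTriple:
            st = os.stat(p)
            return st.st_mode, st.st_uid, st.st_gid
    if uid == 0:
        return True, None
    comps = _prefixes(path)
    for d in comps[:-1]:                       # every directory on the way: need x
        mode, st_uid, st_gid = statfn(d)
        if not _class_bits(mode, st_uid, st_gid, uid, gids) & 0o1:
            return False, d
    mode, st_uid, st_gid = statfn(comps[-1])   # the file itself: need r
    if not _class_bits(mode, st_uid, st_gid, uid, gids) & 0o4:
        return False, comps[-1]
    return True, None


def diagnose_anchors(anchors: List[str], uid: int, gids: Set[int],
                     statfn: Optional[StatFn] = None) -> Dict[str, Optional[str]]:
    """Map each anchor to None (readable) or to the path component that blocks it."""
    return {a: check_read_access(a, uid, gids, statfn)[1] for a in anchors}


if __name__ == "__main__":
    fs_711 = with_mode(FS_DIR_700, "/var/lib/krb5kdc", 0o711)
    for label, fs in (("0700", FS_DIR_700), ("0711", fs_711)):
        report = diagnose_anchors(ANCHORS + ["/var/lib/krb5kdc/kdc.key"],
                                  WWW_DATA_UID, {WWW_DATA_UID}, lambda p, fs=fs: fs[p])
        for path, blocker in report.items():
            print(f"dir {label}: {path}: {'readable' if blocker is None else 'denied at ' + blocker}")
```

The 0711 run also shows why that chmod is the narrow fix rather than 755: it grants search permission on the directory without read (listing) permission, and kdc.key stays unreadable only because its own mode is 0600. Check the key file's mode before relaxing the directory, since traversal is enough to open any file whose own bits allow it.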