Hi,
On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi list, as I am currently sorting out our freeipa problems, we stumbled across another problem. After the last reboot of our secondary IPA host, we can no longer log in to the webui on the 2nd host.
The webui on the first host works.
I've checked some logs but was only able to find meaningful entries in the httpd log which is this:
mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application
    return api.Backend.wsgi_dispatch(environ, start_response)
  File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__
    return self.route(environ, start_response)
  File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route
    return app(environ, start_response)
  File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__
    result = attempt_kinit(user_principal, password,
  File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit
    self.kinit(user_principal, password,
  File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit
    kinit_armor(
  File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor
    run(args, env=env, raiseonerr=True, capture_error=True)
  File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run
    raise CalledProcessError(
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\n')
What is the content of this kdc.crt certificate?
openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt

The output will tell us if it's a self-signed PKINIT cert or signed by IPA CA (look for the Issuer: value in the output).

Does the kdc-ca-bundle.pem contain the CA that signed this certificate?

openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout

On a working system I see the following permissions for the above files:

# ls -lZ /var/kerberos/krb5kdc/kdc.crt
-rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt
# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
-rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
Do you have the package krb5-pkinit installed on your machine?
flo
Does someone know in which direction I need to debug further?
Cheers Boris
--
The "UTF-8 problems" self-help group meets this time, as an exception, in the large hall.
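The checks suggested in the reply above, collected into a small sh script as an added example (it is not from the thread or from FreeIPA itself); the default paths are the ones from the traceback, and the function names are my own:

```shell
#!/bin/sh
# Added example: automates the PKINIT armor-cert checks from the thread.
# Paths below are the ones from the traceback; pass others as $1 and $2.

# Print Subject and Issuer of the KDC PKINIT certificate.
# Issuer equal to Subject means self-signed; otherwise it should be the IPA CA.
kdc_cert_identity() {
    openssl x509 -noout -subject -issuer -in "$1"
}

# Returns 0 when the certificate is self-signed.
kdc_cert_is_selfsigned() {
    subj=$(openssl x509 -noout -subject -in "$1")
    iss=$(openssl x509 -noout -issuer -in "$1")
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# List every CA subject in the bundle (same idea as the crl2pkcs7 pipeline above).
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout | grep '^subject='
}

# Returns 0 when the bundle can validate the KDC certificate's chain, i.e. the
# X509_anchors passed to "kinit -n" actually contain the signer of kdc.crt.
bundle_anchors_kdc_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 when krb5-pkinit (the preauth plugin "kinit -n" relies on) is installed.
pkinit_plugin_installed() {
    rpm -q krb5-pkinit >/dev/null 2>&1
}

report() {
    echo "== $1"; kdc_cert_identity "$1"
    echo "== CAs in $2"; bundle_subjects "$2"
    if bundle_anchors_kdc_cert "$1" "$2"; then echo "chain: OK (bundle anchors kdc.crt)"
    else echo "chain: FAIL (bundle does not contain the CA that signed kdc.crt)"; fi
    if pkinit_plugin_installed; then echo "krb5-pkinit: installed"
    else echo "krb5-pkinit: NOT installed"; fi
}

# Run the report only when executed with explicit paths, so the functions can be sourced.
if [ "$#" -ge 2 ]; then
    report "$1" "$2"
fi
```

Run it as `sh check-pkinit.sh /var/kerberos/krb5kdc/kdc.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem` on the failing replica and compare with the working one.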