On Thu, 11 Jan 2024, Rasto Rickardt via FreeIPA-users wrote:
Hello,
I have a setup of 5 IPA servers on RHEL8. This morning I upgraded the IPA components with dnf upgrade to 4.9.12-11, for example:
ipa-server-4.9.12-11.module+el8.9.0+20824+f2605038.x86_64 ipa-server-common-4.9.12-11.module+el8.9.0+20824+f2605038.noarch
After the upgrade finished without errors, I was not able to log in to the UI with the correct password; the message was "Your session has expired. Please log in again."
dirsrv replication looks OK.
I checked the logs; every time I try to log in, /var/log/httpd/error_log contains:
[Thu Jan 11 17:30:03.490345 2024] [wsgi:error] [pid 3299146:tid 139867429353216] [remote 185.103.146.26:46292] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
I can do kinit without any error. But when I try to use ipa user-show, it is not working.
The error below tells that a user ticket did not have a PAC associated:
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com@id.example.com for ldap/ipa7.id.example.com@id.example.com, KDC policy rejects request
Can you also share your client's and server's Kerberos configurations (the configs and which rpms are used)?
It looks like either the SID is missing in the user account and the KDC is forced to ignore that (disable_pac = true in the realm configuration in kdc.conf), or some flags are set on IPA services to force ignoring PAC checks. PAC presence is required for constrained delegation operations and we now enforce it for krb5 1.18 as well.
ipaupgrade.log attached, rest inline.
If you have any idea how to fix this, I will be grateful.
Thank you,
Rasto
ipa -d user-show
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: found session_cookie in persistent storage for principal 'rrickardt@redacted', cookie: 'ipa_session=MagBearerToken=VsNzXWPFKUTUmXpNpoXBnYn%2f7kaXq3b77Vb1HDzWdZ8u1c3ZAAReJFNMYwMeRLYSv4pggL%2bb3O1YH9lpJuXswOV%2fK%2fs%2bF96bBeIykbO2%2bnklplxnRxGyjo4edYLEo4QvfYIr9P2xGoxPEsCjrDj6m%2bro3UZtiFKGIgrI9KJKfZAhLrk46ooeAZ0HF7IAR5DgI07EdHeXdoP%2bA1T70CoXYA%3d%3d'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=VsNzXWPFKUTUmXpNpoXBnYn%2f7kaXq3b77Vb1HDzWdZ8u1c3ZAAReJFNMYwMeRLYSv4pggL%2bb3O1YH9lpJuXswOV%2fK%2fs%2bF96bBeIykbO2%2bnklplxnRxGyjo4edYLEo4QvfYIr9P2xGoxPEsCjrDj6m%2bro3UZtiFKGIgrI9KJKfZAhLrk46ooeAZ0HF7IAR5DgI07EdHeXdoP%2bA1T70CoXYA%3d%3d;'
ipa: DEBUG: trying https://ipa2.id.example.com/ipa/session/json
ipa: DEBUG: New HTTP connection (ipa2.id.example.com)
ipa: DEBUG: HTTP connection destroyed (ipa2.id.example.com)
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 120, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request
    response.msg)
xmlrpc.client.ProtocolError: <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
ipa: DEBUG: trying https://ipa2.id.example.com/ipa/session/json
ipa: DEBUG: New HTTP connection (ipa2.id.example.com)
ipa: DEBUG: HTTP connection destroyed (ipa2.id.example.com)
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 120, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request
    response.msg)
xmlrpc.client.ProtocolError: <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
ipa: INFO: Connection to https://ipa2.id.example.com/ipa/session/json failed with <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
krb5kdc.log
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: NEEDED_PREAUTH: rrickardt@id.example.com for krbtgt/id.example.com@id.example.com, Additional pre-authentication required
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, rrickardt@id.example.com for krbtgt/id.example.com@id.example.com
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, rrickardt@id.example.com for HTTP/ipa7.id.example.com@id.example.com
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com@id.example.com for ldap/ipa7.id.example.com@id.example.com, KDC policy rejects request
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com@id.example.com for ldap/ipa7.id.example.com@id.example.com, KDC policy rejects request
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
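Added example (editor's code, not from this thread or the FreeIPA project): a small check that localizes the two causes the reply names, by counting S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC rejections per proxy/target service pair in krb5kdc.log and flagging any realm stanza in kdc.conf that sets disable_pac. The log records and the kdc.conf fragment are constructed samples modelled on the output above; on a real server, feed it the actual /var/log/krb5kdc.log and /var/kerberos/krb5kdc/kdc.conf contents.

```python
import re
from collections import Counter

# Constructed krb5kdc.log sample modelled on the records in this thread
# (one successful TGS for HTTP, then the rejected S4U2Proxy step to ldap).
SAMPLE_KDC_LOG = """\
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): TGS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, rrickardt@id.example.com for HTTP/ipa7.id.example.com@id.example.com
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com@id.example.com for ldap/ipa7.id.example.com@id.example.com, KDC policy rejects request
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
"""

# Constructed kdc.conf fragment carrying the weak setting named in the reply.
SAMPLE_KDC_CONF = """\
[realms]
 ID.EXAMPLE.COM = {
  master_key_type = aes256-cts
  disable_pac = true
 }
"""

# Captures the proxy service (holder of the PAC-less evidence ticket)
# and the delegation target it asked for.
NO_PAC_RE = re.compile(
    r"S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: .*?\} (?P<proxy>\S+) for (?P<target>\S+),"
)

def find_pac_rejections(log_text):
    """Count (proxy, target) service pairs the KDC rejected for a missing PAC."""
    hits = Counter()
    for line in log_text.splitlines():
        m = NO_PAC_RE.search(line)
        if m:
            hits[(m.group("proxy"), m.group("target"))] += 1
    return hits

def realms_with_pac_disabled(conf_text):
    """Realm stanzas in kdc.conf that set disable_pac to a true value (line parser)."""
    current, disabled = None, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        stanza = re.match(r"^([A-Za-z0-9.\-]+)\s*=\s*\{$", line)
        if stanza:
            current = stanza.group(1)
        elif line == "}":
            current = None
        elif current and re.match(r"^disable_pac\s*=\s*(true|yes|1)$", line, re.I):
            disabled.add(current)
    return sorted(disabled)

if __name__ == "__main__":
    for (proxy, target), n in find_pac_rejections(SAMPLE_KDC_LOG).items():
        print(f"{n}x PAC-less evidence ticket: {proxy} -> {target}")
    print("disable_pac set for:", realms_with_pac_disabled(SAMPLE_KDC_CONF))
```

A non-empty result from realms_with_pac_disabled explains the missing PAC directly; an empty one, with rejections still present, points at the other cause in the reply (user accounts without a SID, or service flags suppressing PAC checks).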
-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue