5:04 a.m.
Hi all,
After I upgraded to FreeIPA 4.5 (on CentOS 7), I get an error "Login failed due to an
unknown reason" on the web UI, no matter if I use the admin user or my personal user.
From what I can tell, all the ipa commands work fine on the command line, and kinit also
works fine.
I have included some output from /var/log/httpd/error_log below. It would be great if
someone could make a guess (or better) at what is going wrong, or which logs to look at,
etc.
When I run the command in the CalledProcessError, I get a password prompt for
WELLKNOWN/ANONYMOUS(a)OUS.NSC.LOCAL (the second part is the realm name).
Thanks,
Marius
[Thu Oct 05 11:36:34.898930 2017] [core:notice] [pid 7417] SELinux policy enabled; httpd
running as context system_u:system_r:httpd_t:s0
[Thu Oct 05 11:36:34.899649 2017] [suexec:notice] [pid 7417] AH01232: suEXEC mechanism
enabled (wrapper: /usr/sbin/suexec)
[Thu Oct 05 11:36:34.899669 2017] [:warn] [pid 7417] NSSSessionCacheTimeout is deprecated.
Ignoring.
[Thu Oct 05 11:36:35.065273 2017] [auth_digest:notice] [pid 7417] AH01757: generating
secret for digest authentication ...
[Thu Oct 05 11:36:35.065933 2017] [lbmethod_heartbeat:notice] [pid 7417] AH02282: No
slotmem from mod_heartmonitor
[Thu Oct 05 11:36:35.065947 2017] [:warn] [pid 7417] NSSSessionCacheTimeout is deprecated.
Ignoring.
[Thu Oct 05 11:36:35.100828 2017] [mpm_prefork:notice] [pid 7417] AH00163: Apache/2.4.6
(CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 PHP/5.4.16 mod_wsgi/3.4
Python/2.7.5 configured -- resuming normal operations
[Thu Oct 05 11:36:35.100849 2017] [core:notice] [pid 7417] AH00094: Command line:
'/usr/sbin/httpd -D FOREGROUND'
[Thu Oct 05 11:36:36.676629 2017] [:error] [pid 7424] ipa: INFO: *** PROCESS START ***
[Thu Oct 05 11:36:36.695362 2017] [:error] [pid 7425] ipa: INFO: *** PROCESS START ***
--- login attempt performed now ---
[Thu Oct 05 11:36:38.504718 2017] [:error] [pid 7424] [remote 192.168.1.48:244] mod_wsgi
(pid=7424): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Thu Oct 05 11:36:38.504758 2017] [:error] [pid 7424] [remote 192.168.1.48:244] Traceback
(most recent call last):
[Thu Oct 05 11:36:38.504776 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File
"/usr/share/ipa/wsgi.py", line 51, in application
[Thu Oct 05 11:36:38.504845 2017] [:error] [pid 7424] [remote 192.168.1.48:244] return
api.Backend.wsgi_dispatch(environ, start_response)
[Thu Oct 05 11:36:38.504855 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in
__call__
[Thu Oct 05 11:36:38.505045 2017] [:error] [pid 7424] [remote 192.168.1.48:244] return
self.route(environ, start_response)
[Thu Oct 05 11:36:38.505054 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Thu Oct 05 11:36:38.505067 2017] [:error] [pid 7424] [remote 192.168.1.48:244] return
app(environ, start_response)
[Thu Oct 05 11:36:38.505072 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in
__call__
[Thu Oct 05 11:36:38.505079 2017] [:error] [pid 7424] [remote 192.168.1.48:244]
self.kinit(user_principal, password, ipa_ccache_name)
[Thu Oct 05 11:36:38.505083 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
[Thu Oct 05 11:36:38.505089 2017] [:error] [pid 7424] [remote 192.168.1.48:244]
pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Thu Oct 05 11:36:38.505094 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File
"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in
kinit_armor
[Thu Oct 05 11:36:38.505135 2017] [:error] [pid 7424] [remote 192.168.1.48:244]
run(args, env=env, raiseonerr=True, capture_error=True)
[Thu Oct 05 11:36:38.505143 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run
[Thu Oct 05 11:36:38.505346 2017] [:error] [pid 7424] [remote 192.168.1.48:244] raise
CalledProcessError(p.returncode, arg_string, str(output))
[Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote 192.168.1.48:244]
CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_7424 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit
status 1
11:37 a.m.
Marius Bjørnstad via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> writes:
After I upgraded to FreeIPA 4.5 (on CentOS 7), I get an error
"Login
failed due to an unknown reason" on the web UI, no matter if I use the
admin user or my personal user.
...
[Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_7424 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
non-zero exit status 1
Do you have krb5-pkinit installed? I think there is a dependency
missing. And I ran "ipa-pkinit-manage enable", but I don't remember if
it's needed for WebUI login.
Jochen
--
This space is intentionally left blank.
11:44 a.m.
On to, 05 loka 2017, Jochen Hein via FreeIPA-users wrote:
Marius Bjørnstad via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> writes:
> After I upgraded to FreeIPA 4.5 (on CentOS 7), I get an error "Login
> failed due to an unknown reason" on the web UI, no matter if I use the
> admin user or my personal user.
...
> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
> /var/run/ipa/ccaches/armor_7424 -X
> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
> non-zero exit status 1
Do you have krb5-pkinit installed? I think there is a dependency
missing. And I ran "ipa-pkinit-manage enable", but I don't remember if
it's needed for WebUI login.
Looking into RHEL/CentOS spec file, I see:
.....
%package server
Summary: The IPA authentication server
Group: System Environment/Base
.....
Requires(post): krb5-server >= %{krb5_version}
Requires(post): krb5-server >= %{krb5_base_version}, krb5-server <
%{krb5_base_version}.100
Requires: krb5-pkinit-openssl >= %{krb5_version}
.....
So there is an explicit dependency to krb5-pkinit-openssl which is
provided by krb5-pkinit.
--
/ Alexander Bokovoy
1:37 p.m.
New subject: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5
Alexander Bokovoy <abokovoy(a)redhat.com> writes:
On to, 05 loka 2017, Jochen Hein via FreeIPA-users wrote:
>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424]
[remote
>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
>> /var/run/ipa/ccaches/armor_7424 -X
>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>> non-zero exit status 1
>
>Do you have krb5-pkinit installed? I think there is a dependency
>missing. And I ran "ipa-pkinit-manage enable", but I don't remember if
>it's needed for WebUI login.
Looking into RHEL/CentOS spec file, I see:
Hm, then the dependency was missing for the client pakages for Debian/Ubuntu.
Thanks for checking.
Jochen
--
This space is intentionally left blank.
2:11 p.m.
New subject: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5
On to, 05 loka 2017, Jochen Hein wrote:
Alexander Bokovoy <abokovoy(a)redhat.com> writes:
> On to, 05 loka 2017, Jochen Hein via FreeIPA-users wrote:
>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
>>> /var/run/ipa/ccaches/armor_7424 -X
>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>> non-zero exit status 1
>>
>>Do you have krb5-pkinit installed? I think there is a dependency
>>missing. And I ran "ipa-pkinit-manage enable", but I don't remember
if
>>it's needed for WebUI login.
> Looking into RHEL/CentOS spec file, I see:
Hm, then the dependency was missing for the client pakages for Debian/Ubuntu.
This
should not be a problem for the case above because it is IPA
master, not a client here.
--
/ Alexander Bokovoy
4:38 a.m.
New subject: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5
Thanks for the replies! I do have the krb5-pkinit package installed.
ipa-pkinit-manage status was disabled, but enabling it with ipa-pkinit-manage enable
didn't fix the problem.
$ ipa pkinit-status --server=SERVER_NAME
says PKINIT is disabled.
# ipa-pkinit-manage status
now says it is enabled.
$ ipa config-show
does not list any IPA masters supporting PKINIT.
If I disable then re-enable using ipa-pkinit-manage, nothing changes.
I should note that we now have one server on 4.4, which I daren't touch, and this one
on 4.5 which is having issues.
This is the output from kinit -n as my user, with KRB5_TRACE on. I terminated it at the
password prompt. So there is something wrong with the KDC?
[3790] 1507282499.679169: Resolving unique ccache of type KEYRING
[3790] 1507282499.679205: Getting initial credentials for
WELLKNOWN/ANONYMOUS(a)OUS.NSC.LOCAL
[3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
[3790] 1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88
[3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
[3790] 1507282499.683001: Received answer (296 bytes) from stream 192.168.1.248:88
[3790] 1507282499.683008: Terminating TCP connection to stream 192.168.1.248:88
[3790] 1507282499.683039: Response was from master KDC
[3790] 1507282499.683053: Received error from KDC: -1765328359/Additional
pre-authentication required
[3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
[3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt
"OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
[3790] 1507282499.683081: Received cookie: MIT
[3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) returned:
-1765328252/Password read interrupted
5. okt. 2017 kl. 21.11 skrev Alexander Bokovoy
<abokovoy(a)redhat.com>:
On to, 05 loka 2017, Jochen Hein wrote:
> Alexander Bokovoy <abokovoy(a)redhat.com> writes:
>
>> On to, 05 loka 2017, Jochen Hein via FreeIPA-users wrote:
>
>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
>>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'
returned
>>>> non-zero exit status 1
>>>
>>> Do you have krb5-pkinit installed? I think there is a dependency
>>> missing. And I ran "ipa-pkinit-manage enable", but I don't
remember if
>>> it's needed for WebUI login.
>> Looking into RHEL/CentOS spec file, I see:
>
> Hm, then the dependency was missing for the client pakages for Debian/Ubuntu.
This should not be a problem for the case above because it is IPA
master, not a client here.
--
/ Alexander Bokovoy
4:56 a.m.
New subject: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5
On pe, 06 loka 2017, Marius Bjørnstad via FreeIPA-users wrote:
Thanks for the replies! I do have the krb5-pkinit package installed.
ipa-pkinit-manage status was disabled, but enabling it with ipa-pkinit-manage enable
didn't fix the problem.
$ ipa pkinit-status --server=SERVER_NAME
says PKINIT is disabled.
# ipa-pkinit-manage status
now says it is enabled.
$ ipa config-show
does not list any IPA masters supporting PKINIT.
If I disable then re-enable using ipa-pkinit-manage, nothing changes.
I should note that we now have one server on 4.4, which I daren't touch, and this one
on 4.5 which is having issues.
This is the output from kinit -n as my user, with KRB5_TRACE on. I terminated it at the
password prompt. So there is something wrong with the KDC?
[3790] 1507282499.679169: Resolving unique ccache of type KEYRING
[3790] 1507282499.679205: Getting initial credentials for
WELLKNOWN/ANONYMOUS(a)OUS.NSC.LOCAL
[3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
[3790] 1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88
[3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
[3790] 1507282499.683001: Received answer (296 bytes) from stream 192.168.1.248:88
[3790] 1507282499.683008: Terminating TCP connection to stream 192.168.1.248:88
[3790] 1507282499.683039: Response was from master KDC
[3790] 1507282499.683053: Received error from KDC: -1765328359/Additional
pre-authentication required
[3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
[3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt
"OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
[3790] 1507282499.683081: Received cookie: MIT
[3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) returned:
-1765328252/Password read interrupted
192.168.1.248 -- which KDC is this? 4.4 or 4.5?
> 5. okt. 2017 kl. 21.11 skrev Alexander Bokovoy <abokovoy(a)redhat.com>:
>
> On to, 05 loka 2017, Jochen Hein wrote:
>> Alexander Bokovoy <abokovoy(a)redhat.com> writes:
>>
>>> On to, 05 loka 2017, Jochen Hein via FreeIPA-users wrote:
>>
>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
>>>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n
-c
>>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'
returned
>>>>> non-zero exit status 1
>>>>
>>>> Do you have krb5-pkinit installed? I think there is a dependency
>>>> missing. And I ran "ipa-pkinit-manage enable", but I don't
remember if
>>>> it's needed for WebUI login.
>>> Looking into RHEL/CentOS spec file, I see:
>>
>> Hm, then the dependency was missing for the client pakages for Debian/Ubuntu.
> This should not be a problem for the case above because it is IPA
> master, not a client here.
>
> --
> / Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
--
/ Alexander Bokovoy
5:24 a.m.
New subject: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5
Wow that's well spotted! That IP is the 4.4 server (I just blindly assumed that it
would use the value in krb5.conf, which is the 4.5 server). It goes to 248 every time.
strace showed me that kinit gets the IP address from
/var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL. This file contains only the IP address of the
other master. I changed it to 192.168.1.249, the 4.5 master, and it works!
6. okt. 2017 kl. 11.56 skrev Alexander Bokovoy
<abokovoy(a)redhat.com>:
On pe, 06 loka 2017, Marius Bjørnstad via FreeIPA-users wrote:
> Thanks for the replies! I do have the krb5-pkinit package installed.
> ipa-pkinit-manage status was disabled, but enabling it with ipa-pkinit-manage enable
didn't fix the problem.
>
> $ ipa pkinit-status --server=SERVER_NAME
> says PKINIT is disabled.
> # ipa-pkinit-manage status
> now says it is enabled.
> $ ipa config-show
> does not list any IPA masters supporting PKINIT.
>
> If I disable then re-enable using ipa-pkinit-manage, nothing changes.
>
> I should note that we now have one server on 4.4, which I daren't touch, and this
one on 4.5 which is having issues.
>
> This is the output from kinit -n as my user, with KRB5_TRACE on. I terminated it at
the password prompt. So there is something wrong with the KDC?
>
> [3790] 1507282499.679169: Resolving unique ccache of type KEYRING
> [3790] 1507282499.679205: Getting initial credentials for
WELLKNOWN/ANONYMOUS(a)OUS.NSC.LOCAL
> [3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
> [3790] 1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88
> [3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
> [3790] 1507282499.683001: Received answer (296 bytes) from stream 192.168.1.248:88
> [3790] 1507282499.683008: Terminating TCP connection to stream 192.168.1.248:88
> [3790] 1507282499.683039: Response was from master KDC
> [3790] 1507282499.683053: Received error from KDC: -1765328359/Additional
pre-authentication required
> [3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
> [3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt
"OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
> [3790] 1507282499.683081: Received cookie: MIT
> [3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) returned:
-1765328252/Password read interrupted
192.168.1.248 -- which KDC is this? 4.4 or 4.5?
>
>
>
>> 5. okt. 2017 kl. 21.11 skrev Alexander Bokovoy <abokovoy(a)redhat.com>:
>>
>> On to, 05 loka 2017, Jochen Hein wrote:
>>> Alexander Bokovoy <abokovoy(a)redhat.com> writes:
>>>
>>>> On to, 05 loka 2017, Jochen Hein via FreeIPA-users wrote:
>>>
>>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
>>>>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit
-n -c
>>>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>>>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'
returned
>>>>>> non-zero exit status 1
>>>>>
>>>>> Do you have krb5-pkinit installed? I think there is a dependency
>>>>> missing. And I ran "ipa-pkinit-manage enable", but I
don't remember if
>>>>> it's needed for WebUI login.
>>>> Looking into RHEL/CentOS spec file, I see:
>>>
>>> Hm, then the dependency was missing for the client pakages for
Debian/Ubuntu.
>> This should not be a problem for the case above because it is IPA
>> master, not a client here.
>>
>> --
>> / Alexander Bokovoy
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
--
/ Alexander Bokovoy
5:27 a.m.
New subject: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5
Just learned a new keyboard shortcut in my mail client. Didn't mean to send without
saying thanks a lot, that was very helpful.
6. okt. 2017 kl. 12.24 skrev Marius Bjørnstad via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org>:
Wow that's well spotted! That IP is the 4.4 server (I just blindly assumed that it
would use the value in krb5.conf, which is the 4.5 server). It goes to 248 every time.
strace showed me that kinit gets the IP address from
/var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL. This file contains only the IP address of the
other master. I changed it to 192.168.1.249, the 4.5 master, and it works!
> 6. okt. 2017 kl. 11.56 skrev Alexander Bokovoy <abokovoy(a)redhat.com
<mailto:abokovoy@redhat.com>>:
>
> On pe, 06 loka 2017, Marius Bjørnstad via FreeIPA-users wrote:
>> Thanks for the replies! I do have the krb5-pkinit package installed.
>> ipa-pkinit-manage status was disabled, but enabling it with ipa-pkinit-manage
enable didn't fix the problem.
>>
>> $ ipa pkinit-status --server=SERVER_NAME
>> says PKINIT is disabled.
>> # ipa-pkinit-manage status
>> now says it is enabled.
>> $ ipa config-show
>> does not list any IPA masters supporting PKINIT.
>>
>> If I disable then re-enable using ipa-pkinit-manage, nothing changes.
>>
>> I should note that we now have one server on 4.4, which I daren't touch, and
this one on 4.5 which is having issues.
>>
>> This is the output from kinit -n as my user, with KRB5_TRACE on. I terminated it
at the password prompt. So there is something wrong with the KDC?
>>
>> [3790] 1507282499.679169: Resolving unique ccache of type KEYRING
>> [3790] 1507282499.679205: Getting initial credentials for
WELLKNOWN/ANONYMOUS(a)OUS.NSC.LOCAL <mailto:WELLKNOWN/ANONYMOUS@OUS.NSC.LOCAL>
>> [3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
>> [3790] 1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88
>> [3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
>> [3790] 1507282499.683001: Received answer (296 bytes) from stream
192.168.1.248:88
>> [3790] 1507282499.683008: Terminating TCP connection to stream 192.168.1.248:88
>> [3790] 1507282499.683039: Response was from master KDC
>> [3790] 1507282499.683053: Received error from KDC: -1765328359/Additional
pre-authentication required
>> [3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
>> [3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt
"OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
>> [3790] 1507282499.683081: Received cookie: MIT
>> [3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) returned:
-1765328252/Password read interrupted
>
> 192.168.1.248 -- which KDC is this? 4.4 or 4.5?
>
>
>>
>>
>>
>>> 5. okt. 2017 kl. 21.11 skrev Alexander Bokovoy <abokovoy(a)redhat.com
<mailto:abokovoy@redhat.com>>:
>>>
>>> On to, 05 loka 2017, Jochen Hein wrote:
>>>> Alexander Bokovoy <abokovoy(a)redhat.com
<mailto:abokovoy@redhat.com>> writes:
>>>>
>>>>> On to, 05 loka 2017, Jochen Hein via FreeIPA-users wrote:
>>>>
>>>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424]
[remote
>>>>>>> 192.168.1.48:244] CalledProcessError: Command
'/usr/bin/kinit -n -c
>>>>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>>>>>
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>>>>>> non-zero exit status 1
>>>>>>
>>>>>> Do you have krb5-pkinit installed? I think there is a
dependency
>>>>>> missing. And I ran "ipa-pkinit-manage enable", but I
don't remember if
>>>>>> it's needed for WebUI login.
>>>>> Looking into RHEL/CentOS spec file, I see:
>>>>
>>>> Hm, then the dependency was missing for the client pakages for
Debian/Ubuntu.
>>> This should not be a problem for the case above because it is IPA
>>> master, not a client here.
>>>
>>> --
>>> / Alexander Bokovoy
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
>
> --
> / Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
5:37 a.m.
New subject: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5
On pe, 06 loka 2017, Marius Bjørnstad wrote:
Wow that's well spotted! That IP is the 4.4 server (I just
blindly
assumed that it would use the value in krb5.conf, which is the 4.5
server). It goes to 248 every time.
strace showed me that kinit gets the IP address from
/var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL. This file contains only the
IP address of the other master. I changed it to 192.168.1.249, the 4.5
master, and it works!
This is fixed in 4.6.1 and backported to 4.5. In short, check
/etc/sssd/sssd.conf on the 4.5 master to see if it has _srv_ in
'ipa_server' option. If it does, remove it from there and only leave
this master's fqdn
ipa_server = master.example.com
SSSD also was updated to not write down KDC locator file in case we are
running on IPA master (ipa_server_mode = True).
> 6. okt. 2017 kl. 11.56 skrev Alexander Bokovoy <abokovoy(a)redhat.com>:
>
> On pe, 06 loka 2017, Marius Bjørnstad via FreeIPA-users wrote:
>> Thanks for the replies! I do have the krb5-pkinit package installed.
>> ipa-pkinit-manage status was disabled, but enabling it with ipa-pkinit-manage
enable didn't fix the problem.
>>
>> $ ipa pkinit-status --server=SERVER_NAME
>> says PKINIT is disabled.
>> # ipa-pkinit-manage status
>> now says it is enabled.
>> $ ipa config-show
>> does not list any IPA masters supporting PKINIT.
>>
>> If I disable then re-enable using ipa-pkinit-manage, nothing changes.
>>
>> I should note that we now have one server on 4.4, which I daren't touch, and
this one on 4.5 which is having issues.
>>
>> This is the output from kinit -n as my user, with KRB5_TRACE on. I terminated it
at the password prompt. So there is something wrong with the KDC?
>>
>> [3790] 1507282499.679169: Resolving unique ccache of type KEYRING
>> [3790] 1507282499.679205: Getting initial credentials for
WELLKNOWN/ANONYMOUS(a)OUS.NSC.LOCAL
>> [3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
>> [3790] 1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88
>> [3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
>> [3790] 1507282499.683001: Received answer (296 bytes) from stream
192.168.1.248:88
>> [3790] 1507282499.683008: Terminating TCP connection to stream 192.168.1.248:88
>> [3790] 1507282499.683039: Response was from master KDC
>> [3790] 1507282499.683053: Received error from KDC: -1765328359/Additional
pre-authentication required
>> [3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
>> [3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt
"OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
>> [3790] 1507282499.683081: Received cookie: MIT
>> [3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) returned:
-1765328252/Password read interrupted
>
> 192.168.1.248 -- which KDC is this? 4.4 or 4.5?
>
>
>>
>>
>>
>>> 5. okt. 2017 kl. 21.11 skrev Alexander Bokovoy <abokovoy(a)redhat.com>:
>>>
>>> On to, 05 loka 2017, Jochen Hein wrote:
>>>> Alexander Bokovoy <abokovoy(a)redhat.com> writes:
>>>>
>>>>> On to, 05 loka 2017, Jochen Hein via FreeIPA-users wrote:
>>>>
>>>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424]
[remote
>>>>>>> 192.168.1.48:244] CalledProcessError: Command
'/usr/bin/kinit -n -c
>>>>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>>>>>
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>>>>>> non-zero exit status 1
>>>>>>
>>>>>> Do you have krb5-pkinit installed? I think there is a
dependency
>>>>>> missing. And I ran "ipa-pkinit-manage enable", but I
don't remember if
>>>>>> it's needed for WebUI login.
>>>>> Looking into RHEL/CentOS spec file, I see:
>>>>
>>>> Hm, then the dependency was missing for the client pakages for
Debian/Ubuntu.
>>> This should not be a problem for the case above because it is IPA
>>> master, not a client here.
>>>
>>> --
>>> / Alexander Bokovoy
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
>
> --
> / Alexander Bokovoy
--
/ Alexander Bokovoy
5:42 a.m.
New subject: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5
That's right, I did have ipa_server set to _srv_, must have edited it at one point.
6. okt. 2017 kl. 12.37 skrev Alexander Bokovoy
<abokovoy(a)redhat.com>:
On pe, 06 loka 2017, Marius Bjørnstad wrote:
> Wow that's well spotted! That IP is the 4.4 server (I just blindly
> assumed that it would use the value in krb5.conf, which is the 4.5
> server). It goes to 248 every time.
>
> strace showed me that kinit gets the IP address from
> /var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL. This file contains only the
> IP address of the other master. I changed it to 192.168.1.249, the 4.5
> master, and it works!
This is fixed in 4.6.1 and backported to 4.5. In short, check
/etc/sssd/sssd.conf on the 4.5 master to see if it has _srv_ in
'ipa_server' option. If it does, remove it from there and only leave
this master's fqdn
ipa_server = master.example.com <http://master.example.com/>
SSSD also was updated to not write down KDC locator file in case we are
running on IPA master (ipa_server_mode = True).
>
>
>> 6. okt. 2017 kl. 11.56 skrev Alexander Bokovoy <abokovoy(a)redhat.com>:
>>
>> On pe, 06 loka 2017, Marius Bjørnstad via FreeIPA-users wrote:
>>> Thanks for the replies! I do have the krb5-pkinit package installed.
>>> ipa-pkinit-manage status was disabled, but enabling it with ipa-pkinit-manage
enable didn't fix the problem.
>>>
>>> $ ipa pkinit-status --server=SERVER_NAME
>>> says PKINIT is disabled.
>>> # ipa-pkinit-manage status
>>> now says it is enabled.
>>> $ ipa config-show
>>> does not list any IPA masters supporting PKINIT.
>>>
>>> If I disable then re-enable using ipa-pkinit-manage, nothing changes.
>>>
>>> I should note that we now have one server on 4.4, which I daren't touch,
and this one on 4.5 which is having issues.
>>>
>>> This is the output from kinit -n as my user, with KRB5_TRACE on. I terminated
it at the password prompt. So there is something wrong with the KDC?
>>>
>>> [3790] 1507282499.679169: Resolving unique ccache of type KEYRING
>>> [3790] 1507282499.679205: Getting initial credentials for
WELLKNOWN/ANONYMOUS(a)OUS.NSC.LOCAL
>>> [3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
>>> [3790] 1507282499.681128: Initiating TCP connection to stream
192.168.1.248:88
>>> [3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
>>> [3790] 1507282499.683001: Received answer (296 bytes) from stream
192.168.1.248:88
>>> [3790] 1507282499.683008: Terminating TCP connection to stream
192.168.1.248:88
>>> [3790] 1507282499.683039: Response was from master KDC
>>> [3790] 1507282499.683053: Received error from KDC: -1765328359/Additional
pre-authentication required
>>> [3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
>>> [3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt
"OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
>>> [3790] 1507282499.683081: Received cookie: MIT
>>> [3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real)
returned: -1765328252/Password read interrupted
>>
>> 192.168.1.248 -- which KDC is this? 4.4 or 4.5?
>>
>>
>>>
>>>
>>>
>>>> 5. okt. 2017 kl. 21.11 skrev Alexander Bokovoy
<abokovoy(a)redhat.com>:
>>>>
>>>> On to, 05 loka 2017, Jochen Hein wrote:
>>>>> Alexander Bokovoy <abokovoy(a)redhat.com> writes:
>>>>>
>>>>>> On to, 05 loka 2017, Jochen Hein via FreeIPA-users wrote:
>>>>>
>>>>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424]
[remote
>>>>>>>> 192.168.1.48:244] CalledProcessError: Command
'/usr/bin/kinit -n -c
>>>>>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>>>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>>>>>>
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>>>>>>> non-zero exit status 1
>>>>>>>
>>>>>>> Do you have krb5-pkinit installed? I think there is a
dependency
>>>>>>> missing. And I ran "ipa-pkinit-manage enable", but
I don't remember if
>>>>>>> it's needed for WebUI login.
>>>>>> Looking into RHEL/CentOS spec file, I see:
>>>>>
>>>>> Hm, then the dependency was missing for the client pakages for
Debian/Ubuntu.
>>>> This should not be a problem for the case above because it is IPA
>>>> master, not a client here.
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
<mailto:freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>>
>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
<mailto:freeipa-users-leave@lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>>
>>
>> --
>> / Alexander Bokovoy
>
--
/ Alexander Bokovoy
5:15 p.m.
New subject: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5
On pe, 06 loka 2017, Marius Bjørnstad via FreeIPA-users wrote:
That's right, I did have ipa_server set to _srv_, must have edited
it at one point.
If you added this master through replica promotion, _srv_ might
have
been left from the previous ipa-client-install.
> 6. okt. 2017 kl. 12.37 skrev Alexander Bokovoy <abokovoy(a)redhat.com>:
>
> On pe, 06 loka 2017, Marius Bjørnstad wrote:
>> Wow that's well spotted! That IP is the 4.4 server (I just blindly
>> assumed that it would use the value in krb5.conf, which is the 4.5
>> server). It goes to 248 every time.
>>
>> strace showed me that kinit gets the IP address from
>> /var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL. This file contains only the
>> IP address of the other master. I changed it to 192.168.1.249, the 4.5
>> master, and it works!
> This is fixed in 4.6.1 and backported to 4.5. In short, check
> /etc/sssd/sssd.conf on the 4.5 master to see if it has _srv_ in
> 'ipa_server' option. If it does, remove it from there and only leave
> this master's fqdn
> ipa_server = master.example.com <http://master.example.com/>
>
> SSSD also was updated to not write down KDC locator file in case we are
> running on IPA master (ipa_server_mode = True).
>
>
>>
>>
>>> 6. okt. 2017 kl. 11.56 skrev Alexander Bokovoy <abokovoy(a)redhat.com>:
>>>
>>> On pe, 06 loka 2017, Marius Bjørnstad via FreeIPA-users wrote:
>>>> Thanks for the replies! I do have the krb5-pkinit package installed.
>>>> ipa-pkinit-manage status was disabled, but enabling it with
ipa-pkinit-manage enable didn't fix the problem.
>>>>
>>>> $ ipa pkinit-status --server=SERVER_NAME
>>>> says PKINIT is disabled.
>>>> # ipa-pkinit-manage status
>>>> now says it is enabled.
>>>> $ ipa config-show
>>>> does not list any IPA masters supporting PKINIT.
>>>>
>>>> If I disable then re-enable using ipa-pkinit-manage, nothing changes.
>>>>
>>>> I should note that we now have one server on 4.4, which I daren't
touch, and this one on 4.5 which is having issues.
>>>>
>>>> This is the output from kinit -n as my user, with KRB5_TRACE on. I
terminated it at the password prompt. So there is something wrong with the KDC?
>>>>
>>>> [3790] 1507282499.679169: Resolving unique ccache of type KEYRING
>>>> [3790] 1507282499.679205: Getting initial credentials for
WELLKNOWN/ANONYMOUS(a)OUS.NSC.LOCAL
>>>> [3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
>>>> [3790] 1507282499.681128: Initiating TCP connection to stream
192.168.1.248:88
>>>> [3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
>>>> [3790] 1507282499.683001: Received answer (296 bytes) from stream
192.168.1.248:88
>>>> [3790] 1507282499.683008: Terminating TCP connection to stream
192.168.1.248:88
>>>> [3790] 1507282499.683039: Response was from master KDC
>>>> [3790] 1507282499.683053: Received error from KDC: -1765328359/Additional
pre-authentication required
>>>> [3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
>>>> [3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt
"OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
>>>> [3790] 1507282499.683081: Received cookie: MIT
>>>> [3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real)
returned: -1765328252/Password read interrupted
>>>
>>> 192.168.1.248 -- which KDC is this? 4.4 or 4.5?
>>>
>>>
>>>>
>>>>
>>>>
>>>>> 5. okt. 2017 kl. 21.11 skrev Alexander Bokovoy
<abokovoy(a)redhat.com>:
>>>>>
>>>>> On to, 05 loka 2017, Jochen Hein wrote:
>>>>>> Alexander Bokovoy <abokovoy(a)redhat.com> writes:
>>>>>>
>>>>>>> On to, 05 loka 2017, Jochen Hein via FreeIPA-users wrote:
>>>>>>
>>>>>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424]
[remote
>>>>>>>>> 192.168.1.48:244] CalledProcessError: Command
'/usr/bin/kinit -n -c
>>>>>>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>>>>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>>>>>>>
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>>>>>>>> non-zero exit status 1
>>>>>>>>
>>>>>>>> Do you have krb5-pkinit installed? I think there is a
dependency
>>>>>>>> missing. And I ran "ipa-pkinit-manage enable",
but I don't remember if
>>>>>>>> it's needed for WebUI login.
>>>>>>> Looking into RHEL/CentOS spec file, I see:
>>>>>>
>>>>>> Hm, then the dependency was missing for the client pakages for
Debian/Ubuntu.
>>>>> This should not be a problem for the case above because it is IPA
>>>>> master, not a client here.
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
<mailto:freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>>
>>>> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
<mailto:freeipa-users-leave@lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>>
>>>
>>> --
>>> / Alexander Bokovoy
>>
>
> --
> / Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
--
/ Alexander Bokovoy
2312
days inactive
2392
days old
freeipa-users@lists.fedorahosted.org
11 comments
3 participants
participants (3)
-
Alexander Bokovoy -
Jochen Hein -
Marius Bjørnstad