Running a clone of RHEL (Springdale Linux), and recently upgraded to 7.4 and all its ensuing surprises. Today's is strange because it affects one of three servers.
If a user tries to login to the web UI on 2/3 of the servers, they get the same error listed in this ticket:
https://pagure.io/freeipa/issue/6739
One of the three servers works fine, and getting a Kerberos ticket first also works (assuming the browser is configured properly, etc).
I noticed an error in the messages file on one of the failing machines:
Sep 5 13:22:59 ipa ipa-httpd-kdcproxy: ipa : WARNING Unable to connect to dirsrv: cannot connect to 'ldapi://%2Fvar%2Frun%2Fslapd-ASTRO-PRINCETON-EDU.socket':
Sep 5 13:22:59 ipa ipa-httpd-kdcproxy: ipa : WARNING Disabling KDC proxy
So I ran an 'ipactl restart' on that machine, and saw it successfully connected later:
Sep 5 13:33:36 ipa systemd: Stopping The Apache HTTP Server...
Sep 5 13:33:37 ipa systemd: Starting The Apache HTTP Server...
Sep 5 13:33:38 ipa ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Sep 5 13:33:38 ipa systemd: Started The Apache HTTP Server.
But that did not solve the problem. I'm happy to provide more information, but as this is all new to me I don't know where to begin to debug. Thanks for any pointers you can send my way.
Steve,
What version of IPA are you running? Is SELinux in permissive mode? What are the permissions on: /var/lib/ipa-client/pki/kdc-ca-bundle.pem and /var/kerberos/krb5kdc/kdc.crt ? could you share your /etc/sssd/sssd.conf ?
On Tue, Sep 5, 2017 at 2:42 PM, Steve Huston via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |  ICBM Address: 40.346344 -74.652242
   345 Lewis Library    |"On my ship, the Rocinante, wheeling through
    Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
      (267) 793-0852    | headlong into mystery."  -Rush, 'Cygnus X-1'
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On Tue, Sep 5, 2017 at 1:57 PM, Felipe Barreto Volpone fbarreto@redhat.com wrote:
What version of IPA are you running?
ipa-server-4.5.0-21.el7.x86_64
Is SELinux in permissive mode?
Not normally, but I set it to permissive and ran 'ipactl restart' with no change.
What are the permissions on: /var/lib/ipa-client/pki/kdc-ca-bundle.pem and /var/kerberos/krb5kdc/kdc.crt ?
-rw-r--r--. root root system_u:object_r:krb5kdc_conf_t:s0 /var/kerberos/krb5kdc/kdc.crt
-r--r--r--. root root unconfined_u:object_r:realmd_var_lib_t:s0 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
could you share your /etc/sssd/sssd.conf ?
# !!! Warning !!!
# This file is auto-generated by Puppet and WILL get overwritten!
[domain/astro.princeton.edu]
ipa_hostname = ipa.astro.princeton.edu
cache_credentials = True
ipa_domain = astro.princeton.edu
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = ipa.astro.princeton.edu,auth.astro.princeton.edu,jedgar.astro.princeton.edu
ldap_tls_cacert = /etc/ipa/ca.crt
# This option loads a precache of data, lets things like 'finger' work
# properly
enumerate = True
ipa_server_mode = True
[sssd]
services = nss, pam
config_file_version = 2
domains = astro.princeton.edu
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
This is from the machine 'ipa'; 'jedgar' exhibits the same behavior but 'auth' does not. I also found another thread with the same symptoms where someone said they ran the 'kinit' line that was reported as failing and was asked for a password; I get a simple "kinit: Preauthentication failed while getting initial credentials" when I do that. The responder in that thread had asked for more debugging, and in case it's useful here I include it:
ipa:~# KRB5_TRACE=/dev/stderr /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_3050 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[5224] 1504634277.135166: Getting initial credentials for WELLKNOWN/ANONYMOUS@ASTRO.PRINCETON.EDU
[5224] 1504634277.135315: Sending request (221 bytes) to ASTRO.PRINCETON.EDU
[5224] 1504634277.135517: Sending initial UDP request to dgram 128.112.24.29:88
[5224] 1504634277.138567: Received answer (362 bytes) from dgram 128.112.24.29:88
[5224] 1504634277.138599: Response was from master KDC
[5224] 1504634277.138652: Received error from KDC: -1765328359/Additional pre-authentication required
[5224] 1504634277.138684: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[5224] 1504634277.138693: Selected etype info: etype aes256-cts, salt "ASTRO.PRINCETON.EDUWELLKNOWNANONYMOUS", params ""
[5224] 1504634277.138697: Received cookie: MIT
[5224] 1504634277.138726: Preauth module pkinit (147) (info) returned: 0/Success
[5224] 1504634277.139038: PKINIT client computed kdc-req-body checksum 9/8F3E114A4F723439791372FC00886002EE662DFD
[5224] 1504634277.139045: PKINIT client making DH request
[5224] 1504634277.167261: Preauth module pkinit (16) (real) returned: 0/Success
[5224] 1504634277.167271: Produced preauth for next request: 133, 16
[5224] 1504634277.167289: Sending request (1601 bytes) to ASTRO.PRINCETON.EDU
[5224] 1504634277.167339: Initiating TCP connection to stream 128.112.24.29:88
[5224] 1504634277.167845: Sending TCP request to stream 128.112.24.29:88
[5224] 1504634277.189879: Received answer (1701 bytes) from stream 128.112.24.29:88
[5224] 1504634277.189935: Terminating TCP connection to stream 128.112.24.29:88
[5224] 1504634277.189989: Response was from master KDC
[5224] 1504634277.190010: Processing preauth types: 17, 19, 147
[5224] 1504634277.190016: Selected etype info: etype aes256-cts, salt "ASTRO.PRINCETON.EDUWELLKNOWNANONYMOUS", params ""
[5224] 1504634277.190026: Preauth module pkinit (147) (info) returned: 0/Success
[5224] 1504634277.190070: PKINIT client could not verify DH reply
[5224] 1504634277.190080: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
kinit: Preauthentication failed while getting initial credentials
The IP address of the KDC it's sending to is not the machine this is running from ('ipa'), but *is* the machine that works successfully ('auth').
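The trace above is the evidence that matters: the anonymous PKINIT request left 'ipa' for 128.112.24.29 and the DH reply could not be verified against the local anchors. As an added example (not code from the thread, from MIT krb5 or from FreeIPA), here is a small Python summariser that pulls the contacted KDC addresses and the failing preauth module out of KRB5_TRACE output, so the "is it talking to itself?" question can be answered from a trace without reading it line by line. The trace excerpt is a constructed sample in the same format as the one posted, and the local address list is a placeholder, since the page does not give the IP of 'ipa'.

```python
"""Summarise a KRB5_TRACE log: which KDCs were contacted, and which preauth failed.

Added example, not from the thread or from MIT krb5. Input is the line format
kinit prints with KRB5_TRACE=/dev/stderr: "[pid] seconds.micros: message".
"""
import re
from typing import Dict, List

# Constructed excerpt in the format of the trace posted in the thread.
SAMPLE_TRACE = """\
[5224] 1504634277.135315: Sending request (221 bytes) to ASTRO.PRINCETON.EDU
[5224] 1504634277.135517: Sending initial UDP request to dgram 128.112.24.29:88
[5224] 1504634277.138652: Received error from KDC: -1765328359/Additional pre-authentication required
[5224] 1504634277.138726: Preauth module pkinit (147) (info) returned: 0/Success
[5224] 1504634277.167261: Preauth module pkinit (16) (real) returned: 0/Success
[5224] 1504634277.167339: Initiating TCP connection to stream 128.112.24.29:88
[5224] 1504634277.190070: PKINIT client could not verify DH reply
[5224] 1504634277.190080: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
kinit: Preauthentication failed while getting initial credentials
"""
# Placeholder for the addresses the local master answers on (TEST-NET-1; the
# thread never states the IP of 'ipa'). In practice resolve ipa_hostname.
LOCAL_ADDRESSES = ["192.0.2.10"]

LINE_RE = re.compile(r"^\[\d+\] \d+\.\d+: (?P<msg>.*)$")
# "Sending initial UDP request to dgram A:P" / "Initiating TCP connection to stream A:P"
KDC_RE = re.compile(r"(?:request to|connection to) (?:dgram|stream) (?P<addr>\S+):(?P<port>\d+)")
# Only "(real)" results carry the module's verdict; "(info)" entries are informational.
PREAUTH_RE = re.compile(
    r"Preauth module (?P<mod>\w+) \((?P<type>\d+)\) \(real\) returned: (?P<code>-?\d+)/(?P<text>.*)")


def summarise_trace(trace: str, local_addresses: List[str]) -> Dict[str, object]:
    """Return the distinct KDC addresses contacted, whether none of them is local,
    and every preauth module that returned a non-zero code."""
    kdcs: List[str] = []
    failures: List[Dict[str, object]] = []
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # e.g. the final "kinit: ..." line
        msg = m.group("msg")
        k = KDC_RE.search(msg)
        if k and k.group("addr") not in kdcs:
            kdcs.append(k.group("addr"))
        p = PREAUTH_RE.search(msg)
        if p and p.group("code") != "0":
            failures.append({"module": p.group("mod"), "type": int(p.group("type")),
                             "code": int(p.group("code")), "text": p.group("text")})
    return {
        "kdcs": kdcs,
        # True when every KDC contacted is some other host: the situation in the thread.
        "remote_only": bool(kdcs) and not any(a in local_addresses for a in kdcs),
        "failures": failures,
    }


if __name__ == "__main__":
    report = summarise_trace(SAMPLE_TRACE, LOCAL_ADDRESSES)
    print("KDCs contacted:", ", ".join(report["kdcs"]))
    print("talked only to remote KDCs:", report["remote_only"])
    for f in report["failures"]:
        print("preauth %s (type %d) failed: %d/%s" % (f["module"], f["type"], f["code"], f["text"]))
```

Run it against a real capture with `KRB5_TRACE=/dev/stderr kinit ... 2> trace.txt` and feed the file to `summarise_trace`; a `remote_only` of True on an IPA master is the symptom Jakub asks about in the next message.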
On Tue, Sep 05, 2017 at 02:12:57PM -0400, Steve Huston via FreeIPA-users wrote:
ipa:~# KRB5_TRACE=/dev/stderr /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_3050 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[5224] 1504634277.135166: Getting initial credentials for WELLKNOWN/ANONYMOUS@ASTRO.PRINCETON.EDU
[5224] 1504634277.135315: Sending request (221 bytes) to ASTRO.PRINCETON.EDU
Sorry if I'm being thick but I have trouble understanding if you ran the kinit on ASTRO?
Normally, on the IPA server, Kerberos should only talk to the machine you're running at.
I ran it on the machine 'ipa.astro.princeton.edu'. I would have expected it to talk to itself, but it seems to be talking to 'auth.astro.princeton.edu' instead. I'm not sure why it failed over to there, or how to tell it not to (without turning off/rebooting/restarting auth.astro.princeton.edu, which since that's the one of the three machines that is working properly for password authentication through the web UI I'm reluctant to do so)
On Tue, Sep 5, 2017 at 2:29 PM, Jakub Hrozek via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Sorry if I'm being thick but I have trouble understanding if you ran the kinit on ASTRO?
Normally, on the IPA server, Kerberos should only talk to the machine you're running at.
- is there a file called kdcinfo.YOURDOMAIN in /var/lib/sss/pubconf/ ? What does it contain?
- can you show your krb5.conf?
- can you strace the kinit?
On Tue, Sep 5, 2017 at 2:43 PM, Jakub Hrozek via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
- is there a file called kdcinfo.YOURDOMAIN in /var/lib/sss/pubconf/ ? What does it contain?
There is, and it contains '128.112.24.29' with no EOL (the IP address for auth.astro.princeton.edu, the KDC that it contacted and the one machine that allows user logins via password on the web UI)
- can you show your krb5.conf?
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ASTRO.PRINCETON.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 ASTRO.PRINCETON.EDU = {
  kdc = ipa.astro.princeton.edu:88
  master_kdc = ipa.astro.princeton.edu:88
  admin_server = ipa.astro.princeton.edu:749
  kdc = auth.astro.princeton.edu:88
  master_kdc = auth.astro.princeton.edu:88
  admin_server = auth.astro.princeton.edu:749
  kdc = jedgar.astro.princeton.edu:88
  master_kdc = jedgar.astro.princeton.edu:88
  admin_server = jedgar.astro.princeton.edu:749
  default_domain = astro.princeton.edu
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .astro.princeton.edu = ASTRO.PRINCETON.EDU
 astro.princeton.edu = ASTRO.PRINCETON.EDU

[dbmodules]
 ASTRO.PRINCETON.EDU = {
  db_library = ipadb.so
 }
- can you strace the kinit?
Output here: https://www.dropbox.com/s/8r1ocrufj924trv/kinit.out?dl=0
On Tue, Sep 05, 2017 at 02:48:59PM -0400, Steve Huston via FreeIPA-users wrote:
On Tue, Sep 5, 2017 at 2:43 PM, Jakub Hrozek via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
- is there a file called kdcinfo.YOURDOMAIN in /var/lib/sss/pubconf/ ? What does it contain?
There is, and it contains '128.112.24.29' with no EOL (the IP address for auth.astro.princeton.edu, the KDC that it contacted and the one machine that allows user logins via password on the web UI)
OK, so it's SSSD telling libkrb5 to talk to auth.astro. Since in your sssd.conf, auth.astro is listed in addition to the 'local' IPA server, I would check the sssd logs if sssd can contact the server it is running on.
Because I think it's falling back to auth.astro, writing its IP address to the kdcinfo files which breaks other things. btw because similar issues were reported after 7.4 was released, we fixed sssd in git master already so that the kdcinfo files are not generated on the masters at all. You can achieve the same effect by setting 'krb5_use_kdcinfo = false', but I would also check the sssd logs for any issues talking to the IPA server, because it is listed first after all, so I assume sssd must be failing over.
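The mechanism Jakub describes is easy to check mechanically on every master: SSSD writes the address of the IPA server it is currently using to /var/lib/sss/pubconf/kdcinfo.REALM, libkrb5 picks that file up through the krb5.include.d snippet, and on an IPA master the address should be the master's own. The Python below is an added example (not SSSD, FreeIPA or anything from the thread) that takes the kdcinfo content, the master's own addresses and the sssd.conf text, reports whether SSSD has failed over, and produces sssd.conf text with the 'krb5_use_kdcinfo = false' workaround in the domain section. The sssd.conf sample is a constructed excerpt modelled on the one posted above; the kdcinfo content is the value reported in the thread; the master's own address is a placeholder because the page never states it.

```python
"""Check whether SSSD on a FreeIPA master has failed over to another KDC.

Added example, not SSSD or FreeIPA code. SSSD writes the KDC it currently
uses to /var/lib/sss/pubconf/kdcinfo.<REALM> and libkrb5 reads that file;
on an IPA master it should name the master itself, otherwise the anonymous
PKINIT armor kinit behind the web UI login is steered to another server.
"""
import configparser
import ipaddress
import socket
from typing import Dict, List, Optional

# Constructed sample, modelled on the sssd.conf posted in the thread.
SAMPLE_SSSD_CONF = """\
[domain/astro.princeton.edu]
ipa_hostname = ipa.astro.princeton.edu
id_provider = ipa
auth_provider = ipa
ipa_server = ipa.astro.princeton.edu,auth.astro.princeton.edu,jedgar.astro.princeton.edu
ipa_server_mode = True

[sssd]
services = nss, pam
domains = astro.princeton.edu
"""
SAMPLE_KDCINFO = "128.112.24.29"    # kdcinfo content reported in the thread, no newline
LOCAL_ADDRESSES = ["192.0.2.10"]    # placeholder (TEST-NET-1) for the master's own IP


def _bare_address(entry: str) -> str:
    """Reduce 'ip', 'ip:port' or '[ipv6]:port' to a normalised bare address."""
    if entry.startswith("["):
        entry = entry[1:entry.index("]")]
    else:
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit() and ":" not in host:
            entry = host
    try:
        return str(ipaddress.ip_address(entry))
    except ValueError:
        return entry                  # not an IP literal; compare as written


def local_addresses_for(hostname: str) -> List[str]:
    """Resolve the master's own addresses (needs DNS; not used by the sample run)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def diagnose(kdcinfo_content: Optional[str], local_addresses: List[str],
             sssd_conf_text: str) -> Dict[str, object]:
    """Report whether kdcinfo steers libkrb5 away from this master.
    kdcinfo_content is the raw file content, or None when the file is absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_conf_text)
    sect = next(s for s in cp.sections() if s.startswith("domain/"))
    servers = cp.get(sect, "ipa_server", fallback="")
    result: Dict[str, object] = {
        "domain": sect.split("/", 1)[1],
        "ipa_hostname": cp.get(sect, "ipa_hostname", fallback=""),
        "ipa_server": [s.strip() for s in servers.split(",") if s.strip()],
        "krb5_use_kdcinfo": cp.getboolean(sect, "krb5_use_kdcinfo", fallback=True),
        "kdcinfo": None, "failed_over": False, "verdict": "ok",
    }
    if not result["krb5_use_kdcinfo"]:
        result["verdict"] = "kdcinfo disabled; libkrb5 uses krb5.conf only"
        return result
    if kdcinfo_content is None:
        result["verdict"] = "no kdcinfo file; libkrb5 uses krb5.conf only"
        return result
    kdcs = [ln.strip() for ln in kdcinfo_content.splitlines() if ln.strip()]
    result["kdcinfo"] = kdcs
    local = {_bare_address(a) for a in local_addresses}
    foreign = [k for k in kdcs if _bare_address(k) not in local]
    if foreign:
        result["failed_over"] = True
        result["verdict"] = "SSSD has failed over: kdcinfo names %s, not this master" % ", ".join(foreign)
    return result


def disable_kdcinfo(sssd_conf_text: str) -> str:
    """Return sssd.conf text with 'krb5_use_kdcinfo = false' in the domain section.
    Line-based so comments and ordering survive: an existing setting is replaced,
    otherwise the option is added before the next section header (or at EOF)."""
    out, in_domain, done = [], False, False
    for line in sssd_conf_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if in_domain and not done:
                out.append("krb5_use_kdcinfo = false")
                done = True
            in_domain = s.startswith("[domain/")
        elif in_domain and s.split("=", 1)[0].strip() == "krb5_use_kdcinfo":
            line, done = "krb5_use_kdcinfo = false", True
        out.append(line)
    if in_domain and not done:
        out.append("krb5_use_kdcinfo = false")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = diagnose(SAMPLE_KDCINFO, LOCAL_ADDRESSES, SAMPLE_SSSD_CONF)
    print(report["verdict"])
    if report["failed_over"]:
        print(disable_kdcinfo(SAMPLE_SSSD_CONF))
```

On a real master, read the kdcinfo file for the realm, pass `local_addresses_for(ipa_hostname)` as the local list, and treat a `failed_over` verdict as the cue to look in the SSSD domain log for why the local server was not reachable, as Jakub suggests; the config rewrite only removes the steering, it does not explain the failover.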
On Tue, Sep 5, 2017 at 2:57 PM, Jakub Hrozek via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
OK, so it's SSSD telling libkrb5 to talk to auth.astro. Since in your sssd.conf, auth.astro is listed in addition to the 'local' IPA server, I would check the sssd logs if sssd can contact the server it is running on.
Because I think it's falling back to auth.astro, writing its IP address to the kdcinfo files which breaks other things. btw because similar issues were reported after 7.4 was released, we fixed sssd in git master already so that the kdcinfo files are not generated on the masters at all. You can achieve the same effect by setting 'krb5_use_kdcinfo = false', but I would also check the sssd logs for any issues talking to the IPA server, because it is listed first after all, so I assume sssd must be failing over.
That was it!
I'm guessing that the failover happened when I was upgrading the machines, though jedgar was the first one upgraded and the other two a few days later when things seemed to be working. But I just added the krb5_use_kdcinfo = false line to sssd.conf, restarted sssd, and the 'kinit' line succeeded. Tried the web UI and it's working perfectly. Will add that to the puppet config for IPA servers so the other two should get it shortly and everything sorted.
Thank you very much for your time and assistance working through this.