Hello,
I have a setup of 5 IPA servers on RHEL8. This morning I upgraded the IPA components with dnf upgrade to 4.9.12-11, for example:
ipa-server-4.9.12-11.module+el8.9.0+20824+f2605038.x86_64
ipa-server-common-4.9.12-11.module+el8.9.0+20824+f2605038.noarch
After the upgrade finished without errors, I was not able to log in to the UI with the correct password; the message was "Your session has expired. Please log in again."
dirsrv replication looks OK.
I checked the logs; every time I try to log in, /var/log/httpd/error_log contains:
[Thu Jan 11 17:30:03.490345 2024] [wsgi:error] [pid 3299146:tid 139867429353216] [remote 185.103.146.26:46292] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
I can do kinit without any error. But when I try to use ipa user-show, it is not working.
ipaupgrade.log attached, rest inline.
If you have any idea how to fix this, I will be grateful.
Thank you,
Rasto
ipa -d user-show
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: found session_cookie in persistent storage for principal 'rrickardt@redacted', cookie: 'ipa_session=MagBearerToken=VsNzXWPFKUTUmXpNpoXBnYn%2f7kaXq3b77Vb1HDzWdZ8u1c3ZAAReJFNMYwMeRLYSv4pggL%2bb3O1YH9lpJuXswOV%2fK%2fs%2bF96bBeIykbO2%2bnklplxnRxGyjo4edYLEo4QvfYIr9P2xGoxPEsCjrDj6m%2bro3UZtiFKGIgrI9KJKfZAhLrk46ooeAZ0HF7IAR5DgI07EdHeXdoP%2bA1T70CoXYA%3d%3d'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=VsNzXWPFKUTUmXpNpoXBnYn%2f7kaXq3b77Vb1HDzWdZ8u1c3ZAAReJFNMYwMeRLYSv4pggL%2bb3O1YH9lpJuXswOV%2fK%2fs%2bF96bBeIykbO2%2bnklplxnRxGyjo4edYLEo4QvfYIr9P2xGoxPEsCjrDj6m%2bro3UZtiFKGIgrI9KJKfZAhLrk46ooeAZ0HF7IAR5DgI07EdHeXdoP%2bA1T70CoXYA%3d%3d;'
ipa: DEBUG: trying https://ipa2.id.example.com/ipa/session/json
ipa: DEBUG: New HTTP connection (ipa2.id.example.com)
ipa: DEBUG: HTTP connection destroyed (ipa2.id.example.com)
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 120, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request
    response.msg)
xmlrpc.client.ProtocolError: <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
ipa: DEBUG: trying https://ipa2.id.example.com/ipa/session/json
ipa: DEBUG: New HTTP connection (ipa2.id.example.com)
ipa: DEBUG: HTTP connection destroyed (ipa2.id.example.com)
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 120, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request
    response.msg)
xmlrpc.client.ProtocolError: <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
ipa: INFO: Connection to https://ipa2.id.example.com/ipa/session/json failed with <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
krb5kdc.log
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: NEEDED_PREAUTH: rrickardt@id.example.com for krbtgt/id.example.com@id.example.com, Additional pre-authentication required
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, rrickardt@id.example.com for krbtgt/id.example.com@id.example.com
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, rrickardt@id.example.com for HTTP/ipa7.id.example.com@id.example.com
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com@id.example.com for ldap/ipa7.id.example.com@id.example.com, KDC policy rejects request
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com@id.example.com for ldap/ipa7.id.example.com@id.example.com, KDC policy rejects request
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
On Thu, 11 Jan 2024, Rasto Rickardt via FreeIPA-users wrote:
The error below says that the user ticket did not have a PAC associated:
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com@id.example.com for ldap/ipa7.id.example.com@id.example.com, KDC policy rejects request
Can you also share your client and server Kerberos configurations? The configs and which rpms are used.
It looks like either the SID is missing in the user account and the KDC is forced to ignore that (disable_pac = true in the realm configuration in kdc.conf), or some flags are set on IPA services to force ignoring PAC checks. PAC presence is required for constrained delegation operations and we now enforce it for krb5 1.18 as well.
-- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hello Alexander,
all packages should be current with default RHEL configuration:
krb5-workstation-1.18.2-26.el8_9.x86_64
krb5-pkinit-1.18.2-26.el8_9.x86_64
sssd-krb5-2.9.1-4.el8_9.x86_64
krb5-libs-1.18.2-26.el8_9.x86_64
krb5-server-1.18.2-26.el8_9.x86_64
sssd-krb5-common-2.9.1-4.el8_9.x86_64

cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 restrict_anonymous_to_tgt = true
 spake_preauth_kdc_challenge = edwards25519

[realms]
 ID.EXAMPLE.COM = {
  master_key_type = aes256-cts
  max_life = 7d
  max_renewable_life = 14d
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  default_principal_flags = +preauth
  ; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/kdc.crt
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  pkinit_indicator = pkinit
  spake_preauth_indicator = hardened
  encrypted_challenge_indicator = hardened
 }

[libdefaults]
 spake_preauth_kdc_challenge = edwards25519
/etc/krb5.conf and conf.d are in attached file.
I do not see disable_pac anywhere.
Thank you,
Rasto
On Thu, 11 Jan 2024, Rasto Rickardt wrote:
Hello Alexander,
all packages should be current with default RHEL configuration:
Thanks, the configs look OK. So check whether users are missing SIDs and regenerate them with
ipa config-mod --enable-sid --add-sids
as admin.
Hello Alexander,
Indeed, some users have the SID (ipantsecurityidentifier) attribute missing.
ipa config-mod --enable-sid --add-sids fixed it. Thank you.
I found
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
Looks like we have an installation from early RHEL8, before 8.5; SIDs became mandatory in the meantime, and the current update definitely broke it.
Thank you for your help!
Kind Regards,
Rasto
On 11/01/2024 20:56, Alexander Bokovoy wrote:
On Thu, 11 Jan 2024, Rasto Rickardt wrote:
Hello Alexander,
all packages should be current with default RHEL configuration:
Thanks, the configs look OK. So check whether users are missing SIDs and regenerate them with ipa config-mod --enable-sid --add-sids
as admin.
On Thu, 11 Jan 2024, Rasto Rickardt wrote:
Thanks, the configs look OK. So check whether users are missing SIDs and regenerate them with
ipa config-mod --enable-sid --add-sids
as admin.
I've seen a lot of posts with this recommendation. The trouble is that every command I pass to "ipa" fails with the error in this post, whose core issue is S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC.
So how do you run the config-mod command when "ipa config-mod" fails with the exact same error?
On Tue, 27 Feb 2024, Peter Larsen via FreeIPA-users wrote:
On Thu, 11 Jan 2024, Rasto Rickardt wrote:
Thanks, the configs look OK. So check whether users are missing SIDs and regenerate them with
ipa config-mod --enable-sid --add-sids
as admin.
I've seen a lot of posts with this recommendation. The trouble is that every command I pass to "ipa" fails with the error in this post, whose core issue is S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC.
So how do you run the config-mod command when "ipa config-mod" fails with the exact same error?
Please see https://access.redhat.com/solutions/7052703. It requires a RHEL subscription but will also work with a free RHEL developer subscription, which one can obtain at developers.redhat.com.
Thanks Alex, your comment helped me a lot and so I could fix the issue. I had exactly the same issue.
The problem is that none of my users had the attribute "ipantsecurityidentifier".
I found the instruction here: https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/htm...
Procedure
Enable SID usage and trigger the SIDgen task to generate SIDs for existing users and groups. This task might be resource-intensive:
# kinit admin
# ipa config-mod --enable-sid --add-sids
Verification
Verify that the IdM admin user account entry has an ipantsecurityidentifier attribute with a SID that ends with -500, the SID reserved for the domain administrator:
[root@server ~]# ipa user-show admin --all | grep ipantsecurityidentifier
  ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-500
After this procedure, my admin user had the attribute "ipantsecurityidentifier" and I could successfully log in to the WebUI. The issue I encountered was that not all of my users had been upgraded with the new attribute. Therefore I had to delete and recreate them.
On Tue, 23 Jan 2024, Sören R. via FreeIPA-users wrote:
Good that it worked for you. You didn't need to delete those users/groups, just make sure their UID and GID numbers are within ID ranges defined by IPA. You can add a new ID range to help sidgen plugin to handle those IDs.
See https://access.redhat.com/articles/7027037 for more details. It needs a RHEL subscription but you can get a free one from developers.redhat.com.
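An added audit script (example code, not from this thread or from the FreeIPA project) for the two checks discussed above: which users still lack ipantsecurityidentifier, and which users have a uidNumber/gidNumber outside every local ID range, so that sidgen skips them. It parses captured text from `ipa user-find --all --raw` and `ipa idrange-find` (the sample output, SIDs and ID numbers below are constructed) and also performs the "admin SID ends in -500" verification from the Red Hat procedure quoted earlier.

```python
"""Audit FreeIPA users for missing SIDs and POSIX IDs outside local ID ranges."""
import re

# Constructed sample of `ipa user-find --all --raw` output (names, SIDs and IDs made up).
USER_FIND_OUTPUT = """\
-------------
3 users found
-------------
  uid: admin
  uidnumber: 1486800000
  gidnumber: 1486800000
  ipantsecurityidentifier: S-1-5-21-111111111-222222222-333333333-500

  uid: rrickardt
  uidnumber: 1486800005
  gidnumber: 1486800005

  uid: legacy
  uidnumber: 5001
  gidnumber: 5001
"""

# Constructed sample of `ipa idrange-find` output for the realm's single local range.
IDRANGE_FIND_OUTPUT = """\
  Range name: ID.EXAMPLE.COM_id_range
  First Posix ID of the range: 1486800000
  Number of IDs in the range: 200000
  Range type: local domain range
"""

ATTR_LINE = re.compile(r"^\s+([\w .]+?): (.*)$")      # "  attribute: value"
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")  # domain SID + RID

def parse_entries(text: str) -> list:
    """Split `ipa *-find` output into one dict per entry (keys lower-cased)."""
    entries, current = [], {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            current.setdefault(m.group(1).strip().lower(), m.group(2).strip())
        elif not line.strip() and current:      # blank line ends an entry
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries

def local_ranges(range_text: str) -> list:
    """(first, last) POSIX ID bounds of every local domain range."""
    out = []
    for r in parse_entries(range_text):
        if r.get("range type", "").startswith("local"):
            first = int(r["first posix id of the range"])
            out.append((first, first + int(r["number of ids in the range"]) - 1))
    return out

def audit_users(user_text: str, range_text: str) -> dict:
    """Report users with no SID, a malformed SID, or POSIX IDs sidgen will skip."""
    ranges = local_ranges(range_text)
    in_range = lambda n: any(lo <= n <= hi for lo, hi in ranges)
    report = {"ok": [], "missing_sid": [], "bad_sid": [], "outside_ranges": []}
    for u in parse_entries(user_text):
        sid = u.get("ipantsecurityidentifier")
        key = "missing_sid" if sid is None else ("ok" if SID_RE.match(sid) else "bad_sid")
        report[key].append(u["uid"])
        if not (in_range(int(u["uidnumber"])) and in_range(int(u["gidnumber"]))):
            report["outside_ranges"].append(u["uid"])
    return report

def admin_sid_ok(user_text: str) -> bool:
    """Verification from the Red Hat procedure: admin's SID must end in RID 500."""
    sids = {u["uid"]: u.get("ipantsecurityidentifier", "") for u in parse_entries(user_text)}
    m = SID_RE.match(sids.get("admin", ""))
    return bool(m and m.group(1) == "500")
```

Run it against the real output before and after `ipa config-mod --enable-sid --add-sids`; any user still listed under outside_ranges needs an ID range added (as Alexander describes) rather than deletion.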