10:51 a.m.
Hello,
i have setup of 5 IPA servers on RHEL8. This morning i upgraded with dnf
upgrade IPA components to 4.9.12-11 for example:
ipa-server-4.9.12-11.module+el8.9.0+20824+f2605038.x86_64
ipa-server-common-4.9.12-11.module+el8.9.0+20824+f2605038.noarch
After upgrade finished without errors, i was not able to login to UI
with correct password with message "Your session has expired. Please log
in again."
dirsrv replication looks OK.
I checked logs, everytime i try to login, /var/log/httpd/error_log contain:
[Thu Jan 11 17:30:03.490345 2024] [wsgi:error] [pid 3299146:tid
139867429353216] [remote 185.103.146.26:46292] ipa: INFO: 401
Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more information
(Credential cache is empty)
I can do kinit, without any error. But when i try to use ipa user-show,
not working.
ipaupgrade.log attached, rest inline.
If you have any idea how to fix this please, i will be gratefull.
Thank you,
Rasto
ipa -d user-show
ipa: DEBUG: Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: found session_cookie in persistent storage for principal
'rrickardt@redacted', cookie:
'ipa_session=MagBearerToken=VsNzXWPFKUTUmXpNpoXBnYn%2f7kaXq3b77Vb1HDzWdZ8u1c3ZAAReJFNMYwMeRLYSv4pggL%2bb3O1YH9lpJuXswOV%2fK%2fs%2bF96bBeIykbO2%2bnklplxnRxGyjo4edYLEo4QvfYIr9P2xGoxPEsCjrDj6m%2bro3UZtiFKGIgrI9KJKfZAhLrk46ooeAZ0HF7IAR5DgI07EdHeXdoP%2bA1T70CoXYA%3d%3d'
ipa: DEBUG: setting session_cookie into context
'ipa_session=MagBearerToken=VsNzXWPFKUTUmXpNpoXBnYn%2f7kaXq3b77Vb1HDzWdZ8u1c3ZAAReJFNMYwMeRLYSv4pggL%2bb3O1YH9lpJuXswOV%2fK%2fs%2bF96bBeIykbO2%2bnklplxnRxGyjo4edYLEo4QvfYIr9P2xGoxPEsCjrDj6m%2bro3UZtiFKGIgrI9KJKfZAhLrk46ooeAZ0HF7IAR5DgI07EdHeXdoP%2bA1T70CoXYA%3d%3d;'
ipa: DEBUG: trying https://ipa2.id.example.com/ipa/session/json
ipa: DEBUG: New HTTP connection (ipa2.id.example.com)
ipa: DEBUG: HTTP connection destroyed (ipa2.id.example.com)
Traceback (most recent call last):
File
"/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py",
line 120, in get_package
plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in
single_request
response.msg)
xmlrpc.client.ProtocolError: <ProtocolError for
ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
ipa: DEBUG: trying https://ipa2.id.example.com/ipa/session/json
ipa: DEBUG: New HTTP connection (ipa2.id.example.com)
ipa: DEBUG: HTTP connection destroyed (ipa2.id.example.com)
Traceback (most recent call last):
File
"/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py",
line 120, in get_package
plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in
single_request
response.msg)
xmlrpc.client.ProtocolError: <ProtocolError for
ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
ipa: INFO: Connection to https://ipa2.id.example.com/ipa/session/json
failed with <ProtocolError for ipa2.id.example.com/ipa/session/json: 401
Unauthorized>
krb5kdc.log
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6
etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75:
NEEDED_PREAUTH: rrickardt(a)id.example.com for
krbtgt/id.example.com(a)id.example.com, Additional pre-authentication required
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6
etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75:
ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
rrickardt(a)id.example.com for krbtgt/id.example.com(a)id.example.com
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): TGS_REQ (6
etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75:
ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
rrickardt(a)id.example.com for HTTP/ipa7.id.example.com(a)id.example.com
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6
etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75:
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes
{rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com(a)id.example.com for
ldap/ipa7.id.example.com(a)id.example.com, KDC policy rejects request
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ...
CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6
etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75:
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes
{rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com(a)id.example.com for
ldap/ipa7.id.example.com(a)id.example.com, KDC policy rejects request
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ...
CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
11:18 a.m.
New subject: api authorization stopped working after upgrade to 4.9.12-11 on RHEL8
On Чцв, 11 сту 2024, Rasto Rickardt via FreeIPA-users wrote:
Hello,
i have setup of 5 IPA servers on RHEL8. This morning i upgraded with
dnf upgrade IPA components to 4.9.12-11 for example:
ipa-server-4.9.12-11.module+el8.9.0+20824+f2605038.x86_64
ipa-server-common-4.9.12-11.module+el8.9.0+20824+f2605038.noarch
After upgrade finished without errors, i was not able to login to UI
with correct password with message "Your session has expired. Please
log in again."
dirsrv replication looks OK.
I checked logs, everytime i try to login, /var/log/httpd/error_log contain:
[Thu Jan 11 17:30:03.490345 2024] [wsgi:error] [pid 3299146:tid
139867429353216] [remote 185.103.146.26:46292] ipa: INFO: 401
Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more
information (Credential cache is empty)
I can do kinit, without any error. But when i try to use ipa
user-show, not working.
The error below tells that a user ticket did not have a PAC associated:
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6
etypes {aes256-cts-hmac-sha384-192(20),
aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18),
aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26),
camellia128-cts-cmac(25)}) 10.112.65.75:
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes
{rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com(a)id.example.com for
ldap/ipa7.id.example.com(a)id.example.com, KDC policy rejects request
Can you also share your client and server's Kerberos configurations?
configs and which rpms are used.
It looks like either SID is missing in the user account and KDC is
forced to ignore that (disable_pac = true in the realm configuration in
kdc.conf). Or some flags are set on IPA services to force ignoring PAC
checks. PAC presence is required for constrained delegation
operations and we now enforce it for krb5 1.18 as well.
>
>ipaupgrade.log attached, rest inline.
>
>If you have any idea how to fix this please, i will be gratefull.
>
>Thank you,
>
>Rasto
>
>ipa -d user-show
>ipa: DEBUG: Loading Index file from
>'/var/lib/ipa-client/sysrestore/sysrestore.index'
>ipa: DEBUG: Loading StateFile from
>'/var/lib/ipa-client/sysrestore/sysrestore.state'
>ipa: DEBUG: Loading StateFile from
>'/var/lib/ipa-client/sysrestore/sysrestore.state'
>ipa: DEBUG: found session_cookie in persistent storage for principal
>'rrickardt@redacted', cookie:
'ipa_session=MagBearerToken=VsNzXWPFKUTUmXpNpoXBnYn%2f7kaXq3b77Vb1HDzWdZ8u1c3ZAAReJFNMYwMeRLYSv4pggL%2bb3O1YH9lpJuXswOV%2fK%2fs%2bF96bBeIykbO2%2bnklplxnRxGyjo4edYLEo4QvfYIr9P2xGoxPEsCjrDj6m%2bro3UZtiFKGIgrI9KJKfZAhLrk46ooeAZ0HF7IAR5DgI07EdHeXdoP%2bA1T70CoXYA%3d%3d'
>ipa: DEBUG: setting session_cookie into context
'ipa_session=MagBearerToken=VsNzXWPFKUTUmXpNpoXBnYn%2f7kaXq3b77Vb1HDzWdZ8u1c3ZAAReJFNMYwMeRLYSv4pggL%2bb3O1YH9lpJuXswOV%2fK%2fs%2bF96bBeIykbO2%2bnklplxnRxGyjo4edYLEo4QvfYIr9P2xGoxPEsCjrDj6m%2bro3UZtiFKGIgrI9KJKfZAhLrk46ooeAZ0HF7IAR5DgI07EdHeXdoP%2bA1T70CoXYA%3d%3d;'
>ipa: DEBUG: trying https://ipa2.id.example.com/ipa/session/json
>ipa: DEBUG: New HTTP connection (ipa2.id.example.com)
>ipa: DEBUG: HTTP connection destroyed (ipa2.id.example.com)
>Traceback (most recent call last):
> File
"/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py",
>line 120, in get_package
> plugins = api._remote_plugins
>AttributeError: 'API' object has no attribute '_remote_plugins'
>
>During handling of the above exception, another exception occurred:
>
>Traceback (most recent call last):
> File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in
>single_request
> response.msg)
>xmlrpc.client.ProtocolError: <ProtocolError for
>ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
>ipa: DEBUG: trying https://ipa2.id.example.com/ipa/session/json
>ipa: DEBUG: New HTTP connection (ipa2.id.example.com)
>ipa: DEBUG: HTTP connection destroyed (ipa2.id.example.com)
>Traceback (most recent call last):
> File
"/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py",
>line 120, in get_package
> plugins = api._remote_plugins
>AttributeError: 'API' object has no attribute '_remote_plugins'
>
>During handling of the above exception, another exception occurred:
>
>Traceback (most recent call last):
> File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in
>single_request
> response.msg)
>xmlrpc.client.ProtocolError: <ProtocolError for
>ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
>ipa: INFO: Connection to https://ipa2.id.example.com/ipa/session/json
>failed with <ProtocolError for ipa2.id.example.com/ipa/session/json:
>401 Unauthorized>
>
>krb5kdc.log
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6
>etypes {aes256-cts-hmac-sha384-192(20),
>aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18),
>aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26),
>camellia128-cts-cmac(25)}) 10.112.65.75: NEEDED_PREAUTH:
>rrickardt(a)id.example.com for krbtgt/id.example.com(a)id.example.com,
>Additional pre-authentication required
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6
>etypes {aes256-cts-hmac-sha384-192(20),
>aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18),
>aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26),
>camellia128-cts-cmac(25)}) 10.112.65.75: ISSUE: authtime 1704991295,
>etypes {rep=aes256-cts-hmac-sha1-96(18),
>tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
>rrickardt(a)id.example.com for krbtgt/id.example.com(a)id.example.com
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): TGS_REQ (6
>etypes {aes256-cts-hmac-sha384-192(20),
>aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18),
>aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26),
>camellia128-cts-cmac(25)}) 10.112.65.75: ISSUE: authtime 1704991295,
>etypes {rep=aes256-cts-hmac-sha1-96(18),
>tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
>rrickardt(a)id.example.com for HTTP/ipa7.id.example.com(a)id.example.com
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6
etypes {aes256-cts-hmac-sha384-192(20),
aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18),
aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26),
camellia128-cts-cmac(25)}) 10.112.65.75:
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes
{rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com(a)id.example.com for
ldap/ipa7.id.example.com(a)id.example.com, KDC policy rejects request
>Jan 11
17:41:35 ipa7.id.example.com krb5kdc[1230](info): ...
>CONSTRAINED-DELEGATION s4u-client=<unknown>
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6
etypes {aes256-cts-hmac-sha384-192(20),
aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18),
aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26),
camellia128-cts-cmac(25)}) 10.112.65.75:
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes
{rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com(a)id.example.com for
ldap/ipa7.id.example.com(a)id.example.com, KDC policy rejects request
>Jan 11
17:41:35 ipa7.id.example.com krb5kdc[1230](info): ...
>CONSTRAINED-DELEGATION s4u-client=<unknown>
>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
>
>
>
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
noon
New subject: api authorization stopped working after upgrade to 4.9.12-11 on RHEL8
Hello Alexander,
all packages should be current with default RHEL configuration:
krb5-workstation-1.18.2-26.el8_9.x86_64
krb5-pkinit-1.18.2-26.el8_9.x86_64
sssd-krb5-2.9.1-4.el8_9.x86_64
krb5-libs-1.18.2-26.el8_9.x86_64
krb5-server-1.18.2-26.el8_9.x86_64
sssd-krb5-common-2.9.1-4.el8_9.x86_64
cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
restrict_anonymous_to_tgt = true
spake_preauth_kdc_challenge = edwards25519
[realms]
ID.EXAMPLE.COM = {
master_key_type = aes256-cts
max_life = 7d
max_renewable_life = 14d
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
default_principal_flags = +preauth
; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
pkinit_identity =
FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
pkinit_anchors = FILE:/var/kerberos/krb5kdc/kdc.crt
pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
pkinit_indicator = pkinit
spake_preauth_indicator = hardened
encrypted_challenge_indicator = hardened
}
[libdefaults]
spake_preauth_kdc_challenge = edwards25519
/etc/krb5.conf and conf.d are in attached file.
I do not see disable_pac anywhere.
Thank you,
Rasto
The error below tells that a user ticket did not have a PAC
associated:
> Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6
> etypes {aes256-cts-hmac-sha384-192(20),
> aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18),
> aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26),
> camellia128-cts-cmac(25)}) 10.112.65.75:
> S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes
> {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com(a)id.example.com for
> ldap/ipa7.id.example.com(a)id.example.com, KDC policy rejects request
Can you also share your client and server's Kerberos configurations?
configs and which rpms are used.
It looks like either SID is missing in the user account and KDC is
forced to ignore that (disable_pac = true in the realm configuration in
kdc.conf). Or some flags are set on IPA services to force ignoring PAC
checks. PAC presence is required for constrained delegation
operations and we now enforce it for krb5 1.18 as well.
1:56 p.m.
New subject: api authorization stopped working after upgrade to 4.9.12-11 on RHEL8
On Чцв, 11 сту 2024, Rasto Rickardt wrote:
Hello Alexander,
all packages should be current with default RHEL configuration:
Thanks, the configs look OK. So check whether users miss SIDs and
regenerate them with
ipa config-mod --enable-sid --add-sids
as admin.
krb5-workstation-1.18.2-26.el8_9.x86_64
krb5-pkinit-1.18.2-26.el8_9.x86_64
sssd-krb5-2.9.1-4.el8_9.x86_64
krb5-libs-1.18.2-26.el8_9.x86_64
krb5-server-1.18.2-26.el8_9.x86_64
sssd-krb5-common-2.9.1-4.el8_9.x86_64
cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
restrict_anonymous_to_tgt = true
spake_preauth_kdc_challenge = edwards25519
[realms]
ID.EXAMPLE.COM = {
master_key_type = aes256-cts
max_life = 7d
max_renewable_life = 14d
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
default_principal_flags = +preauth
; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
pkinit_identity =
FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
pkinit_anchors = FILE:/var/kerberos/krb5kdc/kdc.crt
pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
pkinit_indicator = pkinit
spake_preauth_indicator = hardened
encrypted_challenge_indicator = hardened
}
[libdefaults]
spake_preauth_kdc_challenge = edwards25519
/etc/krb5.conf and conf.d are in attached file.
I do not see disable_pac anywhere.
Thank you,
Rasto
>The error below tells that a user ticket did not have a PAC associated:
>
>>Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ
>>(6 etypes {aes256-cts-hmac-sha384-192(20),
>>aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18),
>>aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26),
>>camellia128-cts-cmac(25)}) 10.112.65.75:
>>S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes
>>{rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com(a)id.example.com for
>>ldap/ipa7.id.example.com(a)id.example.com, KDC policy rejects
>>request
>
>Can you also share your client and server's Kerberos configurations?
>configs and which rpms are used.
>
>It looks like either SID is missing in the user account and KDC is
>forced to ignore that (disable_pac = true in the realm configuration in
>kdc.conf). Or some flags are set on IPA services to force ignoring PAC
>checks. PAC presence is required for constrained delegation
>operations and we now enforce it for krb5 1.18 as well.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
2:10 p.m.
New subject: api authorization stopped working after upgrade to 4.9.12-11 on RHEL8
Hello Alexander,
indeed, some users have SIDs (ipantsecurityidentifier) attribute missing.
ipa config-mod --enable-sid --add-sids fixed it. Thank you.
I found
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
Looks like we have installation on early RHEL8 before 8.5, SIDS became
mandatory in the meantime and current update definitely broke it.
Thank you for your help!
Kind Regards,
Rasto
On 11/01/2024 20:56, Alexander Bokovoy wrote:
> On Чцв, 11 сту 2024, Rasto Rickardt wrote:
>> Hello Alexander,
>>
>> all packages should be current with default RHEL configuration:
>
> Thanks, the configs look OK. So check whether users miss SIDs and
> regenerate them with
> ipa config-mod --enable-sid --add-sids
>
> as admin.
>
>>
>> krb5-workstation-1.18.2-26.el8_9.x86_64
>> krb5-pkinit-1.18.2-26.el8_9.x86_64
>> sssd-krb5-2.9.1-4.el8_9.x86_64
>> krb5-libs-1.18.2-26.el8_9.x86_64
>> krb5-server-1.18.2-26.el8_9.x86_64
>> sssd-krb5-common-2.9.1-4.el8_9.x86_64
>>
>> cat /var/kerberos/krb5kdc/kdc.conf
>> [kdcdefaults]
>> kdc_ports = 88
>> kdc_tcp_ports = 88
>> restrict_anonymous_to_tgt = true
>> spake_preauth_kdc_challenge = edwards25519
>>
>> [realms]
>> ID.EXAMPLE.COM = {
>> master_key_type = aes256-cts
>> max_life = 7d
>> max_renewable_life = 14d
>> acl_file = /var/kerberos/krb5kdc/kadm5.acl
>> dict_file = /usr/share/dict/words
>> default_principal_flags = +preauth
>> ; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>> pkinit_identity =
>> FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
>> pkinit_anchors = FILE:/var/kerberos/krb5kdc/kdc.crt
>> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>> pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
>> pkinit_indicator = pkinit
>> spake_preauth_indicator = hardened
>> encrypted_challenge_indicator = hardened
>> }
>> [libdefaults]
>> spake_preauth_kdc_challenge = edwards25519
>>
>> /etc/krb5.conf and conf.d are in attached file.
>>
>> I do not see disable_pac anywhere.
>>
>> Thank you,
>>
>> Rasto
>>
>>> The error below tells that a user ticket did not have a PAC associated:
>>>
>>>> Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6
>>>> etypes {aes256-cts-hmac-sha384-192(20),
>>>> aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18),
>>>> aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26),
>>>> camellia128-cts-cmac(25)}) 10.112.65.75:
>>>> S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes
>>>> {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com(a)id.example.com for
>>>> ldap/ipa7.id.example.com(a)id.example.com, KDC policy rejects request
>>>
>>> Can you also share your client and server's Kerberos configurations?
>>> configs and which rpms are used.
>>>
>>> It looks like either SID is missing in the user account and KDC is
>>> forced to ignore that (disable_pac = true in the realm configuration in
>>> kdc.conf). Or some flags are set on IPA services to force ignoring PAC
>>> checks. PAC presence is required for constrained delegation
>>> operations and we now enforce it for krb5 1.18 as well.
>>
>
>
>
>
7:32 p.m.
New subject: api authorization stopped working after upgrade to 4.9.12-11 on RHEL8
On Чцв, 11 сту 2024, Rasto Rickardt wrote:
Thanks, the configs look OK. So check whether users miss SIDs and
regenerate them with
ipa config-mod --enable-sid --add-sids
as admin.
I've seen a lot of posts with this recommendation. The trouble is, that every command
I pass to "ipa" fails with the error in this post which core issue is
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC.
So how do you run the config-mod command when "ipa config-mod" failus with the
exact same error?
2:58 a.m.
New subject: api authorization stopped working after upgrade to 4.9.12-11 on RHEL8
On Аўт, 27 лют 2024, Peter Larsen via FreeIPA-users wrote:
> On Чцв, 11 сту 2024, Rasto Rickardt wrote:
>
> Thanks, the configs look OK. So check whether users miss SIDs and
> regenerate them with
>
> ipa config-mod --enable-sid --add-sids
>
> as admin.
I've seen a lot of posts with this recommendation. The trouble is, that every command
I pass to "ipa" fails with the error in this post which core issue is
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC.
So how do you run the config-mod command when "ipa config-mod" failus with the
exact same error?
Please see https://access.redhat.com/solutions/7052703. It requires RHEL
subscription but will also work with a free RHEL developer subscription
one can obtain at developers.redhat.com
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
6:47 a.m.
New subject: api authorization stopped working after upgrade to 4.9.12-11 on RHEL8
Thanks Alex, your comment helped me a lot and so I could fix the issue. I had exactly the
same issue.
Problem is, that none of my user hat the attribute "ipantsecurityidentifier".
I found the instruction here:
https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/...
Procedure
Enable SID usage and trigger the SIDgen task to generate SIDs for existing users and
groups. This task might be resource-intensive:
# kinit admin
# ipa config-mod --enable-sid --add-sids
Verification
Verify that the IdM admin user account entry has an ipantsecurityidentifier attribute with
a SID that ends with -500, the SID reserved for the domain administrator:
[root@server ~]# ipa user-show admin --all | grep ipantsecurityidentifier
ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-500
After this procedure, my admin user hat the attribute "ipantsecurityidentifier"
and I could successful login to the WebUI. The issue I encountered was, that not all of my
users had been upgraded with the new attribute. Therefore I had to delete and recreate
them.
1:15 a.m.
New subject: api authorization stopped working after upgrade to 4.9.12-11 on RHEL8
On Аўт, 23 сту 2024, Sören R. via FreeIPA-users wrote:
Thanks Alex, your comment helped me a lot and so I could fix the
issue.
I had exactly the same issue.
Problem is, that none of my user hat the attribute
"ipantsecurityidentifier".
I found the instruction here:
https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/...
Procedure
Enable SID usage and trigger the SIDgen task to generate SIDs for
existing users and groups. This task might be resource-intensive:
# kinit admin
# ipa config-mod --enable-sid --add-sids
Verification
Verify that the IdM admin user account entry has an ipantsecurityidentifier attribute with
a SID that ends with -500, the SID reserved for the domain administrator:
[root@server ~]# ipa user-show admin --all | grep ipantsecurityidentifier
ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-500
After this procedure, my admin user hat the attribute
"ipantsecurityidentifier" and I could successful login to the WebUI.
The issue I encountered was, that not all of my users had been upgraded
with the new attribute. Therefore I had to delete and recreate them.
Good that it worked for you. You didn't need to delete those
users/groups, just make sure their UID and GID numbers are within ID
ranges defined by IPA. You can add a new ID range to help sidgen plugin
to handle those IDs.
See https://access.redhat.com/articles/7027037 for more details. It
needs a RHEL subscription but you can get a free one from
developers.redhat.com.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
72
days inactive
119
days old
freeipa-users@lists.fedorahosted.org
8 comments
4 participants
participants (4)
-
Alexander Bokovoy -
Peter Larsen -
Rasto Rickardt -
Sören R.