Hi Rob.
On 15 Feb 2021, at 10:58, Rob Crittenden <rcritten@redhat.com> wrote:
Vinícius Ferrão wrote:
Hi Rob.
Actually nothing that relies on Kerberos Keytabs is working.
Kerberos is working. The kinit was successful.
Sorry, perhaps I didn’t say it correctly. In fact Kerberos is working (I can kinit), but
anything that relies on keytabs, specifically keytabs, isn’t working.
named-pkcs11 does not start without the hack that I’ve mentioned. Please correct me if I’m
wrong about this.
Every other service fails with “insufficient credentials”; dogtag, gssproxy, etc.
I can properly issue kinit’s and login, but I can’t use ‘ipa’ commands
for instance. named-pkcs11 is only starting up because I’ve changed the
authentication method on /etc/named.conf:
/* WARNING: This part of the config file is IPA-managed.
 * Modifications may break IPA setup or upgrades.
 */
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
        uri "ldapi://%2fvar%2frun%2fslapd-CLUSTER-CETENE-GOV-BR.socket";
        base "cn=dns, dc=cluster,dc=cetene,dc=gov,dc=br";
        server_id "neumann2.cluster.cetene.gov.br";
        #auth_method "sasl";
        #sasl_mech "GSSAPI";
        #sasl_user "DNS/neumann2.cluster.cetene.gov.br";
        /* Despair */
        auth_method "simple";
        bind_dn "uid=admin,cn=users,cn=accounts,dc=cluster,dc=cetene,dc=gov,dc=br";
        password "REDACTED";
};
/* End of IPA-managed part. */
I’ve done the test that you asked for, and it was a no go:
[root@neumann2 ~]# kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/neumann2.cluster.cetene.gov.br
[root@neumann2 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_dngnA1P
Default principal: ipa-dnskeysyncd/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR

Valid starting       Expires              Service principal
02/12/2021 22:42:03  02/13/2021 22:42:03  krbtgt/CLUSTER.CETENE.GOV.BR@CLUSTER.CETENE.GOV.BR
[root@neumann2 ~]# ipa user-show admin
ipa: ERROR: Insufficient access: Invalid credentials
[root@neumann2 ~]# ipa -v user-show admin
ipa: INFO: trying https://neumann2.cluster.cetene.gov.br/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://neumann2.cluster.cetene.gov.br/ipa/session/json'
ipa: INFO: trying https://neumann2.cluster.cetene.gov.br/ipa/session/json
ipa: INFO: [try 2]: Forwarding 'schema' to json server 'https://neumann2.cluster.cetene.gov.br/ipa/session/json'
ipa: INFO: trying https://neumann2.cluster.cetene.gov.br/ipa/session/json
ipa: INFO: [try 3]: Forwarding 'schema' to json server 'https://neumann2.cluster.cetene.gov.br/ipa/session/json'
ipa: INFO: trying https://neumann2.cluster.cetene.gov.br/ipa/session/json
ipa: INFO: [try 4]: Forwarding 'schema' to json server 'https://neumann2.cluster.cetene.gov.br/ipa/session/json'
ipa: INFO: trying https://neumann2.cluster.cetene.gov.br/ipa/session/json
ipa: INFO: [try 5]: Forwarding 'schema' to json server 'https://neumann2.cluster.cetene.gov.br/ipa/session/json'
ipa: INFO: trying https://neumann2.cluster.cetene.gov.br/ipa/session/json
ipa: ERROR: cannot connect to 'https://neumann2.cluster.cetene.gov.br/ipa/session/json': Exceeded number of tries to forward a request.
I’ve never seen this on FreeIPA.
Subsequent IPA commands just return the same error:
[root@neumann2 ~]# ipa user-show admin
ipa: ERROR: cannot connect to
'https://neumann2.cluster.cetene.gov.br/ipa/session/json': Exceeded
number of tries to forward a request.
Did you get a HTTP service ticket? (klist)
I issued an admin ticket as I usually do:
[root@neumann2 ~]# kinit admin
Password for admin@CLUSTER.CETENE.GOV.BR:
[root@neumann2 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_dngnA1P
Default principal: admin@CLUSTER.CETENE.GOV.BR

Valid starting       Expires              Service principal
02/15/2021 13:09:04  02/16/2021 13:09:04  krbtgt/CLUSTER.CETENE.GOV.BR@CLUSTER.CETENE.GOV.BR
[root@neumann2 ~]# ipa user-list
ipa: ERROR: Insufficient access: Invalid credentials
[root@neumann2 ~]# ipa user-list
ipa: ERROR: cannot connect to
'https://neumann2.cluster.cetene.gov.br/ipa/session/json': Exceeded number of
tries to forward a request.
[root@neumann2 ~]# ipa user-list
ipa: ERROR: cannot connect to
'https://neumann2.cluster.cetene.gov.br/ipa/session/json': Exceeded number of
tries to forward a request.
But I can recover the HTTP ticket and kinit:
[root@neumann2 ~]# klist -kt /var/lib/ipa/gssproxy/http.keytab
Keytab name: FILE:/var/lib/ipa/gssproxy/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/10/2021 22:52:34 HTTP/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR
   3 02/10/2021 22:52:34 HTTP/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR
[root@neumann2 ~]# kinit -kt /var/lib/ipa/gssproxy/http.keytab HTTP/neumann2.cluster.cetene.gov.br
[root@neumann2 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_JRv9hJN
Default principal: HTTP/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR

Valid starting       Expires              Service principal
02/15/2021 13:13:47  02/16/2021 13:13:47  krbtgt/CLUSTER.CETENE.GOV.BR@CLUSTER.CETENE.GOV.BR
[root@neumann2 ~]# ipa user-list
ipa: ERROR: Insufficient access: Invalid credentials
[root@neumann2 ~]# ipa user-list
ipa: ERROR: cannot connect to
'https://neumann2.cluster.cetene.gov.br/ipa/session/json': Exceeded number of
tries to forward a request.
[root@neumann2 ~]# ipa user-list
ipa: ERROR: cannot connect to
'https://neumann2.cluster.cetene.gov.br/ipa/session/json': Exceeded number of
tries to forward a request.
But again it didn’t work.
On /var/log/httpd/error_log there is basically this:
[Wed Feb 10 17:34:19.129505 2021] [:error] [pid 13912] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)
[Wed Feb 10 17:34:19.151811 2021] [auth_gssapi:error] [pid 13917] [client 172.26.255.254:48758] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure.  Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://neumann2.cluster.cetene.gov.br/ipa/xml
[Wed Feb 10 17:34:31.982562 2021] [:error] [pid 13913] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)
[Wed Feb 10 17:34:32.015893 2021] [auth_gssapi:error] [pid 13914] [client 172.26.255.254:49020] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure.  Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://neumann2.cluster.cetene.gov.br/ipa/xml
[Wed Feb 10 17:35:08.037058 2021] [auth_gssapi:error] [pid 13915] [client 172.26.255.254:49624] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure.  Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://neumann2.cluster.cetene.gov.br/ipa/xml
[Wed Feb 10 17:38:08.183222 2021] [:warn] [pid 13916] [client 172.26.255.254:52646] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@CLUSTER.CETENE.GOV.BR)!, referer: https://neumann2.cluster.cetene.gov.br/ipa/xml
[Wed Feb 10 17:38:08.213367 2021] [:error] [pid 13911] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
[Wed Feb 10 17:38:08.256346 2021] [:error] [pid 13912] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
[Wed Feb 10 17:38:08.278769 2021] [:warn] [pid 13917] [client 172.26.255.254:52654] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@CLUSTER.CETENE.GOV.BR)!, referer: https://neumann2.cluster.cetene.gov.br/ipa/xml
Just for completeness, removing the /etc/named.conf hack, this happens:
[root@neumann2 ~]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Failed to start named Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in case that a
non-critical service failed
Aborting ipactl
On /var/log/messages:
Feb 15 13:18:52 neumann2 named-pkcs11[32027]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Feb 15 13:18:52 neumann2 named-pkcs11[32027]: loading DynDB instance 'ipa' driver '/usr/lib64/bind/ldap.so'
Feb 15 13:18:52 neumann2 named-pkcs11[32027]: bind-dyndb-ldap version 11.1 compiled at 02:16:24 Apr 1 2020, compiler 4.8.5 20150623 (Red Hat 4.8.5-39)
Feb 15 13:18:52 neumann2 named-pkcs11[32027]: LDAP error: Invalid credentials: bind to LDAP server failed
Feb 15 13:18:52 neumann2 named-pkcs11[32027]: couldn't establish connection in LDAP connection pool: permission denied
Feb 15 13:18:52 neumann2 named-pkcs11[32027]: dynamic database 'ipa' configuration failed: permission denied
Feb 15 13:18:52 neumann2 named-pkcs11[32027]: loading configuration: permission denied
Feb 15 13:18:52 neumann2 named-pkcs11[32027]: exiting (due to fatal error)
Feb 15 13:18:52 neumann2 systemd: named-pkcs11.service: control process exited, code=exited status=1
Feb 15 13:18:52 neumann2 systemd: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Feb 15 13:18:52 neumann2 systemd: Unit named-pkcs11.service entered failed state.
Feb 15 13:18:52 neumann2 systemd: named-pkcs11.service failed.
Feb 15 13:18:52 neumann2 systemd: Stopping Kerberos 5 KDC...
Feb 15 13:18:52 neumann2 systemd: Stopped Kerberos 5 KDC.
Feb 15 13:18:52 neumann2 systemd: Stopping Kerberos 5 Password-changing and Administration...
Feb 15 13:18:52 neumann2 systemd: Stopped Kerberos 5 Password-changing and Administration.
Feb 15 13:18:52 neumann2 systemd: Stopping 389 Directory Server CLUSTER-CETENE-GOV-BR....
That’s it, Rob.
If there’s anything more that I should try or you need to see please let me know.
Thank you.
Check the Apache error log for more details.
rob
Thank you.
On 12 Feb 2021, at 18:11, Rob Crittenden <rcritten@redhat.com> wrote:
Just to confirm, the system is working with the exception of
ipa-dnskeysyncd.service?
Does this work?
# kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/neumann2.cluster.cetene.gov.br
# ipa user-show admin
This will get a ticket and then use that ticket.
rob
Vinícius Ferrão via FreeIPA-users wrote:
Hello,
I’m still not sure what is happening, but I got some interesting error
messages on ipa-healthcheck:
[root@neumann2 keytabs]# ipa-healthcheck --failures-only
--output-type human
CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: Insufficient access:
Invalid credentials
ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck:
/var/lib/ipa/backup/: free space percentage under threshold: 16% < 20%
ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck: /tmp:
free space percentage under threshold: 16% < 20%
ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck:
/var/lib/dirsrv/: free space percentage under threshold: 16% < 20%
ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck:
/var/log/: free space percentage under threshold: 16% < 20%
ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck:
/var/tmp/: free space percentage under threshold: 16% < 20%
ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck:
/var/log/audit/: free space percentage under threshold: 16% < 20%
I tried to search for the critical message but nothing comes up. There are
a lot of GSSAPI errors in all logs.
I tried to regenerate all the keytabs on the system but it was a no go
either:
# gssproxy
ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'HTTP/neumann2.cluster.cetene.gov.br' -r -k /var/lib/ipa/gssproxy/http.keytab
# Dogtag
ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'dogtag/neumann2.cluster.cetene.gov.br' -r -k /etc/pki/pki-tomcat/dogtag.keytab
# DNSKeySync
ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'ipa-dnskeysyncd/neumann2.cluster.cetene.gov.br' -r -k /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
# Host Keytab
ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'host/neumann2.cluster.cetene.gov.br' -r -k /etc/krb5.keytab
# named
ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'DNS/neumann2.cluster.cetene.gov.br' -r -k /etc/named.keytab
# 389ds
ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'ldap/neumann2.cluster.cetene.gov.br' -r -k /etc/dirsrv/ds.keytab
Some error messages:
[10/Feb/2021:23:05:57.501853962 -0300] conn=92 op=1 RESULT err=49 tag=97 nentries=0 etime=0.001927716 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot create replay cache file /var/tmp/ldap_389: Operation not permitted)
==> /var/log/messages <==
Feb 10 23:05:14 neumann2 systemd: ipa-dnskeysyncd.service holdoff time
over, scheduling restart.
Feb 10 23:05:14 neumann2 systemd: Stopped IPA key daemon.
Feb 10 23:05:14 neumann2 systemd: Started IPA key daemon.
Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: ipa-dnskeysyncd: INFO LDAP
bind...
Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: ipa-dnskeysyncd: ERROR
Login to LDAP server failed: {'desc': 'Invalid credentials'}
Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: Traceback (most recent call
last):
Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File
"/usr/libexec/ipa/ipa-dnskeysyncd", line 96, in <module>
Feb 10 23:05:16 neumann2 ipa-dnskeysyncd:
ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI)
Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 850, in
sasl_interactive_bind_s
Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: res =
self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 818, in
_apply_method_s
Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: return
func(self,*args,**kwargs)
Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in
sasl_interactive_bind_s
Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: return
self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in
_ldap_call
Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: result = func(*args,**kwargs)
Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: INVALID_CREDENTIALS: {'desc':
'Invalid credentials'}
Feb 10 23:05:16 neumann2 systemd: ipa-dnskeysyncd.service: main process
exited, code=exited, status=1/FAILURE
Feb 10 23:05:16 neumann2 systemd: Unit ipa-dnskeysyncd.service entered
failed state.
Feb 10 23:05:16 neumann2 systemd: ipa-dnskeysyncd.service failed.
Thanks,
On 10 Feb 2021, at 02:01, Vinícius Ferrão via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello,
FreeIPA on CentOS 7.8 just stopped working and I’m unable to fix it by
myself. After reading a lot of threads here on the list, it appears
that I have the same issue as this topic:
https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg0550...
Since Kerberos is apparently not working as expected, I cannot use
FreeIPA and none of the services are working correctly. Following the
debug guide I was able to at least start named with simple
authentication to further debug. (Workaround 1 of
https://docs.pagure.org/bind-dyndb-ldap/BIND9/NamedCannotStart.html)
And now I’m stuck on item 5 of the same manual.
[root@neumann2 ~]# KRB5_TRACE=/dev/stderr ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-CLUSTER-CETENE-GOV-BR.socket' -Y GSSAPI -b 'cn=dns,dc=cluster,dc=cetene,dc=gov,dc=br'
SASL/GSSAPI authentication started
[6588] 1612932571.244080: ccselect module realm chose cache KEYRING:persistent:0:krb_ccache_UuVdVRC with client principal DNS/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR for server principal ldap/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR
[6588] 1612932571.244081: Getting credentials DNS/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR -> ldap/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR using ccache KEYRING:persistent:0:krb_ccache_UuVdVRC
[6588] 1612932571.244082: Retrieving DNS/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR -> ldap/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR from KEYRING:persistent:0:krb_ccache_UuVdVRC with result: 0/Success
[6588] 1612932571.244084: Creating authenticator for DNS/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR -> ldap/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR, seqnum 1040975659, subkey aes256-cts/48E9, session key aes256-cts/DF1E
ldap_sasl_interactive_bind_s: Invalid credentials (49)
[root@neumann2 ~]# ipa privilege-show 'DNS Servers' --all --raw
ipa: ERROR: Insufficient access: Invalid credentials
[root@neumann2 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_UuVdVRC
Default principal: DNS/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR

Valid starting       Expires              Service principal
02/10/2021 01:52:43  02/11/2021 01:49:04  HTTP/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR
02/10/2021 01:49:16  02/11/2021 01:49:04  ldap/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR
02/10/2021 01:49:04  02/11/2021 01:49:04  krbtgt/CLUSTER.CETENE.GOV.BR@CLUSTER.CETENE.GOV.BR
Any idea on how to fix this?
Thanks,
Vinícius.
PS: Before the workaround named-pkcs11 fails to start with the
following error:
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: set up managed keys zone
for view _default, file '/var/named/dynamic/managed-keys.bind'
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: loading DynDB instance
'ipa' driver '/usr/lib64/bind/ldap.so'
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: bind-dyndb-ldap version
11.1 compiled at 02:16:24 Apr 1 2020, compiler 4.8.5 20150623 (Red
Hat 4.8.5-39)
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: LDAP error: Invalid
credentials: bind to LDAP server failed
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: couldn't establish
connection in LDAP connection pool: permission denied
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: dynamic database 'ipa'
configuration failed: permission denied
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: loading configuration:
permission denied
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: exiting (due to fatal
error)
Feb 10 01:40:46 neumann2 systemd: named-pkcs11.service: control
process exited, code=exited status=1
Feb 10 01:40:46 neumann2 systemd: Failed to start Berkeley Internet
Name Domain (DNS) with native PKCS#11.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
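The thread above collects the same failure from four different daemons (389-ds, httpd/mod_auth_gssapi, named-pkcs11 and ipa-dnskeysyncd), and the one server-side line among them is the 389-ds access-log entry about its replay cache. The triage below is an added example written for this thread; it is not code from the list, from the poster, or from the FreeIPA project. It scans log lines for the signatures quoted in the messages above, names the daemon that produced each, and puts the LDAP acceptor failure first because an acceptor that cannot open its replay cache refuses every GSSAPI bind, which is what every keytab-holding client then reports as "Invalid credentials". The sample lines are constructed from the patterns quoted in the thread; the "next check" strings are this example's own reasoning, and the replay-cache naming rule in replay_cache_path() is an assumption taken from the /var/tmp/ldap_389 line (ldap/ principal, dirsrv uid 389).

```python
"""Triage of GSSAPI/LDAP failures on an IPA server from its logs.

Added example for this thread; not FreeIPA project code. Feed it lines from
/var/log/dirsrv/slapd-*/access, /var/log/httpd/error_log and /var/log/messages.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    component: str   # daemon that emitted the line
    signature: str   # short name of the failure
    next_check: str  # what to inspect next (this example's own reasoning)


# (pattern, component, signature, next check); first match wins.
SIGNATURES = [
    (re.compile(r"Cannot create replay cache file (?P<path>\S+?): (?P<err>[^)]+)"),
     "389-ds (GSSAPI acceptor)", "replay cache unwritable",
     "stat {path}: the server's MIT krb5 replay cache could not be created ({err}); "
     "check owner/mode against the dirsrv uid and free space in /var/tmp. While the "
     "acceptor cannot open its rcache it rejects every GSSAPI bind with err=49."),
    (re.compile(r"SPNEGO cannot find mechanisms to negotiate"),
     "httpd mod_auth_gssapi", "no HTTP/ server credential",
     "gss_acquire_cred failed: check gssproxy.service and that "
     "/var/lib/ipa/gssproxy/http.keytab holds the HTTP/ key with the current kvno."),
    (re.compile(r"Credential cache is empty"),
     "ipa framework (httpd)", "no delegated client credential",
     "the client's ticket never reached the framework; fix the HTTP/ credential first."),
    (re.compile(r"failed to set perms \((?P<mode>\d+)\) on file \((?P<path>[^)]+)\)"),
     "httpd mod_auth_gssapi", "ccache permission warning",
     "check ownership of {path} and its directory; the httpd user must own them."),
    (re.compile(r"named-pkcs11\[\d+\]: LDAP error: Invalid credentials"),
     "bind-dyndb-ldap", "GSSAPI bind rejected by LDAP",
     "kinit -kt /etc/named.keytab DNS/<fqdn>, then ldapsearch -Y GSSAPI over ldapi; "
     "a good TGT plus a rejected bind points at the LDAP server side."),
    (re.compile(r"ipa-dnskeysyncd: ERROR\s+Login to LDAP server failed"),
     "ipa-dnskeysyncd", "GSSAPI bind rejected by LDAP",
     "same as named: the client has a ticket, the server refuses the bind."),
]

# Constructed sample lines, following the patterns quoted in the thread.
SAMPLE_LINES = [
    "[10/Feb/2021:23:05:57.501853962 -0300] conn=92 op=1 RESULT err=49 tag=97 nentries=0 "
    "etime=0.001927716 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  "
    "Minor code may provide more information (Cannot create replay cache file "
    "/var/tmp/ldap_389: Operation not permitted)",
    "[Wed Feb 10 17:34:19.151811 2021] [auth_gssapi:error] [pid 13917] [client 172.26.255.254:48758] "
    "GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure.  "
    "Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)]",
    "[Wed Feb 10 17:34:19.129505 2021] [:error] [pid 13912] ipa: INFO: 401 Unauthorized: "
    "Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  "
    "Minor code may provide more information (Credential cache is empty)",
    "[Wed Feb 10 17:38:08.183222 2021] [:warn] [pid 13916] [client 172.26.255.254:52646] "
    "failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@CLUSTER.CETENE.GOV.BR)!",
    "Feb 15 13:18:52 neumann2 named-pkcs11[32027]: LDAP error: Invalid credentials: bind to LDAP server failed",
    "Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: ipa-dnskeysyncd: ERROR    "
    "Login to LDAP server failed: {'desc': 'Invalid credentials'}",
    "Feb 10 23:05:16 neumann2 systemd: ipa-dnskeysyncd.service failed.",
]


def triage_line(line):
    """Classify one log line; None when it matches no known signature."""
    for pattern, component, signature, check in SIGNATURES:
        m = pattern.search(line)
        if m:
            return Finding(component, signature, check.format(**m.groupdict()))
    return None


def triage(lines):
    """Distinct findings, with the LDAP acceptor failure first: a 389-ds that
    cannot open its replay cache explains every client-side 'Invalid
    credentials', so it is the thing to fix before regenerating keytabs."""
    findings = []
    for line in lines:
        f = triage_line(line)
        if f is not None and f not in findings:
            findings.append(f)
    return sorted(findings, key=lambda f: f.signature != "replay cache unwritable")


def replay_cache_path(server_principal, euid, rcache_dir="/var/tmp"):
    """Assumed MIT krb5 'dfl' replay cache name for an acceptor:
    <dir>/<first principal component>_<euid>. Reproduces the /var/tmp/ldap_389
    path from the thread (ldap/ principal, dirsrv running as uid 389)."""
    service = server_principal.split("/", 1)[0].split("@", 1)[0]
    return f"{rcache_dir}/{service}_{euid}"


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(f"{finding.component}: {finding.signature}\n    -> {finding.next_check}")
    print("expected dirsrv rcache:",
          replay_cache_path("ldap/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR", 389))
```

Running it against real logs is a matter of `triage(open(path).read().splitlines())` for each file. The ordering is the point: of the six distinct signatures in the thread, five are clients being told "Invalid credentials" by the LDAP server, and only the replay-cache line describes why the server says so, so that is the line to act on before touching any keytab.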