Hey all -
I'm having an odd bug when I try to log in to the web interface as the FreeIPA 'admin' user. I get the following error message:
Login failed due to an unknown reason.
Not sure where that's coming from, but per this post (https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...) I went ahead and checked the validity period of the `/var/kerberos/krb5kdc/kdc.crt` with the `openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt` command. Sure as shoot, that certificate expired on the 22nd of January at about 7:00 AM GMT - and I'm stuck unable to log in and manage my domain. :(
Now according to the end of that thread, the problem just up and fixed itself but I'm up against a wall here in that I... definitely need to be able to get in pretty soon, as I have a new host I need to provision. Is there any way to manually jumpstart this process?
Password isn't expired, I can `kinit admin` and I am not prompted to change my password.
Further, running `ipa-cert-fix` updated the certificate at `/var/kerberos/krb5kdc/kdc.crt`, but that did not solve the login issue.
I get the following in the logs:

```
[Wed Jan 24 10:58:58.693971 2024] [:error] [pid 1539] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Jan 24 10:58:58.694439 2024] [:error] [pid 1539] ipa: DEBUG: WSGI login_password.__call__:
[Wed Jan 24 10:58:58.696749 2024] [:error] [pid 1539] ipa: DEBUG: Obtaining armor in ccache /var/run/ipa/ccaches/armor_1539
[Wed Jan 24 10:58:58.697075 2024] [:error] [pid 1539] ipa: DEBUG: Initializing anonymous ccache
[Wed Jan 24 10:58:58.697697 2024] [:error] [pid 1539] ipa: DEBUG: Starting external process
[Wed Jan 24 10:58:58.697952 2024] [:error] [pid 1539] ipa: DEBUG: args=/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_1539 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[Wed Jan 24 10:58:58.811721 2024] [:error] [pid 1539] ipa: DEBUG: Process finished, return code=1
[Wed Jan 24 10:58:58.812104 2024] [:error] [pid 1539] ipa: DEBUG: stdout=Password for WELLKNOWN/ANONYMOUS@ZONIT.COM:
[Wed Jan 24 10:58:58.812149 2024] [:error] [pid 1539]
[Wed Jan 24 10:58:58.812536 2024] [:error] [pid 1539] ipa: DEBUG: stderr=kinit: Cannot read password while getting initial credentials
[Wed Jan 24 10:58:58.812717 2024] [:error] [pid 1539]
[Wed Jan 24 10:58:58.813450 2024] [:error] [pid 1539] [remote 172.30.2.121:148] mod_wsgi (pid=1539): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed Jan 24 10:58:58.813603 2024] [:error] [pid 1539] [remote 172.30.2.121:148] Traceback (most recent call last):
[Wed Jan 24 10:58:58.813691 2024] [:error] [pid 1539] [remote 172.30.2.121:148] File "/usr/share/ipa/wsgi.py", line 59, in application
[Wed Jan 24 10:58:58.815113 2024] [:error] [pid 1539] [remote 172.30.2.121:148] return api.Backend.wsgi_dispatch(environ, start_response)
[Wed Jan 24 10:58:58.815303 2024] [:error] [pid 1539] [remote 172.30.2.121:148] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in __call__
[Wed Jan 24 10:58:58.816826 2024] [:error] [pid 1539] [remote 172.30.2.121:148] return self.route(environ, start_response)
[Wed Jan 24 10:58:58.816956 2024] [:error] [pid 1539] [remote 172.30.2.121:148] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in route
[Wed Jan 24 10:58:58.817051 2024] [:error] [pid 1539] [remote 172.30.2.121:148] return app(environ, start_response)
[Wed Jan 24 10:58:58.817099 2024] [:error] [pid 1539] [remote 172.30.2.121:148] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in __call__
[Wed Jan 24 10:58:58.817163 2024] [:error] [pid 1539] [remote 172.30.2.121:148] self.kinit(user_principal, password, ipa_ccache_name)
[Wed Jan 24 10:58:58.817357 2024] [:error] [pid 1539] [remote 172.30.2.121:148] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in kinit
[Wed Jan 24 10:58:58.817514 2024] [:error] [pid 1539] [remote 172.30.2.121:148] pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Wed Jan 24 10:58:58.817714 2024] [:error] [pid 1539] [remote 172.30.2.121:148] File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in kinit_armor
[Wed Jan 24 10:58:58.818268 2024] [:error] [pid 1539] [remote 172.30.2.121:148] run(args, env=env, raiseonerr=True, capture_error=True)
[Wed Jan 24 10:58:58.818348 2024] [:error] [pid 1539] [remote 172.30.2.121:148] File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Wed Jan 24 10:58:58.819946 2024] [:error] [pid 1539] [remote 172.30.2.121:148] raise CalledProcessError(p.returncode, arg_string, str(output))
[Wed Jan 24 10:58:58.820275 2024] [:error] [pid 1539] [remote 172.30.2.121:148] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_1539 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
```
(I should add that those logs were from `/var/log/httpd/error_log`)
Per the following pages:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
https://www.freeipa.org/page/V4/Kerberos_PKINIT
I found that, somehow, PKINIT was... not enabled on my systems? This made very little sense to me, as I'd had no problems before and I DID NOT do an upgrade or anything.
freeipa-users@lists.fedorahosted.org
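
A triage helper for the `error_log` excerpt in the post above, as an added example that is not part of the original post: it correlates each anonymous `kinit -n` armor attempt with its return code and stderr per httpd pid, and lists the `X509_anchors` files that attempt used, which are the certificates whose validity needs checking. The sample log is constructed from the format quoted in the post, and the function name `find_armor_failures` is hypothetical.

```python
import re

# Constructed sample in the /var/log/httpd/error_log format quoted in the post.
SAMPLE_LOG = """\
[Wed Jan 24 10:58:58.697952 2024] [:error] [pid 1539] ipa: DEBUG: args=/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_1539 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[Wed Jan 24 10:58:58.811721 2024] [:error] [pid 1539] ipa: DEBUG: Process finished, return code=1
[Wed Jan 24 10:58:58.812536 2024] [:error] [pid 1539] ipa: DEBUG: stderr=kinit: Cannot read password while getting initial credentials
[Wed Jan 24 11:02:10.000001 2024] [:error] [pid 1602] ipa: DEBUG: args=/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_1602 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt
[Wed Jan 24 11:02:10.100001 2024] [:error] [pid 1602] ipa: DEBUG: Process finished, return code=0
"""

LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid (?P<pid>\d+)\] "
    r"(?:\[remote [^\]]+\] )?ipa: DEBUG: (?P<msg>.*)$"
)
ANCHOR = re.compile(r"X509_anchors=FILE:(\S+)")


def find_armor_failures(log_text):
    """Return one record per failed anonymous (armor) kinit, keyed by httpd pid."""
    pending = {}   # pid -> record for a kinit -n whose outcome is not complete yet
    failures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("args=") and "kinit -n " in msg:
            pending[pid] = {"time": m["ts"], "pid": int(pid), "rc": None,
                            "anchors": ANCHOR.findall(msg), "stderr": ""}
        elif pid in pending and msg.startswith("Process finished, return code="):
            rc = int(msg.rsplit("=", 1)[1])
            if rc == 0:
                del pending[pid]            # armor ticket obtained, nothing to report
            else:
                pending[pid]["rc"] = rc
                failures.append(pending[pid])
        elif pid in pending and msg.startswith("stderr="):
            pending[pid]["stderr"] = msg[len("stderr="):]
            del pending[pid]                # record is complete
    return failures


if __name__ == "__main__":
    for f in find_armor_failures(SAMPLE_LOG):
        print(f["time"], "pid", f["pid"], "rc", f["rc"], f["stderr"])
        for path in f["anchors"]:
            print("  check validity of:", path)
```
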