On Thu, 29 Feb 2024, Grant Janssen via FreeIPA-users wrote:
It appears I have resolved my certificate expiration
issue<https://lists.fedorahosted.org/archives/list/freeipa-users@lists...
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
But I have another issue
grant@ef-idm01:~[20240229-10:11][#772]$ klist
Ticket cache: KCM:555
Default principal: grant@PRODUCTION.EFILM.COM
Does this user have UID 555?
Can you look at your KDC's krb5kdc.log and see if there is an issue with
HANDLE_AUTHDATA or PAC or S4U operations at the time you run 'ipa
user-find' or similar commands?
Basically, I think you have users with UID/GIDs outside of your ID
ranges and therefore those users have no SIDs associated with them and
hence cannot be used for constrained delegation (S4U extensions in
Kerberos) anymore. In addition, most likely your existing ID ranges have
no support for generating SIDs as they most likely lack RID bases.
There were plenty of discussions about it on the list in the past few
months. You can look at these articles on Red Hat's Customer Portal:
https://access.redhat.com/articles/7027037
https://access.redhat.com/solutions/7052703
https://access.redhat.com/solutions/7014959
Valid starting       Expires              Service principal
02/29/2024 10:11:56  03/01/2024 09:42:34  krbtgt/PRODUCTION.EFILM.COM@PRODUCTION.EFILM.COM
grant@ef-idm01:~[20240229-10:12][#773]$ ipa user-find roland
ipa: ERROR: No valid Negotiate header in server response
grant@ef-idm01:~[20240229-10:12][#774]$ ipa server-find
ipa: ERROR: No valid Negotiate header in server response
grant@ef-idm01:~[20240229-10:18][#775]$ sudo systemctl status gssproxy.service
[sudo] password for grant:
● gssproxy.service - GSSAPI Proxy Daemon
Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2024-02-20 13:57:40 PST; 1 weeks 1 days ago
Process: 2158008 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS)
Main PID: 2158009 (gssproxy)
Tasks: 6 (limit: 74714)
Memory: 10.5M
CGroup: /system.slice/gssproxy.service
└─2158009 /usr/sbin/gssproxy -D
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: gssproxy.service: Succeeded.
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Stopped GSSAPI Proxy Daemon.
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Starting GSSAPI Proxy Daemon...
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Started GSSAPI Proxy Daemon.
grant@ef-idm01:~[20240229-10:18][#776]$
I searched online for some references and it was suggested I generate the
/var/lib/ipa/gssproxy/http.keytab
The keytab file appears OKAY to me though.
I would like to get this issue behind me
thanx
- grant
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
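A quick way to check the condition described above (UIDs/GIDs that fall outside every ID range, or inside a range that has no RID base and therefore cannot produce SIDs) against CLI output. This is an added example, not code from the thread or from FreeIPA; it assumes the --raw attribute names ipabaseid, ipaidrangesize and ipabaserid from `ipa idrange-find --all --raw` and uidnumber/gidnumber from `ipa user-find --all --raw`, and the two sample outputs are constructed and reduced to the entry blocks.

```python
import re
# Constructed `ipa idrange-find --all --raw` output; legacy_range has no RID base.
IDRANGE_RAW = """\
cn: EXAMPLE.TEST_id_range
ipabaseid: 1234000000
ipaidrangesize: 200000
ipabaserid: 1000

cn: legacy_range
ipabaseid: 5000
ipaidrangesize: 1000
"""
# Constructed `ipa user-find --all --raw` output (uid 555 mirrors the KCM cache id).
USERS_RAW = """\
uid: alice
uidnumber: 1234000001
gidnumber: 1234000001

uid: grant
uidnumber: 555
gidnumber: 555

uid: legacy
uidnumber: 5200
gidnumber: 5200
"""

def parse_entries(raw):
    """Turn blank-line-separated 'attr: value' blocks into a list of dicts."""
    return [dict(line.strip().partition(": ")[::2] for line in block.splitlines())
            for block in re.split(r"\n\s*\n", raw.strip())]

def range_for(posix_id, ranges):
    """Return the ID range whose [ipabaseid, ipabaseid + size) holds posix_id."""
    return next((r for r in ranges if int(r["ipabaseid"]) <= posix_id
                 < int(r["ipabaseid"]) + int(r["ipaidrangesize"])), None)

def check_users(idrange_raw, users_raw):
    """Map each problem user to the reason it cannot receive a SID."""
    problems, ranges = {}, parse_entries(idrange_raw)
    for u in parse_entries(users_raw):
        for attr in ("uidnumber", "gidnumber"):
            r = range_for(int(u[attr]), ranges)
            if r is None:
                problems[u["uid"]] = f"{attr} {u[attr]} outside every ID range"
                break
            if "ipabaserid" not in r:
                problems[u["uid"]] = f"range {r['cn']} has no RID base"
                break
    return problems
```

Feed it the real output of the two commands to list the accounts that need moving into a range with RID bases before S4U-based operations will work for them again.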