Hi list, as I am currently sorting out our freeipa problems we stumbled across another problem. After the last reboot of our 2ndary IPA host, we can no longer login into the webui on the 2nd host.
The webui on the first host works.
I've checked some logs but was only able to find meaningful entries in the httpd log which is this:
mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. Traceback (most recent call last): File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application return api.Backend.wsgi_dispatch(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__ return self.route(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route return app(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__ result = attempt_kinit(user_principal, password, File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit self.kinit(user_principal, password, File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit kinit_armor( File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor run(args, env=env, raiseonerr=True, capture_error=True) File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run raise CalledProcessError( ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\n')
Does someone know in which direction I need to debug further?
Cheers Boris
Hi,
On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hi list, as I am currently sorting out our freeipa problems we stumbled across another problem. After the last reboot of our 2ndary IPA host, we can no longer login into the webui on the 2nd host.
The webui on the first host works.
I've checked some logs but was only able to find meaningful entries in the httpd log which is this:
mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. Traceback (most recent call last): File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application return api.Backend.wsgi_dispatch(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__ return self.route(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route return app(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__ result = attempt_kinit(user_principal, password, File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit self.kinit(user_principal, password, File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit kinit_armor( File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor run(args, env=env, raiseonerr=True, capture_error=True) File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run raise CalledProcessError( ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\n')
What is the content of this kdc.crt certificate?
openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt The output will tell us if it's a self-signed PKINIT cert or signed by IPA CA (look for the Issuer: value in the output).
Does the kdc-ca-bundle.pem contain the CA that signed this certificate? openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout
On a working system I see the following permissions for the above files: # ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt # ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
Do you have the package krb5-pkinit installed on your machine?
flo
Does someone know in which direction I need to debug further?
Cheers Boris -- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal. -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hi flo,
certificate and ca looks good. Certificate is signed by the correct ca and just got renewed (Not Before: Feb 15 09:43:26 2025 GMT)
the permissions looks different (the questionmark)
[root@ipa2 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r-- 1 root root ? 1671 15. Feb 10:43 /var/kerberos/krb5kdc/kdc.crt [root@ipa2 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r-- 1 root root ? 1294 15. Mär 2023 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
in comparission to the ipa1 [root@ipa1 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. 1 root root system_u:object_r:realmd_var_lib_t:s0 1313 Feb 21 2022 /var/lib/ipa-client/pki/kdc-ca-bundle.pem [root@ipa1 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1367 Nov 29 13:19 /var/kerberos/krb5kdc/kdc.crt
The krb5-pkinit is installed krb5-pkinit-1.19.2-9.fc35.x86_64
Am Mi., 19. Feb. 2025 um 15:46 Uhr schrieb Florence Blanc-Renaud < flo@redhat.com>:
Hi,
On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hi list, as I am currently sorting out our freeipa problems we stumbled across another problem. After the last reboot of our 2ndary IPA host, we can no longer login into the webui on the 2nd host.
The webui on the first host works.
I've checked some logs but was only able to find meaningful entries in the httpd log which is this:
mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. Traceback (most recent call last): File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application return api.Backend.wsgi_dispatch(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__ return self.route(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route return app(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__ result = attempt_kinit(user_principal, password, File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit self.kinit(user_principal, password, File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit kinit_armor( File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor run(args, env=env, raiseonerr=True, capture_error=True) File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run raise CalledProcessError( ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\n')
What is the content of this kdc.crt certificate?
openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt The output will tell us if it's a self-signed PKINIT cert or signed by IPA CA (look for the Issuer: value in the output).
Does the kdc-ca-bundle.pem contain the CA that signed this certificate? openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout
On a working system I see the following permissions for the above files: # ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt # ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
Do you have the package krb5-pkinit installed on your machine?
flo
Does someone know in which direction I need to debug further?
Cheers Boris -- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal. -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hi,
On Wed, Feb 19, 2025 at 4:07 PM Boris bb@kervyn.de wrote:
Hi flo,
certificate and ca looks good. Certificate is signed by the correct ca and just got renewed (Not Before: Feb 15 09:43:26 2025 GMT)
the permissions looks different (the questionmark)
[root@ipa2 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r-- 1 root root ? 1671 15. Feb 10:43 /var/kerberos/krb5kdc/kdc.crt [root@ipa2 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r-- 1 root root ? 1294 15. Mär 2023 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
The question mark means that there is no selinux context for those files. The system probably has SELINUX=disabled in /etc/selinux/config.
Can you also check the following: # kinit admin # ipa pkinit-status The above will show you which servers are enabled for PKINIT.
# ipa-pkinit-manage status
# kdestroy -A # KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
In the logs for kinit -n, double-check that the request is sent to ipa2. If that's not the case, you may have a wrong config (/var/lib/sss/pubconf/kdcinfo.your_realm should contain the IP address from ipa2).
flo
in comparission to the ipa1 [root@ipa1 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. 1 root root system_u:object_r:realmd_var_lib_t:s0 1313 Feb 21 2022 /var/lib/ipa-client/pki/kdc-ca-bundle.pem [root@ipa1 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1367 Nov 29 13:19 /var/kerberos/krb5kdc/kdc.crt
The krb5-pkinit is installed krb5-pkinit-1.19.2-9.fc35.x86_64
Am Mi., 19. Feb. 2025 um 15:46 Uhr schrieb Florence Blanc-Renaud < flo@redhat.com>:
Hi,
On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hi list, as I am currently sorting out our freeipa problems we stumbled across another problem. After the last reboot of our 2ndary IPA host, we can no longer login into the webui on the 2nd host.
The webui on the first host works.
I've checked some logs but was only able to find meaningful entries in the httpd log which is this:
mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. Traceback (most recent call last): File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application return api.Backend.wsgi_dispatch(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__ return self.route(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route return app(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__ result = attempt_kinit(user_principal, password, File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit self.kinit(user_principal, password, File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit kinit_armor( File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor run(args, env=env, raiseonerr=True, capture_error=True) File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run raise CalledProcessError( ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\n')
What is the content of this kdc.crt certificate?
openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt The output will tell us if it's a self-signed PKINIT cert or signed by IPA CA (look for the Issuer: value in the output).
Does the kdc-ca-bundle.pem contain the CA that signed this certificate? openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout
On a working system I see the following permissions for the above files: # ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt # ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
Do you have the package krb5-pkinit installed on your machine?
flo
Does someone know in which direction I need to debug further?
Cheers Boris -- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal. -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
-- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal.
yes, SELINUX seems to be disabled.
[root@ipa2 ~]# kinit boris@DOMAIN Passwort für boris@DOMAIN:
[root@ipa2 ~]# ipa pkinit-status ----------------- 2 servers matched ----------------- Servername: ipa1.redacted PKINIT status: disabled
Servername: ipa2.redacted PKINIT status: enabled ------------------------------------- Anzahl der zurückgegebenen Einträge 2 -------------------------------------
[root@ipa2 ~]# ipa-pkinit-manage status PKINIT is enabled The ipa-pkinit-manage command was successful [root@ipa2 ~]# kdestroy -A [root@ipa2 ~]# KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache [55944] 1739982907.606095: Getting initial credentials for WELLKNOWN/ANONYMOUS@DOMAIN [55944] 1739982907.606097: Sending unauthenticated request [55944] 1739982907.606098: Sending request (194 bytes) to DOMAIN ...
the kinit command tries to connect to the ipa1, in the /var/lib/sss/pubconf/kdcinfo.your_realm are both addresses. It is the same on the ipa1 host.
Am Mi., 19. Feb. 2025 um 17:04 Uhr schrieb Florence Blanc-Renaud < flo@redhat.com>:
Hi,
On Wed, Feb 19, 2025 at 4:07 PM Boris bb@kervyn.de wrote:
Hi flo,
certificate and ca looks good. Certificate is signed by the correct ca and just got renewed (Not Before: Feb 15 09:43:26 2025 GMT)
the permissions looks different (the questionmark)
[root@ipa2 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r-- 1 root root ? 1671 15. Feb 10:43 /var/kerberos/krb5kdc/kdc.crt [root@ipa2 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r-- 1 root root ? 1294 15. Mär 2023 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
The question mark means that there is no selinux context for those files. The system probably has SELINUX=disabled in /etc/selinux/config.
Can you also check the following: # kinit admin # ipa pkinit-status The above will show you which servers are enabled for PKINIT.
# ipa-pkinit-manage status
# kdestroy -A # KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
In the logs for kinit -n, double-check that the request is sent to ipa2. If that's not the case, you may have a wrong config (/var/lib/sss/pubconf/kdcinfo.your_realm should contain the IP address from ipa2).
flo
in comparission to the ipa1 [root@ipa1 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. 1 root root system_u:object_r:realmd_var_lib_t:s0 1313 Feb 21 2022 /var/lib/ipa-client/pki/kdc-ca-bundle.pem [root@ipa1 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1367 Nov 29 13:19 /var/kerberos/krb5kdc/kdc.crt
The krb5-pkinit is installed krb5-pkinit-1.19.2-9.fc35.x86_64
Am Mi., 19. Feb. 2025 um 15:46 Uhr schrieb Florence Blanc-Renaud < flo@redhat.com>:
Hi,
On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hi list, as I am currently sorting out our freeipa problems we stumbled across another problem. After the last reboot of our 2ndary IPA host, we can no longer login into the webui on the 2nd host.
The webui on the first host works.
I've checked some logs but was only able to find meaningful entries in the httpd log which is this:
mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. Traceback (most recent call last): File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application return api.Backend.wsgi_dispatch(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__ return self.route(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route return app(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__ result = attempt_kinit(user_principal, password, File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit self.kinit(user_principal, password, File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit kinit_armor( File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor run(args, env=env, raiseonerr=True, capture_error=True) File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run raise CalledProcessError( ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\n')
What is the content of this kdc.crt certificate?
openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt The output will tell us if it's a self-signed PKINIT cert or signed by IPA CA (look for the Issuer: value in the output).
Does the kdc-ca-bundle.pem contain the CA that signed this certificate? openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout
On a working system I see the following permissions for the above files: # ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt # ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
Do you have the package krb5-pkinit installed on your machine?
flo
Does someone know in which direction I need to debug further?
Cheers Boris -- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal. -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
-- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal.
Hi,
On Wed, Feb 19, 2025 at 5:43 PM Boris bb@kervyn.de wrote:
yes, SELINUX seems to be disabled.
[root@ipa2 ~]# kinit boris@DOMAIN Passwort für boris@DOMAIN:
[root@ipa2 ~]# ipa pkinit-status
2 servers matched
Servername: ipa1.redacted PKINIT status: disabled
Servername: ipa2.redacted PKINIT status: enabled
Anzahl der zurückgegebenen Einträge 2
[root@ipa2 ~]# ipa-pkinit-manage status PKINIT is enabled The ipa-pkinit-manage command was successful [root@ipa2 ~]# kdestroy -A [root@ipa2 ~]# KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache [55944] 1739982907.606095: Getting initial credentials for WELLKNOWN/ANONYMOUS@DOMAIN [55944] 1739982907.606097: Sending unauthenticated request [55944] 1739982907.606098: Sending request (194 bytes) to DOMAIN ...
the kinit command tries to connect to the ipa1, in the /var/lib/sss/pubconf/kdcinfo.your_realm are both addresses. It is the same on the ipa1 host.
On an IPA server, the above file should only contain the server itself. Try to delete the file (it will get re-created by SSSD), and check the content of /etc/sssd/sssd.conf. It should contain a section for the IPA domain (with *[domain/$YOUR_SOMAIN]*) and inside this section a value *ipa_server = $YOUR_SERVER*). Make sure that ipa_server has a single value, containing the hostname of the machine. If it contains something like _srv_ it means that the server is automatically discovered using DNS records but that setting should not appear on a server.
HTH, flo
Am Mi., 19. Feb. 2025 um 17:04 Uhr schrieb Florence Blanc-Renaud < flo@redhat.com>:
Hi,
On Wed, Feb 19, 2025 at 4:07 PM Boris bb@kervyn.de wrote:
Hi flo,
certificate and ca looks good. Certificate is signed by the correct ca and just got renewed (Not Before: Feb 15 09:43:26 2025 GMT)
the permissions looks different (the questionmark)
[root@ipa2 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r-- 1 root root ? 1671 15. Feb 10:43 /var/kerberos/krb5kdc/kdc.crt [root@ipa2 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r-- 1 root root ? 1294 15. Mär 2023 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
The question mark means that there is no selinux context for those files. The system probably has SELINUX=disabled in /etc/selinux/config.
Can you also check the following: # kinit admin # ipa pkinit-status The above will show you which servers are enabled for PKINIT.
# ipa-pkinit-manage status
# kdestroy -A # KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
In the logs for kinit -n, double-check that the request is sent to ipa2. If that's not the case, you may have a wrong config (/var/lib/sss/pubconf/kdcinfo.your_realm should contain the IP address from ipa2).
flo
in comparission to the ipa1 [root@ipa1 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. 1 root root system_u:object_r:realmd_var_lib_t:s0 1313 Feb 21 2022 /var/lib/ipa-client/pki/kdc-ca-bundle.pem [root@ipa1 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1367 Nov 29 13:19 /var/kerberos/krb5kdc/kdc.crt
The krb5-pkinit is installed krb5-pkinit-1.19.2-9.fc35.x86_64
Am Mi., 19. Feb. 2025 um 15:46 Uhr schrieb Florence Blanc-Renaud < flo@redhat.com>:
Hi,
On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hi list, as I am currently sorting out our freeipa problems we stumbled across another problem. After the last reboot of our 2ndary IPA host, we can no longer login into the webui on the 2nd host.
The webui on the first host works.
I've checked some logs but was only able to find meaningful entries in the httpd log which is this:
mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. Traceback (most recent call last): File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application return api.Backend.wsgi_dispatch(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__ return self.route(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route return app(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__ result = attempt_kinit(user_principal, password, File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit self.kinit(user_principal, password, File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit kinit_armor( File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor run(args, env=env, raiseonerr=True, capture_error=True) File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run raise CalledProcessError( ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\n')
What is the content of this kdc.crt certificate?
openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt The output will tell us if it's a self-signed PKINIT cert or signed by IPA CA (look for the Issuer: value in the output).
Does the kdc-ca-bundle.pem contain the CA that signed this certificate? openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout
On a working system I see the following permissions for the above files: # ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt # ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
Do you have the package krb5-pkinit installed on your machine?
flo
Does someone know in which direction I need to debug further?
Cheers Boris -- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal. -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
-- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal.
-- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal.
YES! great. That helped.
The /etc/sssd/sssd.conf contained both IPA hosts on both IPA hosts. After correcting that, removing the mentioned file and restarting sssd the login into the webui now works.
Thanks a lot!
Am Do., 20. Feb. 2025 um 09:52 Uhr schrieb Florence Blanc-Renaud < flo@redhat.com>:
Hi,
On Wed, Feb 19, 2025 at 5:43 PM Boris bb@kervyn.de wrote:
yes, SELINUX seems to be disabled.
[root@ipa2 ~]# kinit boris@DOMAIN Passwort für boris@DOMAIN:
[root@ipa2 ~]# ipa pkinit-status
2 servers matched
Servername: ipa1.redacted PKINIT status: disabled
Servername: ipa2.redacted PKINIT status: enabled
Anzahl der zurückgegebenen Einträge 2
[root@ipa2 ~]# ipa-pkinit-manage status PKINIT is enabled The ipa-pkinit-manage command was successful [root@ipa2 ~]# kdestroy -A [root@ipa2 ~]# KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache [55944] 1739982907.606095: Getting initial credentials for WELLKNOWN/ANONYMOUS@DOMAIN [55944] 1739982907.606097: Sending unauthenticated request [55944] 1739982907.606098: Sending request (194 bytes) to DOMAIN ...
the kinit command tries to connect to the ipa1, in the /var/lib/sss/pubconf/kdcinfo.your_realm are both addresses. It is the same on the ipa1 host.
On an IPA server, the above file should only contain the server itself. Try to delete the file (it will get re-created by SSSD), and check the content of /etc/sssd/sssd.conf. It should contain a section for the IPA domain (with *[domain/$YOUR_SOMAIN]*) and inside this section a value *ipa_server = $YOUR_SERVER*). Make sure that ipa_server has a single value, containing the hostname of the machine. If it contains something like _srv_ it means that the server is automatically discovered using DNS records but that setting should not appear on a server.
HTH, flo
Am Mi., 19. Feb. 2025 um 17:04 Uhr schrieb Florence Blanc-Renaud < flo@redhat.com>:
Hi,
On Wed, Feb 19, 2025 at 4:07 PM Boris bb@kervyn.de wrote:
Hi flo,
certificate and ca looks good. Certificate is signed by the correct ca and just got renewed (Not Before: Feb 15 09:43:26 2025 GMT)
the permissions looks different (the questionmark)
[root@ipa2 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r-- 1 root root ? 1671 15. Feb 10:43 /var/kerberos/krb5kdc/kdc.crt [root@ipa2 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r-- 1 root root ? 1294 15. Mär 2023 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
The question mark means that there is no selinux context for those files. The system probably has SELINUX=disabled in /etc/selinux/config.
Can you also check the following: # kinit admin # ipa pkinit-status The above will show you which servers are enabled for PKINIT.
# ipa-pkinit-manage status
# kdestroy -A # KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
In the logs for kinit -n, double-check that the request is sent to ipa2. If that's not the case, you may have a wrong config (/var/lib/sss/pubconf/kdcinfo.your_realm should contain the IP address from ipa2).
flo
in comparission to the ipa1 [root@ipa1 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. 1 root root system_u:object_r:realmd_var_lib_t:s0 1313 Feb 21 2022 /var/lib/ipa-client/pki/kdc-ca-bundle.pem [root@ipa1 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1367 Nov 29 13:19 /var/kerberos/krb5kdc/kdc.crt
The krb5-pkinit is installed krb5-pkinit-1.19.2-9.fc35.x86_64
Am Mi., 19. Feb. 2025 um 15:46 Uhr schrieb Florence Blanc-Renaud < flo@redhat.com>:
Hi,
On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hi list, as I am currently sorting out our freeipa problems we stumbled across another problem. After the last reboot of our 2ndary IPA host, we can no longer login into the webui on the 2nd host.
The webui on the first host works.
I've checked some logs but was only able to find meaningful entries in the httpd log which is this:
mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. Traceback (most recent call last): File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application return api.Backend.wsgi_dispatch(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__ return self.route(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route return app(environ, start_response) File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__ result = attempt_kinit(user_principal, password, File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit self.kinit(user_principal, password, File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit kinit_armor( File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor run(args, env=env, raiseonerr=True, capture_error=True) File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run raise CalledProcessError( ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\n')
What is the content of this kdc.crt certificate?
openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt The output will tell us if it's a self-signed PKINIT cert or signed by IPA CA (look for the Issuer: value in the output).
Does the kdc-ca-bundle.pem contain the CA that signed this certificate? openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout
On a working system I see the following permissions for the above files: # ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt # ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
Do you have the package krb5-pkinit installed on your machine?
flo
Does someone know in which direction I need to debug further?
Cheers Boris -- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal. -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
-- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal.
-- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal.
On Thu, Feb 20, 2025 at 10:49 AM Boris bb@kervyn.de wrote:
YES! great. That helped.
The /etc/sssd/sssd.conf contained both IPA hosts on both IPA hosts. After correcting that, removing the mentioned file and restarting sssd the login into the webui now works.
Thanks a lot!
Glad it worked! Thanks for letting us know. flo
Am Do., 20. Feb. 2025 um 09:52 Uhr schrieb Florence Blanc-Renaud < flo@redhat.com>:
Hi,
On Wed, Feb 19, 2025 at 5:43 PM Boris bb@kervyn.de wrote:
yes, SELINUX seems to be disabled.
[root@ipa2 ~]# kinit boris@DOMAIN Passwort für boris@DOMAIN:
[root@ipa2 ~]# ipa pkinit-status
2 servers matched
Servername: ipa1.redacted PKINIT status: disabled
Servername: ipa2.redacted PKINIT status: enabled
Anzahl der zurückgegebenen Einträge 2
[root@ipa2 ~]# ipa-pkinit-manage status PKINIT is enabled The ipa-pkinit-manage command was successful [root@ipa2 ~]# kdestroy -A [root@ipa2 ~]# KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache [55944] 1739982907.606095: Getting initial credentials for WELLKNOWN/ANONYMOUS@DOMAIN [55944] 1739982907.606097: Sending unauthenticated request [55944] 1739982907.606098: Sending request (194 bytes) to DOMAIN ...
the kinit command tries to connect to the ipa1, in the /var/lib/sss/pubconf/kdcinfo.your_realm are both addresses. It is the same on the ipa1 host.
On an IPA server, the above file should only contain the server itself. Try to delete the file (it will get re-created by SSSD), and check the content of /etc/sssd/sssd.conf. It should contain a section for the IPA domain (with *[domain/$YOUR_SOMAIN]*) and inside this section a value *ipa_server = $YOUR_SERVER*). Make sure that ipa_server has a single value, containing the hostname of the machine. If it contains something like _srv_ it means that the server is automatically discovered using DNS records but that setting should not appear on a server.
HTH, flo
Am Mi., 19. Feb. 2025 um 17:04 Uhr schrieb Florence Blanc-Renaud < flo@redhat.com>:
Hi,
On Wed, Feb 19, 2025 at 4:07 PM Boris bb@kervyn.de wrote:
Hi flo,
certificate and ca looks good. Certificate is signed by the correct ca and just got renewed (Not Before: Feb 15 09:43:26 2025 GMT)
the permissions looks different (the questionmark)
[root@ipa2 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r-- 1 root root ? 1671 15. Feb 10:43 /var/kerberos/krb5kdc/kdc.crt [root@ipa2 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r-- 1 root root ? 1294 15. Mär 2023 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
The question mark means that there is no selinux context for those files. The system probably has SELINUX=disabled in /etc/selinux/config.
Can you also check the following: # kinit admin # ipa pkinit-status The above will show you which servers are enabled for PKINIT.
# ipa-pkinit-manage status
# kdestroy -A # KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
In the logs for kinit -n, double-check that the request is sent to ipa2. If that's not the case, you may have a wrong config (/var/lib/sss/pubconf/kdcinfo.your_realm should contain the IP address from ipa2).
flo
in comparission to the ipa1 [root@ipa1 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. 1 root root system_u:object_r:realmd_var_lib_t:s0 1313 Feb 21 2022 /var/lib/ipa-client/pki/kdc-ca-bundle.pem [root@ipa1 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1367 Nov 29 13:19 /var/kerberos/krb5kdc/kdc.crt
The krb5-pkinit is installed krb5-pkinit-1.19.2-9.fc35.x86_64
Am Mi., 19. Feb. 2025 um 15:46 Uhr schrieb Florence Blanc-Renaud < flo@redhat.com>:
Hi,
On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
> Hi list, > as I am currently sorting out our freeipa problems we stumbled > across another problem. > After the last reboot of our 2ndary IPA host, we can no longer login > into the webui on the 2nd host. > > The webui on the first host works. > > I've checked some logs but was only able to find meaningful entries > in the httpd log which is this: > > mod_wsgi (pid=1137): Exception occurred processing WSGI script > '/usr/share/ipa/wsgi.py'. > Traceback (most recent call last): > File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line > 71, in application > return api.Backend.wsgi_dispatch(environ, start_response) > File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", > line 301, in __call__ > return self.route(environ, start_response) > File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", > line 313, in route > return app(environ, start_response) > File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", > line 1066, in __call__ > result = attempt_kinit(user_principal, password, > File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", > line 996, in attempt_kinit > self.kinit(user_principal, password, > File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", > line 1094, in kinit > kinit_armor( > File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", > line 129, in kinit_armor > run(args, env=env, raiseonerr=True, capture_error=True) > File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line > 599, in run > raise CalledProcessError( > ipapython.ipautil.CalledProcessError: CalledProcessError(Command > ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', > 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', > 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] > returned non-zero exit status 1: 'kinit: Cannot read password while getting > initial credentials\n') > > What is the content of this kdc.crt certificate? openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt The output will tell us if it's a self-signed PKINIT cert or signed by IPA CA (look for the Issuer: value in the output).
Does the kdc-ca-bundle.pem contain the CA that signed this certificate? openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout
On a working system I see the following permissions for the above files: # ls -lZ /var/kerberos/krb5kdc/kdc.crt -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt # ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
Do you have the package krb5-pkinit installed on your machine?
flo
Does someone know in which direction I need to debug further? > > Cheers > Boris > -- > Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal > abweichend im groüen Saal. > -- > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to > freeipa-users-leave@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
-- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal.
-- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal.
-- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal.
freeipa-users@lists.fedorahosted.org
-
Boris -
Florence Blanc-Renaud