Hi all,

After upgrading to Rocky Linux 9.2 I'm running into issues with my IPA server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARed:

$ kinit admin
Password for [email protected]:
$ ipa show-user admin
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (Credential cache is empty)

/var/log/krb5kdc.log:

okt 24 16:17:48 freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes {rep=UNSUPPORTED:(0)} HTTP/[email protected] for ldap/[email protected], TGT has been revoked

As the log shows, the KDC states there is no PAC, and therefore revokes the TGT (note, I had to RTFS to decipher S4U2PROXY_NO_HEADER_PAC). Because of this, the web GUI also doesn't work.

$ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl "ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
# filter: ipaNTSecurityIdentifier=*
# requesting: uid ipaNTSecurityIdentifier
#

# admin, users, accounts, example.com
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
uid: admin
ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

Out of the ~200 or so users only the admin user has an ipaNTSecurityIdentifier, but I don't know if it's correct... I can't run `ipa config-mod --enable-sid --add-sids`, since my IPA CLI is broken. Fortunately, I do still have LDAP access.

I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf, but that results in the exact same error. Setting ipaKrbAuthzData=None in cn=ipaConfig also has no effect.

Does anyone have any advice on how to unbreak my installation?
At this point I'd *like* to have PAC working, but I'd prefer a working IPA without PAC.

Many thanks,
Peter

_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
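The two checks a practitioner would want to run against a server in this state, as an added Python example (this is not code from the post or from the FreeIPA project): pull every S4U2PROXY_NO_HEADER_PAC rejection out of krb5kdc.log so you can see which service principal is being refused for which target, and audit an LDIF dump of cn=users for users that have no ipaNTSecurityIdentifier, have a malformed one, or carry a SID whose domain prefix differs from the rest. The log lines, the LDIF, the realm EXAMPLE.TEST and the user names are constructed for the example (the admin SID is the one quoted in the post); the location of the local domain SID in the directory is stated as an assumption in the code and should be verified on your own server.

```python
"""Triage helpers for a PAC-less IPA: KDC log parsing plus a SID audit.

All input below is constructed; realm EXAMPLE.TEST and the users are
hypothetical. On a real server the inputs come from /var/log/krb5kdc.log and
from an LDAP dump such as (ldapsearch syntax, -LLL suppresses the comment
lines, but the parser below tolerates them anyway):
  ldapsearch -Y GSSAPI -LLL -b cn=users,cn=accounts,dc=example,dc=test "(uid=*)" uid ipaNTSecurityIdentifier
"""
import re
from collections import Counter

# Constructed log: one rejected S4U2Proxy request shaped like the one in the
# post, followed by an ordinary successful TGS_REQ that must not be flagged.
SAMPLE_KDC_LOG = """\
okt 24 16:17:48 ipa.example.test krb5kdc[10493]: TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa.example.test@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST, TGT has been revoked
okt 24 16:18:01 ipa.example.test krb5kdc[10493]: TGS_REQ (4 etypes {18, 20, 19, 17}) 192.168.12.57: ISSUE: authtime 1698157081, etypes {rep=18, tkt=18, ses=18}, admin@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST
"""

# Matches the KDC's S4U2Proxy refusal: the impersonating service (proxy), the
# service it wanted a ticket for (target), the requesting client address and
# the trailing reason text.
S4U2PROXY_RE = re.compile(
    r"(?P<kdc>\S+) krb5kdc\[\d+\]: TGS_REQ .*? "
    r"(?P<client>[\d.]+): S4U2PROXY_NO_HEADER_PAC: .*?\} "
    r"(?P<proxy>\S+) for (?P<target>\S+), (?P<reason>.*)$"
)


def find_pac_rejections(log_text):
    """Return one dict per TGS_REQ the KDC refused for lack of a PAC in the
    evidence ticket (the 'TGT has been revoked' lines from the post)."""
    hits = []
    for line in log_text.splitlines():
        m = S4U2PROXY_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


# Constructed LDIF: admin and bob carry SIDs from one domain, peter has none,
# alice has a SID from a different domain prefix, carol's SID is garbage.
SAMPLE_USERS_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
uid: admin
ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-1001

dn: uid=peter,cn=users,cn=accounts,dc=example,dc=test
uid: peter

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1002

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
ipaNTSecurityIdentifier: S-1-5-21-not-a-sid
"""

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def parse_ldif(text):
    """Minimal LDIF reader returning a list of {attr: [values]} dicts.
    Handles '#' comment lines and folded continuation lines (leading space);
    base64 ('::') values are not needed for the attributes audited here."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:  # folded line
            cur[last][-1] += raw[1:]
            continue
        if raw.strip() == "":
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        cur.setdefault(attr, []).append(value.strip())
        last = attr
    return entries


def audit_user_sids(ldif_text, domain_sid=None):
    """Report users without a SID, with a malformed SID, and with a SID whose
    domain prefix is not the expected one. `domain_sid` is the expected
    S-1-5-21-X-Y-Z prefix; when omitted the most common prefix is taken as
    the local domain (a guess, good enough to spot outliers). Assumption to
    verify on your own server: IPA keeps the local domain SID as
    ipaNTSecurityIdentifier on cn=<domain>,cn=ad,cn=etc,<suffix>."""
    report = {"total": 0, "with_sid": 0, "missing": [], "malformed": [],
              "foreign": [], "rids": {}}
    prefixes = {}
    for e in parse_ldif(ldif_text):
        if "dn" not in e or "uid" not in e:  # skip 'search:'/'result:' residue
            continue
        uid = e["uid"][0]
        report["total"] += 1
        sids = e.get("ipaNTSecurityIdentifier", [])
        if not sids:
            report["missing"].append(uid)
            continue
        m = SID_RE.match(sids[0])
        if not m:
            report["malformed"].append(uid)
            continue
        report["with_sid"] += 1
        prefixes[uid] = "S-1-5-21-%s-%s-%s" % m.group(1, 2, 3)
        report["rids"][uid] = int(m.group(4))  # 500 is the well-known Administrator RID
    if prefixes:
        expected = domain_sid or Counter(prefixes.values()).most_common(1)[0][0]
        report["domain_sid"] = expected
        report["foreign"] = [u for u, p in prefixes.items() if p != expected]
    return report


if __name__ == "__main__":
    for hit in find_pac_rejections(SAMPLE_KDC_LOG):
        print("PAC missing: %(proxy)s -> %(target)s from %(client)s (%(reason)s)" % hit)
    rep = audit_user_sids(SAMPLE_USERS_LDIF)
    print("users: %d, with SID: %d, missing: %s, malformed: %s, foreign: %s"
          % (rep["total"], rep["with_sid"], rep["missing"], rep["malformed"], rep["foreign"]))
```

Run it as-is to see the constructed output; to use it on a real server, feed the contents of /var/log/krb5kdc.log to find_pac_rejections and the ldapsearch dump to audit_user_sids, passing the domain prefix you read from the directory as domain_sid rather than relying on the majority guess. Users listed under "missing" are the ones the post's `ipa config-mod --enable-sid --add-sids` would assign SIDs to once the CLI works again.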
