On Срд, 25 кас 2023, Rob Crittenden wrote:
Alexander Bokovoy via FreeIPA-users wrote:
On Срд, 25 кас 2023, Kroon PC, Peter via FreeIPA-users wrote:
Hi all,
After upgrading to Rocky linux 9.2 I'm running into issues with my IPA
server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred:
$ kinit admin
Password for [email protected]:
$ ipa show-user admin
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
Error: No credentials were supplied, or the credentials were
unavailable or inaccessible (Credential cache is empty)
/var/log/krb5kdc.log:
okt 24 16:17:48 freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)})
192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes
{rep=UNSUPPORTED:(0)} HTTP/[email protected] for
ldap/[email protected], TGT has been revoked
As the log shows, the KDC states there is no PAC, and therefore revokes
the TGT (note, I had to RTFS to decipher the S4U2PROXY_NO_HEADER_PAC).
Because of this, the web gui also doesn't work.
That is correct description of the reason why it does not work.
$ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl
"ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
# filter: ipaNTSecurityIdentifier=*
# requesting: uid ipaNTSecurityIdentifier
#
# admin, users, accounts, example.com
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
uid: admin
ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
Out of the ~200 or so users only the admin user has a
ipaNTSecurityIdentifier, but I don't know if it's correct...
I can't run `ipa config-mod --enable-sid --add-sids`, since my ipa CLI
is broken. I do still have LDAP access fortunately.
You can run it, see below. If you'd run, do you have any error messages in
the dirsrv errors log related to sidgen plugin?
I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf,
but that results in the exact same error. Setting ipaKrbAuthzData=None
in cn=ipaConfig also has no effect.
No, one cannot disable PAC globally in FreeIPA. S4U operations
require PAC presence since last year, so for any real Kerberos service
that uses S4U (like IPA API or web UI) one cannot disable PAC
enforcement.
Look at your ID range and SID configuration. You can avoid admin issue
currently by running 'ipa' tool on IPA server as root with '-e
in_server=true' option. This will force the tool to simulate direct
access (as if it is running within httpd) and talk directly to LDAPI
socket.
Something like below:
# KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
ipa: WARNING: API Version number was not sent, forward compatibility not
guaranteed. Assuming server's API version, 2.253
Domain: ipa1.test
Security Identifier: S-1-5-21-790702333-3825749031-3739951824
NetBIOS name: IPA1
Domain GUID: 529fcbe9-3e34-436d-a541-6ffa88e7dac1
Fallback primary group: Default SMB Group
IPA AD trust agents: master1.ipa1.test
IPA AD trust controllers: master1.ipa1.test
# KRB5CACHE=/dev/null ipa -e in_server=true idrange-find
ipa: WARNING: API Version number was not sent, forward compatibility not
guaranteed. Assuming server's API version, 2.253
----------------
5 ranges matched
----------------
Range name: IPA1.TEST_id_range
First Posix ID of the range: 1055600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
... [ skip ] ...
In my testing you can't run config-mod without a principal, and running
in-server does not have a principal.
# KRB5CACHE=/dev/null ipa -e in_server=true config-mod --add-sids
--enable-sid
[snip]
File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py",
line 701, in pre_callback
self._enable_sid(ldap, options)
File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py",
line 512, in _enable_sid
if not principal_has_privilege(self.api, context.principal, privilege):
^^^^^^^^^^^^^^^^^
AttributeError: '_thread._local' object has no attribute 'principal'
ipa: ERROR: an internal error has occurred
Thank you, Rob. I did not check that part.
On IPA master one can run the oddjobd-activated script directly:
# /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids
I still need to see ID range and trustconfig-show output to understand
the state of this deployment. Also, dirsrv errors log would be helpful
if there was an attempt to run sidgen in past.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
