Hi all,

So, apparently Outlook web (which I'm bound to because work, and linux) can't properly quote inline replies ><

I removed `disable_pac=true` from /var/kerberos/krb5kdc/kdc.conf around the time I sent the previous mail, then restarted the server, tested, and sent the mail. However, pure magic happened, and now it works? I guess a ticket had to expire.

Once again, a million thanks for your (and Rob's) prompt, detailed, and accurate replies.

Peter

________________________________________
From: Alexander Bokovoy <[email protected]>
Sent: Wednesday 22 November 2023 14:47
To: Kroon PC, Peter
CC: Rob Crittenden; FreeIPA users list
Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC

On Mon, 20 Nov 2023, Kroon PC, Peter wrote:
>Hi all,
>
>I went for option B and deleted some offending groups and users, and adjusted
>the gidNumber of those that remained. Running
>`/usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids`
>produces the following logs:
>
>[20/Nov/2023:14:39:00.414065260 +0100] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
>[20/Nov/2023:14:39:00.472454841 +0100] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [0].
>
>which to me means good news.
>
>However, `kinit admin`, confirming success with `klist`, and then trying
>`ipa user-show admin` gives:
>
>ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (Credential cache is empty)
>
>krb5kdc.log:
>
>Nov 20 14:56:04 freeipa.example.com krb5kdc[427](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes {rep=UNSUPPORTED:(0)} HTTP/[email protected] for ldap/[email protected], TGT has been revoked
>
>Further advice would be most welcome while I try to figure out how to have
>outlook behave nicely with inline responses...

admin already has the SID assigned manually, so theoretically it should
already have a ticket with PAC issued. I suspect you have some
misconfiguration that disables PAC issuance at all. Can you check your
kdc.conf that it doesn't have 'disable_pac' set in it? It is in
/var/kerberos/krb5kdc/kdc.conf

Alternatively, it might be something with the default configuration:

# ipa -e in_server=True config-show --raw |grep ipakrbauthzdata

This should return

ipakrbauthzdata: MS-PAC
ipakrbauthzdata: nfs:NONE

>
>Peter
>
>
>________________________________________
>From: Alexander Bokovoy <[email protected]>
>Sent: Thursday 9 November 2023 14:32
>To: Kroon PC, Peter
>CC: Rob Crittenden; FreeIPA users list
>Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
>
>On Thu, 09 Nov 2023, Kroon PC, Peter wrote:
>>Hi all,
>>
>>to confirm, both uidNumber and gidNumber must be within the ID range
>>right? I have 1 user and 22 groups that got assigned numbers outside
>>the range. Would it be possible to constrain these at an ldap level?
>
>Correct, they must be within the range.
>You can use the approach outlined in the following discussion from 2017 to
>create the range:
>https://listman.redhat.com/archives/freeipa-users/2017-February/026913.html
>
>>
>>Peter
>>
>>________________________________________
>>From: Alexander Bokovoy <[email protected]>
>>Sent: Tuesday 7 November 2023 09:34
>>To: Kroon PC, Peter
>>CC: Rob Crittenden; FreeIPA users list
>>Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
>>
>>On Mon, 06 Nov 2023, Kroon PC, Peter wrote:
>>>Hi all,
>>>
>>>thanks for the response, and my apologies for my slow reply -- life happened.
>>>I put my responses inline. It seems that the ldapupdate file you provided
>>>generated a SID config.
>>
>>Thanks. It is hard to read your inline responses as they went without
>>proper quoting but I think I understood what you wanted to show.
>>
>>You still need to add an ID range that covers your actual POSIX IDs. Without
>>that we wouldn't be able to generate SIDs either.
>>
>>After an ID range is added, `ipa config-mod --enable-sid --add-sids`
>>should fix the rest.
>>
>>
>>>
>>>Peter
>>>
>>>
>>>________________________________________
>>>From: Alexander Bokovoy <[email protected]>
>>>Sent: Thursday 26 October 2023 16:59
>>>To: Kroon PC, Peter
>>>CC: Rob Crittenden; FreeIPA users list
>>>Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
>>>
>>>On Thu, 26 Oct 2023, Kroon PC, Peter wrote:
>>>>Hi Alexander and Rob,
>>>>
>>>>many thanks for your prompt responses :)
>>>>I made a new lxc machine and restored a backup so at least I have a working
>>>>environment again. I kept the broken one for further investigation which
>>>>I'll use to provide more information.
>>>>I'm not super comfortable using mailing lists, and I'm not sure whether my
>>>>mail client (outlook) will mangle my inline responses.
>>>>
>>>>Peter
>>>>
>>>>________________________________________
>>>>From: Alexander Bokovoy <[email protected]>
>>>>Sent: Wednesday 25 October 2023 20:49
>>>>To: Rob Crittenden
>>>>CC: FreeIPA users list; Kroon PC, Peter
>>>>Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
>>>>
>>>>On Wed, 25 Oct 2023, Rob Crittenden wrote:
>>>>>Alexander Bokovoy via FreeIPA-users wrote:
>>>>>> On Wed, 25 Oct 2023, Kroon PC, Peter via FreeIPA-users wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> After upgrading to Rocky linux 9.2 I'm running into issues with my IPA
>>>>>>> server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred:
>>>>>>>
>>>>>>> $ kinit admin
>>>>>>> Password for [email protected]:
>>>>>>> $ ipa show-user admin
>>>>>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (Credential cache is empty)
>>>>>>>
>>>>>>> /var/log/krb5kdc.log:
>>>>>>> okt 24 16:17:48 freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes {rep=UNSUPPORTED:(0)} HTTP/[email protected] for ldap/[email protected], TGT has been revoked
>>>>>>>
>>>>>>> As the log shows, the KDC states there is no PAC, and therefore revokes
>>>>>>> the TGT (note, I had to RTFS to decipher the S4U2PROXY_NO_HEADER_PAC).
>>>>>>> Because of this, the web gui also doesn't work.
>>>>>>
>>>>>> That is a correct description of the reason why it does not work.
>>>>>>
>>>>>>>
>>>>>>> $ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl "ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier
>>>>>>> SASL/GSSAPI authentication started
>>>>>>> SASL username: [email protected]
>>>>>>> SASL SSF: 256
>>>>>>> SASL data security layer installed.
>>>>>>> # extended LDIF
>>>>>>> #
>>>>>>> # LDAPv3
>>>>>>> # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>>>>>>> # filter: ipaNTSecurityIdentifier=*
>>>>>>> # requesting: uid ipaNTSecurityIdentifier
>>>>>>> #
>>>>>>>
>>>>>>> # admin, users, accounts, example.com
>>>>>>> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>>>>>>> uid: admin
>>>>>>> ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500
>>>>>>>
>>>>>>> # search result
>>>>>>> search: 4
>>>>>>> result: 0 Success
>>>>>>>
>>>>>>> # numResponses: 2
>>>>>>> # numEntries: 1
>>>>>>>
>>>>>>> Out of the ~200 or so users only the admin user has an
>>>>>>> ipaNTSecurityIdentifier, but I don't know if it's correct...
>>>>>>> I can't run `ipa config-mod --enable-sid --add-sids`, since my ipa CLI
>>>>>>> is broken. I do still have LDAP access fortunately.
>>>>>>
>>>>>> You can run it, see below. If you'd run it, do you have any error messages in
>>>>>> the dirsrv errors log related to the sidgen plugin?
>>>>>>
>>>>>>>
>>>>>>> I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf,
>>>>>>> but that results in the exact same error. Setting ipaKrbAuthzData=None
>>>>>>> in cn=ipaConfig also has no effect.
>>>>>>
>>>>>> No, one cannot disable PAC globally in FreeIPA. S4U operations
>>>>>> require PAC presence since last year, so for any real Kerberos service
>>>>>> that uses S4U (like IPA API or web UI) one cannot disable PAC
>>>>>> enforcement.
>>>>
>>>>This is useful information :)
>>>>
>>>>>>
>>>>>> Look at your ID range and SID configuration. You can avoid the admin issue
>>>>>> currently by running the 'ipa' tool on the IPA server as root with the '-e
>>>>>> in_server=true' option. This will force the tool to simulate direct
>>>>>> access (as if it is running within httpd) and talk directly to the LDAPI
>>>>>> socket.
>>>>>>
>>>>>> Something like below:
>>>>>>
>>>>>> # KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>>>>>> ipa: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.253
>>>>>>   Domain: ipa1.test
>>>>>>   Security Identifier: S-1-5-21-790702333-3825749031-3739951824
>>>>>>   NetBIOS name: IPA1
>>>>>>   Domain GUID: 529fcbe9-3e34-436d-a541-6ffa88e7dac1
>>>>>>   Fallback primary group: Default SMB Group
>>>>>>   IPA AD trust agents: master1.ipa1.test
>>>>>>   IPA AD trust controllers: master1.ipa1.test
>>>>
>>>>KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>>>>ipa: ERROR: : trust configuration not found
>>>
>>>Ok, let's try differently. Can you provide output of
>>>
>>># ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-EXAMPLE-COM.socket \
>>>  -b cn=ad,cn=etc,dc=example,dc=com
>>>
>>>(replace EXAMPLE-COM and dc=example,dc=com by your domain data)
>>>
>>>dn: cn=ad,cn=etc,dc=example,dc=com
>>>objectClass: nsContainer
>>>objectClass: top
>>>cn: cn
>>>cn: ad
>>>>
>>>>
>>>>>>
>>>>>> # KRB5CACHE=/dev/null ipa -e in_server=true idrange-find
>>>>>> ipa: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.253
>>>>>> ----------------
>>>>>> 5 ranges matched
>>>>>> ----------------
>>>>>>   Range name: IPA1.TEST_id_range
>>>>>>   First Posix ID of the range: 1055600000
>>>>>>   Number of IDs in the range: 200000
>>>>>>   First RID of the corresponding RID range: 1000
>>>>>>   First RID of the secondary RID range: 100000000
>>>>>>   Range type: local domain range
>>>>>>
>>>>>> ... [ skip ] ...
>>>>>>
>>>>>>
>>>>
>>>>ipa: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.251
>>>>----------------
>>>>2 ranges matched
>>>>----------------
>>>>  Range name: EXAMPLE.COM_id_range
>>>>  First Posix ID of the range: 1000
>>>>  Number of IDs in the range: 4000
>>>>  Range type: local domain range
>>>
>>>This one is definitely not configured to handle SIDs. Also, see my
>>>comment at the bottom of this email.
>>>
>>>>
>>>>  Range name: EXAMPLE.COM_subid_range
>>>>  First Posix ID of the range: 2147483648
>>>>  Number of IDs in the range: 2147352576
>>>>  First RID of the corresponding RID range: 2147479648
>>>>  Domain SID of the trusted domain: S-1-5-21-738065-838566-2966017632
>>>>  Range type: Active Directory domain range
>>>>----------------------------
>>>>Number of entries returned 2
>>>>----------------------------
>>>>
>>>>>
>>>>>In my testing you can't run config-mod without a principal, and running
>>>>>in-server does not have a principal.
>>>>>
>>>>># KRB5CACHE=/dev/null ipa -e in_server=true config-mod --add-sids --enable-sid
>>>>>[snip]
>>>>>  File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py", line 701, in pre_callback
>>>>>    self._enable_sid(ldap, options)
>>>>>  File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py", line 512, in _enable_sid
>>>>>    if not principal_has_privilege(self.api, context.principal, privilege):
>>>>>                                             ^^^^^^^^^^^^^^^^^
>>>>>AttributeError: '_thread._local' object has no attribute 'principal'
>>>>>ipa: ERROR: an internal error has occurred
>>>>
>>>>Thank you, Rob. I did not check that part.
>>>>
>>>>On an IPA master one can run the oddjobd-activated script directly:
>>>>
>>>># /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids
>>>>
>>>>$ /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids
>>>>Configuring SID generation
>>>>  [1/8]: creating samba domain object
>>>>  [error] TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>>>('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>>>The ipa-enable-sid command failed. See /var/log/ipaserver-enable-sid.log for more information
>>>>
>>>>Python traceback from the log:
>>>>2023-10-26T13:24:21Z DEBUG Traceback (most recent call last):
>>>>  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
>>>>    run_step(full_msg, method)
>>>>  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
>>>>    method()
>>>>  File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 485, in __create_samba_domain_object
>>>>    api.Backend.ldap2.add_entry(entry)
>>>>  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1893, in add_entry
>>>>    super(LDAPCache, self).add_entry(entry)
>>>>  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1659, in add_entry
>>>>    self.conn.add_s(str(entry.dn), list(attrs.items()))
>>>>  File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in add_s
>>>>    return self.add_ext_s(dn,modlist,None,None)
>>>>  File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 221, in add_ext_s
>>>>    msgid = self.add_ext(dn,modlist,serverctrls,clientctrls)
>>>>  File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 218, in add_ext
>>>>    return self._ldap_call(self._l.add_ext,dn,modlist,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
>>>>  File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
>>>>    result = func(*args,**kwargs)
>>>>TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>>>
>>>>2023-10-26T13:24:21Z DEBUG   [error] TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>>>2023-10-26T13:24:21Z DEBUG Destroyed connection context.ldap2_140617190554016
>>>>2023-10-26T13:24:21Z DEBUG   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
>>>>    return_value = self.run()
>>>>  File "/usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid", line 68, in run
>>>>    smb.create_instance()
>>>>  File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 913, in create_instance
>>>>    self.start_creation(show_service_name=False)
>>>>  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
>>>>    run_step(full_msg, method)
>>>>  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
>>>>    method()
>>>>  File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 485, in __create_samba_domain_object
>>>>    api.Backend.ldap2.add_entry(entry)
>>>>  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1893, in add_entry
>>>>    super(LDAPCache, self).add_entry(entry)
>>>>  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1659, in add_entry
>>>>    self.conn.add_s(str(entry.dn), list(attrs.items()))
>>>>  File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in add_s
>>>>    return self.add_ext_s(dn,modlist,None,None)
>>>>  File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 221, in add_ext_s
>>>>    msgid = self.add_ext(dn,modlist,serverctrls,clientctrls)
>>>>  File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 218, in add_ext
>>>>    return self._ldap_call(self._l.add_ext,dn,modlist,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
>>>>  File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
>>>>    result = func(*args,**kwargs)
>>>>
>>>>2023-10-26T13:24:21Z DEBUG The ipa-enable-sid command failed, exception: TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>>>
>>>>
>>>>I still need to see ID range and trustconfig-show output to understand
>>>>the state of this deployment. Also, the dirsrv errors log would be helpful
>>>>if there was an attempt to run sidgen in the past.
>>>>
>>>>I went through the dirsrv logs, and found the following:
>>>>[24/Oct/2023:10:25:34.071341978 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
>>>>[24/Oct/2023:10:25:34.300104111 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [52021] into an unused SID.
>>>>[24/Oct/2023:10:25:34.300266490 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
>>>>[24/Oct/2023:10:25:34.303536359 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
>>>
>>>You have a range that defines UID/GID space of [1000...5000] but IDs are
>>>outside this range. This is pretty much wrong regardless of whether we
>>>enforce SIDs or not ;)
>>>
>>>You need to create a separate ID range that would cover your existing
>>>IDs. Before that, we need to create a configuration to be used for SID
>>>generation -- if the ldapsearch above would show us that the entry in
>>>cn=ad,cn=etc,$SUFFIX does not exist.
>>>
>>>Since ipa-enable-sid has failed, probably the entry indeed does not exist and
>>>it would be easier to construct it with the ipa-ldap-updater tool:
>>>
>>>----
>>>dn: cn=${DOMAIN},cn=ad,cn=etc,${SUFFIX}
>>>default:objectClass: ipaNTDomainAttrs
>>>default:objectClass: nsContainer
>>>default:objectClass: top
>>>default:cn: ${DOMAIN}
>>>default:ipaNTFlatName: NETBIOSNAME
>>>default:ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440
>>>default:ipaNTDomainGUID: 529fcbe9-3e34-3122-a541-6786236014c1
>>>default:ipaNTFallbackPrimaryGroup: cn=Default SMB Group,cn=groups,cn=accounts,${SUFFIX}
>>>----
>>>
>>>Change 'NETBIOSNAME' above to some name. By default that would be the
>>>first part of your Kerberos realm, e.g. for IPA1.TEST that would be
>>>IPA.
>>>
>>>The SID value (S-1-5-21-...) is the one that your admin user has,
>>>without the last part (relative identifier, RID, which is -500 for the
>>>administrator case).
>>>
>>>Save this to a file named '90-somefile.update' and run as root
>>>
>>># ipa-ldap-updater ./90-somefile.update
>>>
>>>
>>>Alright, it said "update successful". The ldapsearch above now produces:
>>># ad, etc, example.com
>>>dn: cn=ad,cn=etc,dc=example,dc=com
>>>objectClass: nsContainer
>>>objectClass: top
>>>cn: cn
>>>cn: ad
>>>
>>># example.com, ad, etc, example.com
>>>dn: cn=example.com,cn=ad,cn=etc,dc=example,dc=com
>>>objectClass: ipaNTDomainAttrs
>>>objectClass: nsContainer
>>>objectClass: top
>>>cn: example.com
>>>ipaNTFlatName: MYNETBIOSNAME
>>>ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440
>>>ipaNTDomainGUID: 529fcbe9-3e34-3122-a541-6786236014c1
>>>ipaNTFallbackPrimaryGroup: cn=Default SMB Group,cn=groups,cn=accounts,dc=example,dc=com
>>>
>>>--
>>>/ Alexander Bokovoy
>>>Sr. Principal Software Engineer
>>>Security / Identity Management Engineering
>>>Red Hat Limited, Finland
>>>
>>
>>
>>
>>--
>>/ Alexander Bokovoy
>>Sr. Principal Software Engineer
>>Security / Identity Management Engineering
>>Red Hat Limited, Finland
>>
>
>
>
>
>--
>/ Alexander Bokovoy
>Sr. Principal Software Engineer
>Security / Identity Management Engineering
>Red Hat Limited, Finland
>

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
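The two checks the thread turns on, as an added example that is not code from FreeIPA or from anyone in the thread: whether every uidNumber/gidNumber falls inside a local ID range (the condition behind the sidgen "Cannot convert Posix ID [52021] into an unused SID" error), a proposal for an extra range covering the stragglers, and deriving the domain SID for the cn=ad,cn=etc entry from the admin user's SID by dropping the RID. The range values come from the thread's idrange-find output; the LDAP entries and the range name EXAMPLE.COM_legacy_range are constructed.

```python
import re

# Local ID range from the thread's `ipa idrange-find` output, as (name, base, size);
# a range covers the half-open interval [base, base + size), here 1000..4999.
ID_RANGES = [("EXAMPLE.COM_id_range", 1000, 4000)]

# Constructed sample entries (not live directory data). 52021 is the POSIX ID
# that the sidgen task in the thread could not convert into a SID.
SAMPLE_ENTRIES = [
    {"dn": "uid=admin,cn=users,cn=accounts,dc=example,dc=com",
     "uidNumber": 1000, "gidNumber": 1000},
    {"dn": "uid=peter,cn=users,cn=accounts,dc=example,dc=com",
     "uidNumber": 1200, "gidNumber": 52021},
    {"dn": "cn=legacy,cn=groups,cn=accounts,dc=example,dc=com",
     "gidNumber": 50000},
]


def in_local_range(posix_id, ranges=ID_RANGES):
    """True if posix_id lies inside at least one local ID range."""
    return any(base <= posix_id < base + size for _, base, size in ranges)


def find_uncovered(entries, ranges=ID_RANGES):
    """Return (dn, attribute, value) for every uidNumber/gidNumber that no
    local range covers; these are the entries sidgen will fail on."""
    uncovered = []
    for entry in entries:
        for attr in ("uidNumber", "gidNumber"):
            if attr in entry and not in_local_range(entry[attr], ranges):
                uncovered.append((entry["dn"], attr, entry[attr]))
    return uncovered


def propose_covering_range(uncovered, ranges=ID_RANGES,
                           name="EXAMPLE.COM_legacy_range"):
    """Propose (name, base, size) for an extra local range covering every
    uncovered ID, refusing a proposal that overlaps an existing range."""
    if not uncovered:
        return None
    ids = [value for _, _, value in uncovered]
    base, size = min(ids), max(ids) - min(ids) + 1
    for rname, rbase, rsize in ranges:
        if base < rbase + rsize and rbase < base + size:
            raise ValueError(f"proposed range overlaps {rname}")
    return (name, base, size)


# A domain user SID is S-1-5-21-<three sub-authorities>-<RID>.
USER_SID_RE = re.compile(r"^S-1-5-21(-\d+){3}-\d+$")


def domain_sid_from_user_sid(user_sid):
    """Domain SID for cn=ad,cn=etc: the user's SID minus the RID (-500 for admin)."""
    if not USER_SID_RE.match(user_sid):
        raise ValueError(f"not a domain user SID: {user_sid}")
    return user_sid.rsplit("-", 1)[0]


if __name__ == "__main__":
    bad = find_uncovered(SAMPLE_ENTRIES)
    for dn, attr, value in bad:
        print(f"{dn}: {attr}={value} is outside every local ID range")
    print("suggested range:", propose_covering_range(bad))
    print("domain SID:", domain_sid_from_user_sid(
        "S-1-5-21-3777974847-1414448952-306354440-500"))
```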
