I have two FreeIPA servers in a cluster, both running on RHEL 8.9. They started on RHEL 8.0 I believe, and have been upgraded in-place since then. I recently restarted the FreeIPA services, which triggered an ipa-server-upgrade to upgrade from 4.9.11 to 4.9.12. When that ran, it errored out on some expired certificates, which I fixed with ipa-cert-fix, and then ipa-server-upgrade finished successfully.
Now, when I or any of my users try to log on to the web UI, we get the error "Your session has expired. Please log in again."

Also, when I try to run any ipa command on the command line, I get the error:

    ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa01.semi.example.net/ipa/session/json, https://ipa02.semi.example.net/ipa/session/json

I've traced down lots of errors, and I think this one is the most relevant:

    401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)

I see it in /var/log/httpd/error_log, in the body of the HTTP response from https://ipa01.semi.example.net/ipa/session/json in my web browser, and in the output from the command ipa --debug.

Also, in /var/log/krb5kdc.log, I see:

    Jan 17 01:14:47 ipa01.semi.example.net krb5kdc[55855](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.16.121.5: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1705454084, etypes {rep=UNSUPPORTED:(0)} HTTP/[email protected] for ldap/[email protected], KDC policy rejects request

I have krb5 1.18.2 installed. disable_pac is not present in /var/kerberos/krb5kdc/kdc.conf.

I think I'm experiencing the same issue seen in the recent thread at https://lists.fedorahosted.org/archives/list/[email protected]/thread/DLYLL54LBTT4FVJLIFFWVAPQOEU4GWW7/ (subject line "api authorization stopped working after upgrade to 4.9.12-11 on RHEL8").

I don't think any of my users or groups have an SID (ipantsecurityidentifier). This FreeIPA cluster was installed on RHEL 8.0 (or thereabouts), and the servers have been upgraded in-place since then. We've never integrated with any Active Directory or Microsoft product.
This command has no output, showing that even the admin user does not have an SID:

    ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b cn=users,cn=accounts,dc=semi,dc=example,dc=net uid=admin '*' + | grep -i ipantsecurityidentifier

The solution from the other thread, and from https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts#proc_enabling-security-identifiers-sids-in-idm_assembly_strengthening-kerberos-security-with-pac-information, does not work for me, since the ipa command doesn't work, not even for the admin user:

    [[email protected] ~] # kinit admin
    Password for [email protected]:
    [[email protected] ~] # ipa config-mod --enable-sid --add-sids
    ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa01.semi.example.net/ipa/json, https://ipa02.semi.example.net/ipa/json

I found an alternative method at https://freeipa.readthedocs.io/en/latest/designs/adtrust/sidconfig.html#troubleshooting-and-debugging, but this also does not work for me:

    [[email protected] ~] # ldapmodify -H ldapi://%2Frun%2Fslapd-SEMI-EXAMPLE-NET.socket -f /tmp/ipa-sidgen-task-run.ldif
    SASL/GSSAPI authentication started
    SASL username: [email protected]
    SASL SSF: 256
    SASL data security layer installed.
    adding new entry "cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config"
    ldap_add: No such object (32)

I think ipa-sidgen-task does not exist in my LDAP directory, but I'm not sure if I understand how this is supposed to work. I don't see ipa-sidgen-task or anything like it from this search:

    ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b cn=config | grep cn=tasks

Can anyone help me here?
I think if I could get an ipantsecurityidentifier attribute properly set up on my user or on the admin user, then I would be able to use the ipa command to get SIDs enabled and created everywhere.

--
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
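As an added diagnostic example (not code from the original post, and not part of FreeIPA), the script below automates the two checks the post does by hand: it scans krb5kdc.log for TGS_REQ lines the KDC refused with S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC, recording which service principal was proxying and to what, and it parses the LDIF that the post's ldapsearch prints for user entries and lists every account with no ipaNTSecurityIdentifier. The sample log lines and LDIF entries are constructed: the first log line follows the shape of the one quoted in the post with assumed principal names (the post's copy is redacted), the second "ISSUE" line and the users alice and bob with their SIDs are assumptions, and the hostnames and base DN are the ones the post uses.

```python
"""Added diagnostic for the post's two observations: S4U2PROXY rejections in
krb5kdc.log and user entries without ipaNTSecurityIdentifier. All sample
input below is constructed (see the comment on each constant)."""
import base64
import re
from typing import Dict, List

PAC_REJECT = "S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC"

# Constructed sample: line 1 mirrors the shape of the krb5kdc.log line quoted in
# the post (principal names are assumed; the post's copy is redacted), line 2 is
# an assumed ordinary successful TGS_REQ ("ISSUE") for contrast.
SAMPLE_KDC_LOG = """\
Jan 17 01:14:47 ipa01.semi.example.net krb5kdc[55855](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 172.16.121.5: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1705454084, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa01.semi.example.net@SEMI.EXAMPLE.NET for ldap/ipa01.semi.example.net@SEMI.EXAMPLE.NET, KDC policy rejects request
Jan 17 01:15:02 ipa01.semi.example.net krb5kdc[55855](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 172.16.121.9: ISSUE: authtime 1705454100, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, alice@SEMI.EXAMPLE.NET for ldap/ipa01.semi.example.net@SEMI.EXAMPLE.NET
"""

# Constructed sample in the shape ldapsearch prints under the post's base DN:
# admin has no SID (the post's situation), alice's SID is folded over two lines,
# bob's is base64-encoded, and the trailing search/result lines have no dn.
_BOB_SID = "S-1-5-21-1111111111-2222222222-3333333333-1002"
SAMPLE_LDIF = f"""\
dn: uid=admin,cn=users,cn=accounts,dc=semi,dc=example,dc=net
uid: admin

dn: uid=alice,cn=users,cn=accounts,dc=semi,dc=example,dc=net
uid: alice
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-33333
 33333-1001

dn: uid=bob,cn=users,cn=accounts,dc=semi,dc=example,dc=net
uid: bob
ipaNTSecurityIdentifier:: {base64.b64encode(_BOB_SID.encode()).decode()}

search: 2
result: 0 Success
"""

_TGS = re.compile(r"TGS_REQ .*?\) (?P<client_ip>[\d.]+): (?P<status>[A-Z0-9_]+): "
                  r"authtime (?P<authtime>\d+)")
_PRINC = re.compile(r"\s(?P<client>\S+@\S+) for (?P<server>[^\s,]+)")


def find_pac_rejections(log_text: str) -> List[Dict[str, str]]:
    """One record per TGS_REQ the KDC refused because the S4U2PROXY evidence
    ticket carried no PAC: client IP, authtime and the two principals."""
    records = []
    for line in log_text.splitlines():
        m = _TGS.search(line)
        if not m or m.group("status") != PAC_REJECT:
            continue
        rec = m.groupdict()
        p = _PRINC.search(line)          # "<proxying service> for <target service>"
        rec["client"] = p.group("client") if p else ""
        rec["server"] = p.group("server") if p else ""
        records.append(rec)
    return records


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, lower-cases attribute names, skips comments and dn-less blocks."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:     # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries


def users_missing_sid(entries: List[Dict[str, List[str]]]) -> List[str]:
    """uids of user entries that carry no ipaNTSecurityIdentifier at all."""
    return [e["uid"][0] for e in entries
            if "uid" in e and "ipantsecurityidentifier" not in e]


def diagnose(kdc_log: str, ldif: str) -> Dict[str, object]:
    """Correlate the two symptoms into one report."""
    rejections = find_pac_rejections(kdc_log)
    return {
        "pac_rejections": len(rejections),
        "proxying_services": sorted({r["client"] for r in rejections}),
        "users_missing_sid": users_missing_sid(parse_ldif(ldif)),
    }


if __name__ == "__main__":
    for key, val in diagnose(SAMPLE_KDC_LOG, SAMPLE_LDIF).items():
        print(f"{key}: {val}")
```

To run it against a real deployment, feed diagnose() the contents of /var/log/krb5kdc.log and the output of the post's ldapsearch over cn=users,cn=accounts (without the trailing grep); a non-zero pac_rejections count together with a non-empty users_missing_sid list is the combination the post describes.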
