Paul Nickerson via FreeIPA-users wrote:
> I have two FreeIPA servers in a cluster, both running on RHEL 8.9. They
> started on RHEL 8.0 I believe, and have been upgrading in-place since then. I
> recently restarted the FreeIPA services, which triggered an
> ipa-server-upgrade to upgrade from 4.9.11 to 4.9.12. When that ran, it
> errored out on some expired certificates, which I fixed with ipa-cert-fix,
> and then the ipa-server-upgrade's finished successfully.
>
> Now, when I or any of my users try to log on to the web UI, we get the error
> "Your session has expired. Please log in again."
> Also, when I try to run any ipa command on the command line, I get the error:
> ipa: ERROR: cannot connect to 'any of the configured servers':
> https://ipa01.semi.example.net/ipa/session/json,
> https://ipa02.semi.example.net/ipa/session/json
>
> I've traced down lots of errors, and I think this one is the most relevant:
> 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI
> Error: Unspecified GSS failure. Minor code may provide more information
> (Credential cache is empty)
> I see it in /var/log/httpd/error_log, in the body of the HTTP response from
> https://ipa01.semi.example.net/ipa/session/json in my web browser, and in the
> output from the command ipa --debug
>
> Also, in /var/log/krb5kdc.log, I see:
> Jan 17 01:14:47 ipa01.semi.example.net krb5kdc[55855](info): TGS_REQ (6
> etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.16.121.5:
> S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1705454084, etypes
> {rep=UNSUPPORTED:(0)} HTTP/[email protected] for
> ldap/[email protected], KDC policy rejects request
>
> I have krb5 1.18.2 installed. disable_pac is not present in
> /var/kerberos/krb5kdc/kdc.conf.
>
> I think I'm experiencing the same issue seen in the recent thread at
> https://lists.fedorahosted.org/archives/list/[email protected]/thread/DLYLL54LBTT4FVJLIFFWVAPQOEU4GWW7/
> (subject line "api authorization stopped working after upgrade to 4.9.12-11
> on RHEL8").
>
> I don't think any of my users or groups have an SID
> (ipantsecurityidentifier). This FreeIPA cluster was installed on RHEL 8.0 (or
> thereabouts), and the servers have been upgraded in-place since then. We've
> never integrated with any Active Directory or Microsoft product.
>
> This command has no output, showing that even the admin user does not have an
> SID:
> ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager"
> -W -b cn=users,cn=accounts,dc=semi,dc=example,dc=net uid=admin '*' + | grep
> -i ipantsecurityidentifier
>
> The solution from the other thread, and from
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts#proc_enabling-security-identifiers-sids-in-idm_assembly_strengthening-kerberos-security-with-pac-information,
> does not work for me, since the ipa command doesn't work, not even for the
> admin user:
>
> [[email protected] ~]
> # kinit admin
> Password for [email protected]:
> [[email protected] ~]
> # ipa config-mod --enable-sid --add-sids
> ipa: ERROR: cannot connect to 'any of the configured servers':
> https://ipa01.semi.example.net/ipa/json,
> https://ipa02.semi.example.net/ipa/json
>
> I found an alternative method at
> https://freeipa.readthedocs.io/en/latest/designs/adtrust/sidconfig.html#troubleshooting-and-debugging,
> but this also does not work for me:
>
> [[email protected] ~]
> # ldapmodify -H ldapi://%2Frun%2Fslapd-SEMI-EXAMPLE-NET.socket -f
> /tmp/ipa-sidgen-task-run.ldif
> SASL/GSSAPI authentication started
> SASL username: [email protected]
> SASL SSF: 256
> SASL data security layer installed.
> adding new entry "cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config"
> ldap_add: No such object (32)
>
> I think ipa-sidgen-task does not exist in my LDAP directory, but I'm not sure
> if I understand how this is supposed to work. I don't see ipa-sidgen-task or
> anything like it from this search:
> ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager"
> -W -b cn=config | grep cn=tasks
>
> Can anyone help me here? I think if I could get an ipantsecurityidentifier
> attribute properly set up on my user or on the admin user, then I would be
> able to use the ipa command to get SIDs enabled and created everywhere.
Try, as root:

# /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids

rob
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
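As an added defender-side example (not code from this thread or from the FreeIPA project), the Python below parses krb5kdc.log lines in the layout quoted above and flags TGS requests the KDC refused with S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC, so the "no SID / no PAC" symptom can be spotted on every server after an upgrade instead of by reading the log by hand. The log lines, hostnames and principals are constructed placeholders, and the line layout is assumed from the quoted example rather than taken from a formal grammar.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed krb5kdc.log TGS_REQ layout, modelled on the line quoted in the thread:
# "<ts> <host> krb5kdc[<pid>](info): TGS_REQ (<n> etypes {...}) <ip>: <STATUS>:
#  authtime <n>, etypes {...}[,] <client> for <server>[, <reason>]"
TGS_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+krb5kdc\[\d+\]\(info\):\s+"
    r"TGS_REQ\s+\(\d+\s+etypes\s+\{[^}]*\}\)\s+(?P<ip>[\d.]+):\s+"
    r"(?P<status>[A-Z0-9_]+):\s+authtime\s+\d+,\s+etypes\s+\{[^}]*\},?\s+"
    r"(?P<client>\S+)\s+for\s+(?P<server>\S+)(?:,\s+(?P<reason>.+))?$"
)
MISSING_PAC = "S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC"


@dataclass
class TgsEvent:
    timestamp: str
    kdc_host: str
    client_ip: str
    status: str
    client_principal: str   # service doing the S4U2Proxy request (HTTP/...)
    server_principal: str   # service it wants a ticket for (ldap/...)
    reason: Optional[str]


def parse_tgs_line(line: str) -> Optional[TgsEvent]:
    """Parse one TGS_REQ log line; any other line (AS_REQ, etc.) yields None."""
    m = TGS_LINE.match(line.strip())
    if m is None:
        return None
    return TgsEvent(m["ts"], m["host"], m["ip"], m["status"],
                    m["client"], m["server"], m["reason"])


def find_missing_pac_rejections(lines: Iterable[str]) -> List[TgsEvent]:
    """Keep only S4U2Proxy requests refused because the forwarded user ticket
    carried no PAC, the rejection that breaks the web UI / ipa CLI login."""
    return [e for e in map(parse_tgs_line, lines)
            if e is not None and e.status == MISSING_PAC]


# Constructed sample log: a normal TGS issue, an AS_REQ, and one PAC rejection.
SAMPLE_LOG = [
    "Jan 17 01:14:40 ipa01.example.test krb5kdc[55855](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 172.16.121.5: ISSUE: authtime 1705454084, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha384-192(20)}, alice@EXAMPLE.TEST for HTTP/ipa01.example.test@EXAMPLE.TEST",
    "Jan 17 01:14:41 ipa01.example.test krb5kdc[55855](info): AS_REQ (6 etypes {20, 19, 18, 17, 26, 25}) 172.16.121.9: ISSUE: authtime 1705454081, etypes {rep=20, tkt=18, ses=20}, bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "Jan 17 01:14:47 ipa01.example.test krb5kdc[55855](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.16.121.5: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1705454084, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa01.example.test@EXAMPLE.TEST for ldap/ipa01.example.test@EXAMPLE.TEST, KDC policy rejects request",
]

if __name__ == "__main__":
    for ev in find_missing_pac_rejections(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.kdc_host}: {ev.client_principal} -> "
              f"{ev.server_principal} from {ev.client_ip}: {ev.reason}")
```

Point it at a real /var/log/krb5kdc.log with `find_missing_pac_rejections(open(path))`; a non-empty result after an upgrade is the cue to enable SIDs as suggested in the reply above.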
