Hi,
On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users <[email protected]> wrote:
> Hi list,
> as I am currently sorting out our freeipa problems we stumbled across
> another problem.
> After the last reboot of our 2ndary IPA host, we can no longer log in to
> the webui on the 2nd host.
>
> The webui on the first host works.
>
> I've checked some logs but was only able to find meaningful entries in the
> httpd log, which is this:
>
> mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> Traceback (most recent call last):
>   File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application
>     return api.Backend.wsgi_dispatch(environ, start_response)
>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__
>     return self.route(environ, start_response)
>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route
>     return app(environ, start_response)
>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__
>     result = attempt_kinit(user_principal, password,
>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit
>     self.kinit(user_principal, password,
>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit
>     kinit_armor(
>   File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor
>     run(args, env=env, raiseonerr=True, capture_error=True)
>   File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run
>     raise CalledProcessError(
> ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\n')
>

What is the content of this kdc.crt certificate?

  openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt

The output will tell us if it's a self-signed PKINIT cert or signed by the IPA CA (look for the Issuer: value in the output).

Does the kdc-ca-bundle.pem contain the CA that signed this certificate?

  openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout

On a working system I see the following permissions for the above files:

  # ls -lZ /var/kerberos/krb5kdc/kdc.crt
  -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt
  # ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
  -rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem

Do you have the package krb5-pkinit installed on your machine?

flo

> Does someone know in which direction I need to debug further?
>
> Cheers
> Boris
> --
> The "UTF-8 problems" self-help group meets this time, exceptionally, in the large hall.
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
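As an added example (my own script, not from either mail), a small POSIX sh helper that automates the checks flo lists: that both anchor files the failing kinit command names are readable, what kdc.crt's subject and issuer are, whether kdc-ca-bundle.pem actually contains the CA that signed kdc.crt, and whether krb5-pkinit is installed. The file paths come from the traceback; the function names and exit codes are my own choices.

```sh
#!/bin/sh
# Added example: sanity checks for the two PKINIT anchor files that the
# kinit command in the traceback is given. Not part of FreeIPA.
# Exit codes of check_pkinit_anchors: 0 ok, 1 bundle does not contain the
# signer of kdc.crt, 2 a file is missing or not readable.

KDC_CRT_DEFAULT=/var/kerberos/krb5kdc/kdc.crt
BUNDLE_DEFAULT=/var/lib/ipa-client/pki/kdc-ca-bundle.pem

# Print subject and issuer of a PEM certificate, one per line.
cert_identity() {
    openssl x509 -noout -subject -issuer -in "$1"
}

# check_pkinit_anchors [KDC_CRT] [BUNDLE]
check_pkinit_anchors() {
    kdc_crt=${1:-$KDC_CRT_DEFAULT}
    bundle=${2:-$BUNDLE_DEFAULT}

    # kinit is spawned from the mod_wsgi process in the traceback, so run
    # this as the same user to see what it sees (mode, owner, SELinux label).
    for f in "$kdc_crt" "$bundle"; do
        if [ ! -r "$f" ]; then
            echo "NOT READABLE: $f" >&2
            return 2
        fi
    done

    echo "kdc.crt:"
    cert_identity "$kdc_crt" | sed 's/^/  /'
    echo "bundle holds $(grep -c 'BEGIN CERTIFICATE' "$bundle") certificate(s)"

    # Does a CA in the bundle sign kdc.crt? -partial_chain also accepts an
    # intermediate CA in the bundle as the trust anchor.
    if openssl verify -CAfile "$bundle" -partial_chain "$kdc_crt" >/dev/null 2>&1; then
        echo "OK: kdc.crt chains to a CA in $bundle"
        return 0
    fi
    echo "FAIL: no CA in $bundle signed $kdc_crt" >&2
    return 1
}

# Is the PKINIT preauth plugin package present (rpm-based systems)?
pkinit_plugin_installed() {
    command -v rpm >/dev/null 2>&1 && rpm -q krb5-pkinit >/dev/null 2>&1
}

if [ "${1:-}" = "--run" ]; then
    check_pkinit_anchors "$2" "$3"
    pkinit_plugin_installed || echo "krb5-pkinit is not installed" >&2
fi
```

Run it as `sh pkinit-anchors.sh --run` on the affected replica, optionally passing the two file paths; a nonzero exit tells you which of flo's questions to look at first.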
