yes, SELINUX seems to be disabled.

[root@ipa2 ~]# kinit boris@DOMAIN
Passwort für boris@DOMAIN:
[root@ipa2 ~]# ipa pkinit-status
-----------------
2 servers matched
-----------------
  Servername: ipa1.redacted
  PKINIT status: disabled

  Servername: ipa2.redacted
  PKINIT status: enabled
-------------------------------------
Anzahl der zurückgegebenen Einträge 2
-------------------------------------
[root@ipa2 ~]# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful
[root@ipa2 ~]# kdestroy -A
[root@ipa2 ~]# KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
[55944] 1739982907.606095: Getting initial credentials for WELLKNOWN/ANONYMOUS@DOMAIN
[55944] 1739982907.606097: Sending unauthenticated request
[55944] 1739982907.606098: Sending request (194 bytes) to DOMAIN
...

The kinit command tries to connect to ipa1; /var/lib/sss/pubconf/kdcinfo.your_realm contains both addresses. It is the same on the ipa1 host.

On Wed, 19 Feb 2025 at 17:04, Florence Blanc-Renaud <[email protected]> wrote:

> Hi,
>
> On Wed, Feb 19, 2025 at 4:07 PM Boris <[email protected]> wrote:
>
>> Hi flo,
>>
>> certificate and ca looks good. Certificate is signed by the correct ca
>> and just got renewed (Not Before: Feb 15 09:43:26 2025 GMT)
>>
>> the permissions look different (the question mark)
>>
>> [root@ipa2 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
>> -rw-r--r-- 1 root root ? 1671 15. Feb 10:43 /var/kerberos/krb5kdc/kdc.crt
>> [root@ipa2 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>> -rw-r--r-- 1 root root ? 1294 15. Mär 2023 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>
>
> The question mark means that there is no selinux context for those files.
> The system probably has SELINUX=disabled in /etc/selinux/config.
>
> Can you also check the following:
> # kinit admin
> # ipa pkinit-status
> The above will show you which servers are enabled for PKINIT.
>
> # ipa-pkinit-manage status
>
> # kdestroy -A
> # KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
>
> In the logs for kinit -n, double-check that the request is sent to ipa2.
> If that's not the case, you may have a wrong config
> (/var/lib/sss/pubconf/kdcinfo.your_realm should contain the IP address from
> ipa2).
>
> flo
>
>
>> in comparison to the ipa1
>> [root@ipa1 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>> -rw-r--r--. 1 root root system_u:object_r:realmd_var_lib_t:s0 1313 Feb 21 2022 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>> [root@ipa1 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
>> -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1367 Nov 29 13:19 /var/kerberos/krb5kdc/kdc.crt
>>
>> The krb5-pkinit is installed
>> krb5-pkinit-1.19.2-9.fc35.x86_64
>>
>>
>> On Wed, 19 Feb 2025 at 15:46, Florence Blanc-Renaud <[email protected]> wrote:
>>
>>> Hi,
>>>
>>>
>>> On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users <[email protected]> wrote:
>>>
>>>> Hi list,
>>>> as I am currently sorting out our freeipa problems we stumbled across
>>>> another problem.
>>>> After the last reboot of our secondary IPA host, we can no longer log in
>>>> to the webui on the 2nd host.
>>>>
>>>> The webui on the first host works.
>>>>
>>>> I've checked some logs but was only able to find meaningful entries in
>>>> the httpd log, which is this:
>>>>
>>>> mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>>>> Traceback (most recent call last):
>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application
>>>>     return api.Backend.wsgi_dispatch(environ, start_response)
>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__
>>>>     return self.route(environ, start_response)
>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route
>>>>     return app(environ, start_response)
>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__
>>>>     result = attempt_kinit(user_principal, password,
>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit
>>>>     self.kinit(user_principal, password,
>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit
>>>>     kinit_armor(
>>>>   File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor
>>>>     run(args, env=env, raiseonerr=True, capture_error=True)
>>>>   File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run
>>>>     raise CalledProcessError(
>>>> ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\\n')
>>>>
>>>
>>> What is the content of this kdc.crt certificate?
>>> openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt
>>> The output will tell us if it's a self-signed PKINIT cert or signed by
>>> IPA CA (look for the Issuer: value in the output).
>>>
>>> Does the kdc-ca-bundle.pem contain the CA that signed this certificate?
>>> openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout
>>>
>>> On a working system I see the following permissions for the above files:
>>> # ls -lZ /var/kerberos/krb5kdc/kdc.crt
>>> -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt
>>> # ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>> -rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>
>>> Do you have the package krb5-pkinit installed on your machine?
>>>
>>> flo
>>>
>>>> Does someone know in which direction I need to debug further?
>>>>
>>>> Cheers
>>>> Boris
>>>> --
>>>> The "UTF-8 problems" self-help group meets this time in the large hall instead.
>>>> --
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- [email protected]
>>>> To unsubscribe send an email to [email protected]
>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>>>
>>>
>>
>
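The check Florence asks for above (does the anonymous `kinit -n` request reach a server where PKINIT is enabled, and does kdcinfo only list such servers) can be automated. The script below is an added example for this thread, not FreeIPA project code; the `ipa pkinit-status` output, the kdcinfo file contents, the address-to-hostname mapping and the KRB5_TRACE excerpt are all constructed samples with placeholder hosts and addresses, and the trace lines follow the MIT krb5 "Sending TCP request to stream ADDR:PORT" format.

```python
"""Added example (not FreeIPA code): cross-check the KDC that an anonymous
PKINIT `kinit -n` contacted against `ipa pkinit-status` and the SSSD kdcinfo
file, so a replica with PKINIT disabled is spotted before the webui armor
ccache fails. All inputs below are constructed samples."""
import re

# --- constructed sample inputs ----------------------------------------------

# `ipa pkinit-status` output, same layout as in the thread (English locale)
PKINIT_STATUS_SAMPLE = """\
-----------------
2 servers matched
-----------------
  Servername: ipa1.example.test
  PKINIT status: disabled

  Servername: ipa2.example.test
  PKINIT status: enabled
----------------------------
Number of entries returned 2
----------------------------
"""

# /var/lib/sss/pubconf/kdcinfo.EXAMPLE.TEST as SSSD writes it: one KDC
# address per line (constructed; both replicas listed, as reported above)
KDCINFO_SAMPLE = "192.0.2.1\n192.0.2.2\n"

# Which address belongs to which replica (constructed; in practice derive it
# from DNS or /etc/hosts)
ADDRESS_TO_HOST = {
    "192.0.2.1": "ipa1.example.test",
    "192.0.2.2": "ipa2.example.test",
}

# KRB5_TRACE excerpt for `kinit -n` (constructed, MIT krb5 trace format)
KRB5_TRACE_SAMPLE = """\
[55944] 1739982907.606095: Getting initial credentials for WELLKNOWN/ANONYMOUS@EXAMPLE.TEST
[55944] 1739982907.606097: Sending unauthenticated request
[55944] 1739982907.606098: Sending request (194 bytes) to EXAMPLE.TEST
[55944] 1739982907.606100: Sending TCP request to stream 192.0.2.1:88
[55944] 1739982907.606101: Received answer (308 bytes) from stream 192.0.2.1:88
"""

# --- parsers ---------------------------------------------------------------

def parse_pkinit_status(text):
    """Map 'Servername' -> True when its 'PKINIT status' line says enabled."""
    status, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Servername:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("PKINIT status:") and current:
            status[current] = line.split(":", 1)[1].strip().lower() == "enabled"
            current = None
    return status

def parse_kdcinfo(text):
    """kdcinfo is one address (optionally with :port) per line."""
    return [l.strip().rsplit(":", 1)[0] if l.count(":") == 1 else l.strip()
            for l in text.splitlines() if l.strip()]

# "Sending TCP request to stream A:P" / "Sending initial UDP request to dgram A:P"
_SEND_RE = re.compile(
    r"Sending (?:TCP|initial UDP|retry UDP) request to (?:stream|dgram) (\S+?):(\d+)")

def kdcs_contacted(trace):
    """Addresses kinit actually sent requests to, in order, de-duplicated."""
    seen = []
    for m in _SEND_RE.finditer(trace):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

# --- the actual check -------------------------------------------------------

def diagnose(trace, kdcinfo_text, pkinit_status, addr_to_host):
    """Return a list of findings; an empty list means the setup looks consistent."""
    findings = []
    if not any(pkinit_status.values()):
        findings.append("no server has PKINIT enabled; anonymous PKINIT cannot work")
    contacted = kdcs_contacted(trace)
    if not contacted:
        findings.append("trace shows no request reaching any KDC")
    for addr in contacted:
        host = addr_to_host.get(addr, addr)
        if host not in pkinit_status:
            findings.append(f"request went to {addr} ({host}), which is not a known IPA server")
        elif not pkinit_status[host]:
            findings.append(f"request went to {host} ({addr}), which has PKINIT disabled")
    for addr in parse_kdcinfo(kdcinfo_text):
        host = addr_to_host.get(addr, addr)
        if host in pkinit_status and not pkinit_status[host]:
            findings.append(f"kdcinfo lists {addr} ({host}) although PKINIT is disabled there")
    return findings

if __name__ == "__main__":
    status = parse_pkinit_status(PKINIT_STATUS_SAMPLE)
    for finding in diagnose(KRB5_TRACE_SAMPLE, KDCINFO_SAMPLE, status, ADDRESS_TO_HOST):
        print("WARN:", finding)
```

With the constructed inputs the script reports two findings: the request went to ipa1, where PKINIT is disabled, and kdcinfo still lists ipa1. Either enabling PKINIT on the first replica or making SSSD point only at the PKINIT-capable KDC empties the findings list.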
