Hi,

On Wed, Feb 19, 2025 at 5:43 PM Boris <[email protected]> wrote:
> yes, SELINUX seems to be disabled.
>
> [root@ipa2 ~]# kinit boris@DOMAIN
> Passwort für boris@DOMAIN:
>
> [root@ipa2 ~]# ipa pkinit-status
> -----------------
> 2 servers matched
> -----------------
>   Servername: ipa1.redacted
>   PKINIT status: disabled
>
>   Servername: ipa2.redacted
>   PKINIT status: enabled
> -------------------------------------
> Anzahl der zurückgegebenen Einträge 2
> -------------------------------------
>
> [root@ipa2 ~]# ipa-pkinit-manage status
> PKINIT is enabled
> The ipa-pkinit-manage command was successful
> [root@ipa2 ~]# kdestroy -A
> [root@ipa2 ~]# KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
> [55944] 1739982907.606095: Getting initial credentials for WELLKNOWN/ANONYMOUS@DOMAIN
> [55944] 1739982907.606097: Sending unauthenticated request
> [55944] 1739982907.606098: Sending request (194 bytes) to DOMAIN
> ...
>
> The kinit command tries to connect to ipa1; both addresses are in
> /var/lib/sss/pubconf/kdcinfo.your_realm. It is the same on the ipa1 host.
>

On an IPA server, the above file should only contain the server itself. Try to
delete the file (it will get re-created by SSSD), and check the content of
/etc/sssd/sssd.conf. It should contain a section for the IPA domain (with
*[domain/$YOUR_DOMAIN]*) and inside this section a value *ipa_server =
$YOUR_SERVER*. Make sure that ipa_server has a single value, containing the
hostname of the machine. If it contains something like _srv_ it means that the
server is automatically discovered using DNS records, but that setting should
not appear on a server.

HTH,
flo

> On Wed, Feb 19, 2025 at 17:04, Florence Blanc-Renaud <[email protected]> wrote:
>> Hi,
>>
>> On Wed, Feb 19, 2025 at 4:07 PM Boris <[email protected]> wrote:
>>> Hi flo,
>>>
>>> The certificate and CA look good. The certificate is signed by the correct CA
>>> and just got renewed (Not Before: Feb 15 09:43:26 2025 GMT).
>>>
>>> The permissions look different (the question mark):
>>>
>>> [root@ipa2 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
>>> -rw-r--r-- 1 root root ? 1671 15. Feb 10:43 /var/kerberos/krb5kdc/kdc.crt
>>> [root@ipa2 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>> -rw-r--r-- 1 root root ? 1294 15. Mär 2023 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>
>> The question mark means that there is no selinux context for those files.
>> The system probably has SELINUX=disabled in /etc/selinux/config.
>>
>> Can you also check the following:
>> # kinit admin
>> # ipa pkinit-status
>> The above will show you which servers are enabled for PKINIT.
>>
>> # ipa-pkinit-manage status
>>
>> # kdestroy -A
>> # KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
>>
>> In the logs for kinit -n, double-check that the request is sent to ipa2.
>> If that's not the case, you may have a wrong config
>> (/var/lib/sss/pubconf/kdcinfo.your_realm should contain the IP address from
>> ipa2).
>>
>> flo
>>
>>> In comparison, on ipa1:
>>> [root@ipa1 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>> -rw-r--r--. 1 root root system_u:object_r:realmd_var_lib_t:s0 1313 Feb 21 2022 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>> [root@ipa1 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
>>> -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1367 Nov 29 13:19 /var/kerberos/krb5kdc/kdc.crt
>>>
>>> krb5-pkinit is installed:
>>> krb5-pkinit-1.19.2-9.fc35.x86_64
>>>
>>> On Wed, Feb 19, 2025 at 15:46, Florence Blanc-Renaud <[email protected]> wrote:
>>>> Hi,
>>>>
>>>> On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users <[email protected]> wrote:
>>>>> Hi list,
>>>>> as I am currently sorting out our freeipa problems we stumbled across
>>>>> another problem.
>>>>> After the last reboot of our secondary IPA host, we can no longer log in
>>>>> to the webui on the 2nd host.
>>>>>
>>>>> The webui on the first host works.
>>>>>
>>>>> I've checked some logs but was only able to find meaningful entries in
>>>>> the httpd log, which is this:
>>>>>
>>>>> mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>>>>> Traceback (most recent call last):
>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application
>>>>>     return api.Backend.wsgi_dispatch(environ, start_response)
>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__
>>>>>     return self.route(environ, start_response)
>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route
>>>>>     return app(environ, start_response)
>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__
>>>>>     result = attempt_kinit(user_principal, password,
>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit
>>>>>     self.kinit(user_principal, password,
>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit
>>>>>     kinit_armor(
>>>>>   File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor
>>>>>     run(args, env=env, raiseonerr=True, capture_error=True)
>>>>>   File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run
>>>>>     raise CalledProcessError(
>>>>> ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\n')
>>>>>
>>>> What is the content of this kdc.crt certificate?
>>>> openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt
>>>> The output will tell us if it's a self-signed PKINIT cert or signed by
>>>> IPA CA (look for the Issuer: value in the output).
>>>>
>>>> Does the kdc-ca-bundle.pem contain the CA that signed this certificate?
>>>> openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout
>>>>
>>>> On a working system I see the following permissions for the above files:
>>>> # ls -lZ /var/kerberos/krb5kdc/kdc.crt
>>>> -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt
>>>> # ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>> -rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>>
>>>> Do you have the package krb5-pkinit installed on your machine?
>>>>
>>>> flo
>>>>
>>>>> Does someone know in which direction I need to debug further?
>>>>>
>>>>> Cheers
>>>>> Boris
>>>>> --
>>>>> The "UTF-8 Problems" self-help group will meet this time, by way of exception, in the big hall.
>>>>> --
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list -- [email protected]
>>>>> To unsubscribe send an email to [email protected]
>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
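As an added example that is not part of this thread and not FreeIPA or SSSD code, the POSIX shell script below turns the two checks flo asks for into repeatable functions: that an IPA server's /var/lib/sss/pubconf/kdcinfo.$REALM names only the server itself, and that the [domain/...] section of /etc/sssd/sssd.conf carries one explicit ipa_server value with no _srv_ and no second host. Paths, the domain and the server's own address are parameters; the realm ipa.example.test and the 192.0.2.x addresses in demo() are constructed, and the script assumes kdcinfo holds one IPv4 address or hostname per line, optionally followed by ":port".

```shell
#!/bin/sh
# Added example for the thread above (not FreeIPA or SSSD code): check the two
# SSSD settings flo points at. On an IPA server, the SSSD kdcinfo file
# (/var/lib/sss/pubconf/kdcinfo.$REALM) should list only the server itself, and
# the [domain/...] section of /etc/sssd/sssd.conf should carry one explicit
# ipa_server value: no _srv_ DNS discovery, no second host.
# File paths, the domain and the server's own address are parameters so the
# checks can be run against constructed copies. The realm ipa.example.test and
# the addresses 192.0.2.11/192.0.2.12 used by demo() are constructed.
# Assumption: kdcinfo holds one IPv4 address or hostname per line, optionally
# followed by ":port" (IPv6 is not handled here).

# check_kdcinfo FILE SELF_ADDR
# Returns 0 only if FILE names exactly SELF_ADDR and nothing else.
check_kdcinfo() {
    file=$1
    self=$2
    if [ ! -f "$file" ]; then
        echo "missing $file (SSSD recreates it on its next KDC lookup)"
        return 1
    fi
    n=$(grep -c . "$file" || true)          # non-empty lines = KDC entries
    if [ "$n" -ne 1 ]; then
        echo "$file lists $n KDCs; an IPA server should list only itself ($self)"
        return 1
    fi
    addr=$(grep . "$file" | sed 's/:[0-9][0-9]*$//')   # drop optional :port
    if [ "$addr" != "$self" ]; then
        echo "$file points at $addr, not at this server ($self)"
        return 1
    fi
    return 0
}

# sssd_ipa_server CONF DOMAIN
# Prints the ipa_server value from the [domain/DOMAIN] section of CONF
# (empty output if the section or the key is absent).
sssd_ipa_server() {
    awk -v sec="[domain/$2]" '
        $0 == sec                      { insec = 1; next }
        /^[[]/                         { insec = 0 }
        insec && /^[ \t]*ipa_server[ \t]*=/ {
            sub(/^[ \t]*ipa_server[ \t]*=[ \t]*/, "")
            sub(/[ \t]*$/, "")
            print
            exit
        }' "$1"
}

# check_sssd_conf CONF DOMAIN SELF_HOST
# Returns 0 only if ipa_server in [domain/DOMAIN] is exactly SELF_HOST.
check_sssd_conf() {
    value=$(sssd_ipa_server "$1" "$2")
    case "$value" in
        "")      echo "no ipa_server in [domain/$2] of $1"; return 1 ;;
        *_srv_*) echo "ipa_server uses DNS discovery (_srv_); a server should name itself: $3"; return 1 ;;
        *,*)     echo "ipa_server lists several hosts ($value); a server should name only itself"; return 1 ;;
        "$3")    return 0 ;;
        *)       echo "ipa_server is $value, expected $3"; return 1 ;;
    esac
}

# demo: write constructed copies of both files to a temp dir and confirm the
# checks reject the thread's misconfiguration and accept the corrected one.
demo() {
    d=$(mktemp -d) || return 1
    dom=ipa.example.test
    # constructed: kdcinfo listing both replicas (the symptom Boris reports)
    printf '192.0.2.11\n192.0.2.12\n' > "$d/kdcinfo.bad"
    # constructed: kdcinfo listing only this server
    printf '192.0.2.12:88\n' > "$d/kdcinfo.good"
    printf '[sssd]\ndomains = %s\n\n[domain/%s]\nid_provider = ipa\nipa_server = _srv_, ipa1.%s\n' \
        "$dom" "$dom" "$dom" > "$d/sssd.bad.conf"
    printf '[sssd]\ndomains = %s\n\n[domain/%s]\nid_provider = ipa\nipa_server = ipa2.%s\n' \
        "$dom" "$dom" "$dom" > "$d/sssd.good.conf"
    rc=0
    if check_kdcinfo "$d/kdcinfo.bad" 192.0.2.12; then rc=1; fi
    check_kdcinfo "$d/kdcinfo.good" 192.0.2.12 || rc=1
    if check_sssd_conf "$d/sssd.bad.conf" "$dom" "ipa2.$dom"; then rc=1; fi
    check_sssd_conf "$d/sssd.good.conf" "$dom" "ipa2.$dom" || rc=1
    rm -rf "$d"
    return $rc
}

# Usage on a real server: check_kdcinfo /var/lib/sss/pubconf/kdcinfo.$REALM <ip>
#                         check_sssd_conf /etc/sssd/sssd.conf <domain> "$(hostname -f)"
# Run "sh thisfile.sh demo" for the constructed self-test.
if [ "${1:-}" = "demo" ]; then demo; fi
```

The value parsing deliberately rejects a comma-separated list as well as _srv_, because either one lets the server's own SSSD hand out a KDC other than itself, which is exactly what the kinit -n trace in the thread showed (the request going to ipa1 instead of ipa2).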
