On Thu, Feb 20, 2025 at 10:49 AM Boris <[email protected]> wrote:

> YES! great. That helped.
>
> The /etc/sssd/sssd.conf contained both IPA hosts on both IPA hosts. After
> correcting that, removing the mentioned file and restarting sssd, the login
> into the webui now works.
>
> Thanks a lot!

Glad it worked! Thanks for letting us know.
flo

> On Thu, Feb 20, 2025 at 09:52 Florence Blanc-Renaud <[email protected]> wrote:
>
>> Hi,
>>
>> On Wed, Feb 19, 2025 at 5:43 PM Boris <[email protected]> wrote:
>>
>>> yes, SELINUX seems to be disabled.
>>>
>>> [root@ipa2 ~]# kinit boris@DOMAIN
>>> Passwort für boris@DOMAIN:
>>>
>>> [root@ipa2 ~]# ipa pkinit-status
>>> -----------------
>>> 2 servers matched
>>> -----------------
>>>   Servername: ipa1.redacted
>>>   PKINIT status: disabled
>>>
>>>   Servername: ipa2.redacted
>>>   PKINIT status: enabled
>>> -------------------------------------
>>> Anzahl der zurückgegebenen Einträge 2
>>> -------------------------------------
>>>
>>> [root@ipa2 ~]# ipa-pkinit-manage status
>>> PKINIT is enabled
>>> The ipa-pkinit-manage command was successful
>>> [root@ipa2 ~]# kdestroy -A
>>> [root@ipa2 ~]# KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
>>> [55944] 1739982907.606095: Getting initial credentials for WELLKNOWN/ANONYMOUS@DOMAIN
>>> [55944] 1739982907.606097: Sending unauthenticated request
>>> [55944] 1739982907.606098: Sending request (194 bytes) to DOMAIN
>>> ...
>>>
>>> the kinit command tries to connect to ipa1; in
>>> /var/lib/sss/pubconf/kdcinfo.your_realm both addresses are listed. It is the
>>> same on the ipa1 host.
>>
>> On an IPA server, the above file should only contain the server itself.
>> Try to delete the file (it will get re-created by SSSD), and check the
>> content of /etc/sssd/sssd.conf. It should contain a section for the IPA
>> domain (with *[domain/$YOUR_DOMAIN]*) and inside this section a value
>> *ipa_server = $YOUR_SERVER*. Make sure that ipa_server has a single value,
>> containing the hostname of the machine. If it contains something like _srv_
>> it means that the server is automatically discovered using DNS records, but
>> that setting should not appear on a server.
>>
>> HTH,
>> flo
>>
>>> On Wed, Feb 19, 2025 at 17:04 Florence Blanc-Renaud <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Wed, Feb 19, 2025 at 4:07 PM Boris <[email protected]> wrote:
>>>>
>>>>> Hi flo,
>>>>>
>>>>> certificate and ca look good. The certificate is signed by the correct ca
>>>>> and just got renewed (Not Before: Feb 15 09:43:26 2025 GMT)
>>>>>
>>>>> the permissions look different (the question mark)
>>>>>
>>>>> [root@ipa2 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
>>>>> -rw-r--r-- 1 root root ? 1671 15. Feb 10:43 /var/kerberos/krb5kdc/kdc.crt
>>>>> [root@ipa2 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>>> -rw-r--r-- 1 root root ? 1294 15. Mär 2023 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>>
>>>> The question mark means that there is no selinux context for those
>>>> files. The system probably has SELINUX=disabled in /etc/selinux/config.
>>>>
>>>> Can you also check the following:
>>>> # kinit admin
>>>> # ipa pkinit-status
>>>> The above will show you which servers are enabled for PKINIT.
>>>>
>>>> # ipa-pkinit-manage status
>>>>
>>>> # kdestroy -A
>>>> # KRB5_TRACE=/dev/stdout kinit -n -c /tmp/ccache
>>>>
>>>> In the logs for kinit -n, double-check that the request is sent to ipa2.
>>>> If that's not the case, you may have a wrong config
>>>> (/var/lib/sss/pubconf/kdcinfo.your_realm should contain the IP address from
>>>> ipa2).
>>>>
>>>> flo
>>>>
>>>>> in comparison to ipa1:
>>>>> [root@ipa1 ~]# ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>>> -rw-r--r--. 1 root root system_u:object_r:realmd_var_lib_t:s0 1313 Feb 21 2022 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>>> [root@ipa1 ~]# ls -lZ /var/kerberos/krb5kdc/kdc.crt
>>>>> -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1367 Nov 29 13:19 /var/kerberos/krb5kdc/kdc.crt
>>>>>
>>>>> krb5-pkinit is installed:
>>>>> krb5-pkinit-1.19.2-9.fc35.x86_64
>>>>>
>>>>> On Wed, Feb 19, 2025 at 15:46 Florence Blanc-Renaud <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Wed, Feb 19, 2025 at 1:50 PM Boris via FreeIPA-users <[email protected]> wrote:
>>>>>>
>>>>>>> Hi list,
>>>>>>> as I am currently sorting out our freeipa problems we stumbled
>>>>>>> across another problem.
>>>>>>> After the last reboot of our secondary IPA host, we can no longer log
>>>>>>> in to the webui on the 2nd host.
>>>>>>>
>>>>>>> The webui on the first host works.
>>>>>>>
>>>>>>> I've checked some logs but was only able to find meaningful entries
>>>>>>> in the httpd log, which is this:
>>>>>>>
>>>>>>> mod_wsgi (pid=1137): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>>>>>>> Traceback (most recent call last):
>>>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/wsgi.py", line 71, in application
>>>>>>>     return api.Backend.wsgi_dispatch(environ, start_response)
>>>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 301, in __call__
>>>>>>>     return self.route(environ, start_response)
>>>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 313, in route
>>>>>>>     return app(environ, start_response)
>>>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1066, in __call__
>>>>>>>     result = attempt_kinit(user_principal, password,
>>>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 996, in attempt_kinit
>>>>>>>     self.kinit(user_principal, password,
>>>>>>>   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 1094, in kinit
>>>>>>>     kinit_armor(
>>>>>>>   File "/usr/lib/python3.10/site-packages/ipalib/install/kinit.py", line 129, in kinit_armor
>>>>>>>     run(args, env=env, raiseonerr=True, capture_error=True)
>>>>>>>   File "/usr/lib/python3.10/site-packages/ipapython/ipautil.py", line 599, in run
>>>>>>>     raise CalledProcessError(
>>>>>>> ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1137', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\n')
>>>>>>>
>>>>>> What is the content of this kdc.crt certificate?
>>>>>> openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt
>>>>>> The output will tell us if it's a self-signed PKINIT cert or signed
>>>>>> by the IPA CA (look for the Issuer: value in the output).
>>>>>>
>>>>>> Does the kdc-ca-bundle.pem contain the CA that signed this certificate?
>>>>>> openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout
>>>>>>
>>>>>> On a working system I see the following permissions for the above files:
>>>>>> # ls -lZ /var/kerberos/krb5kdc/kdc.crt
>>>>>> -rw-r--r--. 1 root root system_u:object_r:krb5kdc_conf_t:s0 1866 Feb 19 14:02 /var/kerberos/krb5kdc/kdc.crt
>>>>>> # ls -lZ /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>>>> -rw-r--r--. 1 root root unconfined_u:object_r:realmd_var_lib_t:s0 3266 Feb 19 14:05 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>>>>>
>>>>>> Do you have the package krb5-pkinit installed on your machine?
>>>>>>
>>>>>> flo
>>>>>>
>>>>>>> Does someone know in which direction I need to debug further?
>>>>>>>
>>>>>>> Cheers
>>>>>>> Boris
>>>>>>> --
>>>>>>> The "UTF-8 problems" self-help group meets, exceptionally, in the large hall this time.

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
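The two settings flo points to above (ipa_server in /etc/sssd/sssd.conf being a single value that names the server itself, and the SSSD-generated kdcinfo file listing only that server) are easy to check read-only before deleting anything. The script below is an added example and not part of the thread or of FreeIPA/SSSD; the domain name, hostnames, addresses and sample files it writes are constructed, and the assumption that kdcinfo holds one `address:port` entry per line is labelled in the code.

```shell
#!/bin/sh
# Added example, not from the thread: read-only checks for the misconfiguration
# the thread ended on. On an IPA *server*, the [domain/...] section of
# /etc/sssd/sssd.conf must set ipa_server to exactly one value, the server's own
# hostname (no second server, no _srv_ DNS discovery), and the SSSD-generated
# /var/lib/sss/pubconf/kdcinfo.REALM should then name only that server.
# Everything written under the temp dir below is a constructed sample.

# check_ipa_server CONF HOSTNAME: succeed only if ipa_server inside a
# [domain/...] section of CONF is the single value HOSTNAME.
check_ipa_server() {
    conf="$1"; me="$2"
    # Keep only ipa_server lines that sit inside a [domain/...] section,
    # stripping the key, the '=' and surrounding whitespace.
    val=$(awk '
        /^[ \t]*\[/ { in_dom = ($0 ~ /^[ \t]*\[domain\//) }
        in_dom && /^[ \t]*ipa_server[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
        }' "$conf")
    case "$val" in
        "")      echo "FAIL: no ipa_server in a [domain/...] section of $conf"; return 1 ;;
        *,*)     echo "FAIL: ipa_server lists more than one host: $val"; return 1 ;;
        *_srv_*) echo "FAIL: ipa_server uses DNS discovery (_srv_); a server must name itself"; return 1 ;;
    esac
    n=$(printf '%s\n' "$val" | awk 'END { print NR }')
    if [ "$n" -ne 1 ]; then
        echo "FAIL: ipa_server is set $n times in $conf"; return 1
    fi
    if [ "$val" != "$me" ]; then
        echo "FAIL: ipa_server=$val but this host is $me"; return 1
    fi
    echo "OK: ipa_server=$val"
}

# check_kdcinfo FILE ADDRESS: succeed only if every entry in FILE is ADDRESS.
# Assumption: SSSD writes one KDC per line as "address" or "address:port".
check_kdcinfo() {
    file="$1"; expect="$2"
    if [ ! -f "$file" ]; then
        echo "INFO: $file not present; SSSD recreates it on restart"; return 0
    fi
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        case "$line" in
            "$expect"|"$expect:88") ;;
            *) echo "FAIL: $file lists $line, expected only $expect"; bad=1 ;;
        esac
    done < "$file"
    [ "$bad" -eq 0 ] && echo "OK: $file lists only $expect"
    return "$bad"
}

# write_samples DIR: constructed sample files reproducing the thread's state
# (both servers listed on the server itself) and the corrected state.
write_samples() {
    dir="$1"
    cat > "$dir/sssd-bad.conf" <<'EOF'
[sssd]
domains = example.test
services = nss, pam, ifp

[domain/example.test]
id_provider = ipa
ipa_server = ipa1.example.test, ipa2.example.test
ipa_hostname = ipa2.example.test
EOF
    cat > "$dir/sssd-fixed.conf" <<'EOF'
[sssd]
domains = example.test
services = nss, pam, ifp

[domain/example.test]
id_provider = ipa
ipa_server = ipa2.example.test
ipa_hostname = ipa2.example.test
EOF
    printf '192.0.2.11:88\n192.0.2.12:88\n' > "$dir/kdcinfo-bad"
    printf '192.0.2.12:88\n' > "$dir/kdcinfo-fixed"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "--- before the fix (both servers listed on ipa2) ---"
check_ipa_server "$tmp/sssd-bad.conf" ipa2.example.test
check_kdcinfo "$tmp/kdcinfo-bad" 192.0.2.12
echo "--- after the fix ---"
check_ipa_server "$tmp/sssd-fixed.conf" ipa2.example.test
check_kdcinfo "$tmp/kdcinfo-fixed" 192.0.2.12
rm -rf "$tmp"
```

On a real server the same functions run against the live files, e.g. `check_ipa_server /etc/sssd/sssd.conf "$(hostname -f)"` and `check_kdcinfo /var/lib/sss/pubconf/kdcinfo.YOUR_REALM <this server's IP>`; a FAIL from the first is the condition flo describes, and the kdcinfo file is only worth deleting once sssd.conf is corrected, since SSSD regenerates it from that setting.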
