Ok, I was able to restore the last state from backup and `ipa-replica-manage re-initialize --from ipa2` fixed the replication errors in the log.
Going to postpone the update to next week. That was really scary.

On Fri, 21 Feb 2025 at 16:11, Boris <[email protected]> wrote:

> I've checked some more logs.
>
> The krb5kdc.log is flooded with these logs
> Feb 21 16:01:42 ipa1.redacted krb5kdc[1344](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.255.11: NEEDED_PREAUTH: boris@redacted for krbtgt/redacted@redacted, Additional pre-authentication required
> Feb 21 16:01:42 ipa1.redacted krb5kdc[1344](info): closing down fd 11
> Feb 21 16:01:43 ipa1.redacted krb5kdc[1344](info): preauth (spake) verify failure: More preauthentication data is required
> Feb 21 16:01:43 ipa1.redacted krb5kdc[1344](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.255.11: PREAUTH_FAILED: boris@redacted for krbtgt/redacted@redacted, More preauthentication data is required
> ...
> Feb 21 16:01:45 ipa1.redacted krb5kdc[1344](info): AS_REQ : handle_authdata (2)
> Feb 21 16:01:45 ipa1.redacted krb5kdc[1344](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.255.11: HANDLE_AUTHDATA: boris@redacted for krbtgt/redacted@redacted, No such file or directory
>
> But I still haven't found anything that leads in any direction.
>
> On Fri, 21 Feb 2025 at 13:11, Boris <[email protected]> wrote:
>
>> Hi,
>>
>> sorry to pester this mailing list with my problems.
>>
>> After you people helped me to get the old problems off the table I did a
>> Fedora upgrade to 39 with the freeipa-server-4.12.2-1.fc39.x86_64
>>
>> dnf upgrade --refresh
>> dnf system-upgrade download --releasever=39
>> dnf system-upgrade reboot
>> ipa-server-upgrade
>>
>> This all went through without errors.
>>
>> But now the web interface login gives the error "Username or password
>> incorrect". This is what the httpd log says:
>>
>> ipa: DEBUG: WSGI wsgi_dispatch.__call__:
>> ipa: DEBUG: WSGI login_password.__call__:
>> ipa: DEBUG: Valid Referer https://ipa1.redacted/ipa/ui/
>> ipa: DEBUG: Obtaining armor in ccache /run/ipa/ccaches/armor_1378
>> ipa: DEBUG: Initializing anonymous ccache
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1378', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem']
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: Initializing principal boris using password
>> ipa: DEBUG: Using armor ccache /run/ipa/ccaches/armor_1378 for FAST webauth
>> ipa: DEBUG: Requesting principal canonicalization
>> ipa: DEBUG: Using enterprise principal
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=['/usr/bin/kinit', '-c', '/run/ipa/ccaches/kinit_1378', '-T', '/run/ipa/ccaches/armor_1378', '-C', '-E', '--', 'boris']
>> ipa: DEBUG: Process finished, return code=1
>> ipa: DEBUG: stdout=Password for boris@redacted:
>>
>> ipa: DEBUG: stderr=kinit: Generic error (see e-text) while getting initial credentials
>>
>> ipa: DEBUG: Cleanup the armor ccache
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=['/usr/bin/kdestroy', '-A', '-c', '/run/ipa/ccaches/armor_1378']
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=
>> ipa: INFO: 401 Unauthorized: kinit: Generic error (see e-text) while getting initial credentials
>>
>> and when I try a kinit on the terminal of ipa1 I receive
>>
>> [root@ipa1 ~]# kinit boris@redacted
>> Password for boris@redacted:
>> kinit: Generic error (see e-text) while getting initial credentials
>>
>> The ipa2 is still on Fedora 37 and the login works there.

--
The "UTF-8 problems" self-help group is meeting in the large hall this time, as an exception.
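Added example, not part of the thread or of FreeIPA: a small triage script for a flooded krb5kdc.log like the one quoted in the message above, which drops the routine NEEDED_PREAUTH leg of each AS exchange and counts the remaining outcomes per client. The regex covers only the request-line shape shown in the thread; the sample lines are constructed in that shape with a shortened etype list.

```python
import re
from collections import Counter

# Shape of the krb5kdc request lines quoted in the thread:
# <ts> <host> krb5kdc[pid](info): AS_REQ (N etypes {...}) <ip>: <STATUS>: <client> for <service>, <text>
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\}\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?P<client>\S+) for (?P<service>\S+?), (?P<text>.*)$"
)

# NEEDED_PREAUTH is the normal first leg of a preauthenticated AS exchange,
# so it is noise when looking for the status that actually ended a request.
ROUTINE = {"NEEDED_PREAUTH"}


def parse(line):
    """Return the fields of one request line, or None for any other line."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Count non-routine outcomes per (client, status, text)."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        if ev and ev["status"] not in ROUTINE:
            counts[(ev["client"], ev["status"], ev["text"])] += 1
    return counts


# Constructed sample in the shape of the thread's log lines (etype list shortened).
P = "ipa1.redacted krb5kdc[1344](info):"
REQ = "AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.255.11:"
WHO = "boris@redacted for krbtgt/redacted@redacted,"
SAMPLE = [
    f"Feb 21 16:01:42 {P} {REQ} NEEDED_PREAUTH: {WHO} Additional pre-authentication required",
    f"Feb 21 16:01:42 {P} closing down fd 11",
    f"Feb 21 16:01:43 {P} {REQ} PREAUTH_FAILED: {WHO} More preauthentication data is required",
    f"Feb 21 16:01:45 {P} AS_REQ : handle_authdata (2)",
    f"Feb 21 16:01:45 {P} {REQ} HANDLE_AUTHDATA: {WHO} No such file or directory",
]

if __name__ == "__main__":
    for (client, status, text), n in triage(SAMPLE).most_common():
        print(f"{n:4d}  {status:16s} {client}  {text}")
```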
