Hello all,

Has anyone seen this issue or have suggestions?

We had FreeIPA configured a few years ago by a team that is now gone.
Several months ago we had an issue where passwords seemed to expire and
authentication started failing for users. For example, we were not able to
log in to the LDAP server via ssh as an LDAP user; it shows "Permission
denied":

[fred@fred ~]$ ssh cr0777kk@biobb-ss
cr0777kk@biobb-ss's password:
Permission denied, please try again.
...

We checked the user status in LDAP and it is not locked and has the correct
permissions. Then we noticed that the server is marked as LOCKED by
Kerberos in the Kerberos log (/var/log/krb5kdc.log):

root ldap-p1  ~
# grep biobb-ss /var/log/krb5kdc.log | tail
May 16 15:49:51 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example....@freeipa.example.com for krbtgt/freeipa.example....@freeipa.example.com, Clients credentials have been revoked
...


We used to work around this issue by re-enrolling the server in the LDAP DB:

On the LDAP server, we execute these commands:
# kinit <LDAP_Admin>
# ipa host-del biobb-ss.freeipa.example.com
# ipa host-add biobb-ss.freeipa.example.com --password xxxxxxxxxxx
# ipa hostgroup-add-member dev --hosts=biobb-ss.freeipa.example.com


This worked in the past, but now the second command (to delete the
server from the LDAP DB) fails. If we re-execute the same command, it
shows three different errors, in the order below:

Here is what we see now:

# ipa host-del host.freeipa.example.com
ipa: ERROR: cannot connect to 'https://host.freeipa.example.com:443/ca/agent/ca/displayBySerial': (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

# ipa host-del host.freeipa.example.com
ipa: ERROR: cannot connect to 'https://host.freeipa.example.com:443/ca/agent/ca/displayBySerial': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

# ipa host-del host.freeipa.example.com
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.


When we restart the IPA services (ipactl restart), we see the following
errors in the errors log:

[18/May/2017:12:04:24 -0500] - 389-Directory/1.2.11.15 B2016.155.1910 starting up
[18/May/2017:12:04:24 -0500] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[18/May/2017:12:04:24 -0500] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped.  To recover the encrypted contents, keep the wrapped symmetric key value.
[18/May/2017:12:04:24 -0500] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
[18/May/2017:12:04:24 -0500] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped.  To recover the encrypted contents, keep the wrapped symmetric key value.
[18/May/2017:12:04:24 -0500] attrcrypt - All prepared ciphers are not available. Please disable attribute encryption.
[18/May/2017:12:04:24 -0500] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[18/May/2017:12:04:24 -0500] - Listening on All Interfaces port 7390 for LDAPS requests
[18/May/2017:12:04:24 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[18/May/2017:12:04:24 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-biogendb-p2.wgap.ibm.com-pki-ca" (biogendb-p2:7389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.)
[18/May/2017:12:04:27 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[18/May/2017:12:04:33 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[18/May/2017:12:04:45 -0500] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)


Has anyone seen this issue before?  Thank you in advance.


-Vin
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
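As an added example (my own, not from Vin's post or the FreeIPA project), a small POSIX shell triage helper that parses the two log signals the post quotes: LOCKED_OUT answers in krb5kdc.log and attrcrypt key-unwrap failures in the 389-ds errors log. The sample log text, hostnames, IPs, realm and timestamps below are constructed to match the formats shown in the post, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: triage helpers for the two log
# signals discussed above. The log lines below are CONSTRUCTED to match the
# formats shown in the post (krb5kdc.log and the 389-ds errors log);
# hostnames, IPs, realm and timestamps are made up.

SAMPLE_KDC_LOG='May 16 15:49:51 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example.com@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
May 16 15:50:12 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example.com@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
May 16 15:51:03 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.60: ISSUE: authtime 1494967863, etypes {rep=18 tkt=18 ses=18}, alice@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM
May 16 15:52:40 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.61: LOCKED_OUT: host/web01.freeipa.example.com@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM, Clients credentials have been revoked'

SAMPLE_DS_ERRORS='[18/May/2017:12:04:24 -0500] - 389-Directory/1.2.11.15 B2016.155.1910 starting up
[18/May/2017:12:04:24 -0500] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[18/May/2017:12:04:24 -0500] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
[18/May/2017:12:04:24 -0500] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests'

# Read krb5kdc.log text on stdin; print "count principal client_ip" for every
# principal the KDC answered with LOCKED_OUT, most frequent first.
locked_out_summary() {
    awk '
        /LOCKED_OUT:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "LOCKED_OUT:") {
                    ip = $(i - 1); sub(/:$/, "", ip)   # field before is "a.b.c.d:"
                    count[$(i + 1) " " ip]++           # field after is the principal
                }
            }
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Exit 0 if the host principal for the FQDN in $1 appears as LOCKED_OUT on stdin.
host_is_locked_out() {
    grep -qF "LOCKED_OUT: host/$1@"
}

# Read a 389-ds errors log on stdin; print the cipher names whose wrapped
# attribute-encryption key could not be unwrapped, one per line.
attrcrypt_failed_ciphers() {
    sed -n 's/.*attrcrypt_unwrap_key: failed to unwrap key for cipher \([^ ]*\).*/\1/p'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_KDC_LOG" | locked_out_summary
printf '%s\n' "$SAMPLE_DS_ERRORS" | attrcrypt_failed_ciphers
```

On a real server the same functions read the live files, e.g. `locked_out_summary < /var/log/krb5kdc.log`. The summary tells you which principals the KDC is refusing with "Clients credentials have been revoked" (the text of KRB5KDC_ERR_CLIENT_REVOKED) and from which client addresses, and the second function tells you which attrcrypt ciphers lost their wrapping key, which is the other thing to collect before touching certificates or NSS databases.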