On 07-09-18 10:13, Alexander Bokovoy wrote:
> On Fri, 07 Sep 2018, Kees Bakker via FreeIPA-users wrote:
>> On 06-09-18 15:16, Kees Bakker via FreeIPA-users wrote:
>>> [...]
>>>
>>> Also, when I access the IPA server using a browser it fails with
>>> Login failed due to an unknown reason.
>>>
>>> In /var/log/apache2/error.log there is this:
>>> ---------------------8X-----------------8X------------------
>>> [Thu Sep 06 12:00:28.720410 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38596] ipa: INFO: [jsonserver_kerb] host/[email protected]: schema(version=u'2.170'): SUCCESS
>>> [Thu Sep 06 12:01:00.010427 2018] [:warn] [pid 6140:tid 140076243191552] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/[email protected])!, referer: https://usrv1.ijtest.nl/ipa/xml
>>> [Thu Sep 06 12:01:00.099271 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/[email protected]: ping(): SUCCESS
>>> [Thu Sep 06 12:01:00.101695 2018] [:warn] [pid 6140:tid 140076130498304] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/[email protected])!, referer: https://usrv1.ijtest.nl/ipa/xml
>>> [Thu Sep 06 12:01:00.273013 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/[email protected]: ca_is_enabled(version=u'2.107'): SUCCESS
>>> [Thu Sep 06 12:01:02.805635 2018] [:warn] [pid 6140:tid 140076234798848] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/[email protected])!, referer: https://usrv1.ijtest.nl/ipa/xml
>>> [Thu Sep 06 12:01:02.999541 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/[email protected]: host_mod(u'usrv1.ijtest.nl', ipasshpubkey=(), updatedns=False, version=u'2.26'): EmptyModlist
>>> [Thu Sep 06 13:02:22.125841 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] mod_wsgi (pid=6138): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>>> [Thu Sep 06 13:02:22.125877 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] Traceback (most recent call last):
>>> [Thu Sep 06 13:02:22.125898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/share/ipa/wsgi.py", line 57, in application
>>> [Thu Sep 06 13:02:22.125961 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     return api.Backend.wsgi_dispatch(environ, start_response)
>>> [Thu Sep 06 13:02:22.125972 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 265, in __call__
>>> [Thu Sep 06 13:02:22.128833 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     return self.route(environ, start_response)
>>> [Thu Sep 06 13:02:22.128846 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 277, in route
>>> [Thu Sep 06 13:02:22.128860 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     return app(environ, start_response)
>>> [Thu Sep 06 13:02:22.128872 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 935, in __call__
>>> [Thu Sep 06 13:02:22.128881 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     self.kinit(user_principal, password, ipa_ccache_name)
>>> [Thu Sep 06 13:02:22.128886 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 971, in kinit
>>> [Thu Sep 06 13:02:22.128892 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
>>> [Thu Sep 06 13:02:22.128898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipalib/install/kinit.py", line 125, in kinit_armor
>>> [Thu Sep 06 13:02:22.133878 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     run(args, env=env, raiseonerr=True, capture_error=True)
>>> [Thu Sep 06 13:02:22.133892 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 572, in run
>>> [Thu Sep 06 13:02:22.138435 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014]     p.returncode, arg_string, output_log, error_log
>>> [Thu Sep 06 13:02:22.138488 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/var/run/ipa/ccaches/armor_6138', '-X', 'X509_anchors=FILE:/var/lib/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: "kinit: Pre-authentication failed: Cannot open file '/var/lib/krb5kdc/kdc.crt': Permission denied while getting initial credentials\\n")
>>> ---------------------8X-----------------8X------------------
>>>
>>
>> The problem with this seems to be related to the fact that directory
>> /var/lib/krb5kdc
>> is only readable for root.
>>
>> $ ls -ld /var/lib/krb5kdc
>> drwx------ 2 root root 4096 Feb  5  2018 /var/lib/krb5kdc
>>
>> If I chmod the directory to 711 it is possible to login via the browser.
> I wonder what was used to change it because the krb5-server package installs
> it as 755:
>
> # rpm -qlv krb5-server| grep /var/kerberos/krb5kdc
> drwxr-xr-x    2 root    root                        0 Aug  1 19:19 /var/kerberos/krb5kdc
> -rw-------    1 root    root                       22 Aug  1 19:13 /var/kerberos/krb5kdc/kadm5.acl
> -rw-------    1 root    root                      458 Aug  1 19:13 /var/kerberos/krb5kdc/kdc.conf
>
I'm using Ubuntu 18.04, where it is /var/lib/krb5kdc and this directory has chmod 700.
That is true on Ubuntu 16.04 as well. Ubuntu 16.04 has freeipa-server 4.3.1-0ubuntu1.
The Ubuntu 18.04 FreeIPA server installation (4.7.0~pre1+git20180411-2ubuntu2)
places a few files in /var/lib/krb5kdc (that's new).

So the question is: what was changed (in freeipa?) that it now wants read access of /var/lib/krb5kdc?
-- 
Kees
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
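The traceback in the thread ends with kinit, run from the Apache worker, being unable to open /var/lib/krb5kdc/kdc.crt because the directory is mode 700, and chmod 711 on the directory was what made browser login work. As an added example (not code from the thread or from FreeIPA), the POSIX shell script below walks the permission chain to a given PKINIT anchor file and reports the first component an unprivileged account (assumed here to be Apache's www-data on Ubuntu) cannot traverse or read; it assumes GNU `stat -c %a` and builds a constructed stand-in for /var/lib/krb5kdc under a temp directory instead of touching the real one.

```shell
#!/bin/sh
# Added example, not from the thread: can an unprivileged service account
# (Apache's www-data, which runs the FreeIPA WSGI app that calls "kinit -n
# -X X509_anchors=FILE:...") reach a PKINIT anchor? Every directory on the
# path needs the "other" traverse (x) bit, the file the "other" read (r) bit.
# Only GNU "stat -c %a" mode bits are checked; group membership and ACLs are
# ignored, so "ok" is necessary for access, not sufficient.
# anchor_check PATH: prints "ok", or the first blocking component and why.
anchor_check() {
    rest=${1#/}      # drop the leading slash and walk component by component
    prefix=""
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        prefix="$prefix/$comp"
        mode=$(stat -c '%a' "$prefix" 2>/dev/null) || { echo "missing: $prefix"; return 1; }
        other=${mode#"${mode%?}"}   # last octal digit: permissions for "other"
        if [ -d "$prefix" ]; then
            case $other in
                1|3|5|7) ;;                 # traverse bit set, keep walking
                *) echo "no traverse: $prefix (mode $mode)"; return 1 ;;
            esac
        else
            case $other in
                4|5|6|7) ;;                 # read bit set
                *) echo "no read: $prefix (mode $mode)"; return 1 ;;
            esac
        fi
    done
    echo ok
}
# make_demo_tree: constructed stand-in for /var/lib/krb5kdc as the thread
# describes it (directory mode 700 with kdc.crt inside); prints its path.
make_demo_tree() {
    base=$(mktemp -d) && chmod 755 "$base"  # mktemp -d makes 700, which would
    mkdir "$base/krb5kdc"                    # itself block the walk
    chmod 700 "$base/krb5kdc"
    printf 'constructed placeholder, not a certificate\n' > "$base/krb5kdc/kdc.crt"
    chmod 644 "$base/krb5kdc/kdc.crt"
    echo "$base/krb5kdc"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_demo_tree)
    anchor_check "$d/kdc.crt" || :   # no traverse: .../krb5kdc (mode 700)
    chmod 711 "$d"                   # the change the thread settled on
    anchor_check "$d/kdc.crt"        # ok
    rm -rf "${d%/krb5kdc}"
fi
```

Run it as `sh check.sh demo` to see both verdicts; 711 on the directory suffices because kinit needs to traverse the directory, not list it, so kdc.conf and kadm5.acl can stay 600 while kdc.crt (a public certificate) stays readable.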
