On 07-09-18 11:50, Alexander Bokovoy wrote:
> On Fri, 07 Sep 2018, Kees Bakker wrote:
>> On 07-09-18 10:13, Alexander Bokovoy wrote:
>>> On Fri, 07 Sep 2018, Kees Bakker via FreeIPA-users wrote:
>>>> On 06-09-18 15:16, Kees Bakker via FreeIPA-users wrote:
>>>>> [...]
>>>>>
>>>>> Also, when I access the IPA server using a browser it fails with
>>>>>     Login failed due to an unknown reason.
>>>>>
>>>>> In /var/log/apache2/error.log there is this:
>>>>> ---------------------8X-----------------8X------------------
>>>>> [Thu Sep 06 12:00:28.720410 2018] [wsgi:error] [pid 6137:tid 
>>>>> 140075658061568] [remote 10.83.0.11:38596] ipa: INFO: [jsonserver_kerb] 
>>>>> host/[email protected]: schema(version=u'2.170'): SUCCESS
>>>>> [Thu Sep 06 12:01:00.010427 2018] [:warn] [pid 6140:tid 140076243191552] 
>>>>> [client 10.83.0.11:38608] failed to set perms (3140) on file 
>>>>> (/var/run/ipa/ccaches/[email protected])!, referer: 
>>>>> https://usrv1.ijtest.nl/ipa/xml
>>>>> [Thu Sep 06 12:01:00.099271 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: 
>>>>> [jsonserver_session] host/[email protected]: ping(): SUCCESS
>>>>> [Thu Sep 06 12:01:00.101695 2018] [:warn] [pid 6140:tid 140076130498304] 
>>>>> [client 10.83.0.11:38608] failed to set perms (3140) on file 
>>>>> (/var/run/ipa/ccaches/[email protected])!, referer: 
>>>>> https://usrv1.ijtest.nl/ipa/xml
>>>>> [Thu Sep 06 12:01:00.273013 2018] [wsgi:error] [pid 6137:tid 
>>>>> 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: 
>>>>> [jsonserver_session] host/[email protected]: 
>>>>> ca_is_enabled(version=u'2.107'): SUCCESS
>>>>> [Thu Sep 06 12:01:02.805635 2018] [:warn] [pid 6140:tid 140076234798848] 
>>>>> [client 10.83.0.11:38608] failed to set perms (3140) on file 
>>>>> (/var/run/ipa/ccaches/[email protected])!, referer: 
>>>>> https://usrv1.ijtest.nl/ipa/xml
>>>>> [Thu Sep 06 12:01:02.999541 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: 
>>>>> [jsonserver_session] host/[email protected]: 
>>>>> host_mod(u'usrv1.ijtest.nl', ipasshpubkey=(), updatedns=False, 
>>>>> version=u'2.26'): EmptyModlist
>>>>> [Thu Sep 06 13:02:22.125841 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014] mod_wsgi (pid=6138): 
>>>>> Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>>>>> [Thu Sep 06 13:02:22.125877 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014] Traceback (most recent call 
>>>>> last):
>>>>> [Thu Sep 06 13:02:22.125898 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014]   File 
>>>>> "/usr/share/ipa/wsgi.py", line 57, in application
>>>>> [Thu Sep 06 13:02:22.125961 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014]     return 
>>>>> api.Backend.wsgi_dispatch(environ, start_response)
>>>>> [Thu Sep 06 13:02:22.125972 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014]   File 
>>>>> "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 265, in 
>>>>> __call__
>>>>> [Thu Sep 06 13:02:22.128833 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014]     return 
>>>>> self.route(environ, start_response)
>>>>> [Thu Sep 06 13:02:22.128846 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014]   File 
>>>>> "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 277, in 
>>>>> route
>>>>> [Thu Sep 06 13:02:22.128860 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014]     return app(environ, 
>>>>> start_response)
>>>>> [Thu Sep 06 13:02:22.128872 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014]   File 
>>>>> "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 935, in 
>>>>> __call__
>>>>> [Thu Sep 06 13:02:22.128881 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014]     
>>>>> self.kinit(user_principal, password, ipa_ccache_name)
>>>>> [Thu Sep 06 13:02:22.128886 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014]   File 
>>>>> "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 971, in 
>>>>> kinit
>>>>> [Thu Sep 06 13:02:22.128892 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014]     
>>>>> pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
>>>>> [Thu Sep 06 13:02:22.128898 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014]   File 
>>>>> "/usr/lib/python2.7/dist-packages/ipalib/install/kinit.py", line 125, in 
>>>>> kinit_armor
>>>>> [Thu Sep 06 13:02:22.133878 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014]     run(args, env=env, 
>>>>> raiseonerr=True, capture_error=True)
>>>>> [Thu Sep 06 13:02:22.133892 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014]   File 
>>>>> "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 572, in run
>>>>> [Thu Sep 06 13:02:22.138435 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014]     p.returncode, 
>>>>> arg_string, output_log, error_log
>>>>> [Thu Sep 06 13:02:22.138488 2018] [wsgi:error] [pid 6138:tid 
>>>>> 140075658061568] [remote 172.16.16.30:38014] CalledProcessError: 
>>>>> CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', 
>>>>> '/var/run/ipa/ccaches/armor_6138', '-X', 
>>>>> 'X509_anchors=FILE:/var/lib/krb5kdc/kdc.crt', '-X', 
>>>>> 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned 
>>>>> non-zero exit status 1: "kinit: Pre-authentication failed: Cannot open 
>>>>> file '/var/lib/krb5kdc/kdc.crt': Permission denied while getting initial 
>>>>> credentials\\n")
>>>>> ---------------------8X-----------------8X------------------
>>>>>
>>>>
>>>> The problem with this seems to be related to the fact that directory
>>>> /var/lib/krb5kdc is only readable for root.
>>>>
>>>> $ ls -ld /var/lib/krb5kdc
>>>> drwx------ 2 root root 4096 Feb  5  2018 /var/lib/krb5kdc
>>>>
>>>> If I chmod the directory to 711 it is possible to login via the browser.
>>> I wonder what was used to change it because krb5-server package installs
>>> it as 755:
>>>
>>> # rpm -qlv krb5-server| grep /var/kerberos/krb5kdc
>>> drwxr-xr-x    2 root    root                        0 Aug  1 19:19 
>>> /var/kerberos/krb5kdc
>>> -rw-------    1 root    root                       22 Aug  1 19:13 
>>> /var/kerberos/krb5kdc/kadm5.acl
>>> -rw-------    1 root    root                      458 Aug  1 19:13 
>>> /var/kerberos/krb5kdc/kdc.conf
>>>
>>
>> I'm using Ubuntu 18.04, where it is /var/lib/krb5kdc and this directory has
>> chmod 700. That is true on Ubuntu 16.04 as well. Ubuntu 16.04 has
>> freeipa-server 4.3.1-0ubuntu1.
>>
>> The Ubuntu 18.04 FreeIPA server installation
>> (4.7.0~pre1+git20180411-2ubuntu2) places a few files in /var/lib/krb5kdc
>> (that's new).
>>
>> So the question is: what was changed (in freeipa?) that it now wants read
>> access to /var/lib/krb5kdc?
> We need access to the KDC's public certificate in case we are dealing
> with a KDC certificate issued by a local certmonger (self-signed) which
> is not trusted by the machine.
>
> You can read https://www.freeipa.org/page/V4/Kerberos_PKINIT for
> details. A short version is:
> --------
> When you install 4.5 with --no-pkinit, the installer will generate
> self-signed certificate for PKINIT. This certificate is only used and
> trusted by IPA Web UI running on the same server to obtain an anonymous
> ticket.
> --------
>
> That anonymous PKINIT is required right now to enable two-factor
> authentication login to web UI because since FreeIPA 4.5 we cannot use
> HTTP service keytab anymore: FreeIPA framework lost access to the keytab
> due to privilege separation work we did (read
> https://vda.li/en/docs/freeipa-debug-privsep/ for details)
>
> Since your KDC PKINIT certificate might be issued by a local self-signed
> certmonger 'CA' in case you are not using integrated FreeIPA CA, we have
> to be able to trust *that* public KDC certificate when running 'kinit
> -n', thus we need access to it.
>

( insert emoji with confused face )
Thanks for explaining this, not that I understand all of it. So, does this mean
we have to ask the Ubuntu/Debian maintainers to allow read access to
/var/lib/krb5kdc?
-- 
Kees
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
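The failure in the thread comes down to path traversal rights: the armor `kinit -n` that FreeIPA's WSGI code runs executes as the web server's account, and to open `/var/lib/krb5kdc/kdc.crt` that account needs the search (x) bit on every ancestor directory plus read on the file itself, not the read bit on the directory. That is why `chmod 711` on `/var/lib/krb5kdc` was enough, and it is the least-privilege alternative to the 755 the Fedora package ships. The following is an added example, not code from the thread or from FreeIPA, that reproduces this check offline for an arbitrary account; the default path and the `www-data` user name (Ubuntu's Apache account; Fedora uses `apache`) are assumptions, and the `start` parameter limits the walk to one subtree.

```python
#!/usr/bin/env python3
"""Check whether an unprivileged service account could open a file such as the
KDC PKINIT certificate that FreeIPA's 'kinit -n' armor step reads.

Added example, not code from the mailing-list thread or from FreeIPA. It walks
each ancestor directory and applies the usual mode-bit rules: a directory only
needs the search bit (x) for a known path below it to be opened, so 0711 on
the KDC directory is sufficient; read (r) on a directory is only needed to
list it. The default path and the 'www-data' account are assumptions.
"""
import os
import pwd
import stat
import sys
from pathlib import Path


def _perm_bits(st, uid, gids):
    """(read, write, exec) as seen by uid (member of gids) for this inode.

    Root is treated as unrestricted (CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH);
    the case that matters here is the non-root web server account.
    """
    if uid == 0:
        return (True, True, True)
    if st.st_uid == uid:
        shift = 6          # owner bits
    elif st.st_gid in gids:
        shift = 3          # group bits
    else:
        shift = 0          # other bits
    return tuple(bool(st.st_mode & (bit << shift)) for bit in (4, 2, 1))


def can_open_for_read(path, uid, gids, start="/"):
    """Return (ok, reason) for uid attempting to open `path` read-only.

    Every ancestor at or below `start` must grant search (x); the file itself
    must grant read (r). Ancestors above `start` are assumed traversable,
    which lets a caller scope the check to one subtree.
    """
    p = Path(path).resolve()
    start = Path(start).resolve()
    for ancestor in reversed(p.parents):           # root-most first
        if ancestor != start and start not in ancestor.parents:
            continue                               # above `start`: skipped
        st = os.stat(ancestor)
        if not _perm_bits(st, uid, gids)[2]:
            return False, "%s: mode %s denies search (x) to uid %d" % (
                ancestor, stat.filemode(st.st_mode), uid)
    st = os.stat(p)
    if not stat.S_ISREG(st.st_mode):
        return False, "%s: not a regular file" % p
    if not _perm_bits(st, uid, gids)[0]:
        return False, "%s: mode %s denies read to uid %d" % (
            p, stat.filemode(st.st_mode), uid)
    return True, "%s is readable by uid %d" % (p, uid)


def check_for_user(path, username):
    """Resolve username to its uid and full supplementary group list, then check."""
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    return can_open_for_read(path, pw.pw_uid, gids)


if __name__ == "__main__":
    # Usage: check_kdc_cert_access.py [path] [user]   (both defaults are assumptions)
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/krb5kdc/kdc.crt"
    user = sys.argv[2] if len(sys.argv) > 2 else "www-data"
    try:
        ok, why = check_for_user(target, user)
    except (KeyError, OSError) as exc:
        print("cannot check: %s" % exc)
        sys.exit(2)
    print(why)
    sys.exit(0 if ok else 1)
```

Run it on the IPA server as `python3 check_kdc_cert_access.py /var/lib/krb5kdc/kdc.crt www-data` (or with `apache` on Fedora) and it names the first directory that blocks the account, which is the same directory `kinit` reports as "Permission denied" in the Apache log. The check only models DAC mode bits; ACLs and SELinux/AppArmor are outside its scope.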