On 07-09-18 11:50, Alexander Bokovoy wrote: > On pe, 07 syys 2018, Kees Bakker wrote: >> On 07-09-18 10:13, Alexander Bokovoy wrote: >>> On pe, 07 syys 2018, Kees Bakker via FreeIPA-users wrote: >>>> On 06-09-18 15:16, Kees Bakker via FreeIPA-users wrote: >>>>> [...] >>>>> >>>>> Also, when I access the IPA server using a browser it fails with >>>>> Login failed due to an unknown reason. >>>>> >>>>> In /var/log/apache2/error.log there is this: >>>>> ---------------------8X-----------------8X------------------ >>>>> [Thu Sep 06 12:00:28.720410 2018] [wsgi:error] [pid 6137:tid >>>>> 140075658061568] [remote 10.83.0.11:38596] ipa: INFO: [jsonserver_kerb] >>>>> host/[email protected]: schema(version=u'2.170'): SUCCESS >>>>> [Thu Sep 06 12:01:00.010427 2018] [:warn] [pid 6140:tid 140076243191552] >>>>> [client 10.83.0.11:38608] failed to set perms (3140) on file >>>>> (/var/run/ipa/ccaches/[email protected])!, referer: >>>>> https://usrv1.ijtest.nl/ipa/xml >>>>> [Thu Sep 06 12:01:00.099271 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: >>>>> [jsonserver_session] host/[email protected]: ping(): SUCCESS >>>>> [Thu Sep 06 12:01:00.101695 2018] [:warn] [pid 6140:tid 140076130498304] >>>>> [client 10.83.0.11:38608] failed to set perms (3140) on file >>>>> (/var/run/ipa/ccaches/[email protected])!, referer: >>>>> https://usrv1.ijtest.nl/ipa/xml >>>>> [Thu Sep 06 12:01:00.273013 2018] [wsgi:error] [pid 6137:tid >>>>> 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: >>>>> [jsonserver_session] host/[email protected]: >>>>> ca_is_enabled(version=u'2.107'): SUCCESS >>>>> [Thu Sep 06 12:01:02.805635 2018] [:warn] [pid 6140:tid 140076234798848] >>>>> [client 10.83.0.11:38608] failed to set perms (3140) on file >>>>> (/var/run/ipa/ccaches/[email protected])!, referer: >>>>> https://usrv1.ijtest.nl/ipa/xml >>>>> [Thu Sep 06 12:01:02.999541 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: >>>>> [jsonserver_session] host/[email protected]: >>>>> host_mod(u'usrv1.ijtest.nl', ipasshpubkey=(), updatedns=False, >>>>> version=u'2.26'): EmptyModlist >>>>> [Thu Sep 06 13:02:22.125841 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] mod_wsgi (pid=6138): >>>>> Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. >>>>> [Thu Sep 06 13:02:22.125877 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] Traceback (most recent call >>>>> last): >>>>> [Thu Sep 06 13:02:22.125898 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] File >>>>> "/usr/share/ipa/wsgi.py", line 57, in application >>>>> [Thu Sep 06 13:02:22.125961 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] return >>>>> api.Backend.wsgi_dispatch(environ, start_response) >>>>> [Thu Sep 06 13:02:22.125972 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] File >>>>> "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 265, in >>>>> __call__ >>>>> [Thu Sep 06 13:02:22.128833 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] return >>>>> self.route(environ, start_response) >>>>> [Thu Sep 06 13:02:22.128846 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] File >>>>> "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 277, in >>>>> route >>>>> [Thu Sep 06 13:02:22.128860 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] return app(environ, >>>>> start_response) >>>>> [Thu Sep 06 13:02:22.128872 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] File >>>>> "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 935, in >>>>> __call__ >>>>> [Thu Sep 06 13:02:22.128881 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] >>>>> self.kinit(user_principal, password, ipa_ccache_name) >>>>> [Thu Sep 06 13:02:22.128886 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] File >>>>> "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 971, in >>>>> kinit >>>>> [Thu Sep 06 13:02:22.128892 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] >>>>> pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM], >>>>> [Thu Sep 06 13:02:22.128898 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] File >>>>> "/usr/lib/python2.7/dist-packages/ipalib/install/kinit.py", line 125, in >>>>> kinit_armor >>>>> [Thu Sep 06 13:02:22.133878 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] run(args, env=env, >>>>> raiseonerr=True, capture_error=True) >>>>> [Thu Sep 06 13:02:22.133892 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] File >>>>> "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 572, in run >>>>> [Thu Sep 06 13:02:22.138435 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] p.returncode, >>>>> arg_string, output_log, error_log >>>>> [Thu Sep 06 13:02:22.138488 2018] [wsgi:error] [pid 6138:tid >>>>> 140075658061568] [remote 172.16.16.30:38014] CalledProcessError: >>>>> CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', >>>>> '/var/run/ipa/ccaches/armor_6138', '-X', >>>>> 'X509_anchors=FILE:/var/lib/krb5kdc/kdc.crt', '-X', >>>>> 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned >>>>> non-zero exit status 1: "kinit: Pre-authentication failed: Cannot open >>>>> file '/var/lib/krb5kdc/kdc.crt': Permission denied while getting initial >>>>> credentials\\n") >>>>> ---------------------8X-----------------8X------------------ >>>>> >>>> >>>> The problem with this seems to be related to the fact that directory >>>> /var/lib/krb5kdc >>>> is only readable for root. >>>> >>>> $ ls -ld /var/lib/krb5kdc >>>> drwx------ 2 root root 4096 Feb 5 2018 /var/lib/krb5kdc >>>> >>>> If I chmod the directory to 711 it is possible to login via the browser. >>> I wonder what was used to change it because krb5-server package installs >>> it as 755: >>> >>> # rpm -qlv krb5-server| grep /var/kerberos/krb5kdc >>> drwxr-xr-x 2 root root 0 Aug 1 19:19 >>> /var/kerberos/krb5kdc >>> -rw------- 1 root root 22 Aug 1 19:13 >>> /var/kerberos/krb5kdc/kadm5.acl >>> -rw------- 1 root root 458 Aug 1 19:13 >>> /var/kerberos/krb5kdc/kdc.conf >>> >> >> I'm using Ubuntu 18.04, where it is /var/lib/krb5kdc and this directory has >> chmod 700. >> That is true on Ubuntu 16.04 as well. Ubuntu 16.04 has freeipa-server >> 4.3.1-0ubuntu1 >> >> The Ubuntu 18.04 FreeIPA server installation >> (4.7.0~pre1+git20180411-2ubuntu2) places a >> few files in /var/lib/krb5kdc (that's new). >> >> So the question is: what was changed (in freeipa?) that it now wants read >> access of /var/lib/krb5kdc ? > We need access to the KDC's public certificate in case we are dealing > with a KDC certificate issued by a local certmonger (self-signed) which > is not trusted by the machine. > > You can read https://www.freeipa.org/page/V4/Kerberos_PKINIT for > details. A short version is: > -------- > When you install 4.5 with --no-pkinit, the installer will generate > self-signed certificate for PKINIT. This certificate is only used and > trusted by IPA Web UI running on the same server to obtain an anonymous > ticket. > -------- > > That anonymous PKINIT is required right now to enable two-factor > authentication login to web UI because since FreeIPA 4.5 we cannot use > HTTP service keytab anymore: FreeIPA framework lost access to the keytab > due to privilege separation work we did (read > https://vda.li/en/docs/freeipa-debug-privsep/ for details) > > Since your KDC PKINIT certificate might be issued by a local self-signed > certmonger 'CA' in case you are not using integrated FreeIPA CA, we have > to be able to trust *that* public KDC certificate when running 'kinit > -n', thus we need access to it. >
( insert emoji with confused face ) Thanks for explaining this, not that I understand all of it. So, does this mean we have to ask the Ubuntu/Debian maintainers to allow read access of /var/lib/krb5kdc ? -- Kees _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
