On Sat, 25 Nov 2023, David Leeuwestein via FreeIPA-users wrote:
> Dear IPA users,
> I need your help on an issue. An upgrade from Fedora 36 to Fedora 38
> has completely broken Kerberos authentication in our FreeIPA realm.
> kinit <username>
> fails for every user but our domain admin. Hosts can't authenticate
> themselves either.
> Everything works fine if I add disable_pac = true in the /etc/krb5.conf.
> However, this isn't a recommended setting from a security point of
> view. Therefore, we can't accept that as a workaround.
> I found several posts suggesting generating SIDs for the users. So I
> did that by calling ipa config-mod --enable-sid --add-sids. The job
> ran without any error and assigned a SID to each user. I confirmed
> this with ipa user-show --all.
> I also verified that the firewall configuration matches the
> recommendations of FreeIPA:
> https://www.freeipa.org/page/Active_Directory_trust_setup#iptables
> I also thought this issue could be caused by a FreeIPA version
> mismatch between our two master servers. Therefore, I updated both
> servers to Fedora 38, but the problem still exists.
> I tried to collect the vital system information.
Please provide this user entry's content and the output of 'ipa idrange-find'.
If you cannot get 'kinit' working for admin, then try the following
commands as root on the IPA server:

# ipa -e in_server=True user-show admin --all --raw | grep -E -v -i '(password|principalkey|nthash)'
# ipa -e in_server=True idrange-find

The grep filters out any field with those three words in the name so that we
don't see your user's credentials but still get the rest.

Most of what I am going to suggest based on that output was already
discussed on this list in the past couple of months in the thread 'ipa CLI
doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC', so
you can use
https://lists.fedorahosted.org/archives/list/[email protected]/
to browse the archives.
> $ kinit user
> Passwort für [email protected]:
> kinit: allgemeiner Fehler (siehe E-Text) bei Anfängliche Anmeldedaten
> werden geholt.
> The `/var/log/krb5kdc.log` contains the following entries for an
> authentication attempt:
> Nov 25 20:22:35 id.intern.example.de krb5kdc[2858](Information):
> AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18),
> aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
> aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17),
> camellia128-cts-cmac(25)}) 141.83.153.180: HANDLE_AUTHDATA:
> [email protected] für krbtgt/[email protected],
> Datei oder Verzeichnis nicht gefunden
> The content of our `/etc/krb5.conf` is:
> includedir /etc/krb5.conf.d/
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = INTERN.EXAMPLE.DE
> dns_lookup_realm = false
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = true
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
> [realms]
> INTERN.EXAMPLE.DE = {
> kdc = id.intern.example.de:88
> master_kdc = id.intern.example.de:88
> kpasswd_server = id.intern.example.de:464
> admin_server = id.intern.example.de:749
> default_domain = intern.example.de
> pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
> pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> }
> [domain_realm]
> .intern.example.de = INTERN.EXAMPLE.DE
> intern.example.de = INTERN.EXAMPLE.DE
> id.intern.example.de = INTERN.EXAMPLE.DE
> [dbmodules]
> INTERN.EXAMPLE.DE = {
> db_library = ipadb.so
> }
> [plugins]
> certauth = {
> module = ipakdb:kdb/ipadb.so
> enable_only = ipakdb
> }
> IPA diagnostics show no error:
> $ ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> I also asked this question on serverfault:
> https://serverfault.com/posts/1148566
> Please let me know if I forgot to include anything vital. I never
> posted to a user mailing list before. Please let me know if I failed
> to follow a best practice. I'd appreciate any help since I am stuck
> here.
> Have a nice day!
> David Leeuwestein
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
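Added example, not part of the thread or of FreeIPA itself: a small POSIX shell script that does the three checks discussed above on constructed input. It strips the credential-bearing attributes (password, principalkey, nthash) from a `user-show --raw` entry exactly as the reply suggests before the entry is pasted anywhere, reads back the `ipantsecurityidentifier` that `ipa config-mod --enable-sid --add-sids` is supposed to have populated, and pulls the client principals that failed in `HANDLE_AUTHDATA` out of krb5kdc.log lines shaped like the one David posted. The sample entry and log lines are constructed placeholders (documentation IP, dummy SID, no real key material); the attribute names are the ones FreeIPA uses, but the values are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): redact an IPA user entry, confirm it
# carries a SID, and list the principals failing in HANDLE_AUTHDATA.

# Constructed sample of `ipa -e in_server=True user-show admin --all --raw`.
# Every value is a placeholder, not a real credential.
SAMPLE_USER_SHOW='  dn: uid=admin,cn=users,cn=accounts,dc=intern,dc=example,dc=de
  uid: admin
  krbprincipalname: admin@INTERN.EXAMPLE.DE
  krbprincipalkey: PLACEHOLDER-BASE64
  ipanthash: PLACEHOLDER-BASE64
  userpassword: PLACEHOLDER-HASH
  ipantsecurityidentifier: S-1-5-21-111-222-333-500
  memberof: cn=admins,cn=groups,cn=accounts,dc=intern,dc=example,dc=de'

# Constructed krb5kdc.log lines in the shape of the one quoted above
# (English messages, RFC 5737 documentation address).
SAMPLE_KDC_LOG='Nov 25 20:22:35 id.intern.example.de krb5kdc[2858](info): AS_REQ (6 etypes {18 20 26 19 17 25}) 192.0.2.10: HANDLE_AUTHDATA: user@INTERN.EXAMPLE.DE for krbtgt/INTERN.EXAMPLE.DE@INTERN.EXAMPLE.DE, No such file or directory
Nov 25 20:22:40 id.intern.example.de krb5kdc[2858](info): AS_REQ (6 etypes {18 20 26 19 17 25}) 192.0.2.10: ISSUE: authtime 1700943760, etypes {rep=18 tkt=18 ses=18}, admin@INTERN.EXAMPLE.DE for krbtgt/INTERN.EXAMPLE.DE@INTERN.EXAMPLE.DE'

# Drop every attribute whose name contains password, principalkey or nthash
# (stdin -> stdout), the same filter the reply asks for.
redact_user_show() {
    grep -E -v -i '(password|principalkey|nthash)'
}

# Print the value of ipantsecurityidentifier; prints nothing if the entry
# has no SID, which is the first thing to check after --add-sids.
sid_of() {
    sed -n 's/^[[:space:]]*ipantsecurityidentifier:[[:space:]]*//p'
}

# Print the client principal of every request that failed in HANDLE_AUTHDATA
# (stdin = krb5kdc.log), one per line, duplicates collapsed. The principal is
# the first token after the marker, so localized messages match as well.
authdata_failures() {
    sed -n 's/.*HANDLE_AUTHDATA: \([^ ]*\).*/\1/p' | sort -u
}

# Stand-alone run: redacted entry, its SID, and the failing principals.
printf '%s\n' "$SAMPLE_USER_SHOW" | redact_user_show
echo "SID: $(printf '%s\n' "$SAMPLE_USER_SHOW" | sid_of)"
echo "Principals failing in HANDLE_AUTHDATA:"
printf '%s\n' "$SAMPLE_KDC_LOG" | authdata_failures
```

On a real server the two pipelines would be fed by `ipa -e in_server=True user-show <user> --all --raw` and by `/var/log/krb5kdc.log`; an empty result from `sid_of` for a user who cannot `kinit` is worth reporting alongside the `ipa idrange-find` output the reply asks for.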
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue