On Thu, 11 Jan 2024, Rasto Rickardt via FreeIPA-users wrote:
Hello,

I have a setup of 5 IPA servers on RHEL8. This morning I upgraded the IPA components with dnf upgrade to 4.9.12-11, for example:

ipa-server-4.9.12-11.module+el8.9.0+20824+f2605038.x86_64
ipa-server-common-4.9.12-11.module+el8.9.0+20824+f2605038.noarch

After the upgrade finished without errors, I was not able to log in to the UI with the correct password; the message was "Your session has expired. Please log in again."

dirsrv replication looks OK.

I checked the logs; every time I try to log in, /var/log/httpd/error_log contains:

[Thu Jan 11 17:30:03.490345 2024] [wsgi:error] [pid 3299146:tid 139867429353216] [remote 185.103.146.26:46292] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)

I can do kinit without any error. But when I try to use ipa user-show, it is not working.

The error below tells us that the user ticket did not have a PAC associated with it:

Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/[email protected] for ldap/[email protected], KDC policy rejects request

Can you also share your client's and server's Kerberos configs and which rpms are used?

It looks like either the SID is missing in the user account and the KDC is
forced to ignore that (disable_pac = true in the realm configuration in
kdc.conf), or some flags are set on IPA services to force ignoring PAC
checks. PAC presence is required for constrained delegation
operations, and we now enforce it for krb5 1.18 as well.


ipaupgrade.log attached, rest inline.

If you have any idea how to fix this, I will be grateful.

Thank you,

Rasto

ipa -d user-show
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: found session_cookie in persistent storage for principal 'rrickardt@redacted', cookie: 'ipa_session=MagBearerToken=VsNzXWPFKUTUmXpNpoXBnYn%2f7kaXq3b77Vb1HDzWdZ8u1c3ZAAReJFNMYwMeRLYSv4pggL%2bb3O1YH9lpJuXswOV%2fK%2fs%2bF96bBeIykbO2%2bnklplxnRxGyjo4edYLEo4QvfYIr9P2xGoxPEsCjrDj6m%2bro3UZtiFKGIgrI9KJKfZAhLrk46ooeAZ0HF7IAR5DgI07EdHeXdoP%2bA1T70CoXYA%3d%3d'
ipa: DEBUG: setting session_cookie into context 
'ipa_session=MagBearerToken=VsNzXWPFKUTUmXpNpoXBnYn%2f7kaXq3b77Vb1HDzWdZ8u1c3ZAAReJFNMYwMeRLYSv4pggL%2bb3O1YH9lpJuXswOV%2fK%2fs%2bF96bBeIykbO2%2bnklplxnRxGyjo4edYLEo4QvfYIr9P2xGoxPEsCjrDj6m%2bro3UZtiFKGIgrI9KJKfZAhLrk46ooeAZ0HF7IAR5DgI07EdHeXdoP%2bA1T70CoXYA%3d%3d;'
ipa: DEBUG: trying https://ipa2.id.example.com/ipa/session/json
ipa: DEBUG: New HTTP connection (ipa2.id.example.com)
ipa: DEBUG: HTTP connection destroyed (ipa2.id.example.com)
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 120, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request
    response.msg)
xmlrpc.client.ProtocolError: <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
ipa: DEBUG: trying https://ipa2.id.example.com/ipa/session/json
ipa: DEBUG: New HTTP connection (ipa2.id.example.com)
ipa: DEBUG: HTTP connection destroyed (ipa2.id.example.com)
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 120, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request
    response.msg)
xmlrpc.client.ProtocolError: <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>
ipa: INFO: Connection to https://ipa2.id.example.com/ipa/session/json failed with <ProtocolError for ipa2.id.example.com/ipa/session/json: 401 Unauthorized>

krb5kdc.log
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for krbtgt/[email protected]
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for HTTP/[email protected]
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/[email protected] for ldap/[email protected], KDC policy rejects request
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/[email protected] for ldap/[email protected], KDC policy rejects request
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
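As an added example (not code from the thread or from FreeIPA), here is a small Python parser for krb5kdc.log lines in the format quoted above; it pulls out the S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC rejections that Alexander points at, summarises request outcomes, and checks a kdc.conf text for the disable_pac setting he names. The realm, host names, principal and sample lines are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample in the krb5kdc.log format quoted in the thread (realm, hosts and user are placeholders).
SAMPLE_KDC_LOG = """\
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, user1@ID.EXAMPLE.COM for krbtgt/ID.EXAMPLE.COM@ID.EXAMPLE.COM
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): closing down fd 12
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1231](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.112.65.75: ISSUE: authtime 1704991295, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, user1@ID.EXAMPLE.COM for HTTP/ipa7.id.example.com@ID.EXAMPLE.COM
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa7.id.example.com@ID.EXAMPLE.COM for ldap/ipa7.id.example.com@ID.EXAMPLE.COM, KDC policy rejects request
Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
"""

# One AS_REQ/TGS_REQ record: timestamp, KDC host, request kind, client IP, status code, remainder.
REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<client_ip>\S+): "
    r"(?P<status>[A-Z0-9_]+): (?P<rest>.*)$"
)
# "<client principal> for <server principal>" ends at a comma or at end of line.
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>\S+?)(?:,|$)")

def parse_kdc_log(text):
    """Yield one dict per AS_REQ/TGS_REQ line; 'closing down' and '...' continuation lines are skipped."""
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        p = PRINC_RE.search(rec.pop("rest"))
        rec["client"], rec["server"] = (p.group("client"), p.group("server")) if p else (None, None)
        yield rec

def pac_rejections(text):
    """(proxy service, target service, client IP) for each S4U2PROXY evidence ticket the KDC
    refused because it carried no PAC, i.e. the failure seen after the 4.9.12 upgrade."""
    return [(r["client"], r["server"], r["client_ip"]) for r in parse_kdc_log(text)
            if r["status"] == "S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC"]

def status_summary(text):
    """Count of (request kind, status) pairs, e.g. how many TGS_REQ were ISSUE vs rejected."""
    return Counter((r["kind"], r["status"]) for r in parse_kdc_log(text))

# krb5 accepts true/yes/on/1 as boolean values; match the setting on its own line.
DISABLE_PAC_RE = re.compile(r"^\s*disable_pac\s*=\s*(true|yes|on|1)\b", re.I | re.M)

def kdc_conf_disables_pac(kdc_conf_text):
    """True if kdc.conf sets disable_pac to a true value (one way the reply says the KDC
    can be forced to ignore a missing SID; PAC-less tickets then fail constrained delegation)."""
    return DISABLE_PAC_RE.search(kdc_conf_text) is not None
```

Run it over a real /var/log/krb5kdc.log to see which HTTP/... to ldap/... S4U2PROXY steps the KDC is refusing and from which client address.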