On Wed, 17 Jan 2024, Paul Nickerson via FreeIPA-users wrote:
I have two FreeIPA servers in a cluster, both running on RHEL 8.9. They
started on RHEL 8.0 I believe, and have been upgrading in-place since
then. I recently restarted the FreeIPA services, which triggered an
ipa-server-upgrade to upgrade from 4.9.11 to 4.9.12. When that ran, it
errored out on some expired certificates, which I fixed with
ipa-cert-fix, and then ipa-server-upgrade finished successfully.

Now, when I or any of my users try to log on to the web UI, we get the error "Your 
session has expired. Please log in again."
Also, when I try to run any ipa command on the command line, I get the error:
ipa: ERROR: cannot connect to 'any of the configured servers': 
https://ipa01.semi.example.net/ipa/session/json, 
https://ipa02.semi.example.net/ipa/session/json

I've traced down lots of errors, and I think this one is the most relevant:
401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (Credential 
cache is empty)
I see it in /var/log/httpd/error_log, in the body of the HTTP response from 
https://ipa01.semi.example.net/ipa/session/json in my web browser, and in the 
output from the command ipa --debug

Also, in /var/log/krb5kdc.log, I see:
Jan 17 01:14:47 ipa01.semi.example.net krb5kdc[55855](info): TGS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.16.121.5: 
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1705454084, etypes 
{rep=UNSUPPORTED:(0)} HTTP/ipa01.semi.example....@semi.example.net for 
ldap/ipa01.semi.example....@semi.example.net, KDC policy rejects request

I have krb5 1.18.2 installed. disable_pac is not present in
/var/kerberos/krb5kdc/kdc.conf.

I think I'm experiencing the same issue seen in the recent thread at
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/DLYLL54LBTT4FVJLIFFWVAPQOEU4GWW7/
(subject line "api authorization stopped working after upgrade to
4.9.12-11 on RHEL8").

I don't think any of my users or groups have an SID
(ipantsecurityidentifier). This FreeIPA cluster was installed on RHEL
8.0 (or thereabouts), and the servers have been upgraded in-place since
then. We've never integrated with any Active Directory or Microsoft
product.

FreeIPA generates SIDs by default since FreeIPA 4.9.8. It is configured
to do so on new installations even when integration with AD is not
considered, due to tightened requirements to process constrained
delegation in Kerberos.
This command has no output, showing that even the admin user does not have an 
SID:
ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" 
-W -b cn=users,cn=accounts,dc=semi,dc=example,dc=net uid=admin '*' + | grep -i 
ipantsecurityidentifier

The solution from the other thread, and from
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts#proc_enabling-security-identifiers-sids-in-idm_assembly_strengthening-kerberos-security-with-pac-information,
does not work for me, since the ipa command doesn't work, not even for
the admin user:

[r...@ipa01.semi.example.net ~]
# kinit admin
Password for ad...@semi.example.net:
[r...@ipa01.semi.example.net ~]
# ipa config-mod --enable-sid --add-sids
ipa: ERROR: cannot connect to 'any of the configured servers': 
https://ipa01.semi.example.net/ipa/json, https://ipa02.semi.example.net/ipa/json

I found an alternative method at 
https://freeipa.readthedocs.io/en/latest/designs/adtrust/sidconfig.html#troubleshooting-and-debugging,
but this also does not work for me:

[r...@ipa01.semi.example.net ~]
# ldapmodify -H ldapi://%2Frun%2Fslapd-SEMI-EXAMPLE-NET.socket -f 
/tmp/ipa-sidgen-task-run.ldif
SASL/GSSAPI authentication started
SASL username: ad...@semi.example.net
SASL SSF: 256
SASL data security layer installed.
adding new entry "cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config"
ldap_add: No such object (32)

I think ipa-sidgen-task does not exist in my LDAP directory, but I'm
not sure if I understand how this is supposed to work. I don't see
ipa-sidgen-task or anything like it from this search: ldapsearch -H
ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b
cn=config | grep cn=tasks

Can anyone help me here? I think if I could get an
ipantsecurityidentifier attribute properly set up on my user or on the
admin user, then I would be able to use the ipa command to get SIDs
enabled and created everywhere.

You'd need to enable SID generation first, then run those tasks. Without
sidgen plugins enabled, one cannot initiate SID generation.

Please follow the command Rob pointed you to. If that one fails, please provide
more details about your configuration, including ID ranges you have. You
can operate IPA API on IPA master as root with

# ipa -e in_server=True ...

This would use LDAPI connection as root and would map you into a
'cn=Directory Manager' in LDAP. Not all calls would work (some check
presence of Kerberos tickets) but at least 'idrange-find' should work.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
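Two offline checks for the failure discussed in this thread, added here as an example and not code from the thread or from FreeIPA itself: parsing krb5kdc.log for TGS_REQ lines the KDC rejected with S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC, and scanning an LDIF export of the users container for entries that carry no ipaNTSecurityIdentifier. The log lines, principals, realm and SID value in the sample data are constructed for the example.

```python
import re
# Added example (not from the thread): flag PAC-less TGS_REQ rejections and list users lacking a SID.
TGS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"TGS_REQ \(.*?\) (?P<client_ip>\S+): (?P<status>[A-Z0-9_]+): "
    r"authtime (?P<authtime>\d+), etypes \{[^}]*\},? (?P<client>\S+) for (?P<server>\S+?)"
    r"(?:, (?P<reason>.*))?$"
)
NO_PAC = "S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC"

def parse_tgs_req(line):
    """Parse one krb5kdc.log TGS_REQ line into a dict; None for any other line."""
    m = TGS_REQ_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def find_pac_rejections(log_text):
    """Return parsed TGS_REQ records rejected for lacking a PAC (the S4U2Proxy failure above)."""
    recs = (parse_tgs_req(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["status"] == NO_PAC]

def users_without_sid(ldif_text):
    """Return uids of LDIF entries (one attribute per line) lacking ipaNTSecurityIdentifier."""
    missing = []
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs = {}
        for raw in entry.splitlines():
            if raw.startswith("#") or ": " not in raw:
                continue
            name, value = raw.split(": ", 1)
            attrs.setdefault(name.lower(), []).append(value)
        if "uid" in attrs and "ipantsecurityidentifier" not in attrs:
            missing.append(attrs["uid"][0])
    return missing

# Constructed sample input modelled on the thread's excerpt (principals, realm and SID are made up).
SAMPLE_KDC_LOG = """\
Jan 17 01:14:47 ipa01.semi.example.net krb5kdc[55855](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 172.16.121.5: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1705454084, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa01.semi.example.net@SEMI.EXAMPLE.NET for ldap/ipa01.semi.example.net@SEMI.EXAMPLE.NET, KDC policy rejects request
Jan 17 01:14:50 ipa01.semi.example.net krb5kdc[55855](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20)}) 172.16.121.9: ISSUE: authtime 1705454090, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/client01.semi.example.net@SEMI.EXAMPLE.NET for ldap/ipa01.semi.example.net@SEMI.EXAMPLE.NET
"""
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=semi,dc=example,dc=net
uid: admin

dn: uid=alice,cn=users,cn=accounts,dc=semi,dc=example,dc=net
uid: alice
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001
"""

if __name__ == "__main__":
    for r in find_pac_rejections(SAMPLE_KDC_LOG):
        print(f"{r['ts']} {r['client_ip']} {r['client']} -> {r['server']}: {r['reason']}")
    print("users without SID:", users_without_sid(SAMPLE_LDIF))
```

On a real server, feed it the output of the ldapsearch from the thread (without the grep) and the contents of /var/log/krb5kdc.log; a non-empty list from either function points at the missing-SID condition described above.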
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue