Hi folks,
after the upgrade from ipa-server.x86_64 4.9.12-9 to version 4.9.12-11,
my FreeIPA servers' web interfaces became inaccessible. At login time there
is a message:
Your session has expired. Please log in again.
I found some other threads about similar problems in this ML. However, the
suggested fix to create SIDs
[root@ipa0 log]# /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid
--netbios-name EXAMPLE --add-sids
Configuring SID generation
[1/8]: creating samba domain object
Samba domain object already exists
[2/8]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
[3/8]: adding RID bases
RID bases already set, nothing to do
[4/8]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[5/8]: activating sidgen task
Sidgen task plugin already configured, nothing to do
[6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes
into account
[7/8]: adding fallback group
Fallback group already set, nothing to do
[8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
The ipa-enable-sid command was successful
[root@ipa0 log]# echo $?
0
did not help. I still cannot log in on the web interface. (Looking at the
output, it didn't have to do anything anyway. AFAIR this SID thingy was
already done during the migration from CentOS 7 to 8.)
[root@ipa0 ~]# ipa idrange-find --raw
----------------
3 ranges matched
----------------
cn: EXAMPLE.DE_id_range
ipabaseid: 379400000
ipaidrangesize: 200000
ipabaserid: 379400000
ipasecondarybaserid: 379600000
iparangetype: ipa-local
cn: EXAMPLE.DE_posix
ipabaseid: 1000
ipaidrangesize: 99000
ipabaserid: 1000
ipasecondarybaserid: 100000
iparangetype: ipa-local
cn: EXAMPLE.DE_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-194929194
iparangetype: ipa-ad-trust
----------------------------
Number of entries returned 3
----------------------------
/var/log/messages shows
Jan 23 13:50:28 ipa0 [6654]: GSSAPI Error: Unspecified GSS failure. Minor code
may provide more information (Credential cache is empty)
Jan 23 13:50:28 ipa0 [6653]: GSSAPI Error: Unspecified GSS failure. Minor code
may provide more information (Credential cache is empty)
Jan 23 13:50:31 ipa0 [6654]: GSSAPI Error: Unspecified GSS failure. Minor code
may provide more information (Credential cache is empty)
Jan 23 13:50:31 ipa0 [6653]: GSSAPI Error: Unspecified GSS failure. Minor code
may provide more information (Credential cache is empty)
/var/log/krb5kdc.log
Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2:
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1706012763, etypes
{rep=UNSUPPORTED:(0)} HTTP/[email protected] for
ldap/[email protected], KDC policy rejects request
Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): ... CONSTRAINED-DELEGATION
s4u-client=<unknown>
Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): closing down fd 4
Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2:
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1706012763, etypes
{rep=UNSUPPORTED:(0)} HTTP/[email protected] for
ldap/[email protected], KDC policy rejects request
Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): ... CONSTRAINED-DELEGATION
s4u-client=<unknown>
Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): closing down fd 4
Jan 23 13:50:30 ipa0.example.de krb5kdc[6611](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2:
NEEDED_PREAUTH: WELLKNOWN/[email protected] for
krbtgt/[email protected], Additional pre-authentication required
Jan 23 13:50:30 ipa0.example.de krb5kdc[6611](info): closing down fd 4
Jan 23 13:50:31 ipa0.example.de krb5kdc[6587](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2: ISSUE:
authtime 1706014231, etypes {rep=aes256-cts-hmac-sha384-192(20),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
WELLKNOWN/[email protected] for krbtgt/[email protected]
Jan 23 13:50:31 ipa0.example.de krb5kdc[6587](info): closing down fd 4
Jan 23 13:50:31 ipa0.example.de krb5kdc[6611](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2:
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional
pre-authentication required
Jan 23 13:50:31 ipa0.example.de krb5kdc[6611](info): closing down fd 4
Jan 23 13:50:31 ipa0.example.de krb5kdc[6592](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2: ISSUE:
authtime 1706014231, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
[email protected] for krbtgt/[email protected]
Jan 23 13:50:31 ipa0.example.de krb5kdc[6592](info): closing down fd 4
Jan 23 13:50:31 ipa0.example.de krb5kdc[6588](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2: ISSUE:
authtime 1706014231, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
[email protected] for HTTP/[email protected]
Jan 23 13:50:31 ipa0.example.de krb5kdc[6588](info): closing down fd 4
Jan 23 13:50:31 ipa0.example.de krb5kdc[6587](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2:
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1706014231, etypes
{rep=UNSUPPORTED:(0)} HTTP/[email protected] for
ldap/[email protected], KDC policy rejects request
Jan 23 13:50:31 ipa0.example.de krb5kdc[6587](info): ... CONSTRAINED-DELEGATION
s4u-client=<unknown>
Jan 23 13:50:31 ipa0.example.de krb5kdc[6587](info): closing down fd 4
Jan 23 13:50:31 ipa0.example.de krb5kdc[6588](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2:
S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1706014231, etypes
{rep=UNSUPPORTED:(0)} HTTP/[email protected] for
ldap/[email protected], KDC policy rejects request
Jan 23 13:50:31 ipa0.example.de krb5kdc[6588](info): ... CONSTRAINED-DELEGATION
s4u-client=<unknown>
Jan 23 13:50:31 ipa0.example.de krb5kdc[6588](info): closing down fd 4
Every helpful hint is highly appreciated.
Harri
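An added example, not part of the original post: a small parser for krb5kdc.log entries of the shape quoted above that attaches the "... CONSTRAINED-DELEGATION" follow-up line to its request and counts the S4U2Proxy requests the KDC refused because the evidence ticket had no PAC, so the failure can be seen per delegating service and target. The sample entries, the realm EXAMPLE.DE and the principal user@EXAMPLE.DE are constructed (the realm in the post is masked).

```python
import re
from collections import Counter
# Constructed sample in the one-entry-per-line layout krb5kdc.log really uses (the
# posted excerpt was wrapped by the mail client); EXAMPLE.DE and 'user' are placeholders.
SAMPLE_LOG = "\n".join([
    "Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): TGS_REQ (6 etypes "
    "{aes256-cts-hmac-sha1-96(18)}) 172.19.96.2: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: "
    "authtime 1706012763, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa0.example.de@EXAMPLE.DE "
    "for ldap/ipa0.example.de@EXAMPLE.DE, KDC policy rejects request",
    "Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): ... CONSTRAINED-DELEGATION "
    "s4u-client=<unknown>",
    "Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): closing down fd 4",
    "Jan 23 13:50:31 ipa0.example.de krb5kdc[6588](info): TGS_REQ (6 etypes "
    "{aes256-cts-hmac-sha1-96(18)}) 172.19.96.2: ISSUE: authtime 1706014231, etypes "
    "{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), "
    "ses=aes256-cts-hmac-sha1-96(18)}, user@EXAMPLE.DE for HTTP/ipa0.example.de@EXAMPLE.DE",
    "Jan 23 13:50:31 ipa0.example.de krb5kdc[6588](info): TGS_REQ (6 etypes "
    "{aes256-cts-hmac-sha1-96(18)}) 172.19.96.2: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: "
    "authtime 1706014231, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa0.example.de@EXAMPLE.DE "
    "for ldap/ipa0.example.de@EXAMPLE.DE, KDC policy rejects request",
    "Jan 23 13:50:31 ipa0.example.de krb5kdc[6588](info): ... CONSTRAINED-DELEGATION "
    "s4u-client=<unknown>",
])
# Syslog prefix shared by every line, then the two record shapes that matter here.
PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
REQ_RE = re.compile(PREFIX + r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) "
                    r"(?P<ip>[\d.]+): (?P<status>[A-Z0-9_]+): "
                    r"(?:authtime (?P<authtime>\d+), etypes \{[^}]*\},? )?"  # absent on NEEDED_PREAUTH
                    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<reason>.+))?$")
S4U_RE = re.compile(PREFIX + r"\.\.\. CONSTRAINED-DELEGATION s4u-client=(?P<s4u_client>\S+)$")

def parse_kdc_log(text):
    """Request lines become dicts; a following '... CONSTRAINED-DELEGATION' line is
    attached to the last request logged by the same KDC worker pid."""
    records, last_by_pid = [], {}
    for line in text.splitlines():
        if m := REQ_RE.match(line):
            rec = dict(m.groupdict(), s4u_client=None)
            records.append(rec)
            last_by_pid[rec["pid"]] = rec
        elif (m := S4U_RE.match(line)) and m["pid"] in last_by_pid:
            last_by_pid[m["pid"]]["s4u_client"] = m["s4u_client"]
    return records

def s4u2proxy_pac_rejections(records):
    """Count S4U2Proxy requests refused because the evidence ticket carried no PAC,
    keyed by (service doing the delegation, target service)."""
    return Counter((r["client"], r["server"]) for r in records
                   if r["status"] == "S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC")
```

Run against a real /var/log/krb5kdc.log, the counter shows whether every rejected delegation is the web UI's HTTP service forwarding to ldap, as in the post, while plain TGS_REQ ISSUE entries for the same users keep succeeding.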
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]