On Чцв, 21 сак 2024, Ian Kumlien via FreeIPA-users wrote:
On Wed, Mar 20, 2024 at 9:52 PM Florence Renaud <[email protected]> wrote:
> On 20 Mar 2024, at 16:38, Ian Kumlien <[email protected]> wrote:
>
> On Wed, Mar 20, 2024 at 3:52 PM Ian Kumlien <[email protected]> wrote:
>>
>>> On Wed, Mar 20, 2024 at 11:21 AM Florence Blanc-Renaud <[email protected]>
wrote:
>>>
>>> Hi,
>>>
>>> On Wed, Mar 20, 2024 at 10:00 AM Ian Kumlien <[email protected]> wrote:
>>>>
>>>> On Wed, Mar 20, 2024 at 9:45 AM Ian Kumlien <[email protected]> wrote:
>>>>>
>>>>> So... this one's new:
>>>>>
>>>>> Connection to https://freeipa-1.xerces.lan/ipa/json failed with
>>>>> Insufficient access: SASL(-1): generic failure: GSSAPI Error:
>>>>> Unspecified GSS failure. Minor code may provide more information
>>>>> (Credential cache is empty)
>>>
>>>
>>> this one can happen if you have an existing ticket in your cache, for
instance from a previous installation, but that is not valid anymore.
>>
>> Ah, ok, i did do kdestroy -A but only on the new machine...
>>
>> A new issue that appeared, no user from the old machines can
>> authenticate at all - still looking in to why it doesn't work
>
> Disabling MS-PAC fixed this issue, will have to dig in to why it was later =)
>
> Any clues?
Your users are probably missing a SID. Run ipa config-mod —enable-sid —add-sids
and check with ipa user-show —all —raw that they contain an
ipantsecurityidentifier attribute.
Uhm, nope, changed nothing it seems... leaving ms-pac disabled works however
There were plenty of discussions on this list in past couple months,
including a lot of instructions what to investigate. Have you tried to
apply those suggestions?
You haven't shown a single log excerpt from IPA servers, be it
/var/log/krb5kdc.log or error logs from the directory server.
Disabling MS-PAC basically kills protection mechanisms that we have
against a numerous breaches using Kerberos protocol's issues.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
